Browser Hijacker or Some Ecard virus- Please Help

[Skeeve]

Hi. I was hoping you could help. When I enter www.facebook.com into my browser address the browser takes me to site identifying me as a winner of some prize. Either an Iphone or bestbuy gift card etc. Then it proceeds to not allow me to leave or exit the website through popping up a windows message. I was able to get out of it by terminating Iexplorer on Windows Task Manager. I have not tried to enter any other addresses or experiment too much. I assume I am infected. The only thing I can think back that I did wrong, was that on Valentines day I did open an e-mail I thought was an e-card to me. I did not click on anything, I just opened the e-mail. It was some trick. I don't know if it is related, I just thought I would mention it. I ran malwarebytes, spybot search and destroy and eset online scanner. They don't seem to pick it up. I have attached the results from GMER and DDS. I am going to put the DDS report in the body of this E-mail as well as a HijackThis log. Thank you in advance for your help on this.

DDS REPORT:

DDS (Ver_10-12-12.02) - NTFSx86

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Home Edition 5.1.2600.2.1255.972.1033.18.2047.578 [GMT -8:00]

AV: Windows Live OneCare *Enabled/Outdated* {427ADFC3-B354-4A51-BE34-A9D4218E45C4}

FW: Windows Live OneCare Firewall *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Livescribe\Livescribe Desktop\LDTray.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe

C:\Program Files\Common Files\Livescribe\PenComm\PenCommService.exe

C:\WINDOWS\system32\IoctlSvc.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe

C:\Program Files\Microsoft Windows OneCare Live\winss.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Chaim D\Desktop\Malware Stuff\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll

uRun: [LDTray] c:\program files\livescribe\livescribe desktop\LDTray.exe

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [OneCareUI] "c:\program files\microsoft windows onecare live\winssnotify.exe"

mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto

mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [soundMan] SOUNDMAN.EXE

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

Trusted Zone: cinemanow.com

Trusted Zone: intuit.com

Trusted Zone: intuit.com\ttlc

Trusted Zone: powerschool.com\nyhs

Trusted Zone: turbotax.com

DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab

DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} - hxxps://www.windowsonecare.com/install/cli/1.0.0971.38/WinSSWebAgent.CAB

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab

DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.systemrequirementslab.com/sysreqlab2.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156701537625

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {94B82441-A413-4E43-8422-D49930E69764} - hxxps://rtc4.webresponse.one.microsoft.com/media/xp/TLIEFlash.CAB

DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab55579.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://zone.msn.com/bingame/popcaploader_v10.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} - hxxp://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab

TCP: {1C1E47AC-000A-447C-8B6F-6C9739DD0B7A} = 216.231.41.22,216.231.41.2

Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R?2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]

R1 CLBStor;InstantBurn Storage Helper Driver;c:\windows\system32\drivers\CLBStor.sys [2008-12-6 16048]

R2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [2010-4-7 20968]

R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2006-8-23 3712]

R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\microsoft windows onecare live\OcHealthMon.exe [2010-2-5 26120]

R2 PenCommService;Livescribe Pulse Smartpen Service;c:\program files\common files\livescribe\pencomm\PenCommService.exe [2009-7-6 151552]

R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\western digital\wd drive manager\WDBtnMgrSvc.exe [2008-7-24 102400]

R3 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2006-8-27 53168]

S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]

S3 PulseUsb;Livescribe Pulse Smartpen USB Driver;c:\windows\system32\drivers\PulseUsb.sys [2009-7-6 19584]

S3 SaiH075C;SaiH075C;c:\windows\system32\drivers\SaiH075C.sys [2006-10-12 176640]

S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\ntglm7x.sys --> e:\NTGLM7X.sys [?]

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2009-5-3 11520]

S4 CinemaNow Service;CinemaNow Service;c:\program files\cinemanow\cinemanow media manager\CinemaNowSvc.exe [2009-1-30 125304]

=============== Created Last 30 ================

2011-02-16 20:35:53 -------- d-----w- c:\program files\ESET

==================== Find3M ====================

============= FINISH: 11:28:54.72 ===============

Hijackthis Report:

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 4:13:04 PM, on 2/16/2011

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe

C:\Program Files\Common Files\Livescribe\PenComm\PenCommService.exe

C:\WINDOWS\system32\IoctlSvc.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe

C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe

C:\Program Files\Microsoft Windows OneCare Live\winss.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Livescribe\Livescribe Desktop\LDTray.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Documents and Settings\Chaim D\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [LDTray] C:\Program Files\Livescribe\Livescribe Desktop\LDTray.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://*.cinemanow.com

O15 - Trusted Zone: *.intuit.com

O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab

O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/1.0.0971.38/WinSSWebAgent.CAB

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156701537625

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab

O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc4.webresponse.one.microsoft.com/media/xp/TLIEFlash.CAB

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab55579.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{1C1E47AC-000A-447C-8B6F-6C9739DD0B7A}: NameServer = 216.231.41.22,216.231.41.2

O17 - HKLM\System\CS1\Services\Tcpip\..\{1C1E47AC-000A-447C-8B6F-6C9739DD0B7A}: NameServer = 216.231.41.22,216.231.41.2

O17 - HKLM\System\CS2\Services\Tcpip\..\{1C1E47AC-000A-447C-8B6F-6C9739DD0B7A}: NameServer = 216.231.41.22,216.231.41.2

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe

O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Livescribe Pulse Smartpen Service (PenCommService) - Livescribe - C:\Program Files\Common Files\Livescribe\PenComm\PenCommService.exe

O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

O23 - Service: WD Drive Manager Service (WDBtnMgrSvc.exe) - WDC - C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe

--

End of file - 8324 bytes

Attach.zip

[screen317]

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run two logs will be produced, please post DDS.txt directly into your reply.

[Skeeve]

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run two logs will be produced, please post DDS.txt directly into your reply.

I have included the DDS report directly into the above post. I also included Hijack report in the post. I attached the Gmer and Remaining DDS reports to the post as a file attachment as per the sticky not instructions. Are you not seeing these?

[screen317]

Hi,

I would like you to update MBAM, run a Quick Scan, and post its log directly into your reply.

Then run DDS again, and post its log directly into your reply.

[Skeeve]

Hi,

I would like you to update MBAM, run a Quick Scan, and post its log directly into your reply.

Then run DDS again, and post its log directly into your reply.

Thank you. I appreciate your help. I putting the Malwarebytes log and DDs log below:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5876

Windows 5.1.2600 Service Pack 2

Internet Explorer 8.0.6001.18702

2/25/2011 11:07:46 AM

mbam-log-2011-02-25 (11-07-46).txt

Scan type: Quick scan

Objects scanned: 159841

Time elapsed: 4 minute(s), 40 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

DDS (Ver_10-12-12.02) - NTFSx86

Run by D at 11:08:56.28 on Fri 02/25/2011

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Home Edition 5.1.2600.2.1255.972.1033.18.2047.1117 [GMT -8:00]

AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

AV: Windows Live OneCare *Enabled/Outdated* {427ADFC3-B354-4A51-BE34-A9D4218E45C4}

FW: Windows Live OneCare Firewall *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe

C:\Program Files\Common Files\Livescribe\PenComm\PenCommService.exe

C:\WINDOWS\system32\IoctlSvc.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe

C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe

C:\Program Files\Microsoft Windows OneCare Live\winss.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Livescribe\Livescribe Desktop\LDTray.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Documents and Settings\Chaim D\Desktop\Malware Stuff\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll

uRun: [LDTray] c:\program files\livescribe\livescribe desktop\LDTray.exe

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [OneCareUI] "c:\program files\microsoft windows onecare live\winssnotify.exe"

mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto

mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [soundMan] SOUNDMAN.EXE

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

Trusted Zone: cinemanow.com

Trusted Zone: intuit.com

Trusted Zone: intuit.com\ttlc

Trusted Zone: powerschool.com\nyhs

Trusted Zone: turbotax.com

DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab

DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} - hxxps://www.windowsonecare.com/install/cli/1.0.0971.38/WinSSWebAgent.CAB

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab

DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.systemrequirementslab.com/sysreqlab2.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156701537625

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {94B82441-A413-4E43-8422-D49930E69764} - hxxps://rtc4.webresponse.one.microsoft.com/media/xp/TLIEFlash.CAB

DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab55579.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://zone.msn.com/bingame/popcaploader_v10.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} - hxxp://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab

TCP: {1C1E47AC-000A-447C-8B6F-6C9739DD0B7A} = 216.231.41.22,216.231.41.2

Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-2-22 64512]

R1 CLBStor;InstantBurn Storage Helper Driver;c:\windows\system32\drivers\CLBStor.sys [2008-12-6 16048]

R2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [2010-4-7 20968]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-2-15 1405384]

R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2006-8-23 3712]

R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\microsoft windows onecare live\OcHealthMon.exe [2010-2-5 26120]

R2 PenCommService;Livescribe Pulse Smartpen Service;c:\program files\common files\livescribe\pencomm\PenCommService.exe [2009-7-6 151552]

R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\western digital\wd drive manager\WDBtnMgrSvc.exe [2008-7-24 102400]

R3 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2006-8-27 53168]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-2-22 136176]

S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-2-15 15232]

S3 PulseUsb;Livescribe Pulse Smartpen USB Driver;c:\windows\system32\drivers\PulseUsb.sys [2009-7-6 19584]

S3 SaiH075C;SaiH075C;c:\windows\system32\drivers\SaiH075C.sys [2006-10-12 176640]

S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\ntglm7x.sys --> e:\NTGLM7X.sys [?]

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2009-5-3 11520]

S4 CinemaNow Service;CinemaNow Service;c:\program files\cinemanow\cinemanow media manager\CinemaNowSvc.exe [2009-1-30 125304]

=============== Created Last 30 ================

2011-02-22 23:20:14 16432 ----a-w- c:\windows\system32\lsdelete.exe

2011-02-22 21:31:15 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys

2011-02-22 21:23:30 -------- d-----w- c:\docume~1\chaimd~1\locals~1\applic~1\Temp

2011-02-22 21:23:13 -------- d-----w- c:\docume~1\chaimd~1\locals~1\applic~1\Google

2011-02-22 21:23:07 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{84D8B12B-411B-484B-91F0-823C394D5DD9}

2011-02-16 20:35:53 -------- d-----w- c:\program files\ESET

==================== Find3M ====================

============= FINISH: 11:10:06.35 ===============

[screen317]

Hi,

Are you currently connected through a router?

[Skeeve]

Hi,

Are you currently connected through a router?

Hmm... This is my computer that I use at the school that I work. I am not sure exactly how the network is set up. I can try and find out if it will be helpful.

Are there specific questions you would like answered?

Thanks!

[screen317]

Thanks for letting me know.

Do this instead:

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

• When the tool is finished, it will produce a report for you.
  
• Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317

[Skeeve]

Thanks for letting me know.

Do this instead:

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

• When the tool is finished, it will produce a report for you.
  
• Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317

Thank you. I will follow those instructions tomorrow when I go to school. Do you mind if I ask you a couple of questions? If not I completely understand, your time is valuable. I am so appreciative that you are just walking me through it. I also enjoy learning about this area. I was first wondering if there was something you saw or were looking for in the above logs? Second, I was curious why you keep wanting a DDS report, are you looking for a change in something? Thirdly, What does combofix do, that the others won't or more specifically, why are you introducing combofix?

Again, if you don't have the time to answer I understand. I enjoy learning about this, and I hope that I can someday help others if I fully understand the process.

Daniel

[Skeeve]

Ok, here is the combofix log and the new DDS Log. Thanks.

ComboFix 11-02-28.02 - D 02/28/2011 14:08:49.1.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1255.972.1033.18.2047.1406 [GMT -8:00]

Running from: c:\documents and settings\Chaim D\Desktop\Malware Stuff\ComboFix.exe

AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

AV: Windows Live OneCare *Disabled/Outdated* {427ADFC3-B354-4A51-BE34-A9D4218E45C4}

FW: Windows Live OneCare Firewall *Disabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\Common

c:\windows\Downloaded Program Files\popcaploader.dll

c:\windows\Downloaded Program Files\popcaploader.inf

c:\windows\jestertb.dll

.

((((((((((((((((((((((((( Files Created from 2011-01-28 to 2011-02-28 )))))))))))))))))))))))))))))))

.

2011-02-28 20:38 . 2011-02-28 20:38 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2011-02-22 23:20 . 2011-02-16 01:00 16432 ----a-w- c:\windows\system32\lsdelete.exe

2011-02-22 22:42 . 2011-02-22 22:42 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2011-02-22 21:31 . 2011-02-16 01:00 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys

2011-02-22 21:28 . 2011-02-22 21:28 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google

2011-02-22 21:23 . 2011-02-22 21:27 -------- d-----w- c:\documents and settings\Chaim D\Local Settings\Application Data\Temp

2011-02-22 21:23 . 2011-02-22 21:23 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

2011-02-22 21:23 . 2011-02-22 21:27 -------- d-----w- c:\program files\Google

2011-02-22 21:23 . 2011-02-22 21:23 -------- d-----w- c:\documents and settings\Chaim D\Local Settings\Application Data\Google

2011-02-22 21:23 . 2011-02-22 21:23 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{84D8B12B-411B-484B-91F0-823C394D5DD9}

2011-02-16 20:35 . 2011-02-16 20:35 -------- d-----w- c:\program files\ESET

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-12-21 02:09 . 2010-01-01 03:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-21 02:08 . 2010-01-01 03:10 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

.

------- Sigcheck -------

[-] 2008-04-14 . 574738F61FCA2935F5265DC4E5691314 . 409088 . . [6.7.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\qmgr.dll

[-] 2007-03-29 . CC431E6DEAAD867A583EE5E804EE4CF2 . 409600 . . [6.7.2600.3109] . . c:\windows\system32\qmgr.dll

[-] 2007-03-29 . CC431E6DEAAD867A583EE5E804EE4CF2 . 409600 . . [6.7.2600.3109] . . c:\windows\system32\bits\qmgr.dll

[-] 2007-03-29 . CC431E6DEAAD867A583EE5E804EE4CF2 . 409600 . . [6.7.2600.3109] . . c:\windows\system32\dllcache\qmgr.dll

[-] 2007-03-29 . 65E23953D337574E549B1EF34FE0B1DA . 409600 . . [6.7.2600.3109] . . c:\windows\$hf_mig$\KB923845\SP2QFE\qmgr.dll

[7] 2006-02-28 . 2C69EC7E5A311334D10DD95F338FCCEA . 382464 . . [6.6.2600.2180] . . c:\windows\$NtUninstallKB923845$\qmgr.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LDTray"="c:\program files\Livescribe\Livescribe Desktop\LDTray.exe" [2009-05-11 419136]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"OneCareUI"="c:\program files\Microsoft Windows OneCare Live\winssnotify.exe" [2010-02-06 65256]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 55824]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-03-25 13524992]

"nwiz"="nwiz.exe" [2008-03-25 1626112]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-03-25 86016]

"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 55824]

"SoundMan"="SOUNDMAN.EXE" [2010-04-21 90112]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2007-11-15 18:10 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk

backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater6]

2009-01-08 15:36 2521464 ----a-w- c:\program files\Common Files\Adobe\Updater6\Adobe_Updater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDRegion]

2009-09-04 21:16 75048 ------w- c:\program files\CyberLink\Shared Files\brs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

2008-06-25 00:05 132392 ----a-w- c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]

2006-08-17 19:32 17920 ----a-w- c:\windows\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]

2006-08-17 19:32 18944 ----a-w- c:\windows\system32\CTXFIHLP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]

2008-06-24 18:34 41824 ----a-w- c:\program files\Common Files\aol\1164583927\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2010-01-23 03:16 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]

2009-04-17 03:56 62760 ----a-w- c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch LCDMon]

2006-03-06 22:14 497152 ----a-w- c:\program files\Logitech\G-series Software\LCDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch LGDCore]

2006-03-06 22:31 1122304 ----a-w- c:\program files\Logitech\G-series Software\LGDCore.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDTray]

2009-05-11 21:16 419136 ----a-w- c:\program files\Livescribe\Livescribe Desktop\LDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]

2008-06-08 17:31 2221352 ----a-w- c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nero PhotoShow Media Manager]

2007-04-27 18:16 312848 ----a-w- c:\progra~1\Nero\PHOTOS~1\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2008-06-19 17:53 570664 ----a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-11-11 07:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]

2009-04-17 03:54 87336 ------w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2008-06-10 12:27 144784 ----a-w- c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2009-06-07 19:52 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WD Drive Manager]

2008-07-24 22:22 450560 ----a-w- c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"AOL ACS"=2 (0x2)

"LightScribeService"=2 (0x2)

"iPod Service"=3 (0x3)

"CinemaNow Service"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"CTFMON.EXE"=c:\windows\system32\ctfmon.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"g:\\Games\\ea games\\battlefield2\\BF2.exe"=

"g:\\Games\\Sierra\\FEARCombat\\FEARMP.exe"=

"g:\\Games\\ea games\\Battlefield 2142\\BF2142.exe"=

"c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=

"c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=

"c:\\Program Files\\AOL 9.0\\waol.exe"=

"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=

"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=

"c:\\Program Files\\Common Files\\aol\\1164583927\\ee\\aolsoftware.exe"=

"g:\\Games\\Sierra Entertainment\\World in Conflict - BETA\\wic.exe"=

"g:\\Games\\Ubisoft\\Tom Clancy's Rainbow Six Vegas\\Binaries\\R6Vegas_Game.exe"=

"g:\\Games\\Ubisoft\\Tom Clancy's Rainbow Six Vegas\\Binaries\\R6Vegas_Launcher.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\AOL 9.0a\\waol.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"g:\\Games\\ea games\\crysis\\Bin32\\Crysis.exe"=

"g:\\Games\\ea games\\crysis\\Bin32\\CrysisDedicatedServer.exe"=

"g:\\Games\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=

"g:\\Games\\Steam\\steamapps\\common\\nba 2k9\\nba2k9.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\CinemaNow\\CinemaNow Media Manager\\CinemaNowShell.exe"=

"g:\\Games\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=

"g:\\Games\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=

"c:\\Program Files\\AOL 9.1\\waol.exe"=

"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"g:\\Games\\Steam\\steamapps\\common\\mount and blade warband - demo\\mb_warband.exe"=

"g:\\Games\\Steam\\steamapps\\common\\batman arkham asylum goty\\Binaries\\BmLauncher.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/22/2011 1:31 PM 64512]

R1 CLBStor;InstantBurn Storage Helper Driver;c:\windows\system32\drivers\CLBStor.sys [12/6/2008 11:30 PM 16048]

R2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [4/7/2010 9:13 AM 20968]

R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [8/23/2006 9:07 PM 3712]

R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [2/5/2010 4:19 PM 26120]

R2 PenCommService;Livescribe Pulse Smartpen Service;c:\program files\Common Files\Livescribe\PenComm\PenCommService.exe [7/6/2009 5:28 PM 151552]

R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [7/24/2008 2:22 PM 102400]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/22/2011 1:23 PM 136176]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/15/2011 5:00 PM 1405384]

S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [2/15/2011 5:00 PM 15232]

S3 PulseUsb;Livescribe Pulse Smartpen USB Driver;c:\windows\system32\drivers\PulseUsb.sys [7/6/2009 5:28 PM 19584]

S3 SaiH075C;SaiH075C;c:\windows\system32\drivers\SaiH075C.sys [10/12/2006 8:30 PM 176640]

S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\ntglm7x.sys --> e:\NTGLM7X.sys [?]

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/3/2009 1:29 PM 11520]

S4 CinemaNow Service;CinemaNow Service;c:\program files\CinemaNow\CinemaNow Media Manager\CinemaNowSvc.exe [1/30/2009 5:14 PM 125304]

.

Contents of the 'Scheduled Tasks' folder

2011-02-28 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-02-16 01:00]

2011-02-15 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2011-02-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-22 21:23]

2011-02-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-22 21:23]

2007-05-20 c:\windows\Tasks\MP Scheduled Quick Scan.job

- c:\program files\Microsoft Windows OneCare Live\Antivirus\MpCmdRun.exe [2008-07-10 00:05]

2011-02-28 c:\windows\Tasks\User_Feed_Synchronization-{CC52C440-BCE4-44B7-8563-370673A255C3}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 12:31]

.

.

------- Supplementary Scan -------

.

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

Trusted Zone: cinemanow.com

Trusted Zone: intuit.com

Trusted Zone: intuit.com\ttlc

Trusted Zone: powerschool.com\nyhs

Trusted Zone: turbotax.com

TCP: {1C1E47AC-000A-447C-8B6F-6C9739DD0B7A} = 216.231.41.22,216.231.41.2

.

- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-CinemaNowMediaManagerApp - c:\program files\CinemaNow\CinemaNowShell.exe

MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-02-28 14:11

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

LDTray = c:\program files\Livescribe\Livescribe Desktop\LDTray.exe??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]

"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-117609710-1532298954-725345543-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:75,27,57,e0,b2,bc,41,23,ef,7a,31,94,f3,1e,f0,ad,e0,78,6b,93,2a,1e,87,

af,6a,3e,32,5b,f6,e8,66,87,d7,3a,2d,0d,eb,a2,90,bd,0a,fc,96,78,b4,30,95,80,\

"??"=hex:55,ce,01,7e,f6,36,33,f6,af,eb,af,eb,cb,e0,2f,89

[HKEY_USERS\S-1-5-21-117609710-1532298954-725345543-1004\Software\SecuROM\License information*]

"datasecu"=hex:27,6e,71,78,1d,eb,33,2a,1f,60,31,a4,11,95,bb,24,4d,00,f7,ea,e4,

7e,23,83,a0,75,f1,ad,a8,65,0a,5f,80,7a,64,56,a6,46,ec,04,e8,74,80,21,89,ab,\

"rkeysecu"=hex:0d,cb,10,f8,88,aa,bf,45,d5,6a,ce,6f,95,b5,89,9f

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(908)

c:\program files\common files\logitech\bluetooth\LBTWlgn.dll

c:\program files\common files\logitech\bluetooth\LBTServ.dll

.

Completion time: 2011-02-28 14:13:51

ComboFix-quarantined-files.txt 2011-02-28 22:13

Pre-Run: 83,813,556,224 bytes free

Post-Run: 84,825,640,960 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 25478250B4264315A646EB318A611091

DDS (Ver_10-12-12.02) - NTFSx86

Run by D at 14:19:05.78 on Mon 02/28/2011

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Home Edition 5.1.2600.2.1255.972.1033.18.2047.1372 [GMT -8:00]

AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

AV: Windows Live OneCare *Disabled/Outdated* {427ADFC3-B354-4A51-BE34-A9D4218E45C4}

FW: Windows Live OneCare Firewall *Disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe

C:\Program Files\Common Files\Livescribe\PenComm\PenCommService.exe

C:\WINDOWS\system32\IoctlSvc.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe

C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe

C:\Program Files\Microsoft Windows OneCare Live\winss.exe

C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Livescribe\Livescribe Desktop\LDTray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\Chaim D\Desktop\Malware Stuff\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll

uRun: [LDTray] c:\program files\livescribe\livescribe desktop\LDTray.exe

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

mRun: [OneCareUI] "c:\program files\microsoft windows onecare live\winssnotify.exe"

mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [soundMan] SOUNDMAN.EXE

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

Trusted Zone: cinemanow.com

Trusted Zone: intuit.com

Trusted Zone: intuit.com\ttlc

Trusted Zone: powerschool.com\nyhs

Trusted Zone: turbotax.com

DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab

DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} - hxxps://www.windowsonecare.com/install/cli/1.0.0971.38/WinSSWebAgent.CAB

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab

DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.systemrequirementslab.com/sysreqlab2.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156701537625

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {94B82441-A413-4E43-8422-D49930E69764} - hxxps://rtc4.webresponse.one.microsoft.com/media/xp/TLIEFlash.CAB

DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab55579.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://zone.msn.com/bingame/popcaploader_v10.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} - hxxp://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab

TCP: {1C1E47AC-000A-447C-8B6F-6C9739DD0B7A} = 216.231.41.22,216.231.41.2

Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-2-22 64512]

R1 CLBStor;InstantBurn Storage Helper Driver;c:\windows\system32\drivers\CLBStor.sys [2008-12-6 16048]

R2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [2010-4-7 20968]

R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2006-8-23 3712]

R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\microsoft windows onecare live\OcHealthMon.exe [2010-2-5 26120]

R2 PenCommService;Livescribe Pulse Smartpen Service;c:\program files\common files\livescribe\pencomm\PenCommService.exe [2009-7-6 151552]

R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\western digital\wd drive manager\WDBtnMgrSvc.exe [2008-7-24 102400]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-2-22 136176]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-2-15 1405384]

S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-2-15 15232]

S3 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2006-8-27 53168]

S3 PulseUsb;Livescribe Pulse Smartpen USB Driver;c:\windows\system32\drivers\PulseUsb.sys [2009-7-6 19584]

S3 SaiH075C;SaiH075C;c:\windows\system32\drivers\SaiH075C.sys [2006-10-12 176640]

S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\ntglm7x.sys --> e:\NTGLM7X.sys [?]

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2009-5-3 11520]

S4 CinemaNow Service;CinemaNow Service;c:\program files\cinemanow\cinemanow media manager\CinemaNowSvc.exe [2009-1-30 125304]

=============== Created Last 30 ================

2011-02-28 22:07:46 -------- d-sha-r- C:\cmdcons

2011-02-28 22:05:48 98816 ----a-w- c:\windows\sed.exe

2011-02-28 22:05:48 89088 ----a-w- c:\windows\MBR.exe

2011-02-28 22:05:48 256512 ----a-w- c:\windows\PEV.exe

2011-02-28 22:05:48 161792 ----a-w- c:\windows\SWREG.exe

2011-02-28 20:38:55 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2011-02-22 23:20:14 16432 ----a-w- c:\windows\system32\lsdelete.exe

2011-02-22 21:31:15 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys

2011-02-22 21:23:30 -------- d-----w- c:\docume~1\chaimd~1\locals~1\applic~1\Temp

2011-02-22 21:23:13 -------- d-----w- c:\docume~1\chaimd~1\locals~1\applic~1\Google

2011-02-22 21:23:07 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{84D8B12B-411B-484B-91F0-823C394D5DD9}

2011-02-16 20:35:53 -------- d-----w- c:\program files\ESET

==================== Find3M ====================

============= FINISH: 14:19:26.06 ===============

[screen317]

Hi,

Hi Daniel,

I'm happy to answer your questions.

I was first wondering if there was something you saw or were looking for in the above logs?

Without going into too much detail, I'm looking for signs of infection.

Second, I was curious why you keep wanting a DDS report, are you looking for a change in something?

Yes, it's important to see how things change, especially after running our tools.

Thirdly, What does combofix do, that the others won't or more specifically, why are you introducing combofix?

I'm afraid I can't really go into specifics of that; however it is a very powerful tool that we employ to fight malware.

If you'd like to learn how to fight malware, I learned at SpywareInfo's Boot Camp.

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the box below into Notepad:

FCOPY::
c:\windows\$NtUninstallKB923845$\qmgr.dll | c:\windows\system32\qmgr.dll

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new DDS log.

-screen317

[Skeeve]

Hi,

Hi Daniel,

I'm happy to answer your questions.

Without going into too much detail, I'm looking for signs of infection.

Yes, it's important to see how things change, especially after running our tools.

I'm afraid I can't really go into specifics of that; however it is a very powerful tool that we employ to fight malware.

If you'd like to learn how to fight malware, I learned at SpywareInfo's Boot Camp.

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the box below into Notepad:

FCOPY::
c:\windows\$NtUninstallKB923845$\qmgr.dll | c:\windows\system32\qmgr.dll

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new DDS log.

-screen317

Thanks for the help. Below are the logs you requested. By the way, are you seeing infections on the computer?

ComboFix 11-02-28.07 - Chaim D 03/01/2011 13:01:35.2.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1255.972.1033.18.2047.1313 [GMT -8:00]

Running from: c:\documents and settings\Chaim D\Desktop\Malware Stuff\ComboFix.exe

Command switches used :: c:\documents and settings\Chaim D\Desktop\Malware Stuff\CFScript.txt

AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

AV: Windows Live OneCare *Disabled/Outdated* {427ADFC3-B354-4A51-BE34-A9D4218E45C4}

FW: Windows Live OneCare Firewall *Disabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

--------------- FCopy ---------------

c:\windows\$NtUninstallKB923845$\qmgr.dll --> c:\windows\system32\qmgr.dll

.

((((((((((((((((((((((((( Files Created from 2011-02-01 to 2011-03-01 )))))))))))))))))))))))))))))))

.

2011-02-28 20:38 . 2011-02-28 20:38 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2011-02-22 23:20 . 2011-02-16 01:00 16432 ----a-w- c:\windows\system32\lsdelete.exe

2011-02-22 22:42 . 2011-02-22 22:42 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2011-02-22 21:31 . 2011-02-16 01:00 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys

2011-02-22 21:28 . 2011-02-22 21:28 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google

2011-02-22 21:23 . 2011-02-22 21:27 -------- d-----w- c:\documents and settings\Chaim D\Local Settings\Application Data\Temp

2011-02-22 21:23 . 2011-02-22 21:23 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

2011-02-22 21:23 . 2011-02-22 21:27 -------- d-----w- c:\program files\Google

2011-02-22 21:23 . 2011-02-22 21:23 -------- d-----w- c:\documents and settings\Chaim D\Local Settings\Application Data\Google

2011-02-22 21:23 . 2011-02-22 21:23 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{84D8B12B-411B-484B-91F0-823C394D5DD9}

2011-02-16 20:35 . 2011-02-16 20:35 -------- d-----w- c:\program files\ESET

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-12-21 02:09 . 2010-01-01 03:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-21 02:08 . 2010-01-01 03:10 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

.

((((((((((((((((((((((((((((( SnapShot@2011-02-28_22.12.11 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-03-01 16:01 . 2011-03-01 16:01 16384 c:\windows\Temp\Perflib_Perfdata_708.dat

+ 2006-08-22 08:06 . 2006-02-28 12:00 382464 c:\windows\system32\dllcache\qmgr.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LDTray"="c:\program files\Livescribe\Livescribe Desktop\LDTray.exe" [2009-05-11 419136]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"OneCareUI"="c:\program files\Microsoft Windows OneCare Live\winssnotify.exe" [2010-02-06 65256]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 55824]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-03-25 13524992]

"nwiz"="nwiz.exe" [2008-03-25 1626112]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-03-25 86016]

"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 55824]

"SoundMan"="SOUNDMAN.EXE" [2010-04-21 90112]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2007-11-15 18:10 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk

backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater6]

2009-01-08 15:36 2521464 ----a-w- c:\program files\Common Files\Adobe\Updater6\Adobe_Updater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDRegion]

2009-09-04 21:16 75048 ------w- c:\program files\CyberLink\Shared Files\brs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

2008-06-25 00:05 132392 ----a-w- c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]

2006-08-17 19:32 17920 ----a-w- c:\windows\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]

2006-08-17 19:32 18944 ----a-w- c:\windows\system32\CTXFIHLP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]

2008-06-24 18:34 41824 ----a-w- c:\program files\Common Files\aol\1164583927\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2010-01-23 03:16 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]

2009-04-17 03:56 62760 ----a-w- c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch LCDMon]

2006-03-06 22:14 497152 ----a-w- c:\program files\Logitech\G-series Software\LCDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch LGDCore]

2006-03-06 22:31 1122304 ----a-w- c:\program files\Logitech\G-series Software\LGDCore.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDTray]

2009-05-11 21:16 419136 ----a-w- c:\program files\Livescribe\Livescribe Desktop\LDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]

2008-06-08 17:31 2221352 ----a-w- c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nero PhotoShow Media Manager]

2007-04-27 18:16 312848 ----a-w- c:\progra~1\Nero\PHOTOS~1\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2008-06-19 17:53 570664 ----a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-11-11 07:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]

2009-04-17 03:54 87336 ------w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2008-06-10 12:27 144784 ----a-w- c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2009-06-07 19:52 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WD Drive Manager]

2008-07-24 22:22 450560 ----a-w- c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"AOL ACS"=2 (0x2)

"LightScribeService"=2 (0x2)

"iPod Service"=3 (0x3)

"CinemaNow Service"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"CTFMON.EXE"=c:\windows\system32\ctfmon.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"g:\\Games\\ea games\\battlefield2\\BF2.exe"=

"g:\\Games\\Sierra\\FEARCombat\\FEARMP.exe"=

"g:\\Games\\ea games\\Battlefield 2142\\BF2142.exe"=

"c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=

"c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=

"c:\\Program Files\\AOL 9.0\\waol.exe"=

"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=

"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=

"c:\\Program Files\\Common Files\\aol\\1164583927\\ee\\aolsoftware.exe"=

"g:\\Games\\Sierra Entertainment\\World in Conflict - BETA\\wic.exe"=

"g:\\Games\\Ubisoft\\Tom Clancy's Rainbow Six Vegas\\Binaries\\R6Vegas_Game.exe"=

"g:\\Games\\Ubisoft\\Tom Clancy's Rainbow Six Vegas\\Binaries\\R6Vegas_Launcher.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\AOL 9.0a\\waol.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"g:\\Games\\ea games\\crysis\\Bin32\\Crysis.exe"=

"g:\\Games\\ea games\\crysis\\Bin32\\CrysisDedicatedServer.exe"=

"g:\\Games\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=

"g:\\Games\\Steam\\steamapps\\common\\nba 2k9\\nba2k9.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\CinemaNow\\CinemaNow Media Manager\\CinemaNowShell.exe"=

"g:\\Games\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=

"g:\\Games\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=

"c:\\Program Files\\AOL 9.1\\waol.exe"=

"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"g:\\Games\\Steam\\steamapps\\common\\mount and blade warband - demo\\mb_warband.exe"=

"g:\\Games\\Steam\\steamapps\\common\\batman arkham asylum goty\\Binaries\\BmLauncher.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/22/2011 1:31 PM 64512]

R1 CLBStor;InstantBurn Storage Helper Driver;c:\windows\system32\drivers\CLBStor.sys [12/6/2008 11:30 PM 16048]

R2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [4/7/2010 9:13 AM 20968]

R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [8/23/2006 9:07 PM 3712]

R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [2/5/2010 4:19 PM 26120]

R2 PenCommService;Livescribe Pulse Smartpen Service;c:\program files\Common Files\Livescribe\PenComm\PenCommService.exe [7/6/2009 5:28 PM 151552]

R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [7/24/2008 2:22 PM 102400]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/22/2011 1:23 PM 136176]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/15/2011 5:00 PM 1405384]

S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [2/15/2011 5:00 PM 15232]

S3 PulseUsb;Livescribe Pulse Smartpen USB Driver;c:\windows\system32\drivers\PulseUsb.sys [7/6/2009 5:28 PM 19584]

S3 SaiH075C;SaiH075C;c:\windows\system32\drivers\SaiH075C.sys [10/12/2006 8:30 PM 176640]

S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\ntglm7x.sys --> e:\NTGLM7X.sys [?]

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/3/2009 1:29 PM 11520]

S4 CinemaNow Service;CinemaNow Service;c:\program files\CinemaNow\CinemaNow Media Manager\CinemaNowSvc.exe [1/30/2009 5:14 PM 125304]

.

Contents of the 'Scheduled Tasks' folder

2011-03-01 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-02-16 01:00]

2011-02-15 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2011-03-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-22 21:23]

2011-03-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-22 21:23]

2007-05-20 c:\windows\Tasks\MP Scheduled Quick Scan.job

- c:\program files\Microsoft Windows OneCare Live\Antivirus\MpCmdRun.exe [2008-07-10 00:05]

2011-03-01 c:\windows\Tasks\User_Feed_Synchronization-{CC52C440-BCE4-44B7-8563-370673A255C3}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 12:31]

.

.

------- Supplementary Scan -------

.

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

Trusted Zone: cinemanow.com

Trusted Zone: intuit.com

Trusted Zone: intuit.com\ttlc

Trusted Zone: powerschool.com\nyhs

Trusted Zone: turbotax.com

TCP: {1C1E47AC-000A-447C-8B6F-6C9739DD0B7A} = 216.231.41.22,216.231.41.2

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-03-01 13:07

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

LDTray = c:\program files\Livescribe\Livescribe Desktop\LDTray.exe??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]

"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-117609710-1532298954-725345543-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:75,27,57,e0,b2,bc,41,23,ef,7a,31,94,f3,1e,f0,ad,e0,78,6b,93,2a,1e,87,

af,6a,3e,32,5b,f6,e8,66,87,d7,3a,2d,0d,eb,a2,90,bd,0a,fc,96,78,b4,30,95,80,\

"??"=hex:55,ce,01,7e,f6,36,33,f6,af,eb,af,eb,cb,e0,2f,89

[HKEY_USERS\S-1-5-21-117609710-1532298954-725345543-1004\Software\SecuROM\License information*]

"datasecu"=hex:27,6e,71,78,1d,eb,33,2a,1f,60,31,a4,11,95,bb,24,4d,00,f7,ea,e4,

7e,23,83,a0,75,f1,ad,a8,65,0a,5f,80,7a,64,56,a6,46,ec,04,e8,74,80,21,89,ab,\

"rkeysecu"=hex:0d,cb,10,f8,88,aa,bf,45,d5,6a,ce,6f,95,b5,89,9f

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(908)

c:\program files\common files\logitech\bluetooth\LBTWlgn.dll

c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(2296)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2011-03-01 13:09:28

ComboFix-quarantined-files.txt 2011-03-01 21:09

ComboFix2.txt 2011-02-28 22:13

Pre-Run: 84,898,570,240 bytes free

Post-Run: 84,908,191,744 bytes free

- - End Of File - - DE8B2CC137D5571B1AD5242AAC6A2514

DDS (Ver_10-12-12.02) - NTFSx86

Run by Chaim D at 13:22:06.34 on Tue 03/01/2011

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Home Edition 5.1.2600.2.1255.972.1033.18.2047.1394 [GMT -8:00]

AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

AV: Windows Live OneCare *Disabled/Outdated* {427ADFC3-B354-4A51-BE34-A9D4218E45C4}

FW: Windows Live OneCare Firewall *Disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe

C:\Program Files\Common Files\Livescribe\PenComm\PenCommService.exe

C:\WINDOWS\system32\IoctlSvc.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe

C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe

C:\Program Files\Microsoft Windows OneCare Live\winss.exe

C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Livescribe\Livescribe Desktop\LDTray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Documents and Settings\Chaim D\Desktop\Malware Stuff\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll

uRun: [LDTray] c:\program files\livescribe\livescribe desktop\LDTray.exe

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

mRun: [OneCareUI] "c:\program files\microsoft windows onecare live\winssnotify.exe"

mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [soundMan] SOUNDMAN.EXE

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

Trusted Zone: cinemanow.com

Trusted Zone: intuit.com

Trusted Zone: intuit.com\ttlc

Trusted Zone: powerschool.com\nyhs

Trusted Zone: turbotax.com

DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab

DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} - hxxps://www.windowsonecare.com/install/cli/1.0.0971.38/WinSSWebAgent.CAB

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab

DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.systemrequirementslab.com/sysreqlab2.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156701537625

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {94B82441-A413-4E43-8422-D49930E69764} - hxxps://rtc4.webresponse.one.microsoft.com/media/xp/TLIEFlash.CAB

DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab55579.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://zone.msn.com/bingame/popcaploader_v10.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} - hxxp://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab

TCP: {1C1E47AC-000A-447C-8B6F-6C9739DD0B7A} = 216.231.41.22,216.231.41.2

Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-2-22 64512]

R1 CLBStor;InstantBurn Storage Helper Driver;c:\windows\system32\drivers\CLBStor.sys [2008-12-6 16048]

R2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [2010-4-7 20968]

R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2006-8-23 3712]

R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\microsoft windows onecare live\OcHealthMon.exe [2010-2-5 26120]

R2 PenCommService;Livescribe Pulse Smartpen Service;c:\program files\common files\livescribe\pencomm\PenCommService.exe [2009-7-6 151552]

R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\western digital\wd drive manager\WDBtnMgrSvc.exe [2008-7-24 102400]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-2-22 136176]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-2-15 1405384]

S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-2-15 15232]

S3 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2006-8-27 53168]

S3 PulseUsb;Livescribe Pulse Smartpen USB Driver;c:\windows\system32\drivers\PulseUsb.sys [2009-7-6 19584]

S3 SaiH075C;SaiH075C;c:\windows\system32\drivers\SaiH075C.sys [2006-10-12 176640]

S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\ntglm7x.sys --> e:\NTGLM7X.sys [?]

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2009-5-3 11520]

S4 CinemaNow Service;CinemaNow Service;c:\program files\cinemanow\cinemanow media manager\CinemaNowSvc.exe [2009-1-30 125304]

=============== Created Last 30 ================

2011-02-28 22:07:46 -------- d-sha-r- C:\cmdcons

2011-02-28 22:05:48 98816 ----a-w- c:\windows\sed.exe

2011-02-28 22:05:48 89088 ----a-w- c:\windows\MBR.exe

2011-02-28 22:05:48 256512 ----a-w- c:\windows\PEV.exe

2011-02-28 22:05:48 161792 ----a-w- c:\windows\SWREG.exe

2011-02-28 20:38:55 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2011-02-22 23:20:14 16432 ----a-w- c:\windows\system32\lsdelete.exe

2011-02-22 21:31:15 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys

2011-02-22 21:23:30 -------- d-----w- c:\docume~1\chaimd~1\locals~1\applic~1\Temp

2011-02-22 21:23:13 -------- d-----w- c:\docume~1\chaimd~1\locals~1\applic~1\Google

2011-02-22 21:23:07 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{84D8B12B-411B-484B-91F0-823C394D5DD9}

2011-02-16 20:35:53 -------- d-----w- c:\program files\ESET

==================== Find3M ====================

============= FINISH: 13:22:26.81 ===============

[screen317]

Not currently, no. Let's run this online scan just to double-check.

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

1. Tick the box next to YES, I accept the Terms of Use.
   
2. Click Start
   
3. When asked, allow the ActiveX control to install
   
4. Click Start
   
5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
   
6. Click Scan
   Wait for the scan to finish
   
7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
   
8. Copy and paste that log as a reply to this topic
   

Next, download my Security Check from here or here.

• Save it to your Desktop.
  
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.
  

Let me know how things are running now and what issues remain.

-screen317

[Skeeve]

Not currently, no. Let's run this online scan just to double-check.

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

1. Tick the box next to YES, I accept the Terms of Use.
   
2. Click Start
   
3. When asked, allow the ActiveX control to install
   
4. Click Start
   
5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
   
6. Click Scan
   Wait for the scan to finish
   
7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
   
8. Copy and paste that log as a reply to this topic
   

Next, download my Security Check from here or here.

• Save it to your Desktop.
  
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.
  

Let me know how things are running now and what issues remain.

-screen317

Here are the two logs. Unfortunately I ran Eset, but I had to stop it in the middle. It picked up two infections. I will put that report first. Then I ran it again and I am attaching that log as well. Should I try entering the web address (www.facebook.com) that caused the browser to be taken over to see if the infection is still there? (I haven't done it again since we started this)

C:\System Volume Information\_restore{2753380B-CAD7-407C-9BFB-D99477876F3F}\RP1692\A0097839.exe Win32/Toolbar.AskSBar application deleted - quarantined

C:\System Volume Information\_restore{2753380B-CAD7-407C-9BFB-D99477876F3F}\RP1692\A0097840.exe Win32/Toolbar.AskSBar application deleted - quarantined

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

esets_scanner_update returned -1 esets_gle=1

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6425

# api_version=3.0.2

# EOSSerial=b17c5030d9d3da469f268ba96b56297e

# end=stopped

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-03-01 10:35:46

# local_time=2011-03-01 02:35:46 (-0800, Pacific Standard Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 2

# compatibility_mode=512 16777215 100 0 0 0 0 0

# compatibility_mode=5890 16776537 100 2 78198255 78198255 0 0

# compatibility_mode=8192 67108863 100 0 1047543 1047543 0 0

# scanned=1868

# found=0

# cleaned=0

# scan_time=52

esets_scanner_update returned -1 esets_gle=53251

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6425

# api_version=3.0.2

# EOSSerial=b17c5030d9d3da469f268ba96b56297e

# end=stopped

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-03-01 11:42:10

# local_time=2011-03-01 03:42:10 (-0800, Pacific Standard Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 2

# compatibility_mode=512 16777215 100 0 0 0 0 0

# compatibility_mode=5890 16776537 100 2 78198378 78198378 0 0

# compatibility_mode=8192 67108863 100 0 1047666 1047666 0 0

# scanned=110527

# found=2

# cleaned=2

# scan_time=3913

C:\System Volume Information\_restore{2753380B-CAD7-407C-9BFB-D99477876F3F}\RP1692\A0097839.exe Win32/Toolbar.AskSBar application (deleted - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{2753380B-CAD7-407C-9BFB-D99477876F3F}\RP1692\A0097840.exe Win32/Toolbar.AskSBar application (deleted - quarantined) 00000000000000000000000000000000 C

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6425

# api_version=3.0.2

# EOSSerial=b17c5030d9d3da469f268ba96b56297e

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-03-02 06:00:01

# local_time=2011-03-02 10:00:01 (-0800, Pacific Standard Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 2

# compatibility_mode=512 16777215 100 0 0 0 0 0

# compatibility_mode=5890 16776537 100 2 78262443 78262443 0 0

# compatibility_mode=8192 67108863 100 0 1111731 1111731 0 0

# scanned=210014

# found=0

# cleaned=0

# scan_time=5718

Results of screen317's Security Check version 0.99.9

Windows XP Service Pack 2

Out of date service pack!!

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Disabled!

ESET Online Scanner v3

Windows Live OneCare

Microsoft Windows OneCare Live v2.5.2900.20 Idcrl Install

Microsoft Windows Live OneCare Resources v2.5.2900.30

GTOneCare

Dr Watson for Microsoft Windows OneCare Live v1.0.0971.38

Microsoft Windows OneCare Live v2.5.2900.30

Microsoft Windows OneCare Live AntiSpyware and AntiVirus

```````````````````````````````

Anti-malware/Other Utilities Check:

Ad-Aware

Malwarebytes' Anti-Malware

DH Driver Cleaner.NET

Java 6 Update 5

Java 6 Update 7

Out of date Java installed!

Adobe Flash Player

Adobe Reader 9.3.4

Out of date Adobe Reader installed!

````````````````````````````````

Process Check:

objlist.exe by Laurent

Windows Defender MSMpEng.exe

Ad-Aware AAWService.exe

Ad-Aware AAWTray.exe

Microsoft Windows OneCare Live Antivirus MsMpEng.exe

ESET ESET Online Scanner OnlineCmdLineScanner.exe

Chaim D Desktop Malware Stuff SecurityCheck.exe

Microsoft Windows OneCare Live Firewall msfwsvc.exe

``````````End of Log````````````

[screen317]

Hi,

Microsoft plans to discontinue your current antivirus since it has been superseded by the free Microsoft Security Essentials.

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following programs (if present):

Windows Live OneCare

Microsoft Windows OneCare Live v2.5.2900.20 Idcrl Install

Microsoft Windows Live OneCare Resources v2.5.2900.30

Dr Watson for Microsoft Windows OneCare Live v1.0.0971.38

Microsoft Windows OneCare Live v2.5.2900.30

Microsoft Windows OneCare Live AntiSpyware and AntiVirus

Java

[Skeeve]

Hi,

Microsoft plans to discontinue your current antivirus since it has been superseded by the free Microsoft Security Essentials.

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following programs (if present):

Windows Live OneCare

Microsoft Windows OneCare Live v2.5.2900.20 Idcrl Install

Microsoft Windows Live OneCare Resources v2.5.2900.30

Dr Watson for Microsoft Windows OneCare Live v1.0.0971.38

Microsoft Windows OneCare Live v2.5.2900.30

Microsoft Windows OneCare Live AntiSpyware and AntiVirus

Java

[screen317]

If you want to pay, then ESET is fine, but Microsoft Security Essentials, which I recommend highly, is free and is what I use. If you are uneasy about being without an antivirus while you transition, disconnect from the Internet during that time and you'll be fine.

[Skeeve]

If you want to pay, then ESET is fine, but Microsoft Security Essentials, which I recommend highly, is free and is what I use. If you are uneasy about being without an antivirus while you transition, disconnect from the Internet during that time and you'll be fine.

We allready have a licence for the Eset so I might as well use it. By the way, non of the programs you listed to unistall besides "Microsoft One Care" were listed in the ADD or REMOVE program section. Are they someowhere else? Like Dr. Watson I believe can be found in Windows\system32. Should I just erase that program file?

[screen317]

Hi,

My apologies for the delay. Not sure why I wasn't notified of this post.

Just do the uninstall for Microsoft One Care if you haven't already.

Do you still need help?

[screen317]

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!