Undetectable Malware or Virus

alili · July 31, 2011

This all started a week ago. I noticed I couldn't open any of my programs without going through the whole "Open with" scenario. That puzzelled me. I wanted to play my Sims2 game, I knew it opens with Sims2 Launcher, so I clicked that. It changed all my programs to open with sims 2 launcher. I went through several days of running norton 360, deleting unused programs, checking for anything i did wrong. Nothing. Then I finally came across this site that gives you registry files you can save to a disk to repair registry files that open with virus damages. By intuition I clicked on Gateway Connect /Accelor and repaired my icon problems. Before then the malware would not let me on the internet. Internet Explorer was just a blank white screen. I had to use another computer to create the disk. The disk helped repair my registry and I had no more open with problems. For access to the internet I had to create another user on my computer. I could log on. I downloaded Malwarebyte ran some test and it found no problems. I still couldnt log on the internet from my old user acct.

The thing whenever I have my internet access turned on, I keep getting these messages:

00:51:31 turbo MESSAGE Protection started successfully

00:51:37 turbo MESSAGE IP Protection started successfully

00:53:03 turbo IP-BLOCK 91.200.241.49 (Type: outgoing, Port: 49444, Process: services.exe)

00:58:02 turbo IP-BLOCK 91.200.241.49 (Type: outgoing, Port: 59161, Process: services.exe)

01:03:07 turbo IP-BLOCK 91.200.241.49 (Type: outgoing, Port: 59261, Process: services.exe)

01:08:04 turbo IP-BLOCK 91.200.241.49 (Type: outgoing, Port: 59316, Process: services.exe)

01:13:10 turbo IP-BLOCK 91.200.241.49 (Type: outgoing, Port: 59335, Process: services.exe)

01:18:08 turbo IP-BLOCK 91.200.241.49 (Type: outgoing, Port: 59344, Process: services.exe)

01:23:12 turbo IP-BLOCK 91.200.241.49 (Type: outgoing, Port: 59418, Process: services.exe)

01:28:10 turbo IP-BLOCK 91.200.241.49 (Type: outgoing, Port: 59425, Process: services.exe)

01:33:16 turbo IP-BLOCK 91.200.241.49 (Type: outgoing, Port: 59430, Process: services.exe)

01:38:14 turbo IP-BLOCK 91.200.241.49 (Type: outgoing, Port: 59432, Process: services.exe)

I researched it and found this website. So I did the defogger, that didnt work. Nothing is working to stop this outgoing. I am assuming I am still infected. The IP address shows its from china. Ack I dont what else to do.

screen317 · August 3, 2011

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run two logs will be produced, please post only DDS.txt directly into your reply.

alili · August 4, 2011

Thank you very much for the welcome and replying. I really appreciate it.

MBAM Scan results :

mbam-log-2011-08-03 (20-29-14).txt

Scan type: Quick scan

Objects scanned: 182537

Time elapsed: 5 minute(s), 42 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

*************************************************************************************************************

DDS notepad:

DDS (Ver_2011-06-23.01) - NTFSx86

Internet Explorer: 9.0.8112.16421

Run by turbo at 20:31:11 on 2011-08-03

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.1253 [GMT -4:00]

.

AV: Norton 360 *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Norton 360 *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}

FW: Norton 360 *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\System32\svchost.exe -k NetworkService

C:\Windows\System32\svchost.exe -k secsvcs

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Windows\system32\SLsvc.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\agrsmsvc.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Windows\system32\lxdlcoms.exe

C:\Program Files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\taskeng.exe

C:\Program Files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe

C:\Windows\system32\Dwm.exe

C:\Windows\system32\taskeng.exe

C:\Windows\Explorer.EXE

C:\Program Files\Windows Defender\MSASCui.exe

C:\Windows\System32\igfxtray.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

C:\Windows\sttray.exe

C:\Windows\system32\igfxsrvc.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\System32\wsqmcons.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe

C:\Windows\system32\Macromed\Flash\FlashUtil10t_ActiveX.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=M-6817

mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=M-6817

uInternet Settings,ProxyOverride = <local>

mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=M-6817

mURLSearchHooks: H - No File

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll

BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\5.1.0.29\coIEPlg.dll

BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\5.1.0.29\ips\IPSBHO.DLL

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - c:\program files\windows live\companion\companioncore.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: {ba14329e-9550-4989-b3f2-9732e92d17cc} - No File

TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll

TB: {ba14329e-9550-4989-b3f2-9732e92d17cc} - No File

TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll

TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\5.1.0.29\coIEPlg.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

uRun: [sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun

uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

mRun: [bigFix] c:\program files\bigfix\bigfix.exe /atstartup

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [iAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe

mRun: [sigmatelSysTrayApp] sttray.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe

mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html

IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\npjpi160_01.dll

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 10.0.0.1

TCP: Interfaces\{32A02B64-2F9A-4ADC-8CF8-8B6CD1A69B75} : DhcpNameServer = 10.0.0.1

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll

Notify: igfxcui - igfxdev.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\turbo\appdata\roaming\mozilla\firefox\profiles\gsd3b3lh.default\

FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

.

============= SERVICES / DRIVERS ===============

.

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0501000.01d\symds.sys [2011-5-10 340088]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0501000.01d\symefa.sys [2011-5-10 744568]

R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\bashdefs\20110723.001\BHDrvx86.sys [2011-7-22 815736]

R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\ipsdefs\20110802.030\IDSvix86.sys [2011-8-2 367736]

R1 rqgguej;rqgguej;c:\windows\system32\drivers\rqgguej.sys [2008-9-24 307680]

R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0501000.01d\ironx86.sys [2011-5-10 136312]

R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\n360\0501000.01d\symtdiv.sys [2011-5-10 331384]

R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-24 21504]

R2 lxdl_device;lxdl_device;c:\windows\system32\lxdlcoms.exe -service --> c:\windows\system32\lxdlcoms.exe -service [?]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-7-28 366640]

R2 N360;Norton 360;c:\program files\norton 360\engine\5.1.0.29\ccsvchst.exe [2011-5-10 130008]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-7-29 105592]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-7-28 22712]

R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-10 135664]

S2 lxdlCATSCustConnectService;lxdlCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdlserv.exe [2007-5-29 99248]

S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2011-7-6 39272]

S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-9-23 1493352]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-5-10 135664]

S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]

.

=============== Created Last 30 ================

.

2011-08-03 06:27:01 -------- d-----w- c:\users\turbo\appdata\local\Mozilla

2011-08-02 05:51:09 6881616 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{1623f945-2259-451d-9af0-05edb8cc8f34}\mpengine.dll

2011-07-30 15:00:27 -------- d-----w- c:\users\turbo\appdata\local\Adobe

2011-07-30 05:30:12 -------- d-----w- c:\users\turbo\appdata\local\CrashDumps

2011-07-29 15:41:28 -------- d-----w- c:\users\turbo\appdata\roaming\WildTangent

2011-07-28 07:52:33 -------- d-----w- c:\users\turbo\appdata\roaming\Malwarebytes

2011-07-28 07:52:21 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-28 07:52:17 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-07-28 07:52:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-07-28 07:33:34 -------- d-----w- c:\users\turbo\appdata\local\Google

2011-07-27 18:42:05 86528 ----a-w- c:\windows\system32\iesysprep.dll

2011-07-22 23:08:37 -------- d-----w- c:\program files\Western Digital

2011-07-18 13:01:33 -------- d-----w- c:\programdata\Western Digital

2011-07-13 14:33:49 2043392 ----a-w- c:\windows\system32\win32k.sys

2011-07-13 14:33:46 49152 ----a-w- c:\windows\system32\csrsrv.dll

2011-07-13 14:33:46 375808 ----a-w- c:\windows\system32\winsrv.dll

2011-07-09 05:03:01 461020 ----a-w- c:\programdata\SPL9701.tmp

2011-07-07 16:08:24 461020 ----a-w- c:\programdata\SPL6641.tmp

2011-07-06 08:55:50 -------- d-----w- c:\windows\en

2011-07-06 08:53:14 39272 ----a-w- c:\windows\system32\drivers\fssfltr.sys

2011-07-06 08:49:11 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition

2011-07-06 08:43:06 -------- d-----w- c:\program files\Microsoft

2011-07-06 08:42:52 469256 ----a-w- c:\program files\common files\windows live\.cache\af8b9ef01cc3bb805\InstallManager_WLE_WLE.exe

2011-07-06 08:42:24 15712 ----a-w- c:\program files\common files\windows live\.cache\a0c797701cc3bb804\MeshBetaRemover.exe

2011-07-06 08:42:19 94040 ----a-w- c:\program files\common files\windows live\.cache\9d3326101cc3bb803\DSETUP.dll

2011-07-06 08:42:19 525656 ----a-w- c:\program files\common files\windows live\.cache\9d3326101cc3bb803\DXSETUP.exe

2011-07-06 08:42:19 1691480 ----a-w- c:\program files\common files\windows live\.cache\9d3326101cc3bb803\dsetup32.dll

2011-07-06 08:42:10 94040 ----a-w- c:\program files\common files\windows live\.cache\97a872901cc3bb802\DSETUP.dll

2011-07-06 08:42:10 525656 ----a-w- c:\program files\common files\windows live\.cache\97a872901cc3bb802\DXSETUP.exe

2011-07-06 08:42:10 1691480 ----a-w- c:\program files\common files\windows live\.cache\97a872901cc3bb802\dsetup32.dll

2011-07-06 08:40:46 754688 ----a-w- c:\windows\system32\webservices.dll

.

==================== Find3M ====================

.

2011-06-18 17:28:29 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-05-24 23:14:10 222080 ------w- c:\windows\system32\MpSigStub.exe

2011-05-11 02:52:11 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

.

============= FINISH: 20:32:42.13 ===============

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

screen317 · August 5, 2011

Hi,

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317

alili · August 7, 2011

Hi,

I downloaded and ran combofix, thing is, i can't log on to the internet no more from my laptop.

It keeps telling me that internet explorer and firefox registry keys (.exe)are marked for deletion. I think I am going to have burn the logs unto disk.

alili · August 7, 2011

I fixed the combofix nt letting me log on

Combo scan:

ComboFix 11-08-03.03 - turbo 08/07/2011 11:22:51.1.2 - x86

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.1582 [GMT -4:00]

Running from: c:\users\turbo\Desktop\ComboFix.exe

AV: Norton 360 *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}

FW: Norton 360 *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

SP: Norton 360 *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\programdata\SPL5C36.tmp

c:\programdata\SPL6641.tmp

c:\programdata\SPL8256.tmp

c:\programdata\SPL8A0E.tmp

c:\programdata\SPL9701.tmp

c:\programdata\SPLB1FF.tmp

c:\programdata\SPLBDA3.tmp

c:\programdata\SPLF13E.tmp

c:\programdata\Windows

c:\users\Alesha\Documents\~WRL0001.tmp

c:\users\Alesha\Documents\~WRL0002.tmp

c:\windows\security\Database\tmp.edb

c:\windows\System32\drivers\rqgguej.sys

D:\Autorun.inf

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_rqgguej

-------\Service_rqgguej

.

((((((((((((((((((((((((( Files Created from 2011-07-07 to 2011-08-07 )))))))))))))))))))))))))))))))

.

2011-08-07 15:40 . 2011-08-07 15:40 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-08-07 15:40 . 2011-08-07 15:40 -------- d-----w- c:\users\Alesha\AppData\Local\temp

2011-08-05 06:31 . 2011-07-20 13:44 6881616 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{1FFC025A-918C-4A99-BF46-D17715AAC738}\mpengine.dll

2011-08-01 06:55 . 2011-08-01 06:55 -------- d-----w- c:\users\Guest

2011-07-28 07:52 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-28 07:52 . 2011-07-28 07:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-07-28 07:52 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-07-28 07:32 . 2011-07-30 19:21 -------- d-----w- c:\users\turbo

2011-07-28 03:29 . 2011-07-28 03:29 -------- d-----w- c:\users\Alesha\AppData\Local\Windows Live Writer

2011-07-28 03:29 . 2011-07-28 03:29 -------- d-----w- c:\users\Alesha\AppData\Roaming\Windows Live Writer

2011-07-22 23:12 . 2011-07-22 23:12 -------- d-----w- c:\users\Alesha\AppData\Local\Western_Digital

2011-07-22 23:08 . 2011-07-22 23:08 -------- d-----w- c:\program files\Western Digital

2011-07-18 13:01 . 2011-07-30 18:10 -------- d-----w- c:\programdata\Western Digital

2011-07-18 12:46 . 2011-07-22 23:07 -------- d-----w- c:\users\Alesha\AppData\Local\Western Digital

2011-07-13 14:33 . 2011-06-02 13:34 2043392 ----a-w- c:\windows\system32\win32k.sys

2011-07-13 14:33 . 2011-04-20 15:55 375808 ----a-w- c:\windows\system32\winsrv.dll

2011-07-13 14:33 . 2011-04-20 15:50 49152 ----a-w- c:\windows\system32\csrsrv.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-07-06 08:43 . 2010-06-24 15:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll

2011-06-18 17:28 . 2011-05-18 03:42 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-05-24 23:14 . 2009-12-18 07:15 222080 ------w- c:\windows\system32\MpSigStub.exe

2011-05-11 02:52 . 2011-05-11 02:33 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2011-07-08 07:16 . 2011-08-03 06:26 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]

2011-01-17 20:54 175912 ----a-w- c:\program files\ConduitEngine\prxConduitEngine.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-01-17 175912]

.

[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]

"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-05-10 39408]

"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-26 141848]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]

"SigmatelSysTrayApp"="sttray.exe" [2007-01-30 303104]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"Launcher"="c:\windows\SMINST\launcher.exe" [2007-05-04 40072]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"mixer"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2009-12-18 12:58 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Camera Assistant Software]

2007-04-03 21:13 638976 ----a-w- c:\program files\Camera Assistant Software for Toshiba\traybar.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]

2010-04-01 09:16 357696 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

2009-02-26 19:57 173592 ----a-w- c:\windows\System32\hkcmd.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]

2009-06-05 00:03 186904 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

2009-02-26 19:57 141848 ----a-w- c:\windows\System32\igfxtray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]

2009-02-26 19:57 150552 ----a-w- c:\windows\System32\igfxpers.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]

2007-01-30 19:36 303104 ----a-w- c:\windows\sttray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

2010-05-10 15:50 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]

2006-11-17 22:58 815104 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]

"DisableMonitoring"=dword:00000001

.

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-05-10 135664]

R2 lxdlCATSCustConnectService;lxdlCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxdlserv.exe [2007-05-29 99248]

R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-05-10 135664]

R3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]

R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [x]

R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]

R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]

S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-06-23 691696]

S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0501000.01D\SYMDS.SYS [2011-01-27 340088]

S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0501000.01D\SYMEFA.SYS [2011-03-15 744568]

S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20110723.001\BHDrvx86.sys [2011-07-23 815736]

S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20110805.030\IDSvix86.sys [2011-08-02 367736]

S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0501000.01D\Ironx86.SYS [2010-11-16 136312]

S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\Drivers\N360\0501000.01D\SYMTDIV.SYS [2011-03-22 331384]

S2 lxdl_device;lxdl_device;c:\windows\system32\lxdlcoms.exe [2007-05-29 598960]

S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-07-06 366640]

S2 N360;Norton 360;c:\program files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe [2011-04-17 130008]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-07-28 105592]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-07-06 22712]

S3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-11-17 3668480]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

.

Contents of the 'Scheduled Tasks' folder

.

2011-08-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-10 22:07]

.

2011-08-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-10 22:07]

.

2010-04-27 c:\windows\Tasks\Install_NSS.job

- c:\program files\Vuze\nssstub.exe [2010-04-24 14:32]

.

------- Supplementary Scan -------

.

mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=M-6817

uInternet Settings,ProxyOverride = <local>

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html

TCP: DhcpNameServer = 10.0.0.1

FF - ProfilePath - c:\users\turbo\AppData\Roaming\Mozilla\Firefox\Profiles\gsd3b3lh.default\

.

- - - - ORPHANS REMOVED - - - -

.

BHO-{ba14329e-9550-4989-b3f2-9732e92d17cc} - (no file)

Toolbar-{ba14329e-9550-4989-b3f2-9732e92d17cc} - (no file)

HKLM-Run-BigFix - c:\program files\Bigfix\bigfix.exe

SafeBoot-NetBIOS

SafeBoot-rqgguej

MSConfigStartUp-Google Desktop Search - c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

MSConfigStartUp-HostManager - c:\program files\Common Files\AOL\1202844786\ee\AOLSoftware.exe

MSConfigStartUp-mcagent_exe - c:\program files\McAfee.com\Agent\mcagent.exe

MSConfigStartUp-MskAgentexe - c:\program files\McAfee\MSK\MskAgent.exe

MSConfigStartUp-NapsterShell - c:\program files\Napster\napster.exe

AddRemove-Money2006b - c:\program files\Microsoft Money 2006\MNYCoreFiles\Setup\uninst.exe

AddRemove-SAS System Viewer V8.2 - c:\program files\SAS Institute\SAS System Viewer\SVUninst.isu

AddRemove-Vuze_Remote Toolbar - c:\progra~1\VUZE_R~1\UNINST~1.EXE

AddRemove-WT021682 - c:\program files\Gateway Games\FATE\Uninstall.exe

AddRemove-WT021888 - c:\program files\Gateway Games\Bejeweled 2 Deluxe\Uninstall.exe

AddRemove-WT021890 - c:\program files\Gateway Games\Blackhawk Striker 2\Uninstall.exe

AddRemove-WT021892 - c:\program files\Gateway Games\Blasterball 3\Uninstall.exe

AddRemove-WT021896 - c:\program files\Gateway Games\Family Feud 2\Uninstall.exe

AddRemove-WT021900 - c:\program files\Gateway Games\Penguins!\Uninstall.exe

AddRemove-WT021902 - c:\program files\Gateway Games\Polar Bowler\Uninstall.exe

AddRemove-WT021904 - c:\program files\Gateway Games\Polar Golfer\Uninstall.exe

AddRemove-WT026969 - c:\program files\Gateway Games\Burger Island\Uninstall.exe

AddRemove-WT031121 - c:\program files\Gateway Games\Pizza Frenzy\Uninstall.exe

AddRemove-WT036693 - c:\program files\Gateway Games\Jane's Hotel\Uninstall.exe

AddRemove-WT038825 - c:\program files\Gateway Games\Alice Greenfingers\Uninstall.exe

AddRemove-WT039426 - c:\program files\Gateway Games\Coffee Rush\Uninstall.exe

AddRemove-WT044761 - c:\program files\Gateway Games\Cooking Academy\Uninstall.exe

AddRemove-WT044918 - c:\program files\Gateway Games\Belle's Beauty Boutique\Uninstall.exe

AddRemove-WT045732 - c:\program files\Gateway Games\Diner Dash\Uninstall.exe

AddRemove-WT045873 - c:\program files\Gateway Games\Drop em\Uninstall.exe

AddRemove-WT046752 - c:\program files\Gateway Games\Eye for Design\Uninstall.exe

AddRemove-WT046944 - c:\program files\Gateway Games\Jane's Hotel 2\Uninstall.exe

AddRemove-WT046962 - c:\program files\Gateway Games\Little Farm\Uninstall.exe

AddRemove-WT051086 - c:\program files\Gateway Games\Fashion Dash\Uninstall.exe

AddRemove-WT051508 - c:\program files\Gateway Games\Fitness Frenzy\Uninstall.exe

AddRemove-WT051534 - c:\program files\Gateway Games\First Class Flurry\Uninstall.exe

AddRemove-WT053219 - c:\program files\Gateway Games\Jane's Realty\Uninstall.exe

AddRemove-WT054590 - c:\program files\Gateway Games\Cake Mania 3\Uninstall.exe

AddRemove-WT054712 - c:\program files\Gateway Games\Cooking Dash\Uninstall.exe

AddRemove-WT056004 - c:\program files\Gateway Games\Burger Shop\Uninstall.exe

AddRemove-WT056018 - c:\program files\Gateway Games\Dream Day Wedding\Uninstall.exe

AddRemove-WT057301 - c:\program files\Gateway Games\Alice Greenfingers 2\Uninstall.exe

AddRemove-WT057325 - c:\program files\Gateway Games\Hospital Hustle\Uninstall.exe

AddRemove-WT057371 - c:\program files\Gateway Games\Dress Up Rush\Uninstall.exe

AddRemove-WT057381 - c:\program files\Gateway Games\Lavender's Botanicals\Uninstall.exe

AddRemove-WT057474 - c:\program files\Gateway Games\Restaurant Rush\Uninstall.exe

AddRemove-WT057948 - c:\program files\Gateway Games\Ashton's Family Resort\Uninstall.exe

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-08-07 11:47

Windows 6.0.6002 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\N360]

"ImagePath"="\"c:\program files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\5.1.0.29\diMaster.dll\" /prefetch:1"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

"MSCurrentCountry"=dword:000000b5

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'Explorer.exe'(1660)

c:\windows\system32\ieframe.dll

c:\windows\System32\SyncCenter.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\agrsmsvc.exe

c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

c:\windows\system32\DllHost.exe

c:\windows\system32\igfxsrvc.exe

c:\windows\ehome\ehmsas.exe

c:\program files\Windows Media Player\wmpnetwk.exe

.

**************************************************************************

.

Completion time: 2011-08-07 12:04:58 - machine was rebooted

ComboFix-quarantined-files.txt 2011-08-07 16:04

.

Pre-Run: 8,075,059,200 bytes free

Post-Run: 8,108,810,240 bytes free

.

- - End Of File - - 1E0CB8CE478A215806488B86519D731D

here is dds 2nd scan:

.

DDS (Ver_2011-06-23.01) - NTFSx86

Internet Explorer: 9.0.8112.16421

Run by turbo at 13:15:31 on 2011-08-07

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.1542 [GMT -4:00]

.

AV: Norton 360 *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Norton 360 *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}

FW: Norton 360 *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k secsvcs

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\agrsmsvc.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Windows\system32\lxdlcoms.exe

C:\Program Files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe

C:\Windows\system32\Dwm.exe

C:\Windows\system32\taskeng.exe

C:\Windows\Explorer.EXE

C:\Windows\System32\igfxtray.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

C:\Windows\sttray.exe

C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Windows\ehome\ehtray.exe

C:\Windows\system32\igfxsrvc.exe

C:\Windows\ehome\ehmsas.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe