Exploit.Drop.2

[Flagship]

A friend of mine ran into trouble while he was traveling - all of his shortcuts (files/programs) were deleted and started to experience slow performance and then complete inability to do anything. He took his laptop to another sysadmin type who ran superantispyware free addition and apparently found something. I don't have a copy of the log (not one in the superantispyware folder) from that scan, however he began having similar problems almost immediately. So, he asked for my help and I'm asking for your's.

I got my hands on the laptop this morning and while in safe mode I installed Malwarebytes (free version I downloaded this morning) along with a freshly updated definitions file from my clean pc. I ran a full scan and found 5 instances of Exploit.drop.2 which were cleaned. Log follows my post.

Since the virus has come back from 1 cleaning I'm concerned about remnants that might be hiding somewhere. So, I saw in several threads the next step of running DSS and posting that log so I've done that as well below.

Any help or reassurance you can provide would be appreciated. Thanks.

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 7622

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 8.0.6001.18702

11/2/2011 1:23:18 PM

mbam-log-2011-11-02 (13-23-18).txt

Scan type: Full scan (C:\|)

Objects scanned: 401686

Time elapsed: 57 minute(s), 18 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 5

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\Temp\0.5385262250541611.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.

c:\WINDOWS\Temp\0.5589355995342373.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.

c:\WINDOWS\Temp\0.8947217968509884.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.

c:\WINDOWS\Temp\0.642489351629468.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.

c:\WINDOWS\Temp\0.675099983224796.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.

DDS LOG:

.

DDS (Ver_2011-08-26.01) - NTFSx86 MINIMAL

Internet Explorer: 8.0.6001.18702

Run by horationelson at 13:28:44 on 2011-11-02

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2036.1718 [GMT -4:00]

.

AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

C:\Program Files\SUPERAntiSpyware\SASCORE.EXE

C:\WINDOWS\Explorer.EXE

.

============== Pseudo HJT Report ===============

.

uSearch Page = hxxp://www.live.com

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: TmIEPlugInBHO Class: {1ca1377b-dc1d-4a52-9585-6e06050fac53} - c:\program files\trend micro\client server security agent\bho\1009\TmIEPlg.dll

BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll

BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"

uRun: [iSUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler

mRun: [Apoint] c:\program files\delltpad\Apoint.exe

mRun: [sysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe

mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /installquiet

mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start

mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit

mRun: [iAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe

mRun: [ChangeTPMAuth] c:\program files\wave systems corp\common\ChangeTPMAuth.exe /T:NTRU12

mRun: [WavXMgr] c:\program files\wave systems corp\services manager\docmgr\bin\WavXDocMgr.exe

mRun: [secureUpgrade] c:\program files\wave systems corp\SecureUpgrade.exe

mRun: [EmbassySecurityCheck] "c:\program files\wave systems corp\embassy security setup\EMBASSYSecurityCheck.exe"

mRun: [DellControlPoint] "c:\program files\dell\dell controlpoint\Dell.ControlPoint.exe"

mRun: [DCPstrApp] c:\program files\dell\dell controlpoint\security manager\SecurityDeviceInfoSetRegistryString.exe

mRun: [DellConnectionManager] "c:\program files\dell\dell controlpoint\connection manager\Dell.UCM.exe"

mRun: [broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe

mRun: [Dell Webcam Central] "c:\program files\dell webcam\dell webcam central\WebcamDell.exe" /mode2

mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"

mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"

mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"

mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon

mRun: [sSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot

mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"

mRun: [iSTray] "f:\spyware doctor\pctsTray.exe"

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

mPolicies-explorer: NoWelcomeScreen = 1 (0x1)

dPolicies-explorer: NoDesktop = 1 (0x1)

IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm

IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll

IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL

DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB

DPF: {00134F72-5284-44F7-95A8-52A619F70751} - hxxps://192.168.2.11:4343/officescan/console/ClientInstall/WinNTChk.cab

DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} - hxxps://192.168.2.11:4343/officescan/console/ClientInstall/setup.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab

DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} - hxxp://crowsnest/connectcomputer/nshelp.dll

DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.4.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1236104574609

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

TCP: Interfaces\{0B53D1C9-63EA-4D84-8358-CE0A86F5B472} : NameServer = 192.168.2.11,71.252.0.12

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} -

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

LSA: Authentication Packages = msv1_0 wvauth

.

============= SERVICES / DRIVERS ===============

.

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-5-9 130936]

R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]

S0 twemmujm;twemmujm;c:\windows\system32\drivers\mlpe.sys --> c:\windows\system32\drivers\mlpe.sys [?]

S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 165648]

S1 MpKsl9b896cc3;MpKsl9b896cc3;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3d786f6b-b364-41e4-a2af-670625d2dddc}\MpKsl9b896cc3.sys [2011-10-28 28752]

S1 MpKslb9c75bbe;MpKslb9c75bbe;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{920b0fc7-82ef-44e4-b88c-742f70f51a22}\mpkslb9c75bbe.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{920b0fc7-82ef-44e4-b88c-742f70f51a22}\MpKslb9c75bbe.sys [?]

S1 MpKsle8107e6f;MpKsle8107e6f;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{91586f63-f654-448b-b5bd-2f0b18dda271}\mpksle8107e6f.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{91586f63-f654-448b-b5bd-2f0b18dda271}\MpKsle8107e6f.sys [?]

S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]

S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]

S2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2007-4-19 133968]

S2 BBUpdate;BBUpdate;c:\program files\microsoft\bingbar\SeaPort.EXE [2011-6-15 249648]

S2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\dell\dell controlpoint\DCPButtonSvc.exe [2008-9-4 406808]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostControlService.exe [2008-11-11 808296]

S2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostStorageService.exe [2008-11-11 20840]

S2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\dell\dell controlpoint\system manager\DCPSysMgrSvc.exe [2008-11-11 451872]

S2 gupdate1c99d1342aa259a;Google Update Service (gupdate1c99d1342aa259a);c:\program files\google\update\GoogleUpdate.exe [2009-3-4 133104]

S2 RalinkRegistryWriter;Ralink Registry Writer;c:\program files\hawking\common\RaRegistry.exe [2011-4-16 185632]

S2 Scutum50;Scutum50 NDIS Protocol Driver;c:\windows\system32\drivers\Scutum50.sys [2011-4-16 19072]

S2 sdAuxService;PC Tools Auxiliary Service;f:\spyware doctor\pctsauxs.exe --> f:\spyware doctor\pctsAuxs.exe [?]

S2 sdCoreService;PC Tools Security Service;f:\spyware doctor\pctssvc.exe --> f:\spyware doctor\pctsSvc.exe [?]

S2 SMManager;Smith Micro Connection Manager Service;c:\program files\dell\dell controlpoint\connection manager\SMManager.exe [2008-10-1 90112]

S3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-2-23 112128]

S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-7-7 195336]

S3 CCIDFILTER;Broadcom Smart Card Reader Filter Driver;c:\windows\system32\drivers\ccidflt.sys [2009-2-23 12840]

S3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [2009-2-23 32808]

S3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2009-2-23 244368]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-3-4 133104]

S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]

S3 OA001Afx;Provides a software interface to control audio effects of OA001 camera.;c:\windows\system32\drivers\OA001Afx.sys [2009-2-23 148056]

S3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\drivers\OA001Ufd.sys [2009-2-23 144672]

S3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\drivers\OA001Vid.sys [2009-2-23 277440]

S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2011-4-16 818976]

S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-11-14 394952]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== Created Last 30 ================

.

2011-11-02 17:24:46 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3d786f6b-b364-41e4-a2af-670625d2dddc}\offreg.dll

2011-11-02 16:17:48 -------- d-----w- c:\documents and settings\horationelson.lt-007\application data\Malwarebytes

2011-11-02 16:16:54 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-11-02 16:16:51 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-11-02 16:16:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-10-31 14:27:11 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3d786f6b-b364-41e4-a2af-670625d2dddc}\MpKslf139f049.sys

2011-10-28 11:58:15 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3d786f6b-b364-41e4-a2af-670625d2dddc}\MpKsl9b896cc3.sys

2011-10-28 02:22:14 -------- d-----w- c:\program files\SUPERAntiSpyware

2011-10-28 02:22:14 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com

2011-10-27 23:07:58 -------- d-----w- C:\NBRT

2011-10-27 22:44:29 -------- d-----w- C:\SERT

2011-10-27 11:42:51 609778 ----a-w- c:\windows\system32\PerfStringBackup.TMP

2011-10-27 02:26:55 6668624 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3d786f6b-b364-41e4-a2af-670625d2dddc}\mpengine.dll

2011-10-27 02:19:20 0 ----a-w- c:\windows\system32\0.9830352149672897.exe

2011-10-27 01:53:09 0 ---ha-w- c:\windows\system32\0.6918356742000344.exe

2011-10-22 17:53:13 -------- d-sh--w- C:\found.000

2011-10-20 16:17:31 9852544 ---ha-w- C:\mbam-setup-1.51.2.1300.exe

2011-10-20 14:13:27 0 ---ha-w- c:\windows\system32\0.20530909894140836.exe

2011-10-20 14:07:56 0 ---ha-w- c:\windows\system32\0.9932985379656548.exe

.

==================== Find3M ====================

.

2011-10-21 19:28:49 414368 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-09-26 15:41:20 611328 ---ha-w- c:\windows\system32\uiautomationcore.dll

2011-09-26 15:41:20 220160 ---ha-w- c:\windows\system32\oleacc.dll

2011-09-26 15:41:14 20480 ---ha-w- c:\windows\system32\oleaccrc.dll

2011-09-09 09:12:13 599040 ---ha-w- c:\windows\system32\crypt32.dll

2011-09-06 13:25:11 1867904 ---ha-w- c:\windows\system32\win32k.sys

2011-08-22 23:48:55 916480 ---ha-w- c:\windows\system32\wininet.dll

2011-08-22 23:48:54 43520 ---ha-w- c:\windows\system32\licmgr10.dll

2011-08-22 23:48:54 1469440 ---ha-w- c:\windows\system32\inetcpl.cpl

2011-08-22 11:56:39 385024 ---ha-w- c:\windows\system32\html.iec

2011-08-17 13:49:54 138496 ---ha-w- c:\windows\system32\drivers\afd.sys

.

============= FINISH: 13:30:55.43 ===============

[negster22]

Hi and Welcome,

I can see some infected items present in your DDS.txt.

What I'd first like you to do is rerun MBAM but do it in NORMAL mode - not safe mode, if possible. Then post that log.

Please Run ComboFix by following the steps provided in exactly this sequence:

Here is a tutorial that describes how to download, install and run Combofix. Please thoroughly review it beofre proceeding:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Very Important! BEFORE downloading Combofix, temporarily disable your antivirus (MSE) and antimalware (SuperAntispyware) real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:

http://www.bleepingcomputer.com/forums/topic114351.html

Note: The above tutorial does not tell you to rename Combofix as I am about to instruct you to do in the following instructions, so make sure you complete the renaming step before launching Combofix.

Using ComboFix ->

NOTE: If possible do all downloads on a clean PC and then transfer the troubleshooting program (EXE) to the infected PC.

Please download Combofix from one of these locations:

HERE or HERE

I want you to rename Combofix.exe as you download it to iexplore.exe

Notes:

• It is very important that save the newly renamed EXE file to your desktop.
  
• You must rename Combofixe.exe as you download it and not after it is on your computer.
  You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
  • Open Firefox
    
  • Click Tools -> Options -> Main
    
  • Under the downloads section check the button that says "Always ask me where to save files".
    
  • Click OK
    

  [*]For Internet Explorer:

  • Choose to save, not open the file
    
  • When prompted - save the file to your desktop, and rename it iexplore.exe.
    

Running Combofix

In the event you already have Combofix, please delete it as this is a new version.

• Close any open browsers and programs.
  
• Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  
• If Combofix asks to update, please allow it to do so. If it renames itself back to Combofix.exe - this is normal!!
  
• If You are running Windows XP, and Combofix asks to install the Recovery Console, please allow it to do so or it WILL NOT perform it's normal malware removal capabilities. This is for your safety !!
  

1. To Launch Combofix

Click Start --> Run, and enter (copy/paste)this command exactly as shown:

"%userprofile%\desktop\iexplore.exe" /killall

2. When finished, it will produce a logfile located at C:\ComboFix.txt

3. Post the contents of that log in your next reply.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.

Please post C:\ComboFix.txt in your next reply.

If You have problems running Combofix then try running it in "Safe Mode with Networking" as follows:

• Restart your computer
  
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  
• Instead of Windows loading normally, the Advanced Options Menu should appear;
  
• Select the option, to run Windows in "Safe Mode with Networking", then press Enter.
  
• Choose your usual account, and launch Combofix as directed above.

=============

NOTE: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

[Flagship]

negster22,

Thank you for the reply.

I tried running MBAM twice in normal mode and it errored out after an hour or so each time.

I'm going to go ahead and follow your instructions on running ComboFix.

[Flagship]

negster22,

Here is the ComboFix log, thanks again:

ComboFix 11-11-02.03 - horationelson 11/02/2011 23:40:08.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2036.159 [GMT -4:00]

Running from: c:\documents and settings\horationelson\Desktop\ComboFix.exe

Command switches used :: /killall

AV: Emsisoft Anti-Malware *Disabled/Outdated* {0F8591BB-342B-4493-91C3-4E948ED21255}

AV: Microsoft Security Essentials *Disabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

C:\install.exe

c:\windows\system32\0.20530909894140836.exe

c:\windows\system32\0.6918356742000344.exe

c:\windows\system32\0.9830352149672897.exe

c:\windows\system32\0.9932985379656548.exe

.

.

((((((((((((((((((((((((( Files Created from 2011-10-03 to 2011-11-03 )))))))))))))))))))))))))))))))

.

.

2011-11-03 04:07 . 2011-11-03 04:07 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3D786F6B-B364-41E4-A2AF-670625D2DDDC}\offreg.dll

2011-11-03 03:11 . 2011-11-03 03:11 -------- d-----w- c:\documents and settings\horationelson\Application Data\SUPERAntiSpyware.com

2011-11-03 02:12 . 2011-11-03 02:12 -------- d-----w- c:\documents and settings\All Users\Application Data\DellUCM

2011-11-03 01:56 . 2011-11-03 01:56 -------- d-----w- c:\documents and settings\horationelson\Local Settings\Application Data\Apple Computer

2011-11-03 01:55 . 2011-11-03 01:55 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-11-03 01:52 . 2011-11-03 01:52 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3D786F6B-B364-41E4-A2AF-670625D2DDDC}\MpKsl186a0265.sys

2011-11-02 17:36 . 2011-11-03 04:09 -------- d-----w- c:\program files\Emsisoft Anti-Malware

2011-11-02 16:16 . 2011-11-02 16:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-11-02 16:16 . 2011-11-02 16:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-11-02 16:16 . 2011-08-31 21:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-11-02 15:31 . 2011-11-02 15:31 -------- d-----w- c:\documents and settings\horationelson.LT-007

2011-10-31 14:27 . 2011-10-31 14:27 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3D786F6B-B364-41E4-A2AF-670625D2DDDC}\MpKslf139f049.sys

2011-10-28 02:22 . 2011-10-28 02:23 -------- d-----w- c:\program files\SUPERAntiSpyware

2011-10-28 02:22 . 2011-10-28 02:22 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2011-10-27 23:07 . 2011-10-27 23:08 -------- d-----w- C:\NBRT

2011-10-27 22:44 . 2011-10-27 22:44 -------- d-----w- C:\SERT

2011-10-27 20:59 . 2011-10-27 20:59 -------- d-----w- c:\documents and settings\Don.LT-007\Application Data\Malwarebytes

2011-10-27 11:42 . 2011-11-03 01:58 609778 ----a-w- c:\windows\system32\PerfStringBackup.TMP

2011-10-27 02:26 . 2011-10-07 03:48 6668624 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3D786F6B-B364-41E4-A2AF-670625D2DDDC}\mpengine.dll

2011-10-22 17:53 . 2011-10-22 17:53 -------- d-----w- C:\found.000

2011-10-20 16:17 . 2011-10-20 16:18 9852544 ----a-w- C:\mbam-setup-1.51.2.1300.exe

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-11-03 04:09 . 2009-08-03 14:23 0 ----a-w- c:\documents and settings\horationelson\Local Settings\Application Data\WavXMapDrive.bat

2011-10-21 19:28 . 2011-07-12 14:24 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-10-07 03:48 . 2011-08-06 15:34 6668624 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2011-09-26 15:41 . 2008-07-30 00:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll

2011-09-26 15:41 . 2008-04-25 16:16 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-26 15:41 . 2008-04-25 16:16 20480 ----a-w- c:\windows\system32\oleaccrc.dll

2011-09-09 09:12 . 2008-04-25 16:16 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-09-06 13:25 . 2008-04-25 16:16 1867904 ----a-w- c:\windows\system32\win32k.sys

2011-08-22 23:48 . 2008-04-25 16:16 916480 ----a-w- c:\windows\system32\wininet.dll

2011-08-22 23:48 . 2008-04-25 16:16 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-08-22 23:48 . 2008-04-25 16:16 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-08-22 11:56 . 2008-04-25 16:16 385024 ----a-w- c:\windows\system32\html.iec

2011-08-17 13:49 . 2008-04-25 16:16 138496 ----a-w- c:\windows\system32\drivers\afd.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]

@="{022F2F51-CDDA-4873-8A29-72C66C808A3F}"

[HKEY_CLASSES_ROOT\CLSID\{022F2F51-CDDA-4873-8A29-72C66C808A3F}]

2009-11-07 05:07 297808 ----a-w- c:\windows\system32\mscoree.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]

@="{661963C1-99A1-44e7-A671-1CF3768AE9D4}"

[HKEY_CLASSES_ROOT\CLSID\{661963C1-99A1-44e7-A671-1CF3768AE9D4}]

2009-11-07 05:07 297808 ----a-w- c:\windows\system32\mscoree.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-04 39408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-10-28 200704]

"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-12-01 483420]

"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2008-12-01 471040]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-08-28 13537280]

"nwiz"="nwiz.exe" [2008-08-28 1630208]

"NVHotkey"="nvHotkey.dll" [2008-08-28 90112]

"NvMediaCenter"="NvMCTray.dll" [2008-08-28 86016]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-12-04 186904]

"ChangeTPMAuth"="c:\program files\Wave Systems Corp\Common\ChangeTPMAuth.exe" [2008-05-30 180224]

"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2008-05-14 105472]

"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2008-06-24 243000]

"EmbassySecurityCheck"="c:\program files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe" [2008-06-24 79160]

"DellControlPoint"="c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2008-08-18 598016]

"DCPstrApp"="c:\program files\Dell\Dell ControlPoint\Security Manager\SecurityDeviceInfoSetRegistryString.exe" [2008-08-04 6656]

"DellConnectionManager"="c:\program files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe" [2008-10-01 1454080]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-10-28 2220032]

"Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" [2008-10-17 442536]

"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]

"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2011-09-07 40376]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-09-22 640440]

"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]

"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280]

"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-05 421888]

"a-squared"="c:\program files\Emsisoft Anti-Malware\a2guard.exe" [2011-11-03 3322256]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-8-15 604776]

Dell ControlPoint System Manager.lnk - c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe [2008-11-11 950048]

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2009-2-23 50688]

Hawking Wireless-Utility.lnk - c:\program files\Hawking\Common\HawkingWirelessUtility.exe [2011-4-16 1662976]

VPN Client.lnk - c:\windows\Installer\{B0BF7057-6869-4E4B-920C-EA2A58DA07F0}\Icon3E5562ED7.ico [2011-7-11 6144]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-27 123904]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoWelcomeScreen"= 1 (0x1)

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

.

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [5/9/2009 5:08 PM 130936]

R1 MpKsl186a0265;MpKsl186a0265;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3D786F6B-B364-41E4-A2AF-670625D2DDDC}\MpKsl186a0265.sys [11/2/2011 9:52 PM 28752]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]

R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 7:38 PM 116608]

R2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [11/2/2011 1:37 PM 3045688]

R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [4/19/2007 7:56 AM 133968]

R2 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\SeaPort.EXE [6/15/2011 5:33 PM 249648]

R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\Dell\Dell ControlPoint\DCPButtonSvc.exe [9/4/2008 7:28 PM 406808]

R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [11/11/2008 6:35 PM 808296]

R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [11/11/2008 6:35 PM 20840]

R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [11/11/2008 5:00 PM 451872]

R2 Scutum50;Scutum50 NDIS Protocol Driver;c:\windows\system32\drivers\Scutum50.sys [4/16/2011 3:11 PM 19072]

R2 SMManager;Smith Micro Connection Manager Service;c:\program files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe [10/1/2008 6:28 AM 90112]

R3 a2acc;a2acc;c:\program files\Emsisoft Anti-Malware\a2accx86.sys [11/2/2011 1:37 PM 51632]

R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2/23/2009 9:32 PM 112128]

R3 CCIDFILTER;Broadcom Smart Card Reader Filter Driver;c:\windows\system32\drivers\ccidflt.sys [2/23/2009 8:02 PM 12840]

R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [2/23/2009 9:33 PM 32808]

R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2/23/2009 9:32 PM 244368]

R3 OA001Afx;Provides a software interface to control audio effects of OA001 camera.;c:\windows\system32\drivers\OA001Afx.sys [2/23/2009 9:33 PM 148056]

R3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\drivers\OA001Ufd.sys [2/23/2009 9:33 PM 144672]

R3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\drivers\OA001Vid.sys [2/23/2009 9:33 PM 277440]

S0 twemmujm;twemmujm;c:\windows\system32\drivers\mlpe.sys --> c:\windows\system32\drivers\mlpe.sys [?]

S1 MpKsl9b896cc3;MpKsl9b896cc3;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3D786F6B-B364-41E4-A2AF-670625D2DDDC}\MpKsl9b896cc3.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3D786F6B-B364-41E4-A2AF-670625D2DDDC}\MpKsl9b896cc3.sys [?]

S1 MpKslb9c75bbe;MpKslb9c75bbe;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{920B0FC7-82EF-44E4-B88C-742F70F51A22}\MpKslb9c75bbe.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{920B0FC7-82EF-44E4-B88C-742F70F51A22}\MpKslb9c75bbe.sys [?]

S1 MpKsle8107e6f;MpKsle8107e6f;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{91586F63-F654-448B-B5BD-2F0B18DDA271}\MpKsle8107e6f.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{91586F63-F654-448B-B5BD-2F0B18DDA271}\MpKsle8107e6f.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]

S2 gupdate1c99d1342aa259a;Google Update Service (gupdate1c99d1342aa259a);c:\program files\Google\Update\GoogleUpdate.exe [3/4/2009 5:50 PM 133104]

S2 sdAuxService;PC Tools Auxiliary Service;f:\spyware doctor\pctsAuxs.exe --> f:\spyware doctor\pctsAuxs.exe [?]

S3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [7/7/2011 7:31 PM 195336]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/4/2009 5:50 PM 133104]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]

.

Contents of the 'Scheduled Tasks' folder

.

2011-11-03 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-04 12:34]

.

2011-11-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-04 21:50]

.

2011-11-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-04 21:50]

.

2011-11-03 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 19:39]

.

2011-11-03 c:\windows\Tasks\User_Feed_Synchronization-{0EF093C0-ACC7-48BE-838D-814E029F59FF}.job

- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://companyweb

IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html

IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{0B53D1C9-63EA-4D84-8358-CE0A86F5B472}: NameServer = 192.168.2.11,71.252.0.12

DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB

.

- - - - ORPHANS REMOVED - - - -

.

HKLM-Run-ISTray - f:\spyware doctor\pctsTray.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-11-03 00:09

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(1336)

c:\windows\system32\WININET.dll

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

- - - - - - - > 'lsass.exe'(1396)

c:\windows\system32\WININET.dll

.

- - - - - - - > 'explorer.exe'(1604)

c:\windows\system32\WININET.dll

c:\program files\ScanSoft\OmniPageSE4\OpHookSE4.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll

c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmUserInterface.dll

c:\windows\system32\btmmhook.dll

c:\program files\Windows Desktop Search\deskbar.dll

c:\program files\Windows Desktop Search\en-us\dbres.dll.mui

c:\program files\Windows Desktop Search\dbres.dll

c:\program files\Windows Desktop Search\wordwheel.dll

c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui

c:\program files\Windows Desktop Search\msnlExtRes.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\btncopy.dll

c:\program files\Roxio\Drag-to-Disc\Shellex.dll

c:\program files\Common Files\Roxio Shared\9.0\DLLShared\DLAAPI_W.DLL

c:\program files\Roxio\Drag-to-Disc\ShellRes.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe

c:\windows\System32\WLTRYSVC.EXE

c:\windows\System32\bcmwltry.exe

c:\drivers\audio\r205445\stacsv.exe

c:\windows\System32\SCardSvr.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

c:\program files\Cisco Systems\VPN Client\cvpnd.exe

c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\nvsvc32.exe

c:\program files\Hawking\Common\RaRegistry.exe

c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe

c:\windows\system32\wscntfy.exe

c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE

c:\windows\system32\rundll32.exe

c:\windows\system32\RunDLL32.exe

c:\program files\DellTPad\ApMsgFwd.exe

c:\program files\DellTPad\HidFind.exe

c:\program files\DellTPad\Apntex.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2011-11-03 00:17:56 - machine was rebooted

ComboFix-quarantined-files.txt 2011-11-03 04:17

.

Pre-Run: 101,125,693,440 bytes free

Post-Run: 102,335,000,576 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

- - End Of File - - 617DA4E86AE5BFF1C15EC59BEE519B7E

[negster22]

ow we have to run Combofix again to get rid of your infection :

1. Open Notepad, and on the Notepad menu, choose "Format" and make sure that Word Wrap is UNchecked (disabled).

2. Copy/Paste the text in the code box below and save it to your desktop as CFScript.txt by using the File -> "Save as" function on the Notepad Menu.

KillAll::

DirLook::
C:\NBRT
C:\SERT

DDS::
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

Driver::
twemmujm

Rootkit::
c:\windows\system32\0.9830352149672897.exe
c:\windows\system32\0.6918356742000344.exe
c:\windows\system32\0.20530909894140836.exe
c:\windows\system32\0.9932985379656548.exe
c:\windows\system32\drivers\mlpe.sys

3. Disable all anti-malware and antivirus active protection by referring to these directions HERE

4. Close All Open Windows and Browsers,

Referring to the picture above, drag CFScript.txt into renamed ComboFix.exe on your desktop

This will cause ComboFix to run again.

If the run does not finish or You have problems, please launch Combofix in safe mode following the same directions as above.

If ComboFix prompts you to:

• Update to a newer version, make sure you allow it to update.
  
• Upload infected files for analysis, please allow it to do so.

Please copy/paste the log (C:\Combofix.txt) that opens when it finishes (Do NOT attach it).

Please download RKill to your desktop from the following link.

http://www.bleepingcomputer.com/download/anti-virus/rkill

When at the download page, click on the Download Now button and save to your desktop whatever renamed version of the file that you can get to run on the infected PC.

Once it is downloaded, double-click on the rkill.exe icon (or whatever the "working" name is of the EXE you downloaded) in order to automatically attempt to stop any processes associated with Rogue programs.

Do NOT reboot!!

Download Unhide.exe

Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.

Now try to run MBAM again in normal mode.

Please post the requested logs and let me know how things went.

[Flagship]

Here is the ComboFix log:

ComboFix 11-11-03.05 - horationelson 11/04/2011 0:09.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2036.305 [GMT -4:00]

Running from: c:\documents and settings\horationelson\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\horationelson\Desktop\CFScript.txt

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Service_twemmujm

.

.

((((((((((((((((((((((((( Files Created from 2011-10-04 to 2011-11-04 )))))))))))))))))))))))))))))))

.

.

2011-11-04 04:30 . 2011-11-04 04:30 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B2D87F5F-9880-4018-A679-A9AD9E5B5D00}\offreg.dll

2011-11-04 03:57 . 2011-10-07 03:48 6668624 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B2D87F5F-9880-4018-A679-A9AD9E5B5D00}\mpengine.dll

2011-11-03 03:11 . 2011-11-03 03:11 -------- d-----w- c:\documents and settings\horationelson\Application Data\SUPERAntiSpyware.com

2011-11-03 02:12 . 2011-11-03 02:12 -------- d-----w- c:\documents and settings\All Users\Application Data\DellUCM

2011-11-03 01:56 . 2011-11-03 01:56 -------- d-----w- c:\documents and settings\horationelson\Local Settings\Application Data\Apple Computer

2011-11-03 01:55 . 2011-11-03 01:55 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-11-02 16:16 . 2011-11-02 16:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-11-02 16:16 . 2011-11-02 16:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-11-02 16:16 . 2011-08-31 21:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-11-02 15:31 . 2011-11-02 15:31 -------- d-----w- c:\documents and settings\horationelson.LT-007

2011-10-28 02:22 . 2011-10-28 02:23 -------- d-----w- c:\program files\SUPERAntiSpyware

2011-10-28 02:22 . 2011-10-28 02:22 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2011-10-27 23:07 . 2011-10-27 23:08 -------- d-----w- C:\NBRT

2011-10-27 22:44 . 2011-10-27 22:44 -------- d-----w- C:\SERT

2011-10-27 20:59 . 2011-10-27 20:59 -------- d-----w- c:\documents and settings\Don.LT-007\Application Data\Malwarebytes

2011-10-22 17:53 . 2011-10-22 17:53 -------- d-----w- C:\found.000

2011-10-20 16:17 . 2011-10-20 16:18 9852544 ----a-w- C:\mbam-setup-1.51.2.1300.exe

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-11-04 04:32 . 2009-08-03 14:23 0 ----a-w- c:\documents and settings\horationelson\Local Settings\Application Data\WavXMapDrive.bat

2011-10-21 19:28 . 2011-07-12 14:24 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-10-07 03:48 . 2011-08-06 15:34 6668624 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2011-09-26 15:41 . 2008-07-30 00:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll

2011-09-26 15:41 . 2008-04-25 16:16 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-26 15:41 . 2008-04-25 16:16 20480 ----a-w- c:\windows\system32\oleaccrc.dll

2011-09-09 09:12 . 2008-04-25 16:16 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-09-06 13:25 . 2008-04-25 16:16 1867904 ----a-w- c:\windows\system32\win32k.sys

2011-08-22 23:48 . 2008-04-25 16:16 916480 ----a-w- c:\windows\system32\wininet.dll

2011-08-22 23:48 . 2008-04-25 16:16 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-08-22 23:48 . 2008-04-25 16:16 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-08-22 11:56 . 2008-04-25 16:16 385024 ----a-w- c:\windows\system32\html.iec

2011-08-17 13:49 . 2008-04-25 16:16 138496 ----a-w- c:\windows\system32\drivers\afd.sys

.

.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

---- Directory of C:\NBRT ----

.

2011-10-28 00:12 . 2011-10-28 00:31 2072 ----a-w- c:\nbrt\VirusDef\20111026.004\vscanmsx.dat

2011-10-27 23:08 . 2011-10-27 23:08 30 ----a-w- c:\nbrt\VirusDef\usage.dat

2011-10-27 23:08 . 2011-10-27 23:08 0 ----a-w- c:\nbrt\VirusDef\newdefs-trigger\trigger.dat

2011-10-27 23:08 . 2011-10-27 23:08 34 ----a-w- c:\nbrt\VirusDef\definfo.dat

2011-10-27 23:08 . 2011-10-27 21:59 224 ----a-w- c:\nbrt\VirusDef\20111026.004\zdone.dat

2011-10-27 23:08 . 2011-10-27 21:59 41379 ----a-w- c:\nbrt\VirusDef\20111026.004\whatsnew.TXT

2011-10-27 23:08 . 2011-10-27 21:59 32 ----a-w- c:\nbrt\VirusDef\20111026.004\virscant.dat

2011-10-27 23:08 . 2011-10-27 21:59 6410151 ----a-w- c:\nbrt\VirusDef\20111026.004\virscan9.dat

2011-10-27 23:08 . 2011-10-27 21:59 1009960 ----a-w- c:\nbrt\VirusDef\20111026.004\virscan8.dat

2011-10-27 23:08 . 2011-10-27 21:59 398711 ----a-w- c:\nbrt\VirusDef\20111026.004\virscan6.dat

2011-10-27 23:08 . 2011-10-27 21:59 196883146 ----a-w- c:\nbrt\VirusDef\20111026.004\virscan7.dat

2011-10-27 23:08 . 2011-10-27 21:59 574068 ----a-w- c:\nbrt\VirusDef\20111026.004\virscan2.dat

2011-10-27 23:08 . 2011-10-27 21:59 157916 ----a-w- c:\nbrt\VirusDef\20111026.004\virscan3.dat

2011-10-27 23:08 . 2011-10-27 21:59 320391 ----a-w- c:\nbrt\VirusDef\20111026.004\virscan4.dat

2011-10-27 23:08 . 2011-10-27 21:59 16185581 ----a-w- c:\nbrt\VirusDef\20111026.004\virscan5.dat

2011-10-27 23:08 . 2011-10-27 21:59 3934 ----a-w- c:\nbrt\VirusDef\20111026.004\tscan1hd.dat

2011-10-27 23:08 . 2011-10-27 21:59 5257 ----a-w- c:\nbrt\VirusDef\20111026.004\v.grd

2011-10-27 23:08 . 2011-10-27 21:59 2609 ----a-w- c:\nbrt\VirusDef\20111026.004\v.sig

2011-10-27 23:08 . 2011-10-27 21:59 106244 ----a-w- c:\nbrt\VirusDef\20111026.004\virscan.inf

2011-10-27 23:08 . 2011-10-27 21:59 1061529 ----a-w- c:\nbrt\VirusDef\20111026.004\virscan1.dat

2011-10-27 23:08 . 2011-10-27 21:59 178189 ----a-w- c:\nbrt\VirusDef\20111026.004\tcscan8.dat

2011-10-27 23:08 . 2011-10-27 21:59 652942 ----a-w- c:\nbrt\VirusDef\20111026.004\tcscan9.dat

2011-10-27 23:08 . 2011-10-27 21:59 875 ----a-w- c:\nbrt\VirusDef\20111026.004\technote.txt

2011-10-27 23:08 . 2011-10-27 21:59 453 ----a-w- c:\nbrt\VirusDef\20111026.004\tinf.dat

2011-10-27 23:08 . 2011-10-27 21:59 148 ----a-w- c:\nbrt\VirusDef\20111026.004\tinfidx.dat

2011-10-27 23:08 . 2011-10-27 21:59 1957 ----a-w- c:\nbrt\VirusDef\20111026.004\tinfl.dat

2011-10-27 23:08 . 2011-10-27 21:59 74646 ----a-w- c:\nbrt\VirusDef\20111026.004\tscan1.dat

2011-10-27 23:08 . 2011-10-27 21:59 22991018 ----a-w- c:\nbrt\VirusDef\20111026.004\tcscan7.dat

2011-10-27 23:08 . 2011-10-27 21:59 581 ----a-w- c:\nbrt\VirusDef\20111026.004\SymErase.inf

2011-10-27 23:08 . 2011-10-27 21:59 22921321 ----a-w- c:\nbrt\VirusDef\20111026.004\tcdefs.dat

2011-10-27 23:08 . 2011-10-27 21:59 8737 ----a-w- c:\nbrt\VirusDef\20111026.004\symaveng.cat

2011-10-27 23:08 . 2011-10-27 21:59 1063 ----a-w- c:\nbrt\VirusDef\20111026.004\symaveng.inf

2011-10-27 23:08 . 2011-10-27 21:59 72 ----a-w- c:\nbrt\VirusDef\20111026.004\SymErase.cat

2011-10-27 23:08 . 2011-10-27 21:59 6536 ----a-w- c:\nbrt\VirusDef\20111026.004\ncsacert.txt

2011-10-27 23:08 . 2011-10-27 21:59 98112 ----a-w- c:\nbrt\VirusDef\20111026.004\scrauth.dat

2011-10-27 23:08 . 2011-10-27 21:59 1934704 ----a-w- c:\nbrt\VirusDef\20111026.004\navex32a.dll

2011-10-27 23:08 . 2011-10-27 21:59 9595 ----a-w- c:\nbrt\VirusDef\20111026.004\hh

2011-10-27 23:08 . 2011-10-27 21:59 86136 ----a-w- c:\nbrt\VirusDef\20111026.004\naveng.sys

2011-10-27 23:08 . 2011-10-27 21:59 177520 ----a-w- c:\nbrt\VirusDef\20111026.004\naveng32.dll

2011-10-27 23:08 . 2011-10-27 21:59 1576312 ----a-w- c:\nbrt\VirusDef\20111026.004\navex15.sys

2011-10-27 23:08 . 2011-10-27 21:59 2604 ----a-w- c:\nbrt\VirusDef\20111026.004\ERASER.sig

2011-10-27 23:08 . 2011-10-27 21:59 3960 ----a-w- c:\nbrt\VirusDef\20111026.004\ERASER.spm

2011-10-27 23:08 . 2011-10-27 21:59 106104 ----a-w- c:\nbrt\VirusDef\20111026.004\eraser.sys

2011-10-27 23:08 . 2011-10-27 21:59 7130300 ----a-w- c:\nbrt\VirusDef\20111026.004\esrdef.bin

2011-10-27 23:08 . 2011-10-27 21:59 374392 ----a-w- c:\nbrt\VirusDef\20111026.004\eeCtrl.sys

2011-10-27 23:08 . 2011-10-27 21:59 232 ----a-w- c:\nbrt\VirusDef\20111026.004\ERASER.grd

2011-10-27 23:08 . 2011-10-27 21:59 758 ----a-w- c:\nbrt\VirusDef\20111026.004\cur.scr

2011-10-27 23:08 . 2011-10-27 21:59 279992 ----a-w- c:\nbrt\VirusDef\20111026.004\ecmsvr32.dll

2011-10-27 23:08 . 2011-10-27 21:59 3412 ----a-w- c:\nbrt\VirusDef\20111026.004\catalog.dat

2011-10-27 23:08 . 2011-10-27 21:59 2828408 ----a-w- c:\nbrt\VirusDef\20111026.004\cceraser.dll

.

---- Directory of C:\SERT ----

.

.

.

((((((((((((((((((((((((((((( SnapShot@2011-11-03_04.10.40 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-11-04 04:30 . 2011-11-04 04:30 16384 c:\windows\Temp\Perflib_Perfdata_93c.dat

+ 2008-04-25 16:16 . 2011-11-04 04:35 89272 c:\windows\system32\perfc009.dat

- 2008-04-25 16:16 . 2011-11-03 04:12 89272 c:\windows\system32\perfc009.dat

+ 2011-11-04 03:48 . 2011-11-04 04:00 1706 c:\windows\SoftwareDistribution\EventCache\{1CCCCCD6-1DB4-42D7-8CEE-F0EB02FCAB2C}.bin

+ 2008-04-25 16:16 . 2011-11-04 04:35 508442 c:\windows\system32\perfh009.dat

- 2008-04-25 16:16 . 2011-11-03 04:12 508442 c:\windows\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]

@="{022F2F51-CDDA-4873-8A29-72C66C808A3F}"

[HKEY_CLASSES_ROOT\CLSID\{022F2F51-CDDA-4873-8A29-72C66C808A3F}]

2009-11-07 05:07 297808 ----a-w- c:\windows\system32\mscoree.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]

@="{661963C1-99A1-44e7-A671-1CF3768AE9D4}"

[HKEY_CLASSES_ROOT\CLSID\{661963C1-99A1-44e7-A671-1CF3768AE9D4}]

2009-11-07 05:07 297808 ----a-w- c:\windows\system32\mscoree.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-04 39408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-10-28 200704]

"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-12-01 483420]

"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2008-12-01 471040]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-08-28 13537280]

"nwiz"="nwiz.exe" [2008-08-28 1630208]

"NVHotkey"="nvHotkey.dll" [2008-08-28 90112]

"NvMediaCenter"="NvMCTray.dll" [2008-08-28 86016]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-12-04 186904]

"ChangeTPMAuth"="c:\program files\Wave Systems Corp\Common\ChangeTPMAuth.exe" [2008-05-30 180224]

"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2008-05-14 105472]

"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2008-06-24 243000]

"EmbassySecurityCheck"="c:\program files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe" [2008-06-24 79160]

"DellControlPoint"="c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2008-08-18 598016]

"DCPstrApp"="c:\program files\Dell\Dell ControlPoint\Security Manager\SecurityDeviceInfoSetRegistryString.exe" [2008-08-04 6656]

"DellConnectionManager"="c:\program files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe" [2008-10-01 1454080]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-10-28 2220032]

"Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" [2008-10-17 442536]

"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]

"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2011-09-07 40376]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-09-22 640440]

"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]

"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280]

"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-05 421888]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-8-15 604776]

Dell ControlPoint System Manager.lnk - c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe [2008-11-11 950048]

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2009-2-23 50688]

Hawking Wireless-Utility.lnk - c:\program files\Hawking\Common\HawkingWirelessUtility.exe [2011-4-16 1662976]

VPN Client.lnk - c:\windows\Installer\{B0BF7057-6869-4E4B-920C-EA2A58DA07F0}\Icon3E5562ED7.ico [2011-7-11 6144]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-27 123904]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoWelcomeScreen"= 1 (0x1)

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

.

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [5/9/2009 5:08 PM 130936]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]

R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 7:38 PM 116608]

R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [4/19/2007 7:56 AM 133968]

R2 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\SeaPort.EXE [6/15/2011 5:33 PM 249648]

R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\Dell\Dell ControlPoint\DCPButtonSvc.exe [9/4/2008 7:28 PM 406808]

R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [11/11/2008 6:35 PM 808296]

R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [11/11/2008 6:35 PM 20840]

R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [11/11/2008 5:00 PM 451872]

R2 Scutum50;Scutum50 NDIS Protocol Driver;c:\windows\system32\drivers\Scutum50.sys [4/16/2011 3:11 PM 19072]

R2 SMManager;Smith Micro Connection Manager Service;c:\program files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe [10/1/2008 6:28 AM 90112]

R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2/23/2009 9:32 PM 112128]

R3 CCIDFILTER;Broadcom Smart Card Reader Filter Driver;c:\windows\system32\drivers\ccidflt.sys [2/23/2009 8:02 PM 12840]

R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [2/23/2009 9:33 PM 32808]

R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2/23/2009 9:32 PM 244368]

R3 OA001Afx;Provides a software interface to control audio effects of OA001 camera.;c:\windows\system32\drivers\OA001Afx.sys [2/23/2009 9:33 PM 148056]

R3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\drivers\OA001Ufd.sys [2/23/2009 9:33 PM 144672]

R3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\drivers\OA001Vid.sys [2/23/2009 9:33 PM 277440]

S1 MpKsl9b896cc3;MpKsl9b896cc3;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3D786F6B-B364-41E4-A2AF-670625D2DDDC}\MpKsl9b896cc3.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3D786F6B-B364-41E4-A2AF-670625D2DDDC}\MpKsl9b896cc3.sys [?]

S1 MpKslb9c75bbe;MpKslb9c75bbe;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{920B0FC7-82EF-44E4-B88C-742F70F51A22}\MpKslb9c75bbe.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{920B0FC7-82EF-44E4-B88C-742F70F51A22}\MpKslb9c75bbe.sys [?]

S1 MpKsle8107e6f;MpKsle8107e6f;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{91586F63-F654-448B-B5BD-2F0B18DDA271}\MpKsle8107e6f.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{91586F63-F654-448B-B5BD-2F0B18DDA271}\MpKsle8107e6f.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]

S2 gupdate1c99d1342aa259a;Google Update Service (gupdate1c99d1342aa259a);c:\program files\Google\Update\GoogleUpdate.exe [3/4/2009 5:50 PM 133104]

S2 sdAuxService;PC Tools Auxiliary Service;f:\spyware doctor\pctsAuxs.exe --> f:\spyware doctor\pctsAuxs.exe [?]

S3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [7/7/2011 7:31 PM 195336]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/4/2009 5:50 PM 133104]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]

.

Contents of the 'Scheduled Tasks' folder

.

2011-11-04 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-04 12:34]

.

2011-11-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-04 21:50]

.

2011-11-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-04 21:50]

.

2011-11-04 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 19:39]

.

2011-11-04 c:\windows\Tasks\User_Feed_Synchronization-{0EF093C0-ACC7-48BE-838D-814E029F59FF}.job

- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://companyweb

IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html

IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{0B53D1C9-63EA-4D84-8358-CE0A86F5B472}: NameServer = 192.168.2.11,71.252.0.12

DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-11-04 00:31

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(1336)

c:\windows\system32\WININET.dll

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

- - - - - - - > 'lsass.exe'(1400)

c:\windows\system32\WININET.dll

.

- - - - - - - > 'explorer.exe'(4988)

c:\windows\system32\WININET.dll

c:\program files\ScanSoft\OmniPageSE4\OpHookSE4.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll

c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmUserInterface.dll

c:\windows\system32\btmmhook.dll

c:\program files\Windows Desktop Search\deskbar.dll

c:\program files\Windows Desktop Search\en-us\dbres.dll.mui

c:\program files\Windows Desktop Search\dbres.dll

c:\program files\Windows Desktop Search\wordwheel.dll

c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui

c:\program files\Windows Desktop Search\msnlExtRes.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\btncopy.dll

c:\program files\Roxio\Drag-to-Disc\Shellex.dll

c:\program files\Common Files\Roxio Shared\9.0\DLLShared\DLAAPI_W.DLL

c:\program files\Roxio\Drag-to-Disc\ShellRes.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe

c:\windows\System32\WLTRYSVC.EXE

c:\windows\System32\bcmwltry.exe

c:\drivers\audio\r205445\stacsv.exe

c:\windows\System32\SCardSvr.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

c:\program files\Cisco Systems\VPN Client\cvpnd.exe

c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\nvsvc32.exe

c:\program files\Hawking\Common\RaRegistry.exe

c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe

c:\windows\system32\wscntfy.exe

c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE

c:\program files\DellTPad\ApMsgFwd.exe

c:\windows\system32\rundll32.exe

c:\windows\system32\RunDLL32.exe

c:\program files\DellTPad\HidFind.exe

c:\program files\DellTPad\Apntex.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2011-11-04 00:40:40 - machine was rebooted

ComboFix-quarantined-files.txt 2011-11-04 04:40

ComboFix2.txt 2011-11-03 04:18

.

Pre-Run: 102,057,861,120 bytes free

Post-Run: 102,222,876,672 bytes free

.

- - End Of File - - CD18D82545A101351787A94F832372DC

[Flagship]

and MBAM log:

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 8081

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

11/4/2011 2:44:33 AM

mbam-log-2011-11-04 (02-44-33).txt

Scan type: Full scan (C:\|)

Objects scanned: 394939

Time elapsed: 1 hour(s), 43 minute(s), 41 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Thank you!!

[negster22]

Thank you for posting all the logs the two folders I was concerned about that I had Combofix reveal the contents of belong to two legitimate Symantec troubleshooting programs:

C:\SERT is the Symantec Endpoint Recovery Tool folder

C:\NBRT is the Norton Bootable Recovery Tool folder

Combofix removed the same items that MBAM did, plus a malicious driver, and the subsequent MBAM scan is clean.

Can you please tell me if the computer is running OK now or are you still having residual problems?

Please perform a scan with the ESET online virus scanner. You can expect some detections in Combofix's quarantine (Qoobox) and system volume information. They will not represent active malware so don't worry:

http://www.eset.com/onlinescan/index.php

• ESET recommends disabling your resident antivirus's auto-protection feature before beginning the scan to avoid conflicts and system hangs
  
• Use Internet Explorer to navigate to the scanner website because you must approve install an ActiveX add-on to complete the scan.
  
• Check the "Yes, I accept the terms of use" box.
  
• Click "Start"
  
• Approve the installation of the ActiveX control that's required to enable scanning
  
• Make sure the box to
  • Remove found threats. is CHECKED!!
    
  • Click "Start"
    

  [*]Allow the definition data base to install

  [*]Click "Scan"

When the scan is done:

• Do NOT choose the option to uninstall the ESET Online Scanner with all its components because you need to retain the scan log for posting.
  
• Please post the scan report in your next reply. It can be found in this location:
  C:\Program Files\EsetOnlineScanner\log.txt
  
• You can remove the ESET Online Scanner using the Windows Control Panel - Add/Remove Programs feature

Important: Do NOT choose the option to automatically uninstall or the ESET Scan log will be deleted!!

Note to Windows 7 and Vista users, and anyone with restrictive IE security settings:

Depending on your security settings, you may have to allow cookies and put the ESET website, www.eset.com, into the trusted zone of Internet Explorer if the scan has problems starting (in Vista this is a necessity as IE runs in Protected mode).

To do that, on the Internet Explorer menu click Tools => Internet Options => Security => Trusted Sites => Sites. Then UNcheck "Require server verification for all sites in this zone" checkbox at the bottom of the dialog. Add the above www.eset.com url to the list of trusted sites, by inserting it in the blank box and clicking the Add button, then click Close. For cookies, choose the IE Privacy tab and add the above eset.com url to the exceptions list for cookie blocking.

[screen317]

Are you still with us? This topic will be closed in a few days if we do not hear back from you.

[screen317]

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!