WiredWX Christian Hobby Weather Tools
Would you like to react to this message? Create an account in a few clicks or log in to continue.

WiredWX Christian Hobby Weather ToolsLog in

 


Wireless disabled due to Virus

4 posters

descriptionWireless disabled due to Virus - Page 1 EmptyRe: Wireless disabled due to Virus10th June 2009, 4:45 pm

more_horiz
This looks fine now. How's the machine running?

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
Wireless disabled due to Virus - Page 1 DXwU4
Wireless disabled due to Virus - Page 1 VvYDg

descriptionWireless disabled due to Virus - Page 1 EmptyRe: Wireless disabled due to Virus11th June 2009, 4:37 pm

more_horiz
I still do not access to the internet, any further help would be greatly appreciated. Thank you

descriptionWireless disabled due to Virus - Page 1 EmptyRe: Wireless disabled due to Virus11th June 2009, 4:49 pm

more_horiz
Hello.
A new infection has risen over the past 2 days, and now I look back I question your logs again, one file stands out slightly suspicious. We may need to go even deeper using a rootkit scanner.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    Code:


    :filefind
    ws2_32.dll


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
Wireless disabled due to Virus - Page 1 DXwU4
Wireless disabled due to Virus - Page 1 VvYDg

descriptionWireless disabled due to Virus - Page 1 EmptyRe: Wireless disabled due to Virus11th June 2009, 6:39 pm

more_horiz
SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 14:36 on 11/06/2009 by david (Administrator - Elevation successful)

========== filefind ==========

Searching for "ws2_32.dll"
C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2_32.dll --a--- 82432 bytes [17:55 21/09/2008] [00:12 14/04/2008] 2CCC474EB85CEAA3E1FA1726580A3E5A
C:\WINDOWS\system32\dllcache\ws2_32.dll --a--- 82944 bytes [22:27 02/06/2009] [15:00 10/08/2004] BCFD249150061F29941893CD0F8FE620
C:\WINDOWS\system32\ws2_32.dll ------ 82944 bytes [15:00 10/08/2004] [15:00 10/08/2004] BCFD249150061F29941893CD0F8FE620

-=End Of File=-

descriptionWireless disabled due to Virus - Page 1 EmptyRe: Wireless disabled due to Virus11th June 2009, 6:50 pm

more_horiz
Hello.
This infection you have here is quite new and can be fixed, but you may want to read here first:
http://miekiemoes.blogspot.com/2009/06/searchengine-redirects-it-could-be.html

Before we can replace the file, we need to get Combofix to install the recovery console and do it's run before we can replace the file.

  • Download combofix from here
    Link 1
    Link 2
  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See HERE for how to disable your AV. (Avira)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

    Wireless disabled due to Virus - Page 1 Rcauto10

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

    Wireless disabled due to Virus - Page 1 Whatne10

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
Wireless disabled due to Virus - Page 1 DXwU4
Wireless disabled due to Virus - Page 1 VvYDg

descriptionWireless disabled due to Virus - Page 1 EmptyRe: Wireless disabled due to Virus11th June 2009, 7:54 pm

more_horiz
I will have to post in two sections.

ComboFix 09-06-11.05 - david 06/11/2009 15:39.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.593 [GMT -4:00]
Running from: G:\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\amanda\Application Data\twain_32
c:\documents and settings\LocalService\Application Data\twain_32
c:\documents and settings\amanda\Application Data\twain_32\user.ds
c:\documents and settings\david\Application Data\wiaserva.log
c:\documents and settings\LocalService\Application Data\twain_32\user.ds
c:\windows\kb913800.exe
c:\windows\system32\_000000_.tmp.dll
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\_000008_.tmp.dll
c:\windows\Temp\19534943.exe
D:\Desktop.ini

c:\windows\system32\grpconv.exe was missing
Restored copy from - c:\system volume information\_restore{BFAA719B-281F-45B6-9E39-9D4BB578C2A4}\RP423\A0026221.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AVAST!ANTIVIRUS
-------\Legacy_WIN32X


((((((((((((((((((((((((( Files Created from 2009-05-11 to 2009-06-11 )))))))))))))))))))))))))))))))
.

2009-06-11 19:42 . 2004-08-10 15:00 39424 ----a-w- c:\windows\system32\grpconv.exe
2009-06-11 19:42 . 2004-08-10 15:00 39424 ----a-w- c:\windows\system32\dllcache\grpconv.exe
2009-06-10 16:25 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-06-10 16:25 . 2009-03-24 20:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-06-10 16:25 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-06-10 16:25 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-06-10 16:25 . 2009-06-10 16:25 -------- d-----w- c:\program files\Avira
2009-06-10 16:25 . 2009-06-10 16:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-06-09 17:19 . 2009-06-09 17:19 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-09 17:19 . 2009-06-09 17:19 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-09 17:19 . 2009-06-09 17:19 -------- d-----w- c:\documents and settings\david\Application Data\Sonic
2009-06-09 17:19 . 2009-06-09 17:19 -------- d-----w- c:\documents and settings\david\Application Data\PC Tools
2009-06-09 17:18 . 2009-06-09 17:18 -------- d-----w- c:\program files\Common Files\BitDefender
2009-06-09 17:18 . 2009-06-09 17:18 -------- d-----w- C:\4304f949750ce894fde4cc20
2009-06-09 11:57 . 2009-06-09 17:19 -------- d-s---w- C:\ComboFix1
2009-06-08 17:11 . 2004-08-10 15:00 4096 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\USMT\iconlib.dll
2009-06-08 13:46 . 2009-06-08 13:46 -------- d-----w- c:\documents and settings\david\Application Data\Malwarebytes
2009-06-08 13:46 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-08 13:46 . 2009-06-08 13:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-08 13:46 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-08 13:46 . 2009-06-09 17:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-08 12:53 . 2009-06-11 19:45 117760 ----a-w- c:\documents and settings\david\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-08 12:52 . 2009-06-09 17:14 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-08 12:52 . 2009-06-08 12:52 -------- d-----w- c:\documents and settings\david\Application Data\SUPERAntiSpyware.com
2009-06-08 12:51 . 2009-06-08 12:51 -------- d-----w- c:\program files\Microsoft Windows OneCare Live
2009-06-05 13:43 . 2009-06-05 13:43 -------- d-----w- c:\documents and settings\david\Application Data\MSNInstaller
2009-06-05 00:21 . 2009-06-05 00:21 -------- d-----w- c:\documents and settings\david\Application Data\Leadertech
2009-06-04 23:31 . 2008-06-11 01:22 81288 ----a-w- c:\windows\system32\drivers\iksyssec.sys
2009-06-04 23:31 . 2008-06-02 19:19 29576 ----a-w- c:\windows\system32\drivers\kcom.sys
2009-06-04 23:31 . 2008-06-02 19:19 42376 ----a-w- c:\windows\system32\drivers\ikfilesec.sys
2009-06-04 23:31 . 2008-06-02 19:19 66952 ----a-w- c:\windows\system32\drivers\iksysflt.sys
2009-06-04 23:30 . 2009-06-09 17:19 -------- d-----w- c:\program files\Spyware Doctor
2009-06-04 14:01 . 2004-05-11 13:56 423784 ----a-w- c:\windows\system32\XceedBkp.dll
2009-06-04 14:01 . 2003-11-19 17:59 512688 ----a-w- c:\windows\system32\XceedCry.dll
2009-06-04 14:01 . 2000-07-15 09:00 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
2009-06-03 14:03 . 2009-06-09 17:18 -------- d-----w- C:\AV-CLS
2009-06-03 13:45 . 2009-06-11 19:45 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-03 13:22 . 2009-06-03 13:22 -------- d-----w- c:\program files\Enigma Software Group
2009-06-02 22:27 . 2004-08-10 15:00 82944 ----a-w- c:\windows\system32\dllcache\ws2_32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-11 19:37 . 2006-08-29 08:20 -------- d-----w- c:\documents and settings\david\Application Data\U3
2009-06-10 15:56 . 2006-04-13 13:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-06-10 03:27 . 2006-09-20 02:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-06-10 03:27 . 2006-09-20 02:38 -------- d-----w- c:\program files\Viewpoint
2009-06-09 17:18 . 2006-09-23 02:08 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2009-06-09 17:18 . 2006-09-23 02:08 -------- d-----w- c:\program files\NVIDIA Corporation
2009-06-09 17:18 . 2006-09-20 02:40 -------- d-----w- c:\documents and settings\david\Application Data\Aim
2009-06-09 17:18 . 2006-09-20 02:38 -------- d-----w- c:\program files\AIM
2009-06-09 17:18 . 2006-10-28 02:45 -------- d-----w- c:\program files\DivX
2009-06-09 17:18 . 2007-08-15 03:13 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-04 18:53 . 2006-04-13 13:56 110416 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-04 15:35 . 2006-04-13 13:44 -------- d-----w- c:\program files\Quickensetup
2009-06-04 15:35 . 2006-04-13 13:17 -------- d-----w- c:\program files\Microsoft Works
2009-06-04 14:29 . 2008-11-04 16:19 -------- d-----w- c:\documents and settings\david\Application Data\GetRightToGo
2009-06-04 13:48 . 2006-04-13 12:47 -------- d-----w- c:\program files\HPQ
2009-06-04 13:47 . 2007-08-06 02:19 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-06-04 11:58 . 2008-12-01 22:18 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-04 11:42 . 2007-08-15 03:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-02 21:52 . 2006-10-27 02:30 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-05-31 01:41 . 2008-09-29 01:16 -------- d-----w- c:\documents and settings\amanda\Application Data\U3
2006-10-28 03:10 . 2006-10-28 03:10 56 --sh--r- c:\windows\system32\260588ACD5.sys
2006-10-28 03:10 . 2006-10-28 03:10 1890 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------

[-] 2008-04-14 00:12 82432 2CCC474EB85CEAA3E1FA1726580A3E5A c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2_32.dll
[-] 2004-08-10 15:00 82944 BCFD249150061F29941893CD0F8FE620 c:\windows\system32\ws2_32.dll
[-] 2004-08-10 15:00 82944 BCFD249150061F29941893CD0F8FE620 c:\windows\system32\dllcache\ws2_32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-04 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-05-26 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-08-01 233534]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 507904]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-03-14 257088]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-07-16 1166216]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-04 68856]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R1 sasdifsv;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 saskutil;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/10/2009 12:25 PM 108289]
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2/10/2007 6:29 AM 29178224]
R2 sdauxservice;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [6/4/2009 7:30 PM 356920]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [8/22/2005 5:06 AM 231424]
R3 sasenum;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
.
------- Supplementary Scan -------
.
uStart Page = yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-11 15:45
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

descriptionWireless disabled due to Virus - Page 1 EmptyRe: Wireless disabled due to Virus11th June 2009, 7:54 pm

more_horiz
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}]
@DACL=(02 0000)
@="Wireless"
"ProcessGroupPolicy"="ProcessWIRELESSPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}]
@DACL=(02 0000)
@="Folder Redirection"
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"DllName"=expand:"fdeploy.dll"
"NoMachinePolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"NoGPOListChanges"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"GenerateGroupPolicy"="GenerateGroupPolicy"
"EventSources"=multi:"(Folder Redirection,Application)\00\00"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
@DACL=(02 0000)
@="Microsoft Disk Quota"
"NoMachinePolicy"=dword:00000000
"NoUserPolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"RequiresSuccessfulRegistry"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000000
"DllName"=expand:"dskquota.dll"
"ProcessGroupPolicy"="ProcessGroupPolicy"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}]
@DACL=(02 0000)
@="QoS Packet Scheduler"
"ProcessGroupPolicy"="ProcessPSCHEDPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}]
@DACL=(02 0000)
@="Scripts"
"ProcessGroupPolicy"="ProcessScriptsGroupPolicy"
"ProcessGroupPolicyEx"="ProcessScriptsGroupPolicyEx"
"GenerateGroupPolicy"="GenerateScriptsGroupPolicy"
"DllName"=expand:"gptext.dll"
"NoSlowLink"=dword:00000001
"NoGPOListChanges"=dword:00000001
"NotifyLinkTransition"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
@DACL=(02 0000)
@="Internet Explorer Zonemapping"
"DllName"=expand:"iedkcs32.dll"
"ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"
"NoGPOListChanges"=dword:00000001
"RequiresSucessfulRegistry"=dword:00000001
"DisplayName"=expand:"@iedkcs32.dll,-3051"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"
"GenerateGroupPolicy"="SceGenerateGroupPolicy"
"ExtensionRsopPlanningDebugLevel"=dword:00000001
"ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"
"ExtensionDebugLevel"=dword:00000001
"DllName"=expand:"scecli.dll"
@="Security"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
"MaxNoGPOListChangesInterval"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]
@DACL=(02 0000)
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"ProcessGroupPolicy"="ProcessGroupPolicy"
"DllName"="iedkcs32.dll"
@="Internet Explorer Branding"
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000001
"NoMachinePolicy"=dword:00000001
"DisplayName"=expand:"@iedkcs32.dll,-3014"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"
"DllName"=expand:"scecli.dll"
@="EFS recovery"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]
@DACL=(02 0000)
@="Microsoft Offline Files"
"DllName"=expand:"%SystemRoot%\\System32\\cscui.dll"
"EnableAsynchronousProcessing"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000000
"NoMachinePolicy"=dword:00000000
"NoSlowLink"=dword:00000000
"NoUserPolicy"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"ProcessGroupPolicy"="ProcessGroupPolicy"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
@DACL=(02 0000)
@="Software Installation"
"DllName"=expand:"appmgmts.dll"
"ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"NoBackgroundPolicy"=dword:00000000
"RequiresSucessfulRegistry"=dword:00000000
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"EventSources"=multi:"(Application Management,Application)\00(MsiInstaller,Application)\00\00"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}]
@DACL=(02 0000)
@="IP Security"
"ProcessGroupPolicy"="ProcessIPSECPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!saswinlogon]
@DACL=(02 0000)
"DllName"="c:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll"
"Logon"="SABWINLOLogon"
"Logoff"="SABWINLOLogoff"
"Startup"="SABWINLOStartup"
"Shutdown"="SABWINLOShutdown"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
@DACL=(02 0000)
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=expand:"crypt32.dll"
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=expand:"cryptnet.dll"
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
@DACL=(02 0000)
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
@DACL=(02 0000)
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"DllName"=expand:"wlnotify.dll"
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
@DACL=(02 0000)
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=expand:"sclgntfy.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
@DACL=(02 0000)
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"DllName"=expand:"wlnotify.dll"
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
@DACL=(02 0000)
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
@DACL=(02 0000)
"HelpAssistant"=dword:00000000
"TsInternetUser"=dword:00000000
"SQLAgentCmdExec"=dword:00000000
"NetShowServices"=dword:00000000
"IWAM_"=dword:00010000
"IUSR_"=dword:00010000
"VUSR_"=dword:00010000
"ASPNET"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\CF21889.exe
c:\progra~1\HPQ\shared\HPQTOA~1.EXE
c:\windows\system32\dllhost.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-06-11 15:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-11 19:49

Pre-Run: 31,715,454,976 bytes free
Post-Run: 32,138,301,440 bytes free

434 --- E O F --- 2009-06-04 13:06

descriptionWireless disabled due to Virus - Page 1 EmptyRe: Wireless disabled due to Virus11th June 2009, 7:59 pm

more_horiz
Now open a new notepad file.
Input this into the notepad file:

KILLALL::

FCOPY::
c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2_32.dll | c:\windows\system32\ws2_32.dll
c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2_32.dll | c:\windows\system32\dllcache\ws2_32.dll

Folder::
c:\documents and settings\All Users\Application Data\Viewpoint
c:\program files\Viewpoint
c:\documents and settings\All Users\Application Data\avg8
c:\documents and settings\All Users\Application Data\McAfee


Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:
Wireless disabled due to Virus - Page 1 Sfxdaw

This will open combofix again, agree to it's terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
Wireless disabled due to Virus - Page 1 DXwU4
Wireless disabled due to Virus - Page 1 VvYDg

descriptionWireless disabled due to Virus - Page 1 EmptyRe: Wireless disabled due to Virus11th June 2009, 10:04 pm

more_horiz
ComboFix 09-06-11.05 - david 06/11/2009 17:50.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.512 [GMT -4:00]
Running from: G:\ComboFix.exe
Command switches used :: G:\CFScript.txt
AV: AntiVir Desktop *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\avg8
c:\documents and settings\All Users\Application Data\McAfee
c:\documents and settings\All Users\Application Data\Viewpoint
c:\program files\Viewpoint
c:\documents and settings\All Users\Application Data\avg8\Cfg\krnl.cfg
c:\documents and settings\All Users\Application Data\avg8\Cfg\mail.cfg
c:\documents and settings\All Users\Application Data\avg8\Cfg\scan.cfg
c:\documents and settings\All Users\Application Data\avg8\Cfg\sched.cfg
c:\documents and settings\All Users\Application Data\avg8\Cfg\update.cfg
c:\documents and settings\All Users\Application Data\avg8\Cfg\user.cfg
c:\documents and settings\All Users\Application Data\avg8\Log\avgcfg.log.lock
c:\documents and settings\All Users\Application Data\avg8\Log\avgcore.log
c:\documents and settings\All Users\Application Data\avg8\Log\avgcore.log.1
c:\documents and settings\All Users\Application Data\avg8\Log\avgcore.log.10
c:\documents and settings\All Users\Application Data\avg8\Log\avgcore.log.2
c:\documents and settings\All Users\Application Data\avg8\Log\avgcore.log.3
c:\documents and settings\All Users\Application Data\avg8\Log\avgcore.log.4
c:\documents and settings\All Users\Application Data\avg8\Log\avgcore.log.5
c:\documents and settings\All Users\Application Data\avg8\Log\avgcore.log.6
c:\documents and settings\All Users\Application Data\avg8\Log\avgcore.log.7
c:\documents and settings\All Users\Application Data\avg8\Log\avgcore.log.8
c:\documents and settings\All Users\Application Data\avg8\Log\avgcore.log.9
c:\documents and settings\All Users\Application Data\avg8\Log\avgcore.log.lock
c:\documents and settings\All Users\Application Data\avg8\Log\avglng.log
c:\documents and settings\All Users\Application Data\avg8\Log\avglng.log.1
c:\documents and settings\All Users\Application Data\avg8\Log\avglng.log.2
c:\documents and settings\All Users\Application Data\avg8\Log\avglng.log.3
c:\documents and settings\All Users\Application Data\avg8\Log\avglng.log.4
c:\documents and settings\All Users\Application Data\avg8\Log\avglng.log.5
c:\documents and settings\All Users\Application Data\avg8\Log\avglng.log.lock
c:\documents and settings\All Users\Application Data\avg8\Log\avgrs.log
c:\documents and settings\All Users\Application Data\avg8\Log\avgrs.log.1
c:\documents and settings\All Users\Application Data\avg8\Log\avgrs.log.10
c:\documents and settings\All Users\Application Data\avg8\Log\avgrs.log.2
c:\documents and settings\All Users\Application Data\avg8\Log\avgrs.log.3
c:\documents and settings\All Users\Application Data\avg8\Log\avgrs.log.4
c:\documents and settings\All Users\Application Data\avg8\Log\avgrs.log.5
c:\documents and settings\All Users\Application Data\avg8\Log\avgrs.log.6
c:\documents and settings\All Users\Application Data\avg8\Log\avgrs.log.7
c:\documents and settings\All Users\Application Data\avg8\Log\avgrs.log.8
c:\documents and settings\All Users\Application Data\avg8\Log\avgrs.log.9
c:\documents and settings\All Users\Application Data\avg8\Log\avgrs.log.lock
c:\documents and settings\All Users\Application Data\avg8\Log\avgscan.log
c:\documents and settings\All Users\Application Data\avg8\Log\avgscan.log.lock
c:\documents and settings\All Users\Application Data\avg8\Log\avgsched.log.1
c:\documents and settings\All Users\Application Data\avg8\Log\avgsched.log.10
c:\documents and settings\All Users\Application Data\avg8\Log\avgsched.log.2
c:\documents and settings\All Users\Application Data\avg8\Log\avgsched.log.3
c:\documents and settings\All Users\Application Data\avg8\Log\avgsched.log.4
c:\documents and settings\All Users\Application Data\avg8\Log\avgsched.log.5
c:\documents and settings\All Users\Application Data\avg8\Log\avgsched.log.6
c:\documents and settings\All Users\Application Data\avg8\Log\avgsched.log.7
c:\documents and settings\All Users\Application Data\avg8\Log\avgsched.log.8
c:\documents and settings\All Users\Application Data\avg8\Log\avgsched.log.9
c:\documents and settings\All Users\Application Data\avg8\Log\avgsched.log.lock
c:\documents and settings\All Users\Application Data\avg8\Log\avgsrm.log
c:\documents and settings\All Users\Application Data\avg8\Log\avgsrm.log.lock
c:\documents and settings\All Users\Application Data\avg8\Log\avgui.log
c:\documents and settings\All Users\Application Data\avg8\Log\avgui.log.lock
c:\documents and settings\All Users\Application Data\avg8\Log\avgupd.log
c:\documents and settings\All Users\Application Data\avg8\Log\avgupd.log.lock
c:\documents and settings\All Users\Application Data\avg8\Log\avgwd.log.1
c:\documents and settings\All Users\Application Data\avg8\Log\avgwd.log.2
c:\documents and settings\All Users\Application Data\avg8\Log\avgwd.log.3
c:\documents and settings\All Users\Application Data\avg8\Log\avgwd.log.4
c:\documents and settings\All Users\Application Data\avg8\Log\avgwd.log.lock
c:\documents and settings\All Users\Application Data\avg8\Log\avgwdsvc.log
c:\documents and settings\All Users\Application Data\avg8\Log\avgwdsvc.log.1
c:\documents and settings\All Users\Application Data\avg8\Log\avgwdsvc.log.2
c:\documents and settings\All Users\Application Data\avg8\Log\avgwdsvc.log.3
c:\documents and settings\All Users\Application Data\avg8\Log\avgwdsvc.log.lock
c:\documents and settings\All Users\Application Data\avg8\Log\avildr.log
c:\documents and settings\All Users\Application Data\avg8\Log\commonpriv.log
c:\documents and settings\All Users\Application Data\avg8\Log\commonpriv.log.1
c:\documents and settings\All Users\Application Data\avg8\Log\commonpriv.log.2
c:\documents and settings\All Users\Application Data\avg8\Log\commonpriv.log.3
c:\documents and settings\All Users\Application Data\avg8\Log\commonpriv.log.4
c:\documents and settings\All Users\Application Data\avg8\Log\commonpriv.log.5
c:\documents and settings\All Users\Application Data\avg8\Log\commonpriv.log.6
c:\documents and settings\All Users\Application Data\avg8\Log\commonpriv.log.7
c:\documents and settings\All Users\Application Data\avg8\Log\commonpriv.log.lock
c:\documents and settings\All Users\Application Data\avg8\Log\history.xml
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000001.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000005.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000006.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000007.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000008.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000009.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000010.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000011.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000012.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000013.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000014.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000015.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000016.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000017.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000018.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000019.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000020.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000021.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000022.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000023.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000024.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000025.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000026.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000027.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000028.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000029.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\srm.idx
c:\documents and settings\All Users\Application Data\avg8\update\backup\avi7.avg
c:\documents and settings\All Users\Application Data\avg8\update\backup\incavi.avm
c:\documents and settings\All Users\Application Data\avg8\update\backup\microavi.avg
c:\documents and settings\All Users\Application Data\avg8\update\backup\miniavi.avg
c:\documents and settings\All Users\Application Data\avg8\update\backup\sb.dat
c:\documents and settings\All Users\Application Data\avg8\update\backup\sb.dat.xcd
c:\documents and settings\All Users\Application Data\avg8\update\backup\sb2.dat
c:\documents and settings\All Users\Application Data\avg8\update\backup\sc.dat
c:\documents and settings\All Users\Application Data\avg8\update\backup\sc.dat.xcd
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Agent.ini
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\catalog.z
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Compiled.xml
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Current\AUENGINEMETA\AUEngineContentDetection.McS
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Current\ENCPTCNT6000\EceptCntDet.mcs
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Current\MASECORE2000\Mase_Det.Mcs
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Current\MPEMSBCK1000\MPEMSBCKDet.McS
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Current\MPEPRDCK1000\MPEPRDCKDet.McS
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Current\MPESVRUP1000\MPESVRUPDet.McS
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Current\MPEVIRCK1000\MPEVIRCKDet.McS
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Current\PATCHTMP1000\PatchTmpDet.McS
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Current\PATCHTMP2000\PatchTmpDet.McS
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Current\PUPDAT__1000\PUPDet.mcs
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Current\SPAMSAFE1000\SK_det.mcs
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Current\VIRUSCAN8600\VSE850Det.McS
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Current\VIRUSCAN8700\VSE870Det.McS
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Current\VSCANDAT1000\V2datdet.mcs
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Current\VSCANENG1000\Engine\0000\engmin.zip
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Current\VSCANENG1000\Engine\0000\V2enginstall.mcs
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Current\VSCANENG1000\V2EngDet.mcs
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Db\Agent_DAVE.log
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Db\Agent_DAVE.xml
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Db\Agent_FAMILY.log
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Db\Agent_FAMILY.xml
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Db\Agent_LAPTOP.log
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Db\Agent_LAPTOP.xml
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Db\Agent_LAPTOP_backup.log
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Db\FrameworkLog.xsl
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Db\PrdMgr_DAVE.log
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Db\PrdMgr_FAMILY.log
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Db\PrdMgr_LAPTOP.log
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\FrameworkManifest.xml
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\InstallMain.McS
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\McScript.bak
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\McScript.log
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Precompiled.xml
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Server.xml
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\serverDefault.xml
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\SiteList.xml
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\SiteMapList.xml
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\SiteStat.xml
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\SrPubKey.bin
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Task\{A14CD6FC-3BA8-4703-87BF-E3247CE382F5}.ini
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Task\TaskInternalData\{A14CD6FC-3BA8-4703-87BF-E3247CE382F5}.ini
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\UpdateHistory.ini
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\UpdateMain.McS

descriptionWireless disabled due to Virus - Page 1 EmptyRe: Wireless disabled due to Virus11th June 2009, 10:05 pm

more_horiz
.
--------------- FCopy ---------------

c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2_32.dll --> c:\windows\system32\ws2_32.dll
c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2_32.dll --> c:\windows\system32\dllcache\ws2_32.dll
.
((((((((((((((((((((((((( Files Created from 2009-05-11 to 2009-06-11 )))))))))))))))))))))))))))))))
.

2009-06-11 19:42 . 2004-08-10 15:00 39424 ----a-w- c:\windows\system32\grpconv.exe
2009-06-11 19:42 . 2004-08-10 15:00 39424 ----a-w- c:\windows\system32\dllcache\grpconv.exe
2009-06-10 16:25 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-06-10 16:25 . 2009-03-24 20:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-06-10 16:25 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-06-10 16:25 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-06-10 16:25 . 2009-06-10 16:25 -------- d-----w- c:\program files\Avira
2009-06-10 16:25 . 2009-06-10 16:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-06-09 17:19 . 2009-06-09 17:19 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-09 17:19 . 2009-06-09 17:19 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-09 17:19 . 2009-06-09 17:19 -------- d-----w- c:\documents and settings\david\Application Data\Sonic
2009-06-09 17:19 . 2009-06-09 17:19 -------- d-----w- c:\documents and settings\david\Application Data\PC Tools
2009-06-09 17:18 . 2009-06-09 17:18 -------- d-----w- c:\program files\Common Files\BitDefender
2009-06-09 17:18 . 2009-06-09 17:18 -------- d-----w- C:\4304f949750ce894fde4cc20
2009-06-09 11:57 . 2009-06-09 17:19 -------- d-s---w- C:\ComboFix1
2009-06-08 17:11 . 2004-08-10 15:00 4096 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\USMT\iconlib.dll
2009-06-08 13:46 . 2009-06-08 13:46 -------- d-----w- c:\documents and settings\david\Application Data\Malwarebytes
2009-06-08 13:46 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-08 13:46 . 2009-06-08 13:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-08 13:46 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-08 13:46 . 2009-06-09 17:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-08 12:53 . 2009-06-11 21:56 117760 ----a-w- c:\documents and settings\david\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-08 12:52 . 2009-06-09 17:14 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-08 12:52 . 2009-06-08 12:52 -------- d-----w- c:\documents and settings\david\Application Data\SUPERAntiSpyware.com
2009-06-08 12:51 . 2009-06-08 12:51 -------- d-----w- c:\program files\Microsoft Windows OneCare Live
2009-06-05 13:43 . 2009-06-05 13:43 -------- d-----w- c:\documents and settings\david\Application Data\MSNInstaller
2009-06-05 00:21 . 2009-06-05 00:21 -------- d-----w- c:\documents and settings\david\Application Data\Leadertech
2009-06-04 23:31 . 2008-06-11 01:22 81288 ----a-w- c:\windows\system32\drivers\iksyssec.sys
2009-06-04 23:31 . 2008-06-02 19:19 29576 ----a-w- c:\windows\system32\drivers\kcom.sys
2009-06-04 23:31 . 2008-06-02 19:19 42376 ----a-w- c:\windows\system32\drivers\ikfilesec.sys
2009-06-04 23:31 . 2008-06-02 19:19 66952 ----a-w- c:\windows\system32\drivers\iksysflt.sys
2009-06-04 23:30 . 2009-06-09 17:19 -------- d-----w- c:\program files\Spyware Doctor
2009-06-04 14:01 . 2004-05-11 13:56 423784 ----a-w- c:\windows\system32\XceedBkp.dll
2009-06-04 14:01 . 2003-11-19 17:59 512688 ----a-w- c:\windows\system32\XceedCry.dll
2009-06-04 14:01 . 2000-07-15 09:00 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
2009-06-03 14:03 . 2009-06-09 17:18 -------- d-----w- C:\AV-CLS
2009-06-03 13:45 . 2009-06-11 21:56 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-03 13:22 . 2009-06-03 13:22 -------- d-----w- c:\program files\Enigma Software Group
2009-06-02 22:27 . 2004-08-10 07:00 82944 ----a-w- c:\windows\system32\dllcache\ws2_32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-11 19:37 . 2006-08-29 08:20 -------- d-----w- c:\documents and settings\david\Application Data\U3
2009-06-10 15:56 . 2006-04-13 13:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-06-09 17:18 . 2006-09-23 02:08 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2009-06-09 17:18 . 2006-09-23 02:08 -------- d-----w- c:\program files\NVIDIA Corporation
2009-06-09 17:18 . 2006-09-20 02:40 -------- d-----w- c:\documents and settings\david\Application Data\Aim
2009-06-09 17:18 . 2006-09-20 02:38 -------- d-----w- c:\program files\AIM
2009-06-09 17:18 . 2006-10-28 02:45 -------- d-----w- c:\program files\DivX
2009-06-09 17:18 . 2007-08-15 03:13 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-04 18:53 . 2006-04-13 13:56 110416 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-04 15:35 . 2006-04-13 13:44 -------- d-----w- c:\program files\Quickensetup
2009-06-04 15:35 . 2006-04-13 13:17 -------- d-----w- c:\program files\Microsoft Works
2009-06-04 14:29 . 2008-11-04 16:19 -------- d-----w- c:\documents and settings\david\Application Data\GetRightToGo
2009-06-04 13:48 . 2006-04-13 12:47 -------- d-----w- c:\program files\HPQ
2009-06-04 11:42 . 2007-08-15 03:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-02 21:52 . 2006-10-27 02:30 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-05-31 01:41 . 2008-09-29 01:16 -------- d-----w- c:\documents and settings\amanda\Application Data\U3
2006-10-28 03:10 . 2006-10-28 03:10 56 --sh--r- c:\windows\system32\260588ACD5.sys
2006-10-28 03:10 . 2006-10-28 03:10 1890 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-04 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-05-26 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-08-01 233534]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 507904]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-03-14 257088]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-07-16 1166216]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-04 68856]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R1 sasdifsv;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 saskutil;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/10/2009 12:25 PM 108289]
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2/10/2007 6:29 AM 29178224]
R2 sdauxservice;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [6/4/2009 7:30 PM 356920]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [8/22/2005 5:06 AM 231424]
R3 sasenum;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
.
------- Supplementary Scan -------
.
uStart Page = yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-11 17:56
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????????h?T??????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.

descriptionWireless disabled due to Virus - Page 1 EmptyRe: Wireless disabled due to Virus11th June 2009, 10:05 pm

more_horiz
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}]
@DACL=(02 0000)
@="Wireless"
"ProcessGroupPolicy"="ProcessWIRELESSPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}]
@DACL=(02 0000)
@="Folder Redirection"
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"DllName"=expand:"fdeploy.dll"
"NoMachinePolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"NoGPOListChanges"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"GenerateGroupPolicy"="GenerateGroupPolicy"
"EventSources"=multi:"(Folder Redirection,Application)\00\00"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
@DACL=(02 0000)
@="Microsoft Disk Quota"
"NoMachinePolicy"=dword:00000000
"NoUserPolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"RequiresSuccessfulRegistry"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000000
"DllName"=expand:"dskquota.dll"
"ProcessGroupPolicy"="ProcessGroupPolicy"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}]
@DACL=(02 0000)
@="QoS Packet Scheduler"
"ProcessGroupPolicy"="ProcessPSCHEDPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}]
@DACL=(02 0000)
@="Scripts"
"ProcessGroupPolicy"="ProcessScriptsGroupPolicy"
"ProcessGroupPolicyEx"="ProcessScriptsGroupPolicyEx"
"GenerateGroupPolicy"="GenerateScriptsGroupPolicy"
"DllName"=expand:"gptext.dll"
"NoSlowLink"=dword:00000001
"NoGPOListChanges"=dword:00000001
"NotifyLinkTransition"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
@DACL=(02 0000)
@="Internet Explorer Zonemapping"
"DllName"=expand:"iedkcs32.dll"
"ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"
"NoGPOListChanges"=dword:00000001
"RequiresSucessfulRegistry"=dword:00000001
"DisplayName"=expand:"@iedkcs32.dll,-3051"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"
"GenerateGroupPolicy"="SceGenerateGroupPolicy"
"ExtensionRsopPlanningDebugLevel"=dword:00000001
"ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"
"ExtensionDebugLevel"=dword:00000001
"DllName"=expand:"scecli.dll"
@="Security"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
"MaxNoGPOListChangesInterval"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]
@DACL=(02 0000)
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"ProcessGroupPolicy"="ProcessGroupPolicy"
"DllName"="iedkcs32.dll"
@="Internet Explorer Branding"
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000001
"NoMachinePolicy"=dword:00000001
"DisplayName"=expand:"@iedkcs32.dll,-3014"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"
"DllName"=expand:"scecli.dll"
@="EFS recovery"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]
@DACL=(02 0000)
@="Microsoft Offline Files"
"DllName"=expand:"%SystemRoot%\\System32\\cscui.dll"
"EnableAsynchronousProcessing"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000000
"NoMachinePolicy"=dword:00000000
"NoSlowLink"=dword:00000000
"NoUserPolicy"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"ProcessGroupPolicy"="ProcessGroupPolicy"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
@DACL=(02 0000)
@="Software Installation"
"DllName"=expand:"appmgmts.dll"
"ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"NoBackgroundPolicy"=dword:00000000
"RequiresSucessfulRegistry"=dword:00000000
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"EventSources"=multi:"(Application Management,Application)\00(MsiInstaller,Application)\00\00"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}]
@DACL=(02 0000)
@="IP Security"
"ProcessGroupPolicy"="ProcessIPSECPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!saswinlogon]
@DACL=(02 0000)
"DllName"="c:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll"
"Logon"="SABWINLOLogon"
"Logoff"="SABWINLOLogoff"
"Startup"="SABWINLOStartup"
"Shutdown"="SABWINLOShutdown"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
@DACL=(02 0000)
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=expand:"crypt32.dll"
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=expand:"cryptnet.dll"
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
@DACL=(02 0000)
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
@DACL=(02 0000)
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"DllName"=expand:"wlnotify.dll"
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
@DACL=(02 0000)
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=expand:"sclgntfy.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
@DACL=(02 0000)
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"DllName"=expand:"wlnotify.dll"
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
@DACL=(02 0000)
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
@DACL=(02 0000)
"HelpAssistant"=dword:00000000
"TsInternetUser"=dword:00000000
"SQLAgentCmdExec"=dword:00000000
"NetShowServices"=dword:00000000
"IWAM_"=dword:00010000
"IUSR_"=dword:00010000
"VUSR_"=dword:00010000
"ASPNET"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\dllhost.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\HPQ\shared\HPQTOA~1.EXE
.
**************************************************************************
.
Completion time: 2009-06-11 17:59 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-11 21:59
ComboFix2.txt 2009-06-11 19:49

Pre-Run: 32,167,411,712 bytes free
Post-Run: 32,143,208,448 bytes free

579 --- E O F --- 2009-06-04 13:06

descriptionWireless disabled due to Virus - Page 1 EmptyRe: Wireless disabled due to Virus11th June 2009, 10:11 pm

more_horiz
Hello.
Can you get online now? that patched file is replaced now.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
Wireless disabled due to Virus - Page 1 DXwU4
Wireless disabled due to Virus - Page 1 VvYDg

descriptionWireless disabled due to Virus - Page 1 EmptyRe: Wireless disabled due to Virus12th June 2009, 2:08 pm

more_horiz
no network connections are found, my wileless network card is still showing code 39 error.

descriptionWireless disabled due to Virus - Page 1 EmptyRe: Wireless disabled due to Virus12th June 2009, 2:14 pm

more_horiz
Okay, re-run the SystemLook script we did, I want to see if there is any changes, I think something has interfered.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
Wireless disabled due to Virus - Page 1 DXwU4
Wireless disabled due to Virus - Page 1 VvYDg

descriptionWireless disabled due to Virus - Page 1 EmptyRe: Wireless disabled due to Virus12th June 2009, 7:57 pm

more_horiz
SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 15:55 on 12/06/2009 by david (Administrator - Elevation successful)

========== filefind ==========

Searching for "ws2_32.dll"
C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2_32.dll ------ 82432 bytes [17:55 21/09/2008] [00:12 14/04/2008] 2CCC474EB85CEAA3E1FA1726580A3E5A
C:\WINDOWS\system32\dllcache\ws2_32.dll --a--- 82944 bytes [22:27 02/06/2009] [07:00 10/08/2004] 2ED0B7F12A60F90092081C50FA0EC2B2
C:\WINDOWS\system32\ws2_32.dll --a--- 82944 bytes [15:00 10/08/2004] [07:00 10/08/2004] 2ED0B7F12A60F90092081C50FA0EC2B2

-=End Of File=-

descriptionWireless disabled due to Virus - Page 1 EmptyRe: Wireless disabled due to Virus12th June 2009, 8:06 pm

more_horiz
Hello.
I suspect something got in the way here, Windows File Protection (WFP) most likely.

We may need to do this manually. We'll try the CFScript one more time. Run Combofix normally again, no script this time.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
Wireless disabled due to Virus - Page 1 DXwU4
Wireless disabled due to Virus - Page 1 VvYDg

descriptionWireless disabled due to Virus - Page 1 EmptyRe: Wireless disabled due to Virus12th June 2009, 8:51 pm

more_horiz
ComboFix 09-06-07.05 - david 06/12/2009 16:42.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.615 [GMT -4:00]
Running from: G:\ComboFix1.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-05-12 to 2009-06-12 )))))))))))))))))))))))))))))))
.

2009-06-11 19:42 . 2004-08-10 15:00 39424 ----a-w- c:\windows\system32\grpconv.exe
2009-06-11 19:42 . 2004-08-10 15:00 39424 ----a-w- c:\windows\system32\dllcache\grpconv.exe
2009-06-10 16:25 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-06-10 16:25 . 2009-03-24 20:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-06-10 16:25 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-06-10 16:25 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-06-10 16:25 . 2009-06-10 16:25 -------- d-----w- c:\program files\Avira
2009-06-10 16:25 . 2009-06-10 16:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-06-09 17:19 . 2009-06-09 17:19 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-09 17:19 . 2009-06-09 17:19 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-09 17:19 . 2009-06-09 17:19 -------- d-----w- c:\documents and settings\david\Application Data\Sonic
2009-06-09 17:19 . 2009-06-09 17:19 -------- d-----w- c:\documents and settings\david\Application Data\PC Tools
2009-06-09 17:18 . 2009-06-09 17:18 -------- d-----w- c:\program files\Common Files\BitDefender
2009-06-09 17:18 . 2009-06-09 17:18 -------- d-----w- C:\4304f949750ce894fde4cc20
2009-06-08 17:11 . 2004-08-10 15:00 4096 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\USMT\iconlib.dll
2009-06-08 13:46 . 2009-06-08 13:46 -------- d-----w- c:\documents and settings\david\Application Data\Malwarebytes
2009-06-08 13:46 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-08 13:46 . 2009-06-08 13:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-08 13:46 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-08 13:46 . 2009-06-09 17:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-08 12:53 . 2009-06-12 19:48 117760 ----a-w- c:\documents and settings\david\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-08 12:52 . 2009-06-09 17:14 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-08 12:52 . 2009-06-08 12:52 -------- d-----w- c:\documents and settings\david\Application Data\SUPERAntiSpyware.com
2009-06-08 12:51 . 2009-06-08 12:51 -------- d-----w- c:\program files\Microsoft Windows OneCare Live
2009-06-05 13:43 . 2009-06-05 13:43 -------- d-----w- c:\documents and settings\david\Application Data\MSNInstaller
2009-06-05 00:21 . 2009-06-05 00:21 -------- d-----w- c:\documents and settings\david\Application Data\Leadertech
2009-06-04 23:31 . 2008-06-11 01:22 81288 ----a-w- c:\windows\system32\drivers\iksyssec.sys
2009-06-04 23:31 . 2008-06-02 19:19 29576 ----a-w- c:\windows\system32\drivers\kcom.sys
2009-06-04 23:31 . 2008-06-02 19:19 42376 ----a-w- c:\windows\system32\drivers\ikfilesec.sys
2009-06-04 23:31 . 2008-06-02 19:19 66952 ----a-w- c:\windows\system32\drivers\iksysflt.sys
2009-06-04 23:30 . 2009-06-09 17:19 -------- d-----w- c:\program files\Spyware Doctor
2009-06-04 14:01 . 2004-05-11 13:56 423784 ----a-w- c:\windows\system32\XceedBkp.dll
2009-06-04 14:01 . 2003-11-19 17:59 512688 ----a-w- c:\windows\system32\XceedCry.dll
2009-06-04 14:01 . 2000-07-15 09:00 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
2009-06-03 14:03 . 2009-06-09 17:18 -------- d-----w- C:\AV-CLS
2009-06-03 13:45 . 2009-06-12 19:53 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-03 13:22 . 2009-06-03 13:22 -------- d-----w- c:\program files\Enigma Software Group
2009-06-02 22:27 . 2004-08-10 07:00 82944 ----a-w- c:\windows\system32\dllcache\ws2_32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-11 19:37 . 2006-08-29 08:20 -------- d-----w- c:\documents and settings\david\Application Data\U3
2009-06-10 15:56 . 2006-04-13 13:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-06-09 17:18 . 2006-09-23 02:08 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2009-06-09 17:18 . 2006-09-23 02:08 -------- d-----w- c:\program files\NVIDIA Corporation
2009-06-09 17:18 . 2006-09-20 02:40 -------- d-----w- c:\documents and settings\david\Application Data\Aim
2009-06-09 17:18 . 2006-09-20 02:38 -------- d-----w- c:\program files\AIM
2009-06-09 17:18 . 2006-10-28 02:45 -------- d-----w- c:\program files\DivX
2009-06-09 17:18 . 2007-08-15 03:13 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-04 18:53 . 2006-04-13 13:56 110416 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-04 15:35 . 2006-04-13 13:44 -------- d-----w- c:\program files\Quickensetup
2009-06-04 15:35 . 2006-04-13 13:17 -------- d-----w- c:\program files\Microsoft Works
2009-06-04 14:29 . 2008-11-04 16:19 -------- d-----w- c:\documents and settings\david\Application Data\GetRightToGo
2009-06-04 13:48 . 2006-04-13 12:47 -------- d-----w- c:\program files\HPQ
2009-06-04 11:42 . 2007-08-15 03:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-02 21:52 . 2006-10-27 02:30 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-05-31 01:41 . 2008-09-29 01:16 -------- d-----w- c:\documents and settings\amanda\Application Data\U3
2006-10-28 03:10 . 2006-10-28 03:10 56 --sh--r- c:\windows\system32\260588ACD5.sys
2006-10-28 03:10 . 2006-10-28 03:10 1890 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-06-11_19.46.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-10 15:00 . 2004-08-10 07:00 82944 c:\windows\system32\ws2_32.dll
- 2004-08-10 15:00 . 2004-08-10 15:00 82944 c:\windows\system32\ws2_32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-04 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-05-26 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-08-01 233534]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 507904]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-03-14 257088]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-07-16 1166216]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-04 68856]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R1 sasdifsv;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 saskutil;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/10/2009 12:25 PM 108289]
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2/10/2007 6:29 AM 29178224]
R2 sdauxservice;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [6/4/2009 7:30 PM 356920]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [8/22/2005 5:06 AM 231424]
R3 sasenum;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys


.

descriptionWireless disabled due to Virus - Page 1 EmptyRe: Wireless disabled due to Virus12th June 2009, 8:51 pm

more_horiz
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = yahoo.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-12 16:44
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????????h????????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}]
@DACL=(02 0000)
@="Wireless"
"ProcessGroupPolicy"="ProcessWIRELESSPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}]
@DACL=(02 0000)
@="Folder Redirection"
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"DllName"=expand:"fdeploy.dll"
"NoMachinePolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"NoGPOListChanges"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"GenerateGroupPolicy"="GenerateGroupPolicy"
"EventSources"=multi:"(Folder Redirection,Application)\00\00"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
@DACL=(02 0000)
@="Microsoft Disk Quota"
"NoMachinePolicy"=dword:00000000
"NoUserPolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"RequiresSuccessfulRegistry"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000000
"DllName"=expand:"dskquota.dll"
"ProcessGroupPolicy"="ProcessGroupPolicy"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}]
@DACL=(02 0000)
@="QoS Packet Scheduler"
"ProcessGroupPolicy"="ProcessPSCHEDPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}]
@DACL=(02 0000)
@="Scripts"
"ProcessGroupPolicy"="ProcessScriptsGroupPolicy"
"ProcessGroupPolicyEx"="ProcessScriptsGroupPolicyEx"
"GenerateGroupPolicy"="GenerateScriptsGroupPolicy"
"DllName"=expand:"gptext.dll"
"NoSlowLink"=dword:00000001
"NoGPOListChanges"=dword:00000001
"NotifyLinkTransition"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
@DACL=(02 0000)
@="Internet Explorer Zonemapping"
"DllName"=expand:"iedkcs32.dll"
"ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"
"NoGPOListChanges"=dword:00000001
"RequiresSucessfulRegistry"=dword:00000001
"DisplayName"=expand:"@iedkcs32.dll,-3051"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"
"GenerateGroupPolicy"="SceGenerateGroupPolicy"
"ExtensionRsopPlanningDebugLevel"=dword:00000001
"ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"
"ExtensionDebugLevel"=dword:00000001
"DllName"=expand:"scecli.dll"
@="Security"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
"MaxNoGPOListChangesInterval"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]
@DACL=(02 0000)
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"ProcessGroupPolicy"="ProcessGroupPolicy"
"DllName"="iedkcs32.dll"
@="Internet Explorer Branding"
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000001
"NoMachinePolicy"=dword:00000001
"DisplayName"=expand:"@iedkcs32.dll,-3014"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"
"DllName"=expand:"scecli.dll"
@="EFS recovery"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]
@DACL=(02 0000)
@="Microsoft Offline Files"
"DllName"=expand:"%SystemRoot%\\System32\\cscui.dll"
"EnableAsynchronousProcessing"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000000
"NoMachinePolicy"=dword:00000000
"NoSlowLink"=dword:00000000
"NoUserPolicy"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"ProcessGroupPolicy"="ProcessGroupPolicy"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
@DACL=(02 0000)
@="Software Installation"
"DllName"=expand:"appmgmts.dll"
"ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"NoBackgroundPolicy"=dword:00000000
"RequiresSucessfulRegistry"=dword:00000000
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"EventSources"=multi:"(Application Management,Application)\00(MsiInstaller,Application)\00\00"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}]
@DACL=(02 0000)
@="IP Security"
"ProcessGroupPolicy"="ProcessIPSECPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!saswinlogon]
@DACL=(02 0000)
"DllName"="c:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll"
"Logon"="SABWINLOLogon"
"Logoff"="SABWINLOLogoff"
"Startup"="SABWINLOStartup"
"Shutdown"="SABWINLOShutdown"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000

descriptionWireless disabled due to Virus - Page 1 EmptyRe: Wireless disabled due to Virus12th June 2009, 8:52 pm

more_horiz
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
@DACL=(02 0000)
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=expand:"crypt32.dll"
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=expand:"cryptnet.dll"
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
@DACL=(02 0000)
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
@DACL=(02 0000)
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"DllName"=expand:"wlnotify.dll"
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
@DACL=(02 0000)
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=expand:"sclgntfy.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
@DACL=(02 0000)
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"DllName"=expand:"wlnotify.dll"
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
@DACL=(02 0000)
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
@DACL=(02 0000)
"HelpAssistant"=dword:00000000
"TsInternetUser"=dword:00000000
"SQLAgentCmdExec"=dword:00000000
"NetShowServices"=dword:00000000
"IWAM_"=dword:00010000
"IUSR_"=dword:00010000
"VUSR_"=dword:00010000
"ASPNET"=dword:00000000
.
Completion time: 2009-06-12 16:46
ComboFix-quarantined-files.txt 2009-06-12 20:46
ComboFix2.txt 2009-06-11 21:59
ComboFix3.txt 2009-06-11 19:49

Pre-Run: 32,169,111,552 bytes free
Post-Run: 32,145,948,672 bytes free

397 --- E O F --- 2009-06-04 13:06

descriptionWireless disabled due to Virus - Page 1 EmptyRe: Wireless disabled due to Virus12th June 2009, 8:54 pm

more_horiz
I was not able to install the recovery consule doe to not having internet access, would this make a difference? Is there a way to install it into another computer, then download it? Thanks Again

descriptionWireless disabled due to Virus - Page 1 EmptyRe: Wireless disabled due to Virus12th June 2009, 9:05 pm

more_horiz
Looks like were gonna have to do this manually.


  1. Open My Computer.
  2. Go to Tools > Folder Options.
  3. Select the View tab.
  4. Scroll down to Hidden files and folders.
  5. Select Show hidden files and folders.
  6. Uncheck (untick) Hide extensions of known file types.
  7. Uncheck (untick) Hide protected operating system files (Recommended).
  8. Uncheck (untick) Hide extensions for known file types
  9. Click Yes when prompted.
  10. Click OK.
  11. Close My Computer.


Now locate the following file in bold:
C:\WINDOWS\system32\dllcache\ws2_32.dll

Right click it, select RENAME. Now add a .old extension onto the end, so it's now called ws2_32.dll.old

Make sure you rename the one in dllcache before continuing, otherwise the WFP will interfere again.

Now do the same for this file in bold:
C:\WINDOWS\system32\ws2_32.dll

Does a new ws2_32.dll appear next to it?

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
Wireless disabled due to Virus - Page 1 DXwU4
Wireless disabled due to Virus - Page 1 VvYDg

descriptionWireless disabled due to Virus - Page 1 EmptyRe: Wireless disabled due to Virus12th June 2009, 10:03 pm

more_horiz
hidden files and folders
6.Uncheck (untick) Hide extensions of known file types.
7.Uncheck (untick) Hide protected operating system files (Recommended).
8.Uncheck (untick) Hide extensions for known file types
where successfully unchecked, just want to point out that 6. and 8. where the same command.

After renaming file: C:\WINDOWS\system32\ws2_32.dll to C:\WINDOWS\system32\ws2_32.dll.old Then performing a new search in folders/files results shows both files present. Both files were still created on 8/10/2004 at 3:00am. the original displays file type: Application extension while the C:\WINDOWS\system32\ws2_32.dll.old file type is Old File. i also renamed C:\WINDOWS\system32\ws2_32.dll.old in dllcache

descriptionWireless disabled due to Virus - Page 1 EmptyRe: Wireless disabled due to Virus12th June 2009, 10:11 pm

more_horiz
Hello.
When you renamed the ws2_32.dll in system32, I take your post as another copy appeared right next to it?

If so, what file size does the new copy show? 82944? or 82432?

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
Wireless disabled due to Virus - Page 1 DXwU4
Wireless disabled due to Virus - Page 1 VvYDg

descriptionWireless disabled due to Virus - Page 1 EmptyRe: Wireless disabled due to Virus12th June 2009, 10:38 pm

more_horiz
when i changed file names a new copy did not post. I had to search files and folders for original it is size 82,944

descriptionWireless disabled due to Virus - Page 1 EmptyRe: Wireless disabled due to Virus12th June 2009, 10:41 pm

more_horiz
Okay, you'll need to get a clean copy yourself.

Locate this file in bold:
C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2_32.dll

When you find it, right click, select COPY (DO NOT Cut it).
Then go back to the system32 folder, and paste it in there.

So now in the system32 folder, there should be a ws2_32.dll and ws2_32.dll.old.

Now re-run a search for the same file again using SystemLook. It should find the clean copy back in system32, and the infected .old copy in system32.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
Wireless disabled due to Virus - Page 1 DXwU4
Wireless disabled due to Virus - Page 1 VvYDg

descriptionWireless disabled due to Virus - Page 1 EmptyRe: Wireless disabled due to Virus13th June 2009, 12:24 am

more_horiz
I am attempting to past the file into system32 folder however, it comes up with an error saying "ws2_32: It is being used by another person or program. What program might be blocking the transfer? Can I disable the program? Thanks

descriptionWireless disabled due to Virus - Page 1 EmptyRe: Wireless disabled due to Virus13th June 2009, 12:25 am

more_horiz
Try doing it in safe mode. Smile...

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
Wireless disabled due to Virus - Page 1 DXwU4
Wireless disabled due to Virus - Page 1 VvYDg

descriptionWireless disabled due to Virus - Page 1 EmptyRe: Wireless disabled due to Virus13th June 2009, 12:46 am

more_horiz
failed. still the same response, would it make a difference if i have two user accounts on the computer?

descriptionWireless disabled due to Virus - Page 1 EmptyRe: Wireless disabled due to Virus13th June 2009, 1:21 am

more_horiz
kind of ran into another problem, i disabled all processes and programs in safe mode, thinking that it would work then, well now in safe mode the only screen that displays is cmd.exe

descriptionWireless disabled due to Virus - Page 1 EmptyRe: Wireless disabled due to Virus13th June 2009, 1:26 pm

more_horiz
What exactly did you disable? you've probably caused even more damage now.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
Wireless disabled due to Virus - Page 1 DXwU4
Wireless disabled due to Virus - Page 1 VvYDg

descriptionWireless disabled due to Virus - Page 1 EmptyRe: Wireless disabled due to Virus13th June 2009, 2:20 pm

more_horiz
ok, i have restored the computer to normal operation. is there certain programs that i can disable in safe mode to stop ws2_32.dll from running, while i transfer the file?

descriptionWireless disabled due to Virus - Page 1 EmptyRe: Wireless disabled due to Virus13th June 2009, 2:23 pm

more_horiz
I have a new plan.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

File::
c:\windows\system32\dllcache\ws2_32.dll

FCOPY::
c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2_32.dll | c:\windows\system32\ws2_32.dll
c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2_32.dll | c:\windows\system32\dllcache\ws2_32.dll


Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:
Wireless disabled due to Virus - Page 1 Sfxdaw

This will open combofix again, agree to it's terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
Wireless disabled due to Virus - Page 1 DXwU4
Wireless disabled due to Virus - Page 1 VvYDg

descriptionWireless disabled due to Virus - Page 1 EmptyRe: Wireless disabled due to Virus13th June 2009, 2:57 pm

more_horiz
ComboFix 09-06-11.05 - david 06/13/2009 10:39.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.490 [GMT -4:00]
Running from: G:\ComboFix.exe
Command switches used :: G:\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
"c:\windows\system32\dllcache\ws2_32.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\dllcache\ws2_32.dll

.
--------------- FCopy ---------------

c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2_32.dll --> c:\windows\system32\ws2_32.dll
c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2_32.dll --> c:\windows\system32\dllcache\ws2_32.dll
.
((((((((((((((((((((((((( Files Created from 2009-05-13 to 2009-06-13 )))))))))))))))))))))))))))))))
.

2009-06-11 19:42 . 2004-08-10 15:00 39424 ----a-w- c:\windows\system32\grpconv.exe
2009-06-11 19:42 . 2004-08-10 15:00 39424 ----a-w- c:\windows\system32\dllcache\grpconv.exe
2009-06-10 16:25 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-06-10 16:25 . 2009-03-24 20:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-06-10 16:25 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-06-10 16:25 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-06-10 16:25 . 2009-06-10 16:25 -------- d-----w- c:\program files\Avira
2009-06-10 16:25 . 2009-06-10 16:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-06-09 17:19 . 2009-06-09 17:19 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-09 17:19 . 2009-06-09 17:19 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-09 17:19 . 2009-06-09 17:19 -------- d-----w- c:\documents and settings\david\Application Data\Sonic
2009-06-09 17:19 . 2009-06-09 17:19 -------- d-----w- c:\documents and settings\david\Application Data\PC Tools
2009-06-09 17:18 . 2009-06-09 17:18 -------- d-----w- c:\program files\Common Files\BitDefender
2009-06-09 17:18 . 2009-06-09 17:18 -------- d-----w- C:\4304f949750ce894fde4cc20
2009-06-08 17:11 . 2004-08-10 15:00 4096 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\USMT\iconlib.dll
2009-06-08 13:46 . 2009-06-08 13:46 -------- d-----w- c:\documents and settings\david\Application Data\Malwarebytes
2009-06-08 13:46 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-08 13:46 . 2009-06-08 13:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-08 13:46 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-08 13:46 . 2009-06-09 17:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-08 12:53 . 2009-06-13 14:44 117760 ----a-w- c:\documents and settings\david\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-08 12:52 . 2009-06-09 17:14 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-08 12:52 . 2009-06-08 12:52 -------- d-----w- c:\documents and settings\david\Application Data\SUPERAntiSpyware.com
2009-06-08 12:51 . 2009-06-08 12:51 -------- d-----w- c:\program files\Microsoft Windows OneCare Live
2009-06-05 13:43 . 2009-06-05 13:43 -------- d-----w- c:\documents and settings\david\Application Data\MSNInstaller
2009-06-05 00:21 . 2009-06-05 00:21 -------- d-----w- c:\documents and settings\david\Application Data\Leadertech
2009-06-04 23:31 . 2008-06-11 01:22 81288 ----a-w- c:\windows\system32\drivers\iksyssec.sys
2009-06-04 23:31 . 2008-06-02 19:19 29576 ----a-w- c:\windows\system32\drivers\kcom.sys
2009-06-04 23:31 . 2008-06-02 19:19 42376 ----a-w- c:\windows\system32\drivers\ikfilesec.sys
2009-06-04 23:31 . 2008-06-02 19:19 66952 ----a-w- c:\windows\system32\drivers\iksysflt.sys
2009-06-04 23:30 . 2009-06-09 17:19 -------- d-----w- c:\program files\Spyware Doctor
2009-06-04 14:01 . 2004-05-11 13:56 423784 ----a-w- c:\windows\system32\XceedBkp.dll
2009-06-04 14:01 . 2003-11-19 17:59 512688 ----a-w- c:\windows\system32\XceedCry.dll
2009-06-04 14:01 . 2000-07-15 09:00 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
2009-06-03 14:03 . 2009-06-09 17:18 -------- d-----w- C:\AV-CLS
2009-06-03 13:45 . 2009-06-13 14:44 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-03 13:22 . 2009-06-03 13:22 -------- d-----w- c:\program files\Enigma Software Group

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-11 19:37 . 2006-08-29 08:20 -------- d-----w- c:\documents and settings\david\Application Data\U3
2009-06-10 15:56 . 2006-04-13 13:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-06-09 17:18 . 2006-09-23 02:08 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2009-06-09 17:18 . 2006-09-23 02:08 -------- d-----w- c:\program files\NVIDIA Corporation
2009-06-09 17:18 . 2006-09-20 02:40 -------- d-----w- c:\documents and settings\david\Application Data\Aim
2009-06-09 17:18 . 2006-09-20 02:38 -------- d-----w- c:\program files\AIM
2009-06-09 17:18 . 2006-10-28 02:45 -------- d-----w- c:\program files\DivX
2009-06-09 17:18 . 2007-08-15 03:13 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-04 18:53 . 2006-04-13 13:56 110416 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-04 15:35 . 2006-04-13 13:44 -------- d-----w- c:\program files\Quickensetup
2009-06-04 15:35 . 2006-04-13 13:17 -------- d-----w- c:\program files\Microsoft Works
2009-06-04 14:29 . 2008-11-04 16:19 -------- d-----w- c:\documents and settings\david\Application Data\GetRightToGo
2009-06-04 13:48 . 2006-04-13 12:47 -------- d-----w- c:\program files\HPQ
2009-06-04 11:42 . 2007-08-15 03:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-02 21:52 . 2006-10-27 02:30 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-05-31 01:41 . 2008-09-29 01:16 -------- d-----w- c:\documents and settings\amanda\Application Data\U3
2006-10-28 03:10 . 2006-10-28 03:10 56 --sh--r- c:\windows\system32\260588ACD5.sys
2006-10-28 03:10 . 2006-10-28 03:10 1890 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-04 68856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-05-26 1830128]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-19 729178]
"Reminder"="c:\windows\CREATOR\Remind_XP.exe" [2006-02-09 643072]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-03-14 257088]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-07-16 1166216]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 507904]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-08-01 233534]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-11 344064]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-04 68856]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R1 sasdifsv;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 saskutil;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/10/2009 12:25 PM 108289]
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2/10/2007 6:29 AM 29178224]
R2 sdauxservice;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [6/4/2009 7:30 PM 356920]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [8/22/2005 5:06 AM 231424]
R3 sasenum;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre1.5.0_06\bin\jusched.exe
HKLM-Run-QPService - c:\program files\HP\QuickPlay\QPService.exe
HKLM-Run-eabconfg.cpl - c:\program files\HPQ\Quick Launch Buttons\EabServr.exe
HKLM-Run-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = yahoo.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-13 10:44
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe??????????L????|?????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.

descriptionWireless disabled due to Virus - Page 1 EmptyRe: Wireless disabled due to Virus13th June 2009, 2:57 pm

more_horiz
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}]
@DACL=(02 0000)
@="Wireless"
"ProcessGroupPolicy"="ProcessWIRELESSPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}]
@DACL=(02 0000)
@="Folder Redirection"
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"DllName"=expand:"fdeploy.dll"
"NoMachinePolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"NoGPOListChanges"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"GenerateGroupPolicy"="GenerateGroupPolicy"
"EventSources"=multi:"(Folder Redirection,Application)\00\00"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
@DACL=(02 0000)
@="Microsoft Disk Quota"
"NoMachinePolicy"=dword:00000000
"NoUserPolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"RequiresSuccessfulRegistry"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000000
"DllName"=expand:"dskquota.dll"
"ProcessGroupPolicy"="ProcessGroupPolicy"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}]
@DACL=(02 0000)
@="QoS Packet Scheduler"
"ProcessGroupPolicy"="ProcessPSCHEDPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}]
@DACL=(02 0000)
@="Scripts"
"ProcessGroupPolicy"="ProcessScriptsGroupPolicy"
"ProcessGroupPolicyEx"="ProcessScriptsGroupPolicyEx"
"GenerateGroupPolicy"="GenerateScriptsGroupPolicy"
"DllName"=expand:"gptext.dll"
"NoSlowLink"=dword:00000001
"NoGPOListChanges"=dword:00000001
"NotifyLinkTransition"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
@DACL=(02 0000)
@="Internet Explorer Zonemapping"
"DllName"=expand:"iedkcs32.dll"
"ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"
"NoGPOListChanges"=dword:00000001
"RequiresSucessfulRegistry"=dword:00000001
"DisplayName"=expand:"@iedkcs32.dll,-3051"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"
"GenerateGroupPolicy"="SceGenerateGroupPolicy"
"ExtensionRsopPlanningDebugLevel"=dword:00000001
"ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"
"ExtensionDebugLevel"=dword:00000001
"DllName"=expand:"scecli.dll"
@="Security"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
"MaxNoGPOListChangesInterval"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]
@DACL=(02 0000)
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"ProcessGroupPolicy"="ProcessGroupPolicy"
"DllName"="iedkcs32.dll"
@="Internet Explorer Branding"
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000001
"NoMachinePolicy"=dword:00000001
"DisplayName"=expand:"@iedkcs32.dll,-3014"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"
"DllName"=expand:"scecli.dll"
@="EFS recovery"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]
@DACL=(02 0000)
@="Microsoft Offline Files"
"DllName"=expand:"%SystemRoot%\\System32\\cscui.dll"
"EnableAsynchronousProcessing"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000000
"NoMachinePolicy"=dword:00000000
"NoSlowLink"=dword:00000000
"NoUserPolicy"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"ProcessGroupPolicy"="ProcessGroupPolicy"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
@DACL=(02 0000)
@="Software Installation"
"DllName"=expand:"appmgmts.dll"
"ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"NoBackgroundPolicy"=dword:00000000
"RequiresSucessfulRegistry"=dword:00000000
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"EventSources"=multi:"(Application Management,Application)\00(MsiInstaller,Application)\00\00"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}]
@DACL=(02 0000)
@="IP Security"
"ProcessGroupPolicy"="ProcessIPSECPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!saswinlogon]
@DACL=(02 0000)
"DllName"="c:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll"
"Logon"="SABWINLOLogon"
"Logoff"="SABWINLOLogoff"
"Startup"="SABWINLOStartup"
"Shutdown"="SABWINLOShutdown"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
@DACL=(02 0000)
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=expand:"crypt32.dll"
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=expand:"cryptnet.dll"
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
@DACL=(02 0000)
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
@DACL=(02 0000)
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"DllName"=expand:"wlnotify.dll"
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
@DACL=(02 0000)
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=expand:"sclgntfy.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
@DACL=(02 0000)
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"DllName"=expand:"wlnotify.dll"
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
@DACL=(02 0000)
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
@DACL=(02 0000)
"HelpAssistant"=dword:00000000
"TsInternetUser"=dword:00000000
"SQLAgentCmdExec"=dword:00000000
"NetShowServices"=dword:00000000
"IWAM_"=dword:00010000
"IUSR_"=dword:00010000
"VUSR_"=dword:00010000
"ASPNET"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\dllhost.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\ehome\ehmsas.exe
c:\progra~1\HPQ\shared\HPQTOA~1.EXE
.
**************************************************************************
.
Completion time: 2009-06-13 10:47 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-13 14:47
ComboFix2.txt 2009-06-12 20:46
ComboFix3.txt 2009-06-11 21:59
ComboFix4.txt 2009-06-11 19:49

Pre-Run: 36,355,858,432 bytes free
Post-Run: 36,334,059,520 bytes free

430 --- E O F --- 2009-06-04 13:06

descriptionWireless disabled due to Virus - Page 1 EmptyRe: Wireless disabled due to Virus13th June 2009, 3:54 pm

more_horiz
Okay, re-run the SystemLook script, the dllcache copy of it is gone, but then replaced again.
Lets see if that helped any.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
Wireless disabled due to Virus - Page 1 DXwU4
Wireless disabled due to Virus - Page 1 VvYDg

descriptionWireless disabled due to Virus - Page 1 EmptyRe: Wireless disabled due to Virus13th June 2009, 7:51 pm

more_horiz
SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 15:50 on 13/06/2009 by david (Administrator - Elevation successful)

========== filefind ==========

Searching for "ws2_32.dll"
C:\Documents and Settings\david\Desktop\ws2_32.dll --a--- 82432 bytes [00:10 13/06/2009] [00:12 14/04/2008] 2CCC474EB85CEAA3E1FA1726580A3E5A
C:\Qoobox\Quarantine\C\WINDOWS\system32\dllcache\ws2_32.dll --a--- 82432 bytes [00:05 13/06/2009] [00:12 14/04/2008] 2CCC474EB85CEAA3E1FA1726580A3E5A
C:\Qoobox\Quarantine\C\WINDOWS\system32\ws2_32.dll --a--- 82432 bytes [00:05 13/06/2009] [00:12 14/04/2008] 2CCC474EB85CEAA3E1FA1726580A3E5A
C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2_32.dll ------ 82432 bytes [17:55 21/09/2008] [00:12 14/04/2008] 2CCC474EB85CEAA3E1FA1726580A3E5A
C:\WINDOWS\system32\ws2_32.dll --a--- 82944 bytes [15:00 10/08/2004] [07:00 10/08/2004] 2ED0B7F12A60F90092081C50FA0EC2B2

-=End Of File=-

descriptionWireless disabled due to Virus - Page 1 EmptyRe: Wireless disabled due to Virus13th June 2009, 7:52 pm

more_horiz
Download the GMER rootkit scan from here: GMER

  1. Unzip it and start GMER.
  2. Click the >>> tab and then click the Scan button.
  3. Once done, click the Copy button.
  4. This will copy the results to your clipboard.
  5. Paste the results in your next reply.
Note:
If you're having problems with running GMER.exe, try it in safe mode. This tools works in safe mode.
You can also try renaming it since some malware blocks GMER.

The log will be quite big, so I need you to upload it to rapidshare.com please.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
Wireless disabled due to Virus - Page 1 DXwU4
Wireless disabled due to Virus - Page 1 VvYDg

descriptionWireless disabled due to Virus - Page 1 EmptyRe: Wireless disabled due to Virus14th June 2009, 2:11 am

more_horiz
http://rapidshare.com/files/244283049/gmer.txt.html
MD5: 42356A9CF49AD7FDA68128ECC9082CDE

descriptionWireless disabled due to Virus - Page 1 EmptyRe: Wireless disabled due to Virus14th June 2009, 6:20 pm

more_horiz
Submit a file for analysis.

  1. Please visit this website: Jotti's Malware Scanner
  2. Press the "Browse" button and locate the following file in bold:
    C:\WINDOWS\system32\ws2_32.dll
  3. Press the "Submit File button to submit the file for analysis.
  4. Allow it to be scanned, it could take a few minutes depending on server load.
  5. Copy and paste the result back here.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
Wireless disabled due to Virus - Page 1 DXwU4
Wireless disabled due to Virus - Page 1 VvYDg

descriptionWireless disabled due to Virus - Page 1 EmptyRe: Wireless disabled due to Virus14th June 2009, 10:11 pm

more_horiz
Hi,
Is there any scan tool that i can download, i do not have internet access to use an online scan tool?

descriptionWireless disabled due to Virus - Page 1 EmptyRe: Wireless disabled due to Virus14th June 2009, 10:24 pm

more_horiz
Can you zip a copy of the file and transfer it to another machine with working internet? then unzip it and run the online scan?

Could also try Winsock XP Fix, download and run:
http://www.snapfiles.com/get/winsockxpfix.html

Press fix, then reboot.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
Wireless disabled due to Virus - Page 1 DXwU4
Wireless disabled due to Virus - Page 1 VvYDg

descriptionWireless disabled due to Virus - Page 1 EmptyRe: Wireless disabled due to Virus15th June 2009, 1:53 pm

more_horiz
Jotti's Malware Scanner found no infections.
Winsock XP Fix did not fix the problem. However,

Back to Performing a a new ws2_32.dll manually i had some success. I am able to move the clean file to system32 successfully in safe mode.


SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 09:48 on 15/06/2009 by david (Administrator - Elevation successful)

========== filefind ==========

Searching for "ws2_32.dll"
C:\I386\SYSTEM32\ws2_32.dll --a--- 82432 bytes [05:09 15/06/2009] [00:12 14/04/2008] 2CCC474EB85CEAA3E1FA1726580A3E5A
C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2_32.dll ------ 82432 bytes [17:55 21/09/2008] [00:12 14/04/2008] 2CCC474EB85CEAA3E1FA1726580A3E5A
C:\WINDOWS\system32\ws2_32.dll --a--- 82432 bytes [13:22 15/06/2009] [00:12 14/04/2008] 2CCC474EB85CEAA3E1FA1726580A3E5A

-=End Of File=-

descriptionWireless disabled due to Virus - Page 1 EmptyRe: Wireless disabled due to Virus15th June 2009, 2:01 pm

more_horiz
Hooray! Well done. The patched file is gone, and there's another backup appeared.
Did you run Winsock XP Fix AFTER replacing the bad file? or BEFORE?

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
Wireless disabled due to Virus - Page 1 DXwU4
Wireless disabled due to Virus - Page 1 VvYDg

descriptionWireless disabled due to Virus - Page 1 EmptyRe: Wireless disabled due to Virus15th June 2009, 2:35 pm

more_horiz
thank you. Ran Winsock XP Fix Before fixing file. Should I run it again?

descriptionWireless disabled due to Virus - Page 1 EmptyRe: Wireless disabled due to Virus15th June 2009, 2:36 pm

more_horiz
Could never have done it without your help.

descriptionWireless disabled due to Virus - Page 1 EmptyRe: Wireless disabled due to Virus15th June 2009, 2:46 pm

more_horiz
Yes, because the new file is replaced, so the Winsock will need fixing again.
Run it again, then reboot to make sure it's done it's job.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
Wireless disabled due to Virus - Page 1 DXwU4
Wireless disabled due to Virus - Page 1 VvYDg

descriptionWireless disabled due to Virus - Page 1 EmptyRe: Wireless disabled due to Virus15th June 2009, 4:28 pm

more_horiz
Tried Winsock again but did not give me internet access all network drives still show code 39

descriptionWireless disabled due to Virus - Page 1 EmptyRe: Wireless disabled due to Virus15th June 2009, 4:52 pm

more_horiz
Okay, I may need to pass this onto Doc and he'll help you troubleshoot it.
Is it wireless problems?

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
Wireless disabled due to Virus - Page 1 DXwU4
Wireless disabled due to Virus - Page 1 VvYDg

descriptionWireless disabled due to Virus - Page 1 EmptyRe: Wireless disabled due to Virus15th June 2009, 6:00 pm

more_horiz
Yes, i can not access the internet through landline or wireless.
Thank you so much for all your help. It is greatly appreciated!

descriptionWireless disabled due to Virus - Page 1 EmptyRe: Wireless disabled due to Virus16th June 2009, 11:07 pm

more_horiz
Hello,
Any New Ideas?

descriptionWireless disabled due to Virus - Page 1 EmptyRe: Wireless disabled due to Virus

more_horiz
privacy_tip Permissions in this forum:
You cannot reply to topics in this forum