WiredWX Christian Hobby Weather Tools
Malwarebytes won't run
Hi,

It seems like an awful virus is on my computer which is preventing me from running malwarebytes. I think it is the antiviruspro2009. I have tried some of the suggestions posted here, like changing the name of the malware.exe file, but nothing is working. If anyone could offer any help, it would be greatly appreciated. I know some people have posted logs from their computers - I am happy to do so, but I am not sure how to. If anyone can offer step by step instructions on how to resolve this issue, that would be great.

Re: Malwarebytes won't run
Hello,

Please post your HijackThis log here.

http://www.geekpolice.net/-t3821.htm

............................................................................................

Please be a GeekPolice fan on Facebook!

Have we helped you? Help us! | Doctor by day, ninja by night.

Malwarebytes
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:28:30, on 7/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Documents and Settings\All Users\Application Data\17778254\17778254.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Nidhi c\Desktop\winlogon.exe
C:\Program Files\Internet Explorer\Iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.nytimes.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [sealmon] C:\Program Files\SealedMedia\sealmon.exe
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [medicsp2] C:\Program Files\twc\medicsp2\bin\sprtcmd.exe /P medicsp2
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [net] "C:\WINDOWS\system32\net.net"
O4 - HKLM\..\Run: [17778254] C:\Documents and Settings\All Users\Application Data\17778254\17778254.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [PowerMgr] "C:\WINDOWS\system32\Rundll32.exe" "C:\DOCUME~1\NIDHIC~1\LOCALS~1\Temp\tmp128.tmp",Init
O4 - HKCU\..\Run: [ColdWare] C:\DOCUME~1\NIDHIC~1\LOCALS~1\Temp\g.exe
O4 - HKCU\..\Run: [Cognac] C:\DOCUME~1\NIDHIC~1\LOCALS~1\Temp\b.exe
O4 - HKUS\S-1-5-21-2847293362-1000436004-2561748972-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-2847293362-1000436004-2561748972-1006\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1 (User '?')
O4 - HKUS\S-1-5-21-2847293362-1000436004-2561748972-1006\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-2847293362-1000436004-2561748972-1006\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User '?')
O4 - HKUS\S-1-5-21-2847293362-1000436004-2561748972-1006\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - HKUS\S-1-5-21-2847293362-1000436004-2561748972-1006\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (User '?')
O4 - HKUS\S-1-5-21-2847293362-1000436004-2561748972-1006\..\Run: [PowerMgr] "C:\WINDOWS\system32\Rundll32.exe" "C:\DOCUME~1\NIDHIC~1\LOCALS~1\Temp\tmp128.tmp",Init (User '?')
O4 - HKUS\S-1-5-21-2847293362-1000436004-2561748972-1006\..\Run: [ColdWare] C:\DOCUME~1\NIDHIC~1\LOCALS~1\Temp\g.exe (User '?')
O4 - HKUS\S-1-5-21-2847293362-1000436004-2561748972-1006\..\Run: [Cognac] C:\DOCUME~1\NIDHIC~1\LOCALS~1\Temp\b.exe (User '?')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - https://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - https://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173634924548
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab?
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SupportSoft Sprocket Service (medicsp2) (sprtsvc_medicsp2) - SupportSoft, Inc. - C:\Program Files\twc\medicsp2\bin\sprtsvc.exe

--
End of file - 11330 bytes

Re: Malwarebytes won't run
Hello.

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
You can reenable TeaTimer once your system is clean.

Please make sure TeaTimer is disabled before we do this; otherwise this fix will fail.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - (no file)
    O4 - HKLM\..\Run: [net] "C:\WINDOWS\system32\net.net"
    O4 - HKLM\..\Run: [17778254] C:\Documents and Settings\All Users\Application Data\17778254\17778254.exe
    O4 - HKCU\..\Run: [PowerMgr] "C:\WINDOWS\system32\Rundll32.exe" "C:\DOCUME~1\NIDHIC~1\LOCALS~1\Temp\tmp128.tmp",Init
    O4 - HKCU\..\Run: [ColdWare] C:\DOCUME~1\NIDHIC~1\LOCALS~1\Temp\g.exe
    O4 - HKCU\..\Run: [Cognac] C:\DOCUME~1\NIDHIC~1\LOCALS~1\Temp\b.exe
    O4 - HKUS\S-1-5-21-2847293362-1000436004-2561748972-1006\..\Run: [ColdWare] C:\DOCUME~1\NIDHIC~1\LOCALS~1\Temp\g.exe (User '?')
    O4 - HKUS\S-1-5-21-2847293362-1000436004-2561748972-1006\..\Run: [Cognac] C:\DOCUME~1\NIDHIC~1\LOCALS~1\Temp\b.exe (User '?')


  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
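The entries the helper picked out of the HijackThis log above share a few traits: a BHO whose file is gone, a Run-key value pointing at a non-executable extension (net.net), a purely numeric folder under Application Data, and loaders living in the user's Temp directory. As an added example (not part of the thread, not HijackThis code, and with heuristics that are my own rather than anything the helper stated), the Python below parses O2/O4 lines and reports which of those traits each entry trips, so a reader can see why those particular lines were selected. The sample lines are copied from the posted log, with two benign entries kept in for contrast.

```python
import re

# Sample lines copied from the HijackThis log posted earlier in the thread, plus
# two benign entries (igfxtray, TeaTimer) kept in for contrast.
SAMPLE_LOG = r"""
O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [net] "C:\WINDOWS\system32\net.net"
O4 - HKLM\..\Run: [17778254] C:\Documents and Settings\All Users\Application Data\17778254\17778254.exe
O4 - HKCU\..\Run: [PowerMgr] "C:\WINDOWS\system32\Rundll32.exe" "C:\DOCUME~1\NIDHIC~1\LOCALS~1\Temp\tmp128.tmp",Init
O4 - HKCU\..\Run: [ColdWare] C:\DOCUME~1\NIDHIC~1\LOCALS~1\Temp\g.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-2847293362-1000436004-2561748972-1006\..\Run: [Cognac] C:\DOCUME~1\NIDHIC~1\LOCALS~1\Temp\b.exe (User '?')
"""

# O4 lines: "O4 - <hive>\..\Run: [<value name>] <command> [(User '...')]"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+?)(?: \(User '[^']*'\))?$")
# O2 lines: "O2 - BHO: <name> - {CLSID} - <path or (no file)>"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<cmd>.*)$")
# A Windows path ending in an extension, terminated by a quote, comma, whitespace or end of line.
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]*?\.(?P<ext>[A-Za-z0-9]{2,4})(?=[",\s]|$)')

EXPECTED_EXT = {"exe", "dll", "lnk"}


def parse_entries(log_text):
    """Yield (kind, name, command) for O2 BHO and O4 Run-key lines; other lines are ignored."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            yield "O4", m.group("name"), m.group("cmd")
            continue
        m = O2_RE.match(line)
        if m:
            yield "O2", m.group("name"), m.group("cmd")


def suspicious_reasons(kind, name, cmd):
    """Heuristic triage only (my own rules): reasons an entry deserves a closer look, empty if none."""
    reasons = []
    if kind == "O2" and cmd.strip().lower() == "(no file)":
        reasons.append("BHO registered but its file is missing (orphaned entry)")
    for m in PATH_RE.finditer(cmd):
        path, ext = m.group(0), m.group("ext").lower()
        if "\\temp\\" in path.lower():
            reasons.append(f"runs from a Temp directory: {path}")
        if ext not in EXPECTED_EXT:
            reasons.append(f"unexpected extension .{ext}: {path}")
        # A folder or file name that is only digits (e.g. 17778254) is typical of generated dropper names.
        if any(part.isdigit() for part in path.split("\\")):
            reasons.append(f"purely numeric path component: {path}")
    if name.isdigit():
        reasons.append("Run-key value name is purely numeric")
    return reasons


def triage(log_text):
    """Return {entry name: [reasons]} for every parsed entry that tripped at least one heuristic."""
    flagged = {}
    for kind, name, cmd in parse_entries(log_text):
        reasons = suspicious_reasons(kind, name, cmd)
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG).items():
        print(f"[{name}]")
        for r in reasons:
            print("   -", r)
```

Running it flags exactly the six entries the helper asked to have fixed (XML module, net, 17778254, PowerMgr, ColdWare, Cognac) and leaves igfxtray, the Spybot BHO and TeaTimer alone. The heuristics are deliberately coarse: they say which lines deserve a human look, not that a line is malicious.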

Re: Malwarebytes won't run
Hello,

Thank you for your response. Unfortunately, the virus is preventing me from opening any application. When I click on Spybot, I get the hour glass for a few seconds and then nothing happens. The same thing happens whenever I try to run Malwarebytes. I couldn't even open the notepad to read the HijackThis results. I had to email it to another computer and open it there. My Outlook won't open. The only thing that is running on my infected laptop is Internet Explorer. I can't open Firefox.

The virus has taken over the background of my computer. Instead of showing the photo that I use as my wallpaper there is a message that says "Warning! You're in Danger? Your computer is infected with spyware!" It goes on and talks about how someone is trying to steal everything on my computer.

Is there any other way to disable Spybot without actually opening it?

Thanks - I appreciate your help!

Re: Malwarebytes won't run
Hello.

  • Download combofix from here
    Link 1
    Link 2

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    (screenshot: CF_download_FF)

    (screenshot: CF_download_rename)

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See HERE for how to disable your AV. (mcafee)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

    (screenshot: Rcauto10)

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

    (screenshot: Whatne10)

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


Malwarebytes won't run
Hello,

I downloaded Combofix. I am unable to disable McAfee because I cannot access my system tray. It is preventing me from running Combofix. Do you have any idea about how I can disable McAfee when I can't get to my system tray? I also have a few other anti-virus tools on my laptop - Spybot, Windows Defender, etc. Do all of these have to be disabled to run Combofix?

Thanks.

Re: Malwarebytes won't run
Hello.
No, the other tools will be closed when Combofix runs, because Combofix kills all un-needed processes apart from those Windows needs to run.

Uninstall McAfee, then run Combofix.


Re: Malwarebytes won't run
Hello,

I tried to uninstall McAfee but was unable to. When I click on "Add or Remove Programs", nothing happens. Other things in my Control Panel will open, but not "Add or Remove Programs." Is there any other way to uninstall McAfee?

Thanks!

Re: Malwarebytes won't run
Yes, there is a removal tool just for McAfee here:

http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe

............................................................................................

While my help is always free, please consider donating to keep this site alive: Donate

Re: Malwarebytes won't run
I used the removal tool for McAfee. I still cannot run Combo Fix. When I double click on it, Combo Fix runs for about half a second and then shuts down. There is something else that is blocking it from running.

Re: Malwarebytes won't run
Did you rename it as Combo-Fix?


Re: Malwarebytes won't run
Yes, I did. I saved it to my Desktop. It is a small red icon that is now labelled "Combo-Fix".

Re: Malwarebytes won't run
Download the GMER rootkit scan from here: GMER

  1. Unzip it and start GMER.
  2. Click the >>> tab and then click the Scan button.
  3. Once done, click the Copy button.
  4. This will copy the results to your clipboard.
  5. Paste the results in your next reply.
Note:
If you're having problems with running GMER.exe, try it in safe mode. This tool works in safe mode.
You can also try renaming it since some malware blocks GMER.


Malwarebytes won't run
GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-16 20:36:47
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----
Code 86D2D0B8 ZwEnumerateKey
Code 86D39708 ZwFlushInstructionCache
Code 86D2BE96 IofCallDriver
Code 86D2A9E6 IofCompleteRequest
Code 86D39765 ZwSaveKey
Code 86D399B5 ZwSaveKeyEx
---- Kernel code sections - GMER 1.0.15 ----
.text ntoskrnl.exe!ZwSaveKey 804DD6E8 5 Bytes JMP 86D3976A
.text ntoskrnl.exe!ZwSaveKeyEx 804DD6FC 5 Bytes JMP 86D399BA
.text ntoskrnl.exe!IofCallDriver 804E37C5 5 Bytes JMP 86D2BE9B
.text ntoskrnl.exe!IofCompleteRequest 804E3BF6 5 Bytes JMP 86D2A9EB
PAGE ntoskrnl.exe!ZwEnumerateKey 80570D64 5 Bytes JMP 86D2D0BC
PAGE ntoskrnl.exe!ZwFlushInstructionCache 80577693 5 Bytes JMP 86D3970C
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\spoolsv.exe[216] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 01026C30 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 01029830 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00A2000A
.text C:\WINDOWS\system32\spoolsv.exe[216] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00A3000A
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!ReadFile 7C801812 5 Bytes JMP 01026DA0 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01026170 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!CreateFileMappingW 7C80943C 5 Bytes JMP 01029460 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 01027720 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!OpenFileMappingW 7C80BB7A 5 Bytes JMP 01029710 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!DuplicateHandle 7C80DE9E 5 Bytes JMP 01029310 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 01028F50 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!FindClose 7C80EE77 5 Bytes JMP 01029070 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!FindFirstFileW 7C80EF81 5 Bytes JMP 01028E50 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!FindNextFileW 7C80EFDA 5 Bytes JMP 01029150 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 010266C0 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!GetFileSize 7C810B17 5 Bytes JMP 010274A0 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!SetFilePointer 7C810C2E 5 Bytes JMP 01027350 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!WriteFile 7C810E27 5 Bytes JMP 01027020 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!GetFileType 7C810EF1 5 Bytes JMP 01027AB0 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 01027790 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!GetFileAttributesA 7C8115DC 5 Bytes JMP 010276A0 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!FlushFileBuffers 7C8126E1 5 Bytes JMP 010272D0 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!FindFirstFileA 7C813879 5 Bytes JMP 01028D50 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 010282F0 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 01027C50 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 01027E60 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!GetFileTime 7C831C4D 5 Bytes JMP 01027890 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!SetFileTime 7C831CC0 5 Bytes JMP 010279A0 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!DeleteFileA 7C831EDD 5 Bytes JMP 01028920 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 01028A60 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!SetEndOfFile 7C832076 2 Bytes JMP 01027580 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!SetEndOfFile + 3 7C832079 2 Bytes [7F, 84] {JG 0xffffffffffffff86}
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!UnlockFile 7C8322EC 5 Bytes JMP 01027BC0 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!LockFile 7C832391 5 Bytes JMP 01027B30 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!FindNextFileA 7C834EE1 5 Bytes JMP 010290E0 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!_hread 7C8353FE 5 Bytes JMP 01028BA0 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!_llseek 7C835436 5 Bytes JMP 01028CC0 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!
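The GMER output above mixes three kinds of hook line: inline JMP patches on ntoskrnl exports (the "Kernel code sections" block), user-mode detours in spoolsv.exe whose destination GMER maps to a named DLL (sealnt.dll, a SealedMedia library), and two detours (LdrLoadDll, LdrUnloadDll) whose target address carries no module name at all. As an added example (not part of the thread and not GMER's own code; the grouping rule is my own triage heuristic), the Python below parses those lines and sorts them into the three buckets so the unattributed ones stand out. The sample lines are copied from the log posted above.

```python
import re
from collections import defaultdict

# Constructed excerpt: lines copied from the GMER log posted above (two kernel hooks, two
# unattributed user-mode hooks and two attributed ones), plus the section headers GMER emits.
SAMPLE_GMER = r"""
---- Kernel code sections - GMER 1.0.15 ----
.text ntoskrnl.exe!ZwSaveKey 804DD6E8 5 Bytes JMP 86D3976A
PAGE ntoskrnl.exe!ZwEnumerateKey 80570D64 5 Bytes JMP 86D2D0BC
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\spoolsv.exe[216] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 01026C30 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00A2000A
.text C:\WINDOWS\system32\spoolsv.exe[216] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00A3000A
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!SetEndOfFile 7C832076 2 Bytes JMP 01027580 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
"""

# "---- <title> - GMER 1.0.15 ----" section headers
SECTION_RE = re.compile(r"^---- (?P<title>.+?) - GMER")
# "<seg> [process.exe[pid]] <module>!<func> <addr> <n> Bytes JMP <target> [<owning module>]"
HOOK_RE = re.compile(
    r"^(?P<seg>\.text|PAGE|INIT)\s+"
    r"(?:(?P<process>.+?\[\d+\])\s+)?"          # present only on user-mode lines
    r"(?P<module>[^\s!]+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-F]{8})\s+(?P<size>\d+) Bytes\s+JMP\s+(?P<target>[0-9A-F]{8})"
    r"(?:\s+(?P<owner>.+))?$"
)


def parse_hooks(text):
    """Return one dict per JMP hook line, tagged with the GMER section it appeared under."""
    hooks, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("title")
            continue
        m = HOOK_RE.match(line)
        if m:
            hooks.append({"section": section, **m.groupdict()})
    return hooks


def triage_hooks(text):
    """Sort hooks into kernel patches, unattributed user-mode detours, and detours into a named DLL."""
    report = {"kernel": [], "unattributed": [], "attributed": defaultdict(list)}
    for h in parse_hooks(text):
        where = f"{h['module']}!{h['func']}"
        if h["section"] and h["section"].startswith("Kernel"):
            # Inline JMP patches on ntoskrnl exports with no owning driver listed:
            # the first thing to investigate on a box that cannot start its scanners.
            report["kernel"].append((where, h["target"]))
        elif h["owner"] is None:
            # User-mode detour whose destination GMER could not map to any loaded module.
            report["unattributed"].append((h["process"], where, h["target"]))
        else:
            # Detour into a named DLL; often legitimate (AV, DRM), but record who owns it.
            report["attributed"][h["owner"]].append((h["process"], where))
    report["attributed"] = dict(report["attributed"])
    return report


if __name__ == "__main__":
    r = triage_hooks(SAMPLE_GMER)
    print("kernel hooks:", r["kernel"])
    print("unattributed user-mode hooks:", r["unattributed"])
    for owner, hooks in r["attributed"].items():
        print(f"attributed to {owner}: {len(hooks)} hook(s)")
```

On the excerpt this yields two kernel patches, the two unattributed LdrLoadDll/LdrUnloadDll detours in spoolsv.exe, and one owning module (sealnt.dll) for the rest. Lines such as the "SetEndOfFile + 3" byte dump are not JMP hooks and are skipped; a real triage would still read them by hand.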

Malwarebytes won't run
Part 1

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-16 20:36:47
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----
Code 86D2D0B8 ZwEnumerateKey
Code 86D39708 ZwFlushInstructionCache
Code 86D2BE96 IofCallDriver
Code 86D2A9E6 IofCompleteRequest
Code 86D39765 ZwSaveKey
Code 86D399B5 ZwSaveKeyEx
---- Kernel code sections - GMER 1.0.15 ----
.text ntoskrnl.exe!ZwSaveKey 804DD6E8 5 Bytes JMP 86D3976A
.text ntoskrnl.exe!ZwSaveKeyEx 804DD6FC 5 Bytes JMP 86D399BA
.text ntoskrnl.exe!IofCallDriver 804E37C5 5 Bytes JMP 86D2BE9B
.text ntoskrnl.exe!IofCompleteRequest 804E3BF6 5 Bytes JMP 86D2A9EB
PAGE ntoskrnl.exe!ZwEnumerateKey 80570D64 5 Bytes JMP 86D2D0BC
PAGE ntoskrnl.exe!ZwFlushInstructionCache 80577693 5 Bytes JMP 86D3970C
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\spoolsv.exe[216] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 01026C30 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 01029830 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00A2000A
.text C:\WINDOWS\system32\spoolsv.exe[216] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00A3000A
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!ReadFile 7C801812 5 Bytes JMP 01026DA0 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01026170 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!CreateFileMappingW 7C80943C 5 Bytes JMP 01029460 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 01027720 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!OpenFileMappingW 7C80BB7A 5 Bytes JMP 01029710 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!DuplicateHandle 7C80DE9E 5 Bytes JMP 01029310 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 01028F50 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!FindClose 7C80EE77 5 Bytes JMP 01029070 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!FindFirstFileW 7C80EF81 5 Bytes JMP 01028E50 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!FindNextFileW 7C80EFDA 5 Bytes JMP 01029150 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 010266C0 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!GetFileSize 7C810B17 5 Bytes JMP 010274A0 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!SetFilePointer 7C810C2E 5 Bytes JMP 01027350 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!WriteFile 7C810E27 5 Bytes JMP 01027020 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!GetFileType 7C810EF1 5 Bytes JMP 01027AB0 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 01027790 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!GetFileAttributesA 7C8115DC 5 Bytes JMP 010276A0 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!FlushFileBuffers 7C8126E1 5 Bytes JMP 010272D0 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!FindFirstFileA 7C813879 5 Bytes JMP 01028D50 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 010282F0 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 01027C50 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 01027E60 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!GetFileTime 7C831C4D 5 Bytes JMP 01027890 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!SetFileTime 7C831CC0 5 Bytes JMP 010279A0 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!DeleteFileA 7C831EDD 5 Bytes JMP 01028920 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 01028A60 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!SetEndOfFile 7C832076 2 Bytes JMP 01027580 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!SetEndOfFile + 3 7C832079 2

Malwarebytes won't run
Part 2:

Bytes [7F, 84] {JG 0xffffffffffffff86}
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!UnlockFile 7C8322EC 5 Bytes JMP 01027BC0 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!LockFile 7C832391 5 Bytes JMP 01027B30 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!FindNextFileA 7C834EE1 5 Bytes JMP 010290E0 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!_hread 7C8353FE 5 Bytes JMP 01028BA0 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!_llseek 7C835436 5 Bytes JMP 01028CC0 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 01028570 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!GetShortPathNameA 7C835BE0 5 Bytes JMP 010291C0 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 01028070 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!ReplaceFile 7C836C6C 5 Bytes JMP 01028800 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] kernel32.dll!_hwrite 7C838B17 5 Bytes JMP 01028C30 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 010254A0 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 01024F40 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] GDI32.dll!StretchBlt 77F1B6D0 5 Bytes JMP 010252E0 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 010250E0 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 01024A20 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 01024C00 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] GDI32.dll!CopyEnhMetaFileW 77F270CC 5 Bytes JMP 01025F60 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] GDI32.dll!CopyMetaFileW 77F2C3ED 5 Bytes JMP 01025D50 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] GDI32.dll!CopyMetaFileA 77F2C52B 5 Bytes JMP 010258C0 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] GDI32.dll!GetMetaFileW 77F3853D 5 Bytes JMP 01025AD0 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] GDI32.dll!GetEnhMetaFileW 77F397A3 5 Bytes JMP 01025C10 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] GDI32.dll!GetMetaFileA 77F44216 5 Bytes JMP 01025640 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] GDI32.dll!StartDocW 77F45962 5 Bytes JMP 0102AA60 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] GDI32.dll!StartDocA 77F45E79 5 Bytes JMP 0102A990 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] GDI32.dll!GetEnhMetaFileA 77F4AE35 5 Bytes JMP 01025780 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] USER32.dll!ReleaseDC 7E41869D 5 Bytes JMP 01025420 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] USER32.dll!GetDC 7E4186C7 5 Bytes JMP 01024DE0 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] USER32.dll!GetWindowDC 7E419021 5 Bytes JMP 01024ED0 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] USER32.dll!PrintWindow 7E423810 5 Bytes JMP 01025570 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] USER32.dll!GetDCEx 7E42C595 5 Bytes JMP 01024E50 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\spoolsv.exe[216] ole32.dll!DoDragDrop 775D0B6D 5 Bytes JMP 01029930 C:\Program Files\SealedMedia\sealnt.dll (SealedMedia Library/SealedMedia)
.text C:\WINDOWS\system32\winlogon.exe[812] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 006F000A
.text C:\WINDOWS\system32\winlogon.exe[812] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0070000A
.text C:\WINDOWS\system32\services.exe[860] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 006F000A
.text C:\WINDOWS\system32\services.exe[860] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0070000A
.text C:\WINDOWS\system32\lsass.exe[872] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 007A000A
.text C:\WINDOWS\system32\lsass.exe[872] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 007D000A
.text C:\WINDOWS\Explorer.EXE[1516] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00CB000A
.text C:\WINDOWS\Explorer.EXE[1516] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00CC000A
.text C:\WINDOWS\system32\ctfmon.exe[1600] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00A3000A
.text C:\WINDOWS\system32\ctfmon.exe[1600] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00A4000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1680] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00BC000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1680] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00BD000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1680] USER32.dll!DialogBoxParamW

Malwarebytes won't run
Part 3:


7E4247AB 5 Bytes JMP 408BF341 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1680] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 40A5178F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1680] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 40A51710 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1680] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 40A51754 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1680] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 40A5169C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1680] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 40A516D6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1680] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 40A517CA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1680] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 408E16B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1680] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 10011DE0
.text C:\Program Files\Internet Explorer\iexplore.exe[1680] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10011C20
.text C:\Program Files\Internet Explorer\iexplore.exe[1680] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10011C00
.text C:\Program Files\Internet Explorer\iexplore.exe[1680] WS2_32.dll!recv 71AB676F 5 Bytes JMP 10011BE0
.text C:\Program Files\Internet Explorer\iexplore.exe[1680] WININET.dll!HttpAddRequestHeadersA 7805FB4D 5 Bytes JMP 00FC000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1680] WININET.dll!HttpAddRequestHeadersW 780CD14D 5 Bytes JMP 010D000A
.text C:\WINDOWS\system32\dla\tfswctrl.exe[1984] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00AA000A
.text C:\WINDOWS\system32\dla\tfswctrl.exe[1984] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00AB000A
.text C:\Documents and Settings\All Users\Application Data\17778254\17778254.exe[3016] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 009C000A
.text C:\Documents and Settings\All Users\Application Data\17778254\17778254.exe[3016] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 009D000A
.text C:\WINDOWS\system32\wuauclt.exe[3552] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 007A000A
.text C:\WINDOWS\system32\wuauclt.exe[3552] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 007B000A
.text C:\Documents and Settings\Nidhi c\Local Settings\Temporary Internet Files\Content.IE5\6VATOP8U\8nvff554[1].exe[4036] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00A9000A
.text C:\Documents and Settings\Nidhi c\Local Settings\Temporary Internet Files\Content.IE5\6VATOP8U\8nvff554[1].exe[4036] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00AA000A
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Tcpip \Device\Ip mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
---- Processes - GMER 1.0.15 ----
Library \\?\globalroot\systemroot\system32\UACuxcomttscjscjmoop.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [336] 0x00AC0000
Library \\?\globalroot\systemroot\system32\UACuxcomttscjscjmoop.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [672] 0x00AC0000
Library \\?\globalroot\systemroot\system32\UACuxcomttscjscjmoop.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1060] 0x032C0000
Library \\?\globalroot\systemroot\system32\UACuxcomttscjscjmoop.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1144] 0x00AC0000
Library \\?\globalroot\systemroot\system32\UACuxcomttscjscjmoop.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1228] 0x00AC0000
Library \\?\globalroot\systemroot\system32\UACuxcomttscjscjmoop.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1516] 0x00DB0000
Library \\?\globalroot\systemroot\system32\UACuxcomttscjscjmoop.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1744] 0x00AC0000
Library \\?\globalroot\systemroot\system32\UACuxcomttscjscjmoop.dll (*** hidden *** ) @

Malwarebytes won't run
Part 4:

C:\WINDOWS\system32\svchost.exe [1872] 0x00AC0000
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
Disk \Device\Harddisk0\DR0 sector 02: copy of MBR
Disk \Device\Harddisk0\DR0 sector 03: copy of MBR
Disk \Device\Harddisk0\DR0 sector 04: copy of MBR
Disk \Device\Harddisk0\DR0 sector 05: copy of MBR
Disk \Device\Harddisk0\DR0 sector 06: copy of MBR
Disk \Device\Harddisk0\DR0 sector 07: copy of MBR
Disk \Device\Harddisk0\DR0 sector 08: copy of MBR
Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 11: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 12: copy of MBR
Disk \Device\Harddisk0\DR0 sector 13: copy of MBR
Disk \Device\Harddisk0\DR0 sector 14: copy of MBR
Disk \Device\Harddisk0\DR0 sector 15: copy of MBR
Disk \Device\Harddisk0\DR0 sector 16: copy of MBR
Disk \Device\Harddisk0\DR0 sector 17: copy of MBR
Disk \Device\Harddisk0\DR0 sector 18: copy of MBR
Disk \Device\Harddisk0\DR0 sector 19: copy of MBR
Disk \Device\Harddisk0\DR0 sector 20: copy of MBR
Disk \Device\Harddisk0\DR0 sector 21: copy of MBR
Disk \Device\Harddisk0\DR0 sector 22: copy of MBR
Disk \Device\Harddisk0\DR0 sector 23: copy of MBR
Disk \Device\Harddisk0\DR0 sector 24: copy of MBR
Disk \Device\Harddisk0\DR0 sector 25: copy of MBR
Disk \Device\Harddisk0\DR0 sector 26: copy of MBR
Disk \Device\Harddisk0\DR0 sector 27: copy of MBR
Disk \Device\Harddisk0\DR0 sector 28: copy of MBR
Disk \Device\Harddisk0\DR0 sector 29: copy of MBR
Disk \Device\Harddisk0\DR0 sector 30: copy of MBR
Disk \Device\Harddisk0\DR0 sector 31: copy of MBR
Disk \Device\Harddisk0\DR0 sector 32: copy of MBR
Disk \Device\Harddisk0\DR0 sector 33: copy of MBR
Disk \Device\Harddisk0\DR0 sector 34: copy of MBR
Disk \Device\Harddisk0\DR0 sector 35: copy of MBR
Disk \Device\Harddisk0\DR0 sector 36: copy of MBR
Disk \Device\Harddisk0\DR0 sector 37: copy of MBR
Disk \Device\Harddisk0\DR0 sector 38: copy of MBR
Disk \Device\Harddisk0\DR0 sector 39: copy of MBR
Disk \Device\Harddisk0\DR0 sector 40: copy of MBR
Disk \Device\Harddisk0\DR0 sector 41: copy of MBR
Disk \Device\Harddisk0\DR0 sector 42: copy of MBR
Disk \Device\Harddisk0\DR0 sector 43: copy of MBR
Disk \Device\Harddisk0\DR0 sector 44: copy of MBR
Disk \Device\Harddisk0\DR0 sector 45: copy of MBR
Disk \Device\Harddisk0\DR0 sector 46: copy of MBR
Disk \Device\Harddisk0\DR0 sector 47: copy of MBR
Disk \Device\Harddisk0\DR0 sector 48: copy of MBR
Disk \Device\Harddisk0\DR0 sector 49: copy of MBR
Disk \Device\Harddisk0\DR0 sector 50: copy of MBR
Disk \Device\Harddisk0\DR0 sector 51: copy of MBR
Disk \Device\Harddisk0\DR0 sector 52: copy of MBR
Disk \Device\Harddisk0\DR0 sector 53: copy of MBR
Disk \Device\Harddisk0\DR0 sector 54: copy of MBR
Disk \Device\Harddisk0\DR0 sector 55: copy of MBR
Disk \Device\Harddisk0\DR0 sector 56: copy of MBR
Disk \Device\Harddisk0\DR0 sector 57: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 58: copy of MBR
Disk \Device\Harddisk0\DR0 sector 59: copy of MBR
Disk \Device\Harddisk0\DR0 sector 60: copy of MBR
Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR
---- EOF - GMER 1.0.15 ----

Re: Malwarebytes won't run
Please download GMER's MBR.exe to your desktop.
Double click on the MBR.exe to run it. A log will be produced, named MBR.log.
Please open this log in Notepad and post its contents in your next reply.

............................................................................................

While my help is always free, please consider donating to keep this site alive: Donate

Malwarebytes won't run
Below is the log - it isn't very long.


Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
BIOS signateure not found

Re: Malwarebytes won't run
We are going to have to run Combo-Fix in Safe Mode with Networking. Please do the following:

To get into Safe Mode with Networking: as the computer is booting, press and hold your "F8" key, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press your Enter key.

Note: With some computers, if you press and hold a key as the computer is booting you will get a stuck key message. If this occurs, instead of pressing and holding the "F8" key, tap it continuously until you get the startup menu. Once in the startup menu, select "Safe Mode with Networking", then follow these instructions:

Once in Safe Mode with Networking, run Combo-Fix.


Re: Malwarebytes won't run
ComboFix 09-07-19.02 - Nidhi c 07/19/2009 17:30:25.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1006.646 [GMT -4:00]
Running from: C:\Documents and Settings\Nidhi c\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\ALLUSE~1\APPLIC~1\17778254
C:\DOCUME~1\ALLUSE~1\APPLIC~1\17778254\17778254
C:\DOCUME~1\ALLUSE~1\APPLIC~1\17778254\17778254.exe
C:\WINDOWS\Install.txt
C:\WINDOWS\Installer\14b300.msi
C:\WINDOWS\Installer\14b306.msi
C:\WINDOWS\Installer\14b30c.msi
C:\WINDOWS\Installer\48db3.msp
C:\WINDOWS\Installer\c63d56.msp
C:\WINDOWS\msa.exe
C:\WINDOWS\system32\404Fix.exe
C:\WINDOWS\system32\Agent.OMZ.Fix.exe
C:\WINDOWS\system32\certstore.dat
C:\WINDOWS\system32\drivers\UACbotgenalmpixmkhbo.sys
C:\WINDOWS\system32\dumphive.exe
C:\WINDOWS\system32\IEDFix.C.exe
C:\WINDOWS\system32\IEDFix.exe
C:\WINDOWS\system32\Install.txt
C:\WINDOWS\system32\net.net
C:\WINDOWS\system32\o4Patch.exe
C:\WINDOWS\system32\pcmstub.sys
C:\WINDOWS\system32\Process.exe
C:\WINDOWS\system32\SrchSTS.exe
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\tpsaxyd.exe
C:\WINDOWS\system32\UACbhxgppjejtxbieqhw.dll
C:\WINDOWS\system32\UACbvlkkyijtsvoreuiu.dll
C:\WINDOWS\system32\uacinit.dll
C:\WINDOWS\system32\UAClsbiqmntakyydowqf.dll
C:\WINDOWS\system32\UACsequdnebxvjuvdpiq.db
C:\WINDOWS\system32\UACsowywkmkhljyuyjou.dat
C:\WINDOWS\system32\uactmp.db
C:\WINDOWS\system32\UACuxcomttscjscjmoop.dll
C:\WINDOWS\system32\UACyrultpmgomwhlqfnv.dll
C:\WINDOWS\system32\VACFix.exe
C:\WINDOWS\system32\VCCLSID.exe
C:\WINDOWS\system32\wiawow32.sys
C:\WINDOWS\system32\wiwow64.exe
C:\WINDOWS\system32\WS2Fix.exe
C:\WINDOWS\wiaserviv.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_6TO4
-------\Legacy_MSNCACHE
-------\Legacy_PCMSTUB
-------\Legacy_SOPIDKC
-------\Service_6to4
-------\Service_pcmstub


((((((((((((((((((((((((( Files Created from 2009-06-19 to 2009-07-19 )))))))))))))))))))))))))))))))
.

Re: Malwarebytes won't run

Hello, you cut off the log. Please post the whole log; if you forgot where you saved it, it should be somewhere in your C:\ drive.


Malwarebytes won't run
ComboFix 09-07-22.01 - Nidhi c 07/22/2009 23:48.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1006.652 [GMT -4:00]
Running from: c:\documents and settings\Nidhi c\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\-1341985594
C:\gfub.exe
C:\p2hhr.bat
c:\windows\010112010146118114.dat
c:\windows\0101120101464849.dat
c:\windows\0101120101465752.dat
c:\windows\freddy49.exe
c:\windows\Installer\33b3e.msi
c:\windows\Installer\b4c0c.msi
c:\windows\ld12.exe
c:\windows\system32\drivers\geyekrkltofrft.sys
c:\windows\system32\geyekrbfrsipxd.dat
c:\windows\system32\geyekrewbvpibo.dll
c:\windows\system32\geyekrulhrklos.dll
c:\windows\system32\geyekrvnbosthx.dat
c:\windows\system32\ghaf8jkdfd.dll
c:\windows\system32\wbem\proquota.exe
.
---- Previous Run -------
.
c:\docume~1\ALLUSE~1\APPLIC~1\17778254\17778254
c:\docume~1\ALLUSE~1\APPLIC~1\17778254\17778254.exe
c:\windows\Install.txt
c:\windows\Installer\14b300.msi
c:\windows\Installer\14b306.msi
c:\windows\Installer\14b30c.msi
c:\windows\Installer\48db3.msp
c:\windows\Installer\c63d56.msp
c:\windows\msa.exe
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\certstore.dat
c:\windows\system32\drivers\UACbotgenalmpixmkhbo.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\Install.txt
c:\windows\system32\net.net
c:\windows\system32\o4Patch.exe
c:\windows\system32\pcmstub.sys
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\tpsaxyd.exe
c:\windows\system32\UACbhxgppjejtxbieqhw.dll
c:\windows\system32\UACbvlkkyijtsvoreuiu.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UAClsbiqmntakyydowqf.dll
c:\windows\system32\UACsequdnebxvjuvdpiq.db
c:\windows\system32\UACsowywkmkhljyuyjou.dat
c:\windows\system32\uactmp.db
c:\windows\system32\UACuxcomttscjscjmoop.dll
c:\windows\system32\UACyrultpmgomwhlqfnv.dll
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\wiawow32.sys
c:\windows\system32\wiwow64.exe
c:\windows\system32\WS2Fix.exe
c:\windows\wiaserviv.log

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_6TO4
-------\Legacy_MSNCACHE
-------\Legacy_PCMSTUB
-------\Legacy_SOPIDKC
-------\Service_6to4
-------\Service_pcmstub


((((((((((((((((((((((((( Files Created from 2009-06-23 to 2009-07-23 )))))))))))))))))))))))))))))))
.

2009-07-23 03:55 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-23 03:55 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-07-22 03:18 . 2009-07-22 03:18 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-07-22 03:18 . 2009-07-22 03:18 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\SiteAdvisor
2009-07-22 03:13 . 2009-07-22 03:13 -------- d-----w- c:\program files\Common Files\McAfee
2009-07-22 03:12 . 2009-07-23 00:09 -------- d-----w- c:\program files\McAfee
2009-07-22 03:12 . 2009-07-22 03:13 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\McAfee
2009-07-19 23:02 . 2009-07-19 23:02 1 ---h--w- c:\windows\bf23567.dat
2009-07-19 21:58 . 2009-07-19 21:58 69845 ----a-w- C:\vphih.exe
2009-07-19 21:53 . 2009-07-19 21:58 22016 ----a-w- C:\fhlyeby.exe
2009-07-19 21:53 . 2009-07-19 21:58 11264 ----a-w- C:\benfuse.exe
2009-07-19 21:53 . 2009-07-19 21:58 39936 ----a-w- C:\sitkrb.exe
2009-07-03 18:07 . 2009-07-03 18:07 -------- d-----w- c:\windows\system32\wbem\Repository

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-22 03:12 . 2008-12-15 13:13 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-19 21:58 . 2006-04-11 02:08 -------- d-----w- c:\program files\Google
2009-07-11 05:30 . 2008-11-02 06:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-03 05:18 . 2009-07-03 05:18 65536 ----a-w- c:\windows\system32\12D.tmp
2009-06-16 14:36 . 2004-08-10 17:51 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-08-10 17:51 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-03 19:09 . 2004-08-10 17:51 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-07 15:32 . 2004-08-10 17:51 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2004-08-10 17:51 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-10 17:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2008-11-02 05:13 . 2008-11-02 05:13 17509 ----a-w- c:\program files\Common Files\ogoku.bat
2008-11-02 05:13 . 2008-11-02 05:13 10781 ----a-w- c:\program files\Common Files\vaxux.ban
2009-07-23 02:31 . 2009-02-06 03:08 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2005-08-09 13:18 . 2005-07-27 19:16 56 --sh--r- c:\windows\system32\8DBC359ACF.sys
2005-08-09 13:18 . 2005-07-27 19:16 1890 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-07-22 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"tgcmd"="c:\program files\support.com\bin\tgcmd.exe" [2002-04-25 1544192]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-14 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-14 536576]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-23 94208]
"sealmon"="c:\program files\SealedMedia\sealmon.exe" [2006-06-20 94208]
"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 147514]
"medicsp2"="c:\program files\twc\medicsp2\bin\sprtcmd.exe" [2008-02-01 198184]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2005-02-25 139320]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-11-08 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-11-08 696320]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-04 111936]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-7-13 24576]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-9-19 282624]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-01-02 20:35 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\support.com\\bin\\tgcmd.exe"=
"c:\\Program Files\\Morpheus\\Morpheus.exe"=
"c:\\Program Files\\Java\\j2re1.4.2_03\\bin\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [4/5/2006 10:52 AM 58464]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [12/4/2008 2:50 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/4/2008 2:50 PM 55024]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [7/21/2009 11:13 PM 210216]
R2 sprtsvc_medicsp2;SupportSoft Sprocket Service (medicsp2);c:\program files\twc\medicsp2\bin\sprtsvc.exe [3/30/2008 11:51 AM 202280]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/4/2008 2:50 PM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6449166C-2951-4105-B1A9-481F56B5DAFA}]
c:\windows\UMBS\IPPRIN~1.0\PerUser.exe /S
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-net - c:\windows\system32\net.net
HKLM-Run-17778254 - c:\documents and settings\All Users\Application Data\17778254\17778254.exe
HKLM-Run-sysfbtray - c:\windows\freddy49.exe


.
------- Supplementary Scan -------
.
uStart Page = www.nytimes.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\docume~1\NIDHIC~1\APPLIC~1\Mozilla\Firefox\Profiles\1f1uect8.default\
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Nidhi c\Application Data\Mozilla\Firefox\Profiles\1f1uect8.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-22 23:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(816)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
Completion time: 2009-07-23 23:58
ComboFix-quarantined-files.txt 2009-07-23 03:58

Pre-Run: 42,233,901,056 bytes free
Post-Run: 42,216,038,400 bytes free

224 --- E O F --- 2009-07-23 00:35

Re: Malwarebytes won't run
Now open a new notepad file.
Input this into the notepad file:

File::
c:\windows\bf23567.dat
C:\vphih.exe
C:\fhlyeby.exe
C:\benfuse.exe
C:\sitkrb.exe
c:\windows\system32\12D.tmp
c:\windows\system32\8DBC359ACF.sys

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=-



Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:

This will open ComboFix again; agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.

............................................................................................

While my help is always free, please consider donating to keep this site alive: Donate


Malwarebytes won't run
ComboFix 09-07-23.04 - Nidhi c 07/24/2009 18:42.4.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1006.346 [GMT -4:00]
Running from: c:\documents and settings\Nidhi c\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Nidhi c\Desktop\CFScript.txt

FILE ::
"C:\benfuse.exe"
"C:\fhlyeby.exe"
"C:\sitkrb.exe"
"C:\vphih.exe"
"c:\windows\bf23567.dat"
"c:\windows\system32\12D.tmp"
"c:\windows\system32\8DBC359ACF.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\benfuse.exe
C:\fhlyeby.exe
C:\sitkrb.exe
C:\vphih.exe
c:\windows\bf23567.dat
c:\windows\run.log
c:\windows\system32\12D.tmp
c:\windows\system32\8DBC359ACF.sys

.
((((((((((((((((((((((((( Files Created from 2009-06-24 to 2009-07-24 )))))))))))))))))))))))))))))))
.

2009-07-23 03:55 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-23 03:55 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-07-22 03:18 . 2009-07-24 01:35 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-07-22 03:18 . 2009-07-22 03:18 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SACore
2009-07-22 03:18 . 2009-07-22 03:18 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-07-22 03:13 . 2009-07-22 03:13 -------- d-----w- c:\program files\Common Files\McAfee
2009-07-22 03:12 . 2009-07-23 00:09 -------- d-----w- c:\program files\McAfee
2009-07-22 03:12 . 2009-07-22 03:13 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-07-21 03:03 . 2009-07-21 03:03 1915520 ----a-w- c:\documents and settings\Nidhi c\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-07-03 18:07 . 2009-07-03 18:07 -------- d-----w- c:\windows\system32\wbem\Repository

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-22 03:12 . 2008-12-15 13:13 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-19 21:58 . 2006-04-11 02:08 -------- d-----w- c:\program files\Google
2009-07-11 05:30 . 2008-11-02 06:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-16 14:36 . 2004-08-10 17:51 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-08-10 17:51 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-03 19:09 . 2004-08-10 17:51 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-07 15:32 . 2004-08-10 17:51 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2004-08-10 17:51 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-10 17:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2008-11-02 05:13 . 2008-11-02 05:13 17509 ----a-w- c:\program files\Common Files\ogoku.bat
2008-11-02 05:13 . 2008-11-02 05:13 10781 ----a-w- c:\program files\Common Files\vaxux.ban
2009-07-23 02:31 . 2009-02-06 03:08 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2005-08-09 13:18 . 2005-07-27 19:16 1890 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-07-22 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"tgcmd"="c:\program files\support.com\bin\tgcmd.exe" [2002-04-25 1544192]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-14 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-14 536576]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-23 94208]
"sealmon"="c:\program files\SealedMedia\sealmon.exe" [2006-06-20 94208]
"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 147514]
"medicsp2"="c:\program files\twc\medicsp2\bin\sprtcmd.exe" [2008-02-01 198184]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2005-02-25 139320]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-11-08 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-11-08 696320]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-04 111936]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"net"="c:\windows\system32\net.net" [BU]
"17778254"="c:\documents and settings\All Users\Application Data\17778254\17778254.exe" [BU]
"sysfbtray"="c:\windows\freddy49.exe" [BU]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-7-13 24576]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-9-19 282624]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-01-02 20:35 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\support.com\\bin\\tgcmd.exe"=
"c:\\Program Files\\Morpheus\\Morpheus.exe"=
"c:\\Program Files\\Java\\j2re1.4.2_03\\bin\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [4/5/2006 10:52 AM 58464]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [12/4/2008 2:50 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/4/2008 2:50 PM 55024]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [7/21/2009 11:13 PM 210216]
R2 sprtsvc_medicsp2;SupportSoft Sprocket Service (medicsp2);c:\program files\twc\medicsp2\bin\sprtsvc.exe [3/30/2008 11:51 AM 202280]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/4/2008 2:50 PM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6449166C-2951-4105-B1A9-481F56B5DAFA}]
c:\windows\UMBS\IPPRIN~1.0\PerUser.exe /S
.
Contents of the 'Scheduled Tasks' folder

2009-05-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-07-24 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
.
------- Supplementary Scan -------
.
uStart Page = www.nytimes.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Nidhi c\Application Data\Mozilla\Firefox\Profiles\1f1uect8.default\
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Nidhi c\Application Data\Mozilla\Firefox\Profiles\1f1uect8.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-24 18:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(812)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL

- - - - - - - > 'explorer.exe'(1516)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-07-24 18:52
ComboFix-quarantined-files.txt 2009-07-24 22:51
ComboFix2.txt 2009-07-23 03:58

Pre-Run: 42,198,609,920 bytes free
Post-Run: 42,169,200,640 bytes free

177 --- E O F --- 2009-07-24 01:37

Re: Malwarebytes won't run
Hello.
The malware is back.

  • Open HijackThis.
  • When Hijack This opens, click "Open the Misc Tools section"
  • Then select "Open Uninstall Manager"
  • Click on "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
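A mechanical way to reach the conclusion the helper draws here: compare the CurrentVersion\Run values of the two ComboFix logs posted above. The first log's "ORPHANS REMOVED" section lists three values ComboFix deleted; the log produced after the CFScript run lists the same three again, now with "[BU]" where the other values carry a "[date size]" stamp. This is an added example, not code from the thread or from ComboFix; the log excerpts inside it are constructed from the two logs above, and the function names are my own.

```python
"""Compare the autorun (CurrentVersion\\Run) entries of two ComboFix logs.

Added example for this thread, not ComboFix's own code. It reports Run values
that are new in the second log, values that ComboFix had reported as removed
orphans but that are listed again, and values without a "[date size]" stamp.
"""
import re
from typing import Dict, List, Tuple

# Constructed excerpts of the two "Reg Loading Points" sections posted in this
# thread, trimmed to the lines that matter for the comparison.
LOG_BEFORE = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-net - c:\windows\system32\net.net
HKLM-Run-17778254 - c:\documents and settings\All Users\Application Data\17778254\17778254.exe
HKLM-Run-sysfbtray - c:\windows\freddy49.exe


.
------- Supplementary Scan -------
"""

LOG_AFTER = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"net"="c:\windows\system32\net.net" [BU]
"17778254"="c:\documents and settings\All Users\Application Data\17778254\17778254.exe" [BU]
"sysfbtray"="c:\windows\freddy49.exe" [BU]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
.
Contents of the 'Scheduled Tasks' folder
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*(?:\[(?P<stamp>[^\]]*)\])?\s*$')
ORPHAN_RE = re.compile(r"^HKLM-Run-(?P<name>\S+) - (?P<path>.+)$")
STAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d+$")  # ComboFix's "[date size]" field


def parse_run_entries(log_text: str) -> Dict[Tuple[str, str], Tuple[str, str]]:
    """Map (registry key, value name) -> (path, stamp) for every value listed
    under a ...\\CurrentVersion\\Run key. Keys, names and paths are lowercased
    because the registry is case-insensitive and ComboFix mixes cases."""
    entries: Dict[Tuple[str, str], Tuple[str, str]] = {}
    current_key = None
    for line in log_text.splitlines():
        if not line.strip():
            current_key = None          # a blank line closes the key block
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            key = key_match.group("key").lower()
            current_key = key if key.endswith(r"\currentversion\run") else None
            continue
        if current_key is None:
            continue
        value_match = VALUE_RE.match(line)
        if value_match:
            entries[(current_key, value_match.group("name").lower())] = (
                value_match.group("path").lower(),
                (value_match.group("stamp") or "").strip(),
            )
    return entries


def parse_orphans(log_text: str) -> Dict[str, str]:
    """Map value name -> path for the Run values in the 'ORPHANS REMOVED' section."""
    orphans: Dict[str, str] = {}
    in_section = False
    for line in log_text.splitlines():
        if "ORPHANS REMOVED" in line:
            in_section = True
            continue
        if in_section and line.startswith("."):   # next section marker
            break
        match = ORPHAN_RE.match(line) if in_section else None
        if match:
            orphans[match.group("name").lower()] = match.group("path").lower()
    return orphans


def new_autoruns(before: str, after: str) -> List[Tuple[str, str, str, str]]:
    """Run values present in `after` but not in `before`: (key, name, path, stamp)."""
    old = parse_run_entries(before)
    return sorted(
        (key, name, path, stamp)
        for (key, name), (path, stamp) in parse_run_entries(after).items()
        if (key, name) not in old
    )


def resurrected(before: str, after: str) -> List[Tuple[str, str]]:
    """Values reported as removed orphans in `before` that are listed again in `after`."""
    orphans = parse_orphans(before)
    return sorted(
        (name, path)
        for (_, name), (path, _) in parse_run_entries(after).items()
        if name in orphans
    )


def unstamped(log_text: str) -> List[Tuple[str, str, str]]:
    """Run values whose bracket field is not a '[date size]' stamp (e.g. '[BU]')."""
    return sorted(
        (name, path, stamp)
        for (_, name), (path, stamp) in parse_run_entries(log_text).items()
        if not STAMP_RE.match(stamp)
    )


if __name__ == "__main__":
    for _, name, path, stamp in new_autoruns(LOG_BEFORE, LOG_AFTER):
        print(f"NEW  {name:12} -> {path}  [{stamp}]")
    for name, path in resurrected(LOG_BEFORE, LOG_AFTER):
        print(f"BACK {name:12} -> {path}")
```

On the two excerpts the three values net, 17778254 and sysfbtray come out as both new and resurrected, which is the signal that the deletion did not hold and that whatever re-creates them is still running.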

Re: Malwarebytes won't run
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0.9
AOLIcon
Apple Mobile Device Support
Apple Software Update
Bonjour
Broadcom Management Programs
CardRd81
CCScore
ComcastSUPPORT
Conexant D480 MDC V.9x Modem
CR2
Critical Update for Windows Media Player 11 (KB959772)
Dell Driver Reset Tool
Dell Media Experience
Dell Picture Studio v3.0
Dell Support Center (Support Software)
DellConnect
DellSupport
Digital Line Detect
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
essvatgt
Google Earth
Google Talk (remove only)
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Intel(R) Extreme Graphics 2 Driver
Intel(R) PROSet/Wireless Software
Internet Explorer Default Page
iPod for Windows 2005-03-23
iPod for Windows 2005-10-12
iPod for Windows 2006-01-10
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 8
Jasc Paint Shop Photo Album 5
Jasc Paint Shop Pro Studio, Dell Editon
Java 2 Runtime Environment, SE v1.4.2_03
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
kgcbase
Kodak EasyShare software
Learn2 Player (Uninstall Only)
LimeWire 4.18.8
Macromedia Flash Player
Malwarebytes' Anti-Malware
McAfee SiteAdvisor
McAfee VirusScan Enterprise
mCore
mDriver
mDrWiFi
mHelp
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft User-Mode Driver Framework Feature Pack 1.0
mIWA
mLogView
mMHouse
MobileMe Control Panel
Modem Helper
Morpheus 5.0 (remove only)
Mozilla Firefox (3.0.12)
mPfMgr
mPfWiz
mProSafe
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
mWlsSafe
mXML
My Way Search Assistant
mZConfig
netbrdg
NetWaiting
OfotoXMI
OpenOffice.org Installer 1.0
Outlook Download
Photo Click
PowerDVD 5.5
Qualxserve Service Agreement
QuickTime
RealPlayer Basic
Road Runner Medic 6.1
Safari
SealedMedia Unsealer 5.1.5.0
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB973346)
SFR
SFR2
SHASTA
skin0001
SKINXSDK
Sonic DLA
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Spybot - Search & Destroy
Spybot - Search & Destroy 1.4
staticcr
SUPERAntiSpyware Free Edition
Synaptics Pointing Device Driver
Texas Instruments PCIxx20 drivers.
tooltips
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Viewpoint Media Player
VPRINTOL
WebEx
Winamp (remove only)
Windows Defender
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinZip
WIRELESS

Re: Malwarebytes won't run
Hello.

I see that you are running Limewire.
P2P (peer-to-peer) applications are designed to help you easily share and distribute files between you and a group of people. But they can also be used to distribute malware, and thus are not considered safe.
The removal of these programs is optional, but highly recommended.

If Limewire is not removed, then I won't help you.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    Adobe Reader 7.0.9
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 8
    Java 2 Runtime Environment, SE v1.4.2_03
    Java(TM) 6 Update 2
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7
    Java(TM) SE Runtime Environment 6 Update 1
    LimeWire 4.18.8
    My Way Search Assistant
    Spybot - Search & Destroy
    Spybot - Search & Destroy 1.4
    Viewpoint Media Player

Please download GMER's MBR.exe to your desktop.
Double click on the MBR.exe to run it. A log will be produced, named MBR.log.
Please open this log in Notepad and post its contents in your next reply.


Re: Malwarebytes won't run
Hello,

I removed all of the programs. When I tried to run MBR.exe, it ran for a second and then stopped. No log was produced. I think the malware is stopping it from running. Is there another step I can take in its place?

Thanks.

Re: Malwarebytes won't run
Rename mbr.exe to something else and see if it will run.


Re: Malwarebytes won't run
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

Re: Malwarebytes won't run
Okay, this looks good now.


Re: Malwarebytes won't run
Thanks so much for all of your help. Your organization is fantastic!

Re: Malwarebytes won't run
I seem to have another infection already. I added all of the security suggestions you made, but something is already infected. Here is my HijackThis post.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:17:40, on 7/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\twc\medicsp2\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\SealedMedia\sealmon.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\twc\medicsp2\bin\sprtcmd.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Nidhi c\Desktop\winlogon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.nytimes.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [sealmon] C:\Program Files\SealedMedia\sealmon.exe
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [medicsp2] C:\Program Files\twc\medicsp2\bin\sprtcmd.exe /P medicsp2
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [net] "C:\WINDOWS\system32\net.net"
O4 - HKLM\..\Run: [17778254] C:\Documents and Settings\All Users\Application Data\17778254\17778254.exe
O4 - HKLM\..\Run: [sysfbtray] C:\windows\freddy49.exe
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld12.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - https://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - https://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173634924548
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab?
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SupportSoft Sprocket Service (medicsp2) (sprtsvc_medicsp2) - SupportSoft, Inc. - C:\Program Files\twc\medicsp2\bin\sprtsvc.exe

--
End of file - 12442 bytes

Re: Malwarebytes won't run
Hello.

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
You can re-enable TeaTimer once your system is clean.

Please make sure TeaTimer is disabled before we do this, otherwise this fix will fail.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O4 - HKLM\..\Run: [net] "C:\WINDOWS\system32\net.net"
    O4 - HKLM\..\Run: [17778254] C:\Documents and Settings\All Users\Application Data\17778254\17778254.exe
    O4 - HKLM\..\Run: [sysfbtray] C:\windows\freddy49.exe
    O4 - HKLM\..\Run: [sysldtray] C:\windows\ld12.exe
  • Press "Fix Checked"
  • Close HijackThis.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
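
As an added illustration (my code, not the helper's or GeekPolice's), here is a small Python parser that reads the O4 Run lines from the HijackThis log above and flags the four entries the helper asked to fix. The three heuristics it applies (a Run target that is not an .exe, an executable dropped straight into the Windows root, and a digit-only folder and file name under All Users\Application Data) are my own reading of why those lines stand out, not rules stated on the page.

```python
import re

# Constructed sample: HKLM/HKCU Run entries copied from the HijackThis log
# above, mixing legitimate vendor entries with the four the helper flagged.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [medicsp2] C:\Program Files\twc\medicsp2\bin\sprtcmd.exe /P medicsp2
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [net] "C:\WINDOWS\system32\net.net"
O4 - HKLM\..\Run: [17778254] C:\Documents and Settings\All Users\Application Data\17778254\17778254.exe
O4 - HKLM\..\Run: [sysfbtray] C:\windows\freddy49.exe
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld12.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"""

# Shape of a HijackThis O4 Run line: O4 - <hive>\..\Run: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Heuristic 1: image placed directly in the Windows directory, not a subfolder.
WINDIR_ROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.IGNORECASE)
# Heuristic 2: digit-only folder and file name under the all-users profile data folder.
NUMERIC_APPDATA_RE = re.compile(r"\\all users\\application data\\\d+\\\d+\.exe$", re.IGNORECASE)


def extract_path(cmd: str) -> str:
    """Return the image path from a Run value's command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    # Unquoted: the path ends at the first extension-like token followed by
    # whitespace or end of line; anything after that is arguments.
    m = re.match(r"(.+?\.[A-Za-z0-9]{2,4})(?:\s|$)", cmd)
    return m.group(1) if m else cmd


def suspicious_reasons(path: str) -> list:
    """Apply the three heuristics (assumptions, see lead-in) to one image path."""
    reasons = []
    base = path.rsplit("\\", 1)[-1]
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext != "exe":
        reasons.append(f"run-key target is not an .exe ({base})")
    if WINDIR_ROOT_RE.match(path):
        reasons.append("executable sits directly in the Windows root")
    if NUMERIC_APPDATA_RE.search(path):
        reasons.append("digit-only folder and file name under All Users\\Application Data")
    return reasons


def flag_run_entries(log_text: str) -> dict:
    """Return {value name: [reasons]} for every O4 Run entry that trips a heuristic."""
    flagged = {}
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        reasons = suspicious_reasons(extract_path(m.group("cmd")))
        if reasons:
            flagged[m.group("name")] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in flag_run_entries(SAMPLE_O4_LINES).items():
        print(f"[{name}]: " + "; ".join(reasons))
```

Run against the sample it reports exactly net, 17778254, sysfbtray and sysldtray; the vendor entries in the same log pass all three checks.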

Re: Malwarebytes won't run
Hello, thanks for your post. I disabled TeaTimer and re-ran HijackThis. The 4 things you suggested I uncheck were not listed. Should I just proceed with running the Anti-Malware application?

Re: Malwarebytes won't run
Yes.

Re: Malwarebytes won't run
Malwarebytes' Anti-Malware 1.44
Database version: 3586
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/17/2010 11:22:50 PM
mbam-log-2010-01-17 (23-22-50).txt

Scan type: Quick Scan
Objects scanned: 112544
Time elapsed: 13 minute(s), 16 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 3
Registry Data Items Infected: 10
Folders Infected: 1
Files Infected: 12

Memory Processes Infected:
C:\WINDOWS\system32\smss32.exe (Trojan.FakeAlert) -> Unloaded process successfully.
C:\Program Files\InternetSecurity2010\IS2010.exe (Rogue.Installer) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\helper32.dll (Trojan.BHO) -> Delete on reboot.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\IS2010 (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\internet security 2010 (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\winlogon32.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\winlogon32.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\winlogon32.exe) Good: (userinit.exe) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\InternetSecurity2010 (Rogue.InternetSecurity2010) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\helper32.dll (Trojan.BHO) -> Delete on reboot.
C:\WINDOWS\system32\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\InternetSecurity2010\IS2010.exe (Rogue.Installer) -> Delete on reboot.
C:\WINDOWS\system32\winlogon32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\6IA3ARJN\dfghfghgfj[1].dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\RQ4MUDNC\SetupIS2010[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nidhi c\Local Settings\Temporary Internet Files\Content.IE5\0USK4YDJ\load[1].php (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nidhi c\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security 2010.lnk (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nidhi c\Start Menu\Internet Security 2010.lnk (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\41.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\warning.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nidhi c\My Documents\downloads\winlogon.scr (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

Re: Malwarebytes won't run
I ran the Anti-Malware software last night and everything seemed fine. Today, my desktop is bright white (it normally has an image on it) and says "Active Desktop Recovery." There is a button that says "Activate my Desktop Recovery" - should I click on the button? It looks like a legit message from Microsoft, but I am not sure if it is another virus.

Re: Malwarebytes won't run
Hello.

  • Download combofix from here
    Link 1
    Link 2

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    [screenshot: CF_download_FF]

    [screenshot: CF_download_rename]

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See HERE for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

    [screenshot: Cf410]

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

    [screenshot: Cf510]

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Re: Malwarebytes won't run
ComboFix 10-01-19.03 - Nidhi c 01/19/2010 22:22:47.6.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1006.561 [GMT -5:00]
Running from: c:\documents and settings\Nidhi c\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Nidhi c\Desktop\Internet Security 2010.lnk
c:\windows\system32\18467.exe
c:\windows\system32\19169.exe
c:\windows\system32\26500.exe
c:\windows\system32\6334.exe

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
original MBR restored successfully !
.
((((((((((((((((((((((((( Files Created from 2009-12-20 to 2010-01-20 )))))))))))))))))))))))))))))))
.

2010-01-18 22:25 . 2010-01-20 01:54 -------- d-----w- c:\documents and settings\HelpAssistant
2010-01-08 03:08 . 2009-12-02 13:19 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-01-08 02:57 . 2010-01-08 02:57 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-08 02:56 . 2010-01-08 03:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-07 02:34 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-01-05 03:13 . 2010-01-05 03:14 -------- d-----w- C:\Combo-Fix8039C
2010-01-04 02:10 . 2010-01-04 02:10 -------- d-----w- C:\_OTM
2010-01-03 16:29 . 2010-01-03 16:55 -------- d-----w- C:\Combo-Fix23451C
2009-12-31 01:34 . 2009-12-31 01:34 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-18 04:06 . 2008-11-02 06:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-17 18:42 . 2006-04-05 14:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-17 18:39 . 2006-04-05 14:16 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-16 04:17 . 2008-12-15 13:13 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-14 16:12 . 2009-10-02 20:57 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-09 05:37 . 2009-07-22 03:12 -------- d-----w- c:\program files\McAfee
2010-01-09 03:27 . 2009-07-22 03:18 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2010-01-08 02:56 . 2006-04-05 14:16 -------- d-----w- c:\program files\Lavasoft
2010-01-07 21:07 . 2008-11-02 06:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2008-11-02 06:02 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-28 23:13 . 2009-11-28 23:11 -------- d-----w- c:\program files\iTunes
2009-11-28 23:11 . 2005-09-02 20:21 -------- d-----w- c:\program files\iPod
2009-11-28 23:11 . 2007-07-03 22:43 -------- d-----w- c:\program files\Common Files\Apple
2009-11-28 23:05 . 2009-11-28 23:04 -------- d-----w- c:\program files\QuickTime
2009-10-29 07:45 . 2004-08-10 17:51 916480 ------w- c:\windows\system32\wininet.dll
2005-08-09 13:18 . 2005-07-27 19:16 1890 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-07-22 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"tgcmd"="c:\program files\support.com\bin\tgcmd.exe" [2002-04-25 1544192]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-14 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-14 536576]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-23 94208]
"sealmon"="c:\program files\SealedMedia\sealmon.exe" [2006-06-20 94208]
"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 147514]
"medicsp2"="c:\program files\twc\medicsp2\bin\sprtcmd.exe" [2008-02-01 198184]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2005-02-25 139320]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-11-08 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-11-08 696320]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-7-13 24576]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-9-19 282624]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-01-02 20:35 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\support.com\\bin\\tgcmd.exe"=
"c:\\Program Files\\Morpheus\\Morpheus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3246:TCP"= 3246:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/7/2010 10:08 PM 64288]
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [4/5/2006 9:52 AM 58464]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [12/4/2008 1:50 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/4/2008 1:50 PM 55024]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/2/2009 8:19 AM 1181328]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [7/21/2009 10:13 PM 93320]
R2 sprtsvc_medicsp2;SupportSoft Sprocket Service (medicsp2);c:\program files\twc\medicsp2\bin\sprtsvc.exe [3/30/2008 10:51 AM 202280]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/4/2008 1:50 PM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6449166C-2951-4105-B1A9-481F56B5DAFA}]
2005-08-10 15:44 123020 ----a-w- c:\windows\UMBS\IPPRIN~1.0\PerUser.exe
.
Contents of the 'Scheduled Tasks' folder

2010-01-20 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 03:05]

2010-01-20 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 03:05]

2010-01-20 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 03:05]

2010-01-20 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 03:05]

2010-01-20 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 03:05]

2009-05-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-01-20 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]

2010-01-20 c:\windows\Tasks\User_Feed_Synchronization-{C12182BD-70E0-4FEE-B33F-1DEFE59B9847}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = www.nytimes.com
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Nidhi c\Application Data\Mozilla\Firefox\Profiles\1f1uect8.default\
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Nidhi c\Application Data\Mozilla\Firefox\Profiles\1f1uect8.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

AddRemove-HijackThis - c:\documents and settings\Nidhi c\My Documents\Downloads\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-19 22:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(816)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2796)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Network Associates\VirusScan\vstskmgr.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2010-01-19 23:04:44 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-20 04:04
ComboFix2.txt 2010-01-03 16:55

Pre-Run: 35,778,961,408 bytes free
Post-Run: 35,766,370,304 bytes free

- - End Of File - - 33126D1C974E32A7E1647C739637F37F

Re: Malwarebytes won't run
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

How is the machine running now?

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Malwarebytes won't run
Ugh. It was working last night. I started the computer up today and I am back to the white background that says "Active Desktop Recovery." My wallpaper has disappeared. Should I re-run ComboFix?

Re: Malwarebytes won't run
No, is there a button that says repair Desktop or something? I think I remember something like that a little while ago.


Re: Malwarebytes won't run
Yes, there is a button that says "Active Desktop Recovery" on it. I wasn't sure if it was a legit message (or another virus), so I haven't clicked on it. Should I go ahead and click on it?

Re: Malwarebytes won't run
Yes.

