Police Pro block EVERYthing

Hi.
OK,so i have tried many things to rid my laptop of this PolicePro virus,
Bascially I cant use any programs except Internet Explorer, and even then, it directs me to the wrong sites...totally useless. I have tried malwarebytes but, as with every .exe i get the "open with...?" window. If i can figure out what to run a program with,it then tells me I do not have permission or it can not find the program or ........!
I have used task mgr to end the svchast.exe and deleted the police pro file.....even found a program (OTM by oldtimer) that helped medelete some lines registry or %windir? files?idk? but its no use. Totally Blocked up!

Cubster

Please delete this file in red:
C:\Windows\system32\desot.exe

Next, download this file.

Download it to your Desktop.
Double click it to run it; select yes to the registry merge prompt.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

• Double-click SystemLook.exe to run it.
  
• Copy the content of the following codebox into the main textfield:
  

  Code:

  
:filefind
scecli.dll
netlogon.dll
eventlog.dll

  
  
  
• Click the Look button to start the scan.
  
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  

Note: The log can also be found on your Desktop entitled SystemLook.txt

Ok,
Thanks!!
desot.exe was already deleted/isolated from my own prior attempts...I went ahead and followed your instructions (I had to copy/paste via cdrom fromanother pc) and here's what I got:

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 22:39 on 03/09/2009 by Cubby (Administrator - Elevation successful)

========== filefind ==========

Searching for "scecli.dll"
C:\i386\scecli.dll --a--c 180224 bytes [12:02 30/08/2006] [10:00 04/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A
C:\WINDOWS\$NtServicePackUninstall$\scecli.dll -----c 180224 bytes [14:00 29/08/2008] [10:00 04/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A
C:\WINDOWS\ServicePackFiles\i386\scecli.dll -----c 181248 bytes [10:55 28/08/2008] [00:12 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084
C:\WINDOWS\system32\scecli.dll --a--- 181248 bytes [10:00 04/08/2004] [00:12 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084

Searching for "netlogon.dll"
C:\i386\netlogon.dll --a--c 407040 bytes [11:59 30/08/2006] [10:00 04/08/2004] 96353FCECBA774BB8DA74A1C6507015A
C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll -----c 407040 bytes [14:01 29/08/2008] [10:00 04/08/2004] 96353FCECBA774BB8DA74A1C6507015A
C:\WINDOWS\ServicePackFiles\i386\netlogon.dll -----c 407040 bytes [10:54 28/08/2008] [00:12 14/04/2008] 1B7F071C51B77C272875C3A23E1E4550
C:\WINDOWS\system32\netlogon.dll --a--- 407040 bytes [10:00 04/08/2004] [00:12 14/04/2008] 1B7F071C51B77C272875C3A23E1E4550

Searching for "eventlog.dll"
C:\i386\eventlog.dll --a--c 55808 bytes [11:58 30/08/2006] [10:00 04/08/2004] 82B24CB70E5944E6E34662205A2A5B78
C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll -----c 55808 bytes [14:01 29/08/2008] [10:00 04/08/2004] 82B24CB70E5944E6E34662205A2A5B78
C:\WINDOWS\ServicePackFiles\i386\eventlog.dll -----c 56320 bytes [10:52 28/08/2008] [00:11 14/04/2008] 6D4FEB43EE538FC5428CC7F0565AA656
C:\WINDOWS\system32\eventlog.dll --a--- 62464 bytes [10:00 04/08/2004] [00:11 14/04/2008] (Unable to calculate MD5)

-=End Of File=-

1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE

• Click on Avenger.zip to open the file
  
• Extract avenger.exe to your desktop
  

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\system32\eventlog.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.

• Under "Input script here:", paste in the script from the quote box above.
  
• Leave the ticked box "Scan for rootkit" ticked.
  
• Then tick "Disable any rootkits found"
  
• Now click on the Execute to begin execution of the script.
  
• Answer "Yes" twice when prompted.
  
  The Avenger will automatically do the following:
  
  
• It will Restart your computer.
  
• On reboot, it will briefly open a black command window on your desktop, this is normal.
  
• After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  
• The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
  

4. Please copy/paste the content of c:\avenger.txt into your reply.

Belahzur,
Got to the final step and my computer went crazy with virus warnings and blocked any ability to access the avenger.txt file
I shut down and restarted....no use. I tried to access the file and even rerun avenger, but nothing will open or work properly.
"applications can not be executed.The file is infected.....
Task manager is gonetoo.

Hello.
Delete the avenger, and re-download it.
It should work once you have a fresh copy.

I can not download,delete or execute programs.
I tried to reinstall the avenger,but it was blocked "the file is infected...please activate your antivirus software"

Are you able to run SystemLook? if you are, use the same script and post the new log.

Belahzur,
I can not run the program. I am able to access this thread on IE and save the app to my desktop, but I cant launch the exe.

I was able to drag and drop the OLD systemlook/txt file to IE and copy past it into this forum....

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 22:39 on 03/09/2009 by Cubby (Administrator - Elevation successful)

========== filefind ==========

Searching for "scecli.dll"
C:\i386\scecli.dll --a--c 180224 bytes [12:02 30/08/2006] [10:00 04/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A
C:\WINDOWS\$NtServicePackUninstall$\scecli.dll -----c 180224 bytes [14:00 29/08/2008] [10:00 04/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A
C:\WINDOWS\ServicePackFiles\i386\scecli.dll -----c 181248 bytes [10:55 28/08/2008] [00:12 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084
C:\WINDOWS\system32\scecli.dll --a--- 181248 bytes [10:00 04/08/2004] [00:12 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084

Searching for "netlogon.dll"
C:\i386\netlogon.dll --a--c 407040 bytes [11:59 30/08/2006] [10:00 04/08/2004] 96353FCECBA774BB8DA74A1C6507015A
C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll -----c 407040 bytes [14:01 29/08/2008] [10:00 04/08/2004] 96353FCECBA774BB8DA74A1C6507015A
C:\WINDOWS\ServicePackFiles\i386\netlogon.dll -----c 407040 bytes [10:54 28/08/2008] [00:12 14/04/2008] 1B7F071C51B77C272875C3A23E1E4550
C:\WINDOWS\system32\netlogon.dll --a--- 407040 bytes [10:00 04/08/2004] [00:12 14/04/2008] 1B7F071C51B77C272875C3A23E1E4550

Searching for "eventlog.dll"
C:\i386\eventlog.dll --a--c 55808 bytes [11:58 30/08/2006] [10:00 04/08/2004] 82B24CB70E5944E6E34662205A2A5B78
C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll -----c 55808 bytes [14:01 29/08/2008] [10:00 04/08/2004] 82B24CB70E5944E6E34662205A2A5B78
C:\WINDOWS\ServicePackFiles\i386\eventlog.dll -----c 56320 bytes [10:52 28/08/2008] [00:11 14/04/2008] 6D4FEB43EE538FC5428CC7F0565AA656
C:\WINDOWS\system32\eventlog.dll --a--- 62464 bytes [10:00 04/08/2004] [00:11 14/04/2008] (Unable to calculate MD5)

-=End Of File=-

Hello.
Download this file:
http://download.bleepingcomputer.com/sUBs/MiniFixes/Inherit.exe

Place it next to SystemLook, but DON'T run it.

Now drag and drop SystemLook onto inherit.exe and let it run.
See if you can run SystemLook now.

It took a few tries....maybe downloading systemlook again and restarting before drag/drop to inherit was the trick...? Not giving the virus time to open full seemd to help...also several "Spybot - Search and Destroy" popup windows came up asking if I want to kill processes like "pc_antispyware2010.exe" and "winupdate.exe". I did not touch anything...just posted the txt file below.



SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 10:50 on 08/09/2009 by Cubby (Administrator - Elevation successful)

========== filefind ==========

Searching for "scecli.dll"
C:\i386\scecli.dll --a--c 180224 bytes [12:02 30/08/2006] [10:00 04/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A
C:\WINDOWS\$NtServicePackUninstall$\scecli.dll -----c 180224 bytes [14:00 29/08/2008] [10:00 04/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A
C:\WINDOWS\ServicePackFiles\i386\scecli.dll -----c 181248 bytes [10:55 28/08/2008] [00:12 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084
C:\WINDOWS\system32\scecli.dll --a--- 181248 bytes [10:00 04/08/2004] [00:12 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084

Searching for "netlogon.dll"
C:\i386\netlogon.dll --a--c 407040 bytes [11:59 30/08/2006] [10:00 04/08/2004] 96353FCECBA774BB8DA74A1C6507015A
C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll -----c 407040 bytes [14:01 29/08/2008] [10:00 04/08/2004] 96353FCECBA774BB8DA74A1C6507015A
C:\WINDOWS\ServicePackFiles\i386\netlogon.dll -----c 407040 bytes [10:54 28/08/2008] [00:12 14/04/2008] 1B7F071C51B77C272875C3A23E1E4550
C:\WINDOWS\system32\netlogon.dll --a--- 407040 bytes [10:00 04/08/2004] [00:12 14/04/2008] 1B7F071C51B77C272875C3A23E1E4550

Searching for "eventlog.dll"
C:\i386\eventlog.dll --a--c 55808 bytes [11:58 30/08/2006] [10:00 04/08/2004] 82B24CB70E5944E6E34662205A2A5B78
C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll -----c 55808 bytes [14:01 29/08/2008] [10:00 04/08/2004] 82B24CB70E5944E6E34662205A2A5B78
C:\WINDOWS\ServicePackFiles\i386\eventlog.dll -----c 56320 bytes [10:52 28/08/2008] [00:11 14/04/2008] 6D4FEB43EE538FC5428CC7F0565AA656

-=End Of File=-

Hello.
See if you can run this version of Hijack This now.
http://www.sendspace.com/pro/dl/fpzz64

i can run it, but need to know settings / which way to run the program...there are several options!

Run a system scan with logfile.

Sorry about that, I'm run of my feet today.

Thanks for all your help so far....here's the file...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:53:52 PM, on 9/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\WINDOWS\system32\dlbtcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\cubby.MACDONALDWOOD\Desktop\SystemLook.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Skylook\skylook.exe
C:\Program Files\Skylook\callwindow.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\cubby.MACDONALDWOOD\Local Settings\Temporary Internet Files\Content.IE5\LZDEDNMW\winlogon[1].scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe tapi.nfo beforeglav
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: (no name) - {ecfc4506-fcc3-4507-b2c1-27e4129eff84} - C:\WINDOWS\system32\rewuvafu.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: MediaBar - {ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F} - C:\Program Files\iMeshMediabarTb\iMeshMediaBarDx.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [winupdate.exe] C:\WINDOWS\system32\winupdate.exe
O4 - HKLM\..\Run: [19785314] C:\Documents and Settings\All Users\Application Data\19785314\19785314.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [PC Antispyware 2010] "C:\Program Files\PC_Antispyware2010\PC_Antispyware2010.exe" /hide
O4 - HKLM\..\Run: [zuvinesiza] Rundll32.exe "C:\WINDOWS\system32\zodatibo.dll",s
O4 - HKLM\..\Run: [domezudim] Rundll32.exe "c:\windows\system32\sodimafe.dll",a
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [minix32] C:\WINDOWS\system32\minix32.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: *.stumbleupon.com
O16 - DPF: PUFLITE - http://cubbyfitts.point2agent.com/Office/ColpaControls/Photo/Control/PUFLITE.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - https://www.topproduceronline.com/downloads/msjavx86.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - https://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {42D06124-98A2-47EC-8098-3778B58CE7D5} (SupportSoft External Control) - https://actsvr.comcastonline.com/techtools/dl/Comcast%20Activation%20Controls.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1158085892421
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} (ContactExtractor Class) - https://www.facebook.com/controls/contactx.dll
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.kw.com/websiteTemplateAdmin/include/imageUploader/ImageUploader4.cab
O16 - DPF: {7EC816D4-6FC3-4C58-A7DA-A770EE461602} (PowerTerm Downloader Class) - http://151.203.99.51/Ericom/WebConnect%205.6/web/windows/ptdownloader.cab
O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} (ActiveReports Viewer2) - https://www.topproduceronline.com/Downloads/arview2.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O16 - DPF: {DC765522-D5BE-49C9-AF5F-8C715A44BA28} (MS Investor Ticker) - http://fdl.msn.com/public/investor/v9/ticker.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://sothebysrealty.webex.com/client/T25L/training/ieatgpc.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.62/code/iPIX-ImageWell-ipix.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = MACDONALDWOOD.INT
O17 - HKLM\Software\..\Telephony: DomainName = MACDONALDWOOD.INT
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = MACDONALDWOOD.INT
O20 - AppInit_DLLs: cru629.dat
O21 - SSODL: gumudifuz - {56d78258-d118-4a1e-b39e-10755c177863} - c:\windows\system32\sodimafe.dll
O22 - SharedTaskScheduler: kupuhivus - {56d78258-d118-4a1e-b39e-10755c177863} - c:\windows\system32\sodimafe.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DataSvr2 - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Common\DataServer.exe
O23 - Service: dlbt_device - - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: StumbleUponUpdateService - stumbleupon.com - C:\Program Files\StumbleUpon\StumbleUponUpdateService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: NTRU Hybrid TSS v2.0.7 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe
O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\venturi\Client\ventc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O24 - Desktop Component 1: Microsoft Investor Active Desktop Ticker - http://www.microsoft.com/windows/ie/gallery/components/ticker.htm

--
End of file - 14172 bytes

Hello.

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
You can reenable TeaTimer once your system is clean.

Please make sure Teatimer is disable before we do this, otherwise this fix will fail.

• Open HijackThis
  
• Choose "Do a system scan only"
  
• Check the boxes in front of these lines:
  
  
  F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe tapi.nfo beforeglav
  F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
  O2 - BHO: (no name) - {ecfc4506-fcc3-4507-b2c1-27e4129eff84} - C:\WINDOWS\system32\rewuvafu.dll
  O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
  O4 - HKLM\..\Run: [winupdate.exe] C:\WINDOWS\system32\winupdate.exe
  O4 - HKLM\..\Run: [19785314] C:\Documents and Settings\All Users\Application Data\19785314\19785314.exe
  O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
  O4 - HKLM\..\Run: [PC Antispyware 2010] "C:\Program Files\PC_Antispyware2010\PC_Antispyware2010.exe" /hide
  O4 - HKLM\..\Run: [zuvinesiza] Rundll32.exe "C:\WINDOWS\system32\zodatibo.dll",s
  O4 - HKLM\..\Run: [domezudim] Rundll32.exe "c:\windows\system32\sodimafe.dll",a
  O4 - HKLM\..\Run: [braviax] braviax.exe
  O4 - HKCU\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
  O4 - HKCU\..\Run: [minix32] C:\WINDOWS\system32\minix32.exe
  O20 - AppInit_DLLs: cru629.dat
  O21 - SSODL: gumudifuz - {56d78258-d118-4a1e-b39e-10755c177863} - c:\windows\system32\sodimafe.dll
  O22 - SharedTaskScheduler: kupuhivus - {56d78258-d118-4a1e-b39e-10755c177863} - c:\windows\system32\sodimafe.dll
  
  
  
• Press "Fix Checked"
  
• Close Hijack This.
  

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Post the contents of the MBAM Log.

Ok...a couple problems. I could not run S&D so I manually deleted all related files.
Ran Hijackthis as requested but 2 lines are missing/changed:
O21 - SSODL: gumudifuz - {56d78258-d118-4a1e-b39e-10755c177863} - c:\windows\system32\sodimafe.dll
O22 - SharedTaskScheduler: kupuhivus - {56d78258-d118-4a1e-b39e-10755c177863} - c:\windows\system32\sodimafe.dll

are now

O21 - SSODL: mapuralir- {many omitted numbers...} - c:\windows\system32\todorulo.dll
O22 - SharedTaskScheduler: tokatiluy- {many numbers...} - c:\windows\system32\todorulo.dll

Before I diverge any further from your instruction....what should I do

I got the windows police pro virus on my computer. About three weeks ago I got windows antivirus pro virus and got rid of it using your procedure, but I cant get the malware program to work with the Police Pro. If i hurry and get the two functions stopped with Task Mgr I end up with a bunch of error boxes. I can eliminate these one at a time. When I try and use the mal orogram-nothing happens when I click on it. The only way I can get the Malware program to open up is by going to Task Mgr and File and select new task and then select the Malware program set up. The wizard starts up and I can get all the way to quick scan and I think I am Home, but in about 6 seconds it goes blank. At this time the program is no longer listed as running. I am not a expert on the computer, and dont know how to get into the manual inputs which I would probably screw up so I was hoping this program would work. As I said before I used it once on the windows antiviurus pro and it worked like a charm.Would this program clear every thing up if you paid the ransom, or is this just a trick to get your credit card data? Any help would be appreciated.

Ok...a couple problems. I could not run S&D so I manually deleted all related files.
Ran Hijackthis as requested but 2 lines are missing/changed:
O21 - SSODL: gumudifuz - {56d78258-d118-4a1e-b39e-10755c177863} - c:\windows\system32\sodimafe.dll
O22 - SharedTaskScheduler: kupuhivus - {56d78258-d118-4a1e-b39e-10755c177863} - c:\windows\system32\sodimafe.dll

are now

O21 - SSODL: mapuralir- {many omitted numbers...} - c:\windows\system32\todorulo.dll
O22 - SharedTaskScheduler: tokatiluy- {many numbers...} - c:\windows\system32\todorulo.dll

Before I diverge any further from your instruction....what should I do

Hello.

• Download combofix from here
  Link 1
  Link 2
  
  1. If you are using Firefox, make sure that your download settings are as follows:
  
  * Tools->Options->Main tab
  * Set to "Always ask me where to Save the files".
  
  2. During the download, rename Combofix to Combo-Fix as follows:
  
  
  
  
  
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  
  
• We need to disable your local AV (Anti-virus) before running Combofix.
  
• See HERE for how to disable your AV.
  
• Double click on ComboFix.exe.
  
• Follow the prompts. NOTE:
  
• ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
  ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
  
  **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  
  
  
• The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  
  
  
  
• Allow ComboFix to download the Recovery Console.
  
• Accept the End-User License Agreement.
  
• The Recovery Console will be installed.
  
• You will then get this next prompt that asks if you want to continue the malware scan, select yes
  
  
  
  
• Allow combofix to run
  
• Post C:\combofix.txt back here.
  
  Note:
  Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  

Can not run Combofix at all.
Did not hear back from you about hijackthis above

Hello.
Sorry about not posting anything about the Hijack This. I saw your post and decided to throw Combofix into it and see what would happen.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

Spybot Search & Destroy

Re-scan with Hijack This. If any of the weird looking lines you already know of return/changed, try fixing them again.

Fix this line also:
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

I was able to run hijackthis, check boxes, etc
I was not able to download mbam from your prior link , so I used an old icon on my desktop mbam-setup.exe...everything went ok, but could not execute auto update to the latest version...ran anyway, deleted many files and rebooted. Here is the log:

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3

9/11/2009 8:51:17 PM
mbam-log-2009-09-11 (20-51-17).txt

Scan type: Quick Scan
Objects scanned: 119404
Time elapsed: 8 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 14
Registry Values Infected: 11
Registry Data Items Infected: 16
Folders Infected: 10
Files Infected: 73

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\yogeresi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\tapi.nfo (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\mobeteda.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{598a4e69-2c4f-42e9-88a8-1646dd962ac1} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{09f1adac-76d8-4d0f-99a5-5c907dadb988} (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{76dc0b63-1533-4ba9-8be8-d59eb676fa02} (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{76dc0b63-1533-4ba9-8be8-d59eb676fa02} (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pc_antispyware2010 (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\PC_Antispyware2010 (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\SpywareBot (Rogue.SpywareBot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\domezudim (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{598a4e69-2c4f-42e9-88a8-1646dd962ac1} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\huruhegat (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysldtray (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\REGSVR.EXE (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\don't load\scui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\don't load\wscui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WINID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.FakeAlert) -> Data: c:\windows\system32\cru629.dat -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.FakeAlert) -> Data: system32\cru629.dat -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (explorer.exe rundll32.exe tapi.nfo beforeglav) Good: (Explorer.exe) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\cubby.MACDONALDWOOD\Application Data\SpywareBot (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\cubby.MACDONALDWOOD\Application Data\SpywareBot\Log (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\cubby.MACDONALDWOOD\Application Data\SpywareBot\Quarantine (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\cubby.MACDONALDWOOD\Application Data\SpywareBot\Registry Backups (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\cubby.MACDONALDWOOD\Application Data\SpywareBot\Settings (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.
C:\Documents and Settings\cubby.MACDONALDWOOD\Start Menu\Programs\PC_Antispyware2010 (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010 (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\data (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\Microsoft.VC80.CRT (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\yogeresi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\cru629.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cru629.dat (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\dddesot.dll (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\_scui.cpl (Rogue.HomeAntiVirus) -> Quarantined and deleted successfully.
C:\fyblb.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-1823468856-3774011236-2554016227-1605\Dc85\windows Police Pro.exe (Rogue.WindowsAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\cubby.MACDONALDWOOD\Application Data\SpywareBot\DataBaseNew.ref (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\cubby.MACDONALDWOOD\Application Data\SpywareBot\rs.dat (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\cubby.MACDONALDWOOD\Application Data\SpywareBot\Log\2007 Jul 07 - 09_55_26 AM_609.log (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\cubby.MACDONALDWOOD\Application Data\SpywareBot\Log\2007 Jul 07 - 09_55_26 AM_765.log (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\cubby.MACDONALDWOOD\Application Data\SpywareBot\Log\2007 Jul 07 - 09_55_30 AM_187.log (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\cubby.MACDONALDWOOD\Application Data\SpywareBot\Log\2007 Jul 07 - 09_55_30 AM_250.log (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\cubby.MACDONALDWOOD\Application Data\SpywareBot\Log\2007 Jul 07 - 09_55_52 AM_281.log (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\cubby.MACDONALDWOOD\Application Data\SpywareBot\Log\2007 Jul 07 - 09_55_52 AM_296.log (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\cubby.MACDONALDWOOD\Application Data\SpywareBot\Settings\CustomScan.stg (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\cubby.MACDONALDWOOD\Application Data\SpywareBot\Settings\IgnoreList.stg (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\cubby.MACDONALDWOOD\Application Data\SpywareBot\Settings\ScanInfo.stg (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\cubby.MACDONALDWOOD\Application Data\SpywareBot\Settings\ScanResults.stg (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\cubby.MACDONALDWOOD\Application Data\SpywareBot\Settings\SelectedFolders.stg (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\cubby.MACDONALDWOOD\Application Data\SpywareBot\Settings\Settings.stg (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds.lll (Stolen.data) -> Quarantined and deleted successfully.
C:\Documents and Settings\cubby.MACDONALDWOOD\Start Menu\Programs\PC_Antispyware2010\PC_Antispyware2010.lnk (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\cubby.MACDONALDWOOD\Start Menu\Programs\PC_Antispyware2010\Uninstall.lnk (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\AVEngn.dll (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\htmlayout.dll (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\PC_Antispyware2010.cfg (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\PC_Antispyware2010.exe (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\pthreadVC2.dll (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\Uninstall.exe (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\wscui.cpl (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\data\daily.cvd (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcm80.dll (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcp80.dll (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcr80.dll (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\cubby.MACDONALDWOOD\Application Data\Microsoft\Internet Explorer\Quick Launch\PC_Antispyware2010.lnk (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tapi.nfo (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\bennuar.old (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sonhelp.htm (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysnet.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\ppp3.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\ppp4.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\freddy63.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\msb.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\cubby.MACDONALDWOOD\Local Settings\Temporary Internet Files\owoherocil.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\ld14.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\REGSVR.EXE (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\beep.sys (Fake.Beep.sys) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dllcache\beep.sys (Fake.Beep.sys) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winupdate.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\braviax.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MSGMAN32.DLL (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rojisabo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\peyeduli.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\feyiloto.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fivipute.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pihuwali.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\braviax.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\mobeteda.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\fayebuzu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\todorulo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\AVR09.exe (Adware.AdvancedVirusRemover) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\critical_warning.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winhelper.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wisdstr.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\onhelp.htm (Rogue.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bincd32.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\cubby.MACDONALDWOOD\Desktop\winlogon.scr (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

Hello, your Malwarebytes database is out of date,please update Malwarebytes and do another quick scan and once done please post the results back here.

IE will not let me access Malwarebytes.org
Downloaded it from to disk and pasted the mbam-setup on the desktop.
Again, it did not connect and perform update instead giving me an error message 732 (0, 0).

Hello.
Can you run Combofix now?

I was unable to run combo fix. a little timer came up but nothing after that. Rebooted a couple times and left for dinner....
after a short intermission without any sign of police pro, I am literally back to square one with the whole block and warning show. arrrrrggg! Tried going back to hijack this but its totally blocked.

Are you getting desot.exe error/black cmd window?

No. It does not seem to have gone back that far.
Basically, there is a "program" that keepsrunning called "Total Security" and little Windows popups saying xyz is infected and can not be executed.

Can you run/update MBAM?

Can not run or update. I can download from your previous link, but it wont let me run the program from my desktop.

Hello.

Please download Ice Sword from HERE

Extract it, open the folder, then start the program.
Can you run this?

I was able to unzip and access the exe file. I had to move it to my desktop to open it (access was blocked in its destination file)...so yes it seems i have access...i noticed another zip file w/in called Cooperator. I unziped this after lauching Icesword. Not sure what to do now...

Hello.
Leave the cooperator, don't need that here.

1. Open IceSword again.
   
2. Then look in the left hand bottom of the program and press "Registry"
   
3. When the registry list opens, drag the line between the two windows so you can see which registry hive you need.
   
4. Next, open the HKEY_LOCAL_MACHINE, and navigate to the following key:
   
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
   
   
5. Now look in the right side pane for the run values, can you tell me what is listed?
   

I see 11 entries. Here are the Names/Types (all REG_SZ except KernalFaultCheck which is REG_EXPAND_SZ). Let me know if you need the Data column values

(Default)
12243284
ccApp
Dell QuickSet
DLBTCATS
domezudim
KernelFaultCheck
Malwaresbytes Anti-Malware (reboot)
QuickTime Task
Symantic PIF AlertEng
zuvinesiza

Hello.

Select the following by right clicking and press "delete"

12243284
domezudim
zuvinesiza

Reboot the machine.
Can you run MBAM after reboot?

YES!
I ran MBAM. Here is the log:

Malwarebytes' Anti-Malware 1.41
Database version: 2812
Windows 5.1.2600 Service Pack 3

9/16/2009 1:17:45 PM
mbam-log-2009-09-16 (13-17-45).txt

Scan type: Quick Scan
Objects scanned: 123675
Time elapsed: 8 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 6
Registry Keys Infected: 3
Registry Values Infected: 8
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 22

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\dibiyowa.dll (Trojan.Vundo) -> Delete on reboot.
c:\WINDOWS\system32\lamisefi.dll (Trojan.Vundo) -> Delete on reboot.
c:\WINDOWS\system32\jihozutu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\tarozahi.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\yaruzesa.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\tftp.msc (Trojan.Downloader) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{6c9ffc2b-36ba-4bc7-ae7f-e0d630dd57a2} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f8b43f82-aedd-416f-96e2-1d01f80d429e} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e1faa175-7eb3-41fd-9af9-a00290e0b154} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\domezudim (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{6c9ffc2b-36ba-4bc7-ae7f-e0d630dd57a2} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\gakofitot (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{f8b43f82-aedd-416f-96e2-1d01f80d429e} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\wifehomod (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{e1faa175-7eb3-41fd-9af9-a00290e0b154} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\hobafubok (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zuvinesiza (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe tftp.msc beforegllav) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\12243284 (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\jihozutu.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\dibiyowa.dll (Trojan.Vundo) -> Delete on reboot.
c:\WINDOWS\system32\lamisefi.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\tarozahi.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\yaruzesa.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\tftp.msc (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\system32\dipimozi.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kedohugu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\keyisori.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pahupotu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sewinuja.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jifipanu.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\risowupa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hebedogu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hetuyevo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\17.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\3.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\12243284\12243284 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\12243284\12243284.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\12243284\pc12243284ins (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vuranune.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\cubby.MACDONALDWOOD\Desktop\winlogon.scr (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

Hello.

• Download combofix from here
  Link 1
  Link 2
  
  1. If you are using Firefox, make sure that your download settings are as follows:
  
  * Tools->Options->Main tab
  * Set to "Always ask me where to Save the files".
  
  2. During the download, rename Combofix to Combo-Fix as follows:
  
  
  
  
  
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  
  
• We need to disable your local AV (Anti-virus) before running Combofix.
  
• See HERE for how to disable your AV.
  
• Double click on ComboFix.exe.
  
• Follow the prompts. NOTE:
  
• ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
  ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
  
  **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  
  
  
• The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  
  
  
  
• Allow ComboFix to download the Recovery Console.
  
• Accept the End-User License Agreement.
  
• The Recovery Console will be installed.
  
• You will then get this next prompt that asks if you want to continue the malware scan, select yes
  
  
  
  
• Allow combofix to run
  
• Post C:\combofix.txt back here.
  
  Note:
  Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  

ComboFix 09-09-16.01 - Cubby 09/16/2009 19:42.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.660 [GMT -4:00]
Running from: c:\documents and settings\cubby.MACDONALDWOOD\Desktop\Combo-Fix.exe
AV: Norton 360 *On-access scanning disabled* (Outdated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\cijyqo.reg
c:\documents and settings\All Users\Application Data\hafocy.dll
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\All Users\Application Data\woriwa.bat
c:\documents and settings\All Users\Documents\giquqisoz.reg
c:\documents and settings\All Users\Documents\mypuwiki.sys
c:\documents and settings\cubby.MACDONALDWOOD\Application Data\pysupowi.bin
c:\documents and settings\cubby.MACDONALDWOOD\Application Data\sunaciryxi.lib
c:\documents and settings\cubby.MACDONALDWOOD\Application Data\uheputakyj.lib
c:\documents and settings\cubby.MACDONALDWOOD\Application Data\xurejor.pif
c:\documents and settings\cubby.MACDONALDWOOD\Cookies\lymopecy.scr
c:\documents and settings\cubby.MACDONALDWOOD\Cookies\netud.bin
c:\documents and settings\cubby.MACDONALDWOOD\Cookies\unubew.scr
c:\documents and settings\cubby.MACDONALDWOOD\Local Settings\Application Data\ohuvewux.pif
c:\documents and settings\cubby.MACDONALDWOOD\Local Settings\Temporary Internet Files\iziri._dl
C:\p2hhr.bat
c:\program files\Common Files\ebopasu.ban
c:\program files\Common Files\vaxuwa.dl
c:\windows\anenave._dl
c:\windows\fymexej.inf
c:\windows\Installer\134c3c3.msi
c:\windows\Installer\435118.msp
c:\windows\Installer\6bbfd10.msp
c:\windows\Installer\b155f4f.msp
c:\windows\Installer\WMEncoder.msi
c:\windows\numabuh.dl
c:\windows\system\oeminfo.ini
c:\windows\system32\bemadoko.dll
c:\windows\system32\cobyx.scr
c:\windows\system32\drivers\gasfkyoymrssra.sys
c:\windows\system32\efanuxyk.sys
c:\windows\system32\FAXFORM.DLL
c:\windows\system32\fosowefe.dll
c:\windows\system32\gasfkyadpxrmlt.dat
c:\windows\system32\gasfkybscbnrpv.dll
c:\windows\system32\gasfkyivbljvdn.dll
c:\windows\system32\gasfkyoirqnejx.dll
c:\windows\system32\gasfkyyqbphxus.dat
c:\windows\system32\gehufidu.dll
c:\windows\system32\hetirika.dll
c:\windows\system32\kowoziza.dll
c:\windows\system32\koyahune.exe
c:\windows\system32\lavogana.dll
c:\windows\system32\legidonu.dll
c:\windows\system32\NCTAudioInformation2.dll
c:\windows\system32\numitopi.dll
c:\windows\system32\ropogeko.dll
c:\windows\system32\tarozahi.dll
c:\windows\system32\twain.dll
c:\windows\system32\vasidifu.dll
c:\windows\system32\wevetora.dll
c:\windows\system32\yaruzesa.dll
c:\windows\system32\yimipivu.dll
c:\windows\system32\yugovuji.dll
c:\windows\system32\yxizubi.bin
c:\windows\system32\zip32.dll
c:\windows\visor.exe
c:\windows\vuhem.dl
c:\windows\xurywam.exe

----- BITS: Possible infected sites -----

hxxp://82.98.231.97
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gasfkyepxgsnvd
-------\Legacy_gasfkyepxgsnvd
-------\Legacy_NWCWORKSTATION
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_NWCWorkstation
-------\Service_SfX


((((((((((((((((((((((((( Files Created from 2009-08-17 to 2009-09-17 )))))))))))))))))))))))))))))))
.

2009-09-16 17:14 . 2009-09-16 17:14 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-09-13 00:07 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-13 00:07 . 2009-09-16 17:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-13 00:07 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-11 15:26 . 2009-09-11 15:26 1 ---h--w- c:\windows\bk23567.dat
2009-09-04 21:11 . 2009-09-04 21:11 18533 ----a-w- c:\windows\ozebe.dat
2009-09-01 18:37 . 2009-09-01 18:37 -------- d-----w- C:\_OTM
2009-09-01 15:53 . 2009-09-01 18:48 -------- d-----w- c:\program files\M1N1
2009-09-01 14:35 . 2009-09-01 14:35 -------- d-----w- c:\documents and settings\cubby.MACDONALDWOOD\Application Data\Malwarebytes
2009-09-01 14:35 . 2009-09-01 14:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-01 10:10 . 2009-09-01 10:10 -------- d-sh--w- c:\documents and settings\Cubby\PrivacIE
2009-09-01 10:01 . 2009-09-01 10:01 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-01 10:00 . 2009-09-01 10:00 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-08-31 20:54 . 2009-08-31 20:54 -------- d-sh--w- c:\documents and settings\Cubby\IETldCache
2009-08-31 20:28 . 2009-08-31 20:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-26 11:20 . 2009-08-26 11:20 -------- d-----w- c:\program files\Media5 Software
2009-08-26 11:17 . 2002-12-03 07:11 143872 ----a-w- c:\windows\system32\NCTWMAFile.dll
2009-08-26 11:17 . 2002-12-03 07:07 168448 ----a-w- c:\windows\system32\NCTAudioPlayer.dll
2009-08-26 11:17 . 2002-12-03 07:02 491520 ----a-w- c:\windows\system32\NCTAudioFile.dll
2009-08-26 11:13 . 2009-08-26 11:13 -------- d-----w- c:\program files\WMA WAV MP3 to Audio CD Maker
2009-08-25 01:27 . 2009-08-25 01:27 -------- d-----w- c:\documents and settings\cubby.MACDONALDWOOD\Application Data\AVS4YOU
2009-08-25 01:27 . 2009-08-25 01:27 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2009-08-25 01:26 . 2009-08-25 01:27 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-08-25 01:26 . 2009-08-25 01:27 -------- d-----w- c:\program files\AVS4YOU
2009-08-25 01:26 . 2008-08-13 15:22 1700352 ----a-w- c:\windows\system32\GdiPlus.dll
2009-08-24 23:56 . 2009-08-24 23:56 -------- d-----w- c:\documents and settings\cubby.MACDONALDWOOD\Application Data\iMeshMediabarTb
2009-08-24 23:56 . 2009-08-24 23:56 -------- d-----w- c:\program files\iMeshMediabarTb
2009-08-24 23:56 . 2009-08-28 14:28 -------- d-----w- c:\documents and settings\cubby.MACDONALDWOOD\Local Settings\Application Data\iMesh
2009-08-24 23:56 . 2009-08-24 23:56 -------- d-----w- c:\program files\iMesh Applications
2009-08-24 18:58 . 2009-08-24 18:58 -------- d-----w- c:\documents and settings\All Users\Application Data\2BAB
2009-08-22 13:55 . 2009-08-22 14:03 -------- d-----w- c:\documents and settings\cubby.MACDONALDWOOD\Application Data\CVS
2009-08-22 13:54 . 2009-08-31 20:07 -------- d-sh--w- c:\windows\ftpcache
2009-08-22 13:39 . 2009-08-22 13:39 -------- d-----w- c:\program files\Microsoft Office Outlook Connector
2009-08-21 00:40 . 2009-08-25 15:19 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-21 00:39 . 2009-08-21 00:39 -------- d-----w- c:\program files\LitexMedia

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-16 17:02 . 2009-06-16 17:02 88064 --sha-w- c:\windows\system32\pitivoni.dll
2009-09-14 11:57 . 2007-04-13 00:07 -------- d-----w- c:\program files\dl_Cats
2009-09-13 14:08 . 2009-06-13 14:08 88576 ------w- c:\windows\system32\dibiyowa.dll
2009-09-13 14:08 . 2007-09-13 16:05 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-11 00:09 . 2009-06-11 00:09 89088 --sha-w- c:\windows\system32\jubawiro.dll
2009-09-10 10:31 . 2009-06-10 10:31 88064 --sha-w- c:\windows\system32\vugivodi.dll
2009-09-09 10:31 . 2009-06-09 10:31 88064 --sha-w- c:\windows\system32\ropasaje.dll
2009-09-08 22:30 . 2009-06-08 22:30 88576 --sha-w- c:\windows\system32\jobobuwi.dll
2009-09-08 10:30 . 2009-06-08 10:30 88064 --sha-w- c:\windows\system32\tesifeke.dll
2009-09-07 14:48 . 2009-06-07 14:48 49664 --sha-w- c:\windows\system32\sohojire.dll
2009-09-01 21:59 . 2009-06-01 21:59 88064 --sha-w- c:\windows\system32\yoyijite.dll
2009-09-01 10:13 . 2006-08-22 06:33 -------- d-----w- c:\program files\Google
2009-09-01 00:58 . 2006-12-28 01:31 -------- d-----w- c:\documents and settings\cubby.MACDONALDWOOD\Application Data\Azureus
2009-08-31 20:04 . 2007-11-15 02:48 -------- d-----w- c:\documents and settings\cubby.MACDONALDWOOD\Application Data\Wave Systems Corp
2009-08-25 01:46 . 2008-01-08 19:03 -------- d-----w- c:\program files\MediaCoder
2009-08-22 13:38 . 2007-10-17 16:18 -------- d-----w- c:\program files\MSECache
2009-08-07 13:39 . 2006-09-13 17:27 93472 ----a-w- c:\documents and settings\cubby.MACDONALDWOOD\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-06 07:07 . 2009-08-06 07:07 -------- d-----w- c:\program files\MSBuild
2009-08-06 07:07 . 2009-08-06 07:07 -------- d-----w- c:\program files\Reference Assemblies
2009-08-05 09:01 . 2004-08-04 10:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-02 11:33 . 2007-09-13 16:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-08-01 11:13 . 2009-03-28 23:35 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-31 23:49 . 2006-08-22 06:06 35001 ----a-w- c:\windows\system32\nvModes.dat
2009-07-31 19:27 . 2006-09-13 15:35 -------- d-----w- c:\documents and settings\cubby.MACDONALDWOOD\Application Data\AdobeUM
2009-07-19 22:00 . 2009-07-19 22:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-07-19 22:00 . 2009-06-18 13:57 -------- d-----w- c:\program files\Norton Security Scan
2009-07-19 22:00 . 2009-07-19 22:00 -------- d-----w- c:\program files\NortonInstaller
2009-07-19 22:00 . 2009-07-19 22:00 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-07-17 19:01 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-04 10:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2006-03-04 03:33 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2004-08-04 10:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-04 10:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-04 10:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-04 10:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-04 10:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-04 10:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-08-04 10:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2006-12-17 21:20 . 2006-12-17 21:20 36206039 -c--a-w- c:\program files\Top Producer Outlook Connector.EXE
2006-12-13 03:12 . 2007-02-08 21:35 66648 -c--a-w- c:\program files\mozilla firefox\components\jar50.dll
2006-12-13 03:12 . 2007-02-08 21:35 54352 -c--a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2006-12-13 03:12 . 2007-02-08 21:35 34928 -c--a-w- c:\program files\mozilla firefox\components\myspell.dll
2006-12-13 03:12 . 2007-02-08 21:35 46696 -c--a-w- c:\program files\mozilla firefox\components\spellchk.dll
2006-12-13 03:12 . 2007-02-08 21:35 172120 -c--a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2007-03-15 21:30 . 2007-03-15 21:30 80 -csh--r- c:\windows\system32\67F454E4E8.dll
.

------- Sigcheck -------


[7] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\eventlog.dll
[7] 2004-08-04 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\eventlog.dll

c:\windows\system32\drivers\beep.sys ... is missing !!
c:\windows\system32\eventlog.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F}"= "c:\program files\iMeshMediabarTb\iMeshMediaBarDx.dll" [2009-07-31 91568]

[HKEY_CLASSES_ROOT\clsid\{abb49b3b-ab7d-4ed0-9135-93fd5aa4f69f}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-14 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-24 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DLBTCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2007-02-12 73728]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2006-04-06 1032192]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"domezudim"="c:\windows\system32\dibiyowa.dll" [2009-09-13 88576]

c:\documents and settings\Cubby\Start Menu\Programs\Startup\
VZAccess Manager.lnk - c:\program files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe [2007-5-17 1220608]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{6c9ffc2b-36ba-4bc7-ae7f-e0d630dd57a2}"= "c:\windows\system32\dibiyowa.dll" [2009-09-13 88576]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-04-24 282624]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"gakofitot"= {6c9ffc2b-36ba-4bc7-ae7f-e0d630dd57a2} - c:\windows\system32\dibiyowa.dll [2009-09-13 88576]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EMBASSY Trust Suite Secure Update.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\EMBASSY Trust Suite Secure Update.lnk
backup=c:\windows\pss\EMBASSY Trust Suite Secure Update.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=c:\windows\pss\Service Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^cubby.MACDONALDWOOD^Start Menu^Programs^Startup^Anapod Manager.lnk]
path=c:\documents and settings\cubby.MACDONALDWOOD\Start Menu\Programs\Startup\Anapod Manager.lnk
backup=c:\windows\pss\Anapod Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^cubby.MACDONALDWOOD^Start Menu^Programs^Startup^RCA Detective.lnk]
path=c:\documents and settings\cubby.MACDONALDWOOD\Start Menu\Programs\Startup\RCA Detective.lnk
backup=c:\windows\pss\RCA Detective.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\WINDOWS\\system32\\dlbtcoms.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dlbtpswx.exe"=
"c:\\Program Files\\Red Chair Software\\Anapod Explorer\\anamgr.exe"=
"c:\\Program Files\\Pinnacle\\VideoSpin\\Programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\VideoSpin\\Programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\VideoSpin\\Programs\\umi.exe"=
"c:\\Program Files\\Pinnacle\\VideoSpin\\Programs\\VideoSpin.exe"=
"c:\\WebC_ActiveX4.22\\ptermX.exe"=
"c:\\Program Files\\Ericom Software\\PowerTerm WebConnect 5.6\\151.203.99.51\\ptermX.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\iMesh Applications\\iMesh\\iMesh.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017
"8085:TCP"= 8085:TCP:ddnsfilter

R2 WILPAR;Wordcraft Parallel Driver;c:\windows\system32\drivers\WILPAR.SYS [9/1/2006 11:40 AM 22976]
S1 Filter;Filter;\??\c:\windows\system32\drivers\Filter.sys --> c:\windows\system32\drivers\Filter.sys [?]
S3 cur_bus;Curitel USB Composite Device driver (WDM);c:\windows\system32\drivers\cur_bus.sys [9/5/2006 10:41 AM 50176]
S3 cur_mdfl;Curitel Packet Service Filter;c:\windows\system32\drivers\cur_mdfl.sys [9/5/2006 10:41 AM 6096]
S3 cur_mdm;Curitel Packet Service Drivers;c:\windows\system32\drivers\cur_mdm.sys [9/5/2006 10:41 AM 81056]
S3 pwi_bus;Curitel PC Card Composite Device driver (WDM);c:\windows\system32\drivers\pwi_bus.sys [5/17/2007 2:28 PM 55344]
S3 pwi_mdfl;Curitel PC Card Filter;c:\windows\system32\drivers\pwi_mdfl.sys [5/17/2007 2:28 PM 9200]
S3 pwi_mdm;Curitel PC Card Drivers;c:\windows\system32\drivers\pwi_mdm.sys [5/17/2007 2:28 PM 89936]
S3 pwi_oflt;Curitel PC Card OHCI Filter;c:\windows\system32\drivers\pwi_oflt.sys [5/17/2007 2:28 PM 9472]
S3 pwi_serd;Curitel PC Card Diagnostic Serial Port (WDM);c:\windows\system32\drivers\pwi_serd.sys [5/17/2007 2:28 PM 69632]
S3 SMC2208;SMC Compact USB to Ethernet converter;c:\windows\system32\drivers\SMC2208.SYS [2/16/2008 12:40 PM 26525]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

2008-01-16 c:\windows\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job
- c:\program files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe [2005-11-07 07:04]

2009-09-03 c:\windows\Tasks\Norton Security Scan for Cubby.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.3.0.44\Nss.exe [2009-07-19 16:21]

2009-09-04 c:\windows\Tasks\User_Feed_Synchronization-{522C9FDF-90D3-4175-A7FB-7B976A9CAC8A}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]

2009-09-02 c:\windows\Tasks\{CB904F16-01AA-4E35-81DF-0F9BCF531682}_MACDONALDWOOD_Cubby.job
- c:\windows\system32\mobsync.exe [2004-08-04 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
LSP: vlsp.dll
Trusted Zone: stumbleupon.com
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: PUFLITE - hxxp://cubbyfitts.point2agent.com/Office/ColpaControls/Photo/Control/PUFLITE.CAB
DPF: {42D06124-98A2-47EC-8098-3778B58CE7D5} - hxxps://actsvr.comcastonline.com/techtools/dl/Comcast%20Activation%20Controls.cab
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {7EC816D4-6FC3-4C58-A7DA-A770EE461602} - hxxp://151.203.99.51/Ericom/WebConnect%205.6/web/windows/ptdownloader.cab
FF - ProfilePath - c:\documents and settings\cubby.MACDONALDWOOD\Application Data\Mozilla\Firefox\Profiles\xf0e1ri2.default\
FF - prefs.js: browser.startup.homepage - hxxp://search.imesh.com/
FF - prefs.js: browser.search.selectedEngine - iMesh Web Search
FF - prefs.js: keyword.URL - hxxp://search.imesh.com/webResults.html?src=ffb&q=
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

BHO-{ecfc4506-fcc3-4507-b2c1-27e4129eff84} - jifipanu.dll
HKLM-Run-zuvinesiza - tarozahi.dll
AddRemove-Adobe Photoshop 5.5 - c:\windows\ISUNINST.EXE -fc:\program files\Adobe\Photoshop 5.5\Uninst.isu
AddRemove-RCA Detective_is1 - c:\documents and settings\cubby.MACDONALDWOOD\My Documents\RCA Detective\unins000.exe
AddRemove-RCA Memory Manager_is1 - c:\documents and settings\cubby.MACDONALDWOOD\My Documents\RCA Memory Manager\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-16 20:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBTCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1823468856-3774011236-2554016227-1605\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1C9602E9-0078-28D7-9D74-7CB879902A53}*]
"hakohkpfpeeclemj"=hex:6a,61,6f,70,6b,64,6f,66,6b,6d,65,68,69,69,66,67,68,68,
6c,63,00,00
"iamoongcjdkkmbbope"=hex:6a,61,6f,70,6b,64,6f,66,63,6e,6d,66,6e,61,64,64,61,6b,
6c,64,00,00

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,97,65,98,77,df,
c4,d9,d5,e2,63,26,f1,3f,c8,ff,68,26,da,4a,51,2c,18,5c,9b,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:46,47,15,b0,92,4b,c7,ef,c0,d8,10,c6,fc,
d8,85,02,6a,9c,d6,61,af,45,84,18,63,98,aa,41,9d,27,22,f8,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,77,6b,0f,1c,e2,
18,6e,17,ff,7c,85,e0,43,d4,0e,fe,42,e8,9f,e8,ec,72,c5,99,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,93,ca,7f,74,98,
a9,19,16,86,8c,21,01,be,91,eb,e7,18,97,a8,58,fe,a9,4e,79,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,3c,0e,eb,90,42,
fa,06,cb,f5,1d,4d,73,a8,13,5c,05,6b,83,dc,d8,36,37,17,f7,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,50,cf,42,b4,96,
4a,7b,52,df,20,58,62,78,6b,cf,c8,df,e7,7e,bd,d5,e9,01,09,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,cb,53,db,0d,94,
5e,6e,68,fb,a7,78,e6,12,2f,9a,ea,6f,2a,ed,60,b2,d1,47,83,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,ff,57,35,74,eb,
c0,05,20,01,3a,48,fc,e8,04,4a,f1,f1,75,68,bb,bf,e2,2e,a4,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,a9,be,9e,98,8b,
17,38,7b,f6,0f,4e,58,98,5b,89,c9,42,b2,98,75,e4,2f,3b,36,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,c2,82,54,f6,10,
e3,07,8e,3d,ce,ea,26,2d,45,aa,78,ee,29,88,ea,c4,c6,75,12,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,2d,db,c2,de,4b,
e1,3d,b4,2a,b7,cc,b5,b9,7f,41,e7,68,33,58,56,d5,cb,db,4d,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,62,be,74,45,21,
51,65,c7,6c,43,2d,1e,aa,22,2f,9c,08,b7,02,b6,70,38,f2,30,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(764)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll
c:\windows\system32\vlsp.dll

- - - - - - - > 'explorer.exe'(1136)
c:\windows\system32\WININET.dll
c:\windows\system32\dibiyowa.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\vlsp.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\system32\lexbces.exE
c:\windows\system32\scardsvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Wave Systems Corp\common\DataServer.exe
c:\windows\system32\dlbtcoms.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\spool\drivers\w32x86\3\HPZIPM12.EXE
c:\windows\system32\BCMWLTRY.EXE
.
**************************************************************************
.
Completion time: 2009-09-17 20:05 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-17 00:05

Pre-Run: 35,583,873,024 bytes free
Post-Run: 35,673,800,704 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

471 --- E O F --- 2009-08-26 17:40

I think Windows did an "Update" which took effect upon reboot....
also Once combofix started it asked me to click "OK" to update to a newer version...everything else went smoothly.

ComboFix 09-09-17.04 - Cubby 09/17/2009 21:15.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.496 [GMT -4:00]
Running from: c:\documents and settings\cubby.MACDONALDWOOD\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\cubby.MACDONALDWOOD\Desktop\CFScript.txt
AV: Norton 360 *On-access scanning disabled* (Outdated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}

FILE ::
"c:\windows\bk23567.dat"
"c:\windows\ozebe.dat"
"c:\windows\system32\dibiyowa.dll"
"c:\windows\system32\jobobuwi.dll"
"c:\windows\system32\jubawiro.dll"
"c:\windows\system32\pitivoni.dll"
"c:\windows\system32\ropasaje.dll"
"c:\windows\system32\sohojire.dll"
"c:\windows\system32\tesifeke.dll"
"c:\windows\system32\vugivodi.dll"
"c:\windows\system32\yoyijite.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\bk23567.dat
c:\windows\ozebe.dat
c:\windows\system32\jobobuwi.dll
c:\windows\system32\jubawiro.dll
c:\windows\system32\pitivoni.dll
c:\windows\system32\ropasaje.dll
c:\windows\system32\sohojire.dll
c:\windows\system32\tesifeke.dll
c:\windows\system32\vugivodi.dll
c:\windows\system32\yoyijite.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FILTER
-------\Service_Filter


((((((((((((((((((((((((( Files Created from 2009-08-18 to 2009-09-18 )))))))))))))))))))))))))))))))
.

2009-09-16 23:57 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-16 17:14 . 2009-09-16 17:14 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-09-13 00:07 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-13 00:07 . 2009-09-16 17:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-13 00:07 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-01 18:37 . 2009-09-01 18:37 -------- d-----w- C:\_OTM
2009-09-01 15:53 . 2009-09-01 18:48 -------- d-----w- c:\program files\M1N1
2009-09-01 14:35 . 2009-09-01 14:35 -------- d-----w- c:\documents and settings\cubby.MACDONALDWOOD\Application Data\Malwarebytes
2009-09-01 14:35 . 2009-09-01 14:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-01 10:10 . 2009-09-01 10:10 -------- d-sh--w- c:\documents and settings\Cubby\PrivacIE
2009-09-01 10:01 . 2009-09-01 10:01 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-01 10:00 . 2009-09-01 10:00 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-08-31 20:54 . 2009-08-31 20:54 -------- d-sh--w- c:\documents and settings\Cubby\IETldCache
2009-08-31 20:28 . 2009-08-31 20:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-26 11:20 . 2009-08-26 11:20 -------- d-----w- c:\program files\Media5 Software
2009-08-26 11:17 . 2002-12-03 07:11 143872 ----a-w- c:\windows\system32\NCTWMAFile.dll
2009-08-26 11:17 . 2002-12-03 07:07 168448 ----a-w- c:\windows\system32\NCTAudioPlayer.dll
2009-08-26 11:17 . 2002-12-03 07:02 491520 ----a-w- c:\windows\system32\NCTAudioFile.dll
2009-08-26 11:13 . 2009-08-26 11:13 -------- d-----w- c:\program files\WMA WAV MP3 to Audio CD Maker
2009-08-25 01:27 . 2009-08-25 01:27 -------- d-----w- c:\documents and settings\cubby.MACDONALDWOOD\Application Data\AVS4YOU
2009-08-25 01:27 . 2009-08-25 01:27 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2009-08-25 01:26 . 2009-08-25 01:27 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-08-25 01:26 . 2009-08-25 01:27 -------- d-----w- c:\program files\AVS4YOU
2009-08-25 01:26 . 2008-08-13 15:22 1700352 ----a-w- c:\windows\system32\GdiPlus.dll
2009-08-24 23:56 . 2009-08-24 23:56 -------- d-----w- c:\documents and settings\cubby.MACDONALDWOOD\Application Data\iMeshMediabarTb
2009-08-24 23:56 . 2009-08-24 23:56 -------- d-----w- c:\program files\iMeshMediabarTb
2009-08-24 23:56 . 2009-08-28 14:28 -------- d-----w- c:\documents and settings\cubby.MACDONALDWOOD\Local Settings\Application Data\iMesh
2009-08-24 23:56 . 2009-08-24 23:56 -------- d-----w- c:\program files\iMesh Applications
2009-08-24 18:58 . 2009-08-24 18:58 -------- d-----w- c:\documents and settings\All Users\Application Data\2BAB
2009-08-22 13:55 . 2009-08-22 14:03 -------- d-----w- c:\documents and settings\cubby.MACDONALDWOOD\Application Data\CVS
2009-08-22 13:54 . 2009-08-31 20:07 -------- d-sh--w- c:\windows\ftpcache
2009-08-22 13:39 . 2009-08-22 13:39 -------- d-----w- c:\program files\Microsoft Office Outlook Connector
2009-08-21 00:40 . 2009-08-25 15:19 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-21 00:39 . 2009-08-21 00:39 -------- d-----w- c:\program files\LitexMedia

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-18 01:06 . 2009-03-28 23:35 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-17 01:25 . 2007-04-13 00:07 -------- d-----w- c:\program files\dl_Cats
2009-09-13 14:08 . 2009-06-13 14:08 88576 ----a-w- c:\windows\system32\dibiyowa.dll
2009-09-13 14:08 . 2007-09-13 16:05 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-01 10:13 . 2006-08-22 06:33 -------- d-----w- c:\program files\Google
2009-09-01 00:58 . 2006-12-28 01:31 -------- d-----w- c:\documents and settings\cubby.MACDONALDWOOD\Application Data\Azureus
2009-08-31 20:04 . 2007-11-15 02:48 -------- d-----w- c:\documents and settings\cubby.MACDONALDWOOD\Application Data\Wave Systems Corp
2009-08-25 01:46 . 2008-01-08 19:03 -------- d-----w- c:\program files\MediaCoder
2009-08-22 13:38 . 2007-10-17 16:18 -------- d-----w- c:\program files\MSECache
2009-08-07 13:39 . 2006-09-13 17:27 93472 ----a-w- c:\documents and settings\cubby.MACDONALDWOOD\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-06 07:07 . 2009-08-06 07:07 -------- d-----w- c:\program files\MSBuild
2009-08-06 07:07 . 2009-08-06 07:07 -------- d-----w- c:\program files\Reference Assemblies
2009-08-05 09:01 . 2004-08-04 10:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-02 11:33 . 2007-09-13 16:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-07-31 23:49 . 2006-08-22 06:06 35001 ----a-w- c:\windows\system32\nvModes.dat
2009-07-31 19:27 . 2006-09-13 15:35 -------- d-----w- c:\documents and settings\cubby.MACDONALDWOOD\Application Data\AdobeUM
2009-07-17 19:01 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-04 10:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2006-03-04 03:33 915456 ------w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2004-08-04 10:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-04 10:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-04 10:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-04 10:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-04 10:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-04 10:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-08-04 10:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2006-12-17 21:20 . 2006-12-17 21:20 36206039 -c--a-w- c:\program files\Top Producer Outlook Connector.EXE
2006-12-13 03:12 . 2007-02-08 21:35 66648 -c--a-w- c:\program files\mozilla firefox\components\jar50.dll
2006-12-13 03:12 . 2007-02-08 21:35 54352 -c--a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2006-12-13 03:12 . 2007-02-08 21:35 34928 -c--a-w- c:\program files\mozilla firefox\components\myspell.dll
2006-12-13 03:12 . 2007-02-08 21:35 46696 -c--a-w- c:\program files\mozilla firefox\components\spellchk.dll
2006-12-13 03:12 . 2007-02-08 21:35 172120 -c--a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2007-03-15 21:30 . 2007-03-15 21:30 80 -csha-r- c:\windows\system32\67F454E4E8.dll
.

------- Sigcheck -------


[7] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\eventlog.dll
[7] 2004-08-04 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\eventlog.dll

c:\windows\system32\drivers\beep.sys ... is missing !!
c:\windows\system32\eventlog.dll ... is missing !!
.
((((((((((((((((((((((((((((( SnapShot@2009-09-17_00.01.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-18 01:24 . 2009-09-18 01:24 16384 c:\windows\Temp\Perflib_Perfdata_76c.dat
+ 2006-09-13 16:48 . 2009-09-18 01:07 23040 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2006-09-13 16:48 . 2009-08-27 12:57 23040 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2006-09-13 16:48 . 2009-09-18 01:07 61440 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2006-09-13 16:48 . 2009-08-27 12:57 61440 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2006-09-13 16:48 . 2009-08-27 12:57 27136 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2006-09-13 16:48 . 2009-09-18 01:07 27136 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2006-09-13 16:48 . 2009-08-27 12:57 11264 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2006-09-13 16:48 . 2009-09-18 01:07 11264 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2006-09-13 16:48 . 2009-08-27 12:57 12288 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2006-09-13 16:48 . 2009-09-18 01:07 12288 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2006-09-13 16:48 . 2009-08-27 12:57 4096 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2006-09-13 16:48 . 2009-09-18 01:07 4096 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2004-08-04 10:00 . 2009-06-22 06:44 726528 c:\windows\system32\jscript.dll
- 2004-08-04 10:00 . 2009-03-08 08:33 726528 c:\windows\system32\jscript.dll
+ 2008-05-09 10:53 . 2009-06-22 06:44 726528 c:\windows\system32\dllcache\jscript.dll
- 2008-05-09 10:53 . 2009-03-08 08:33 726528 c:\windows\system32\dllcache\jscript.dll
- 2006-09-13 16:48 . 2009-08-27 12:57 409600 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2006-09-13 16:48 . 2009-09-18 01:07 409600 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2006-09-13 16:48 . 2009-09-18 01:07 286720 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2006-09-13 16:48 . 2009-08-27 12:57 286720 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2006-09-13 16:48 . 2009-08-27 12:57 249856 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2006-09-13 16:48 . 2009-09-18 01:07 249856 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2006-09-13 16:48 . 2009-09-18 01:07 794624 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2006-09-13 16:48 . 2009-08-27 12:57 794624 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2006-09-13 16:48 . 2009-09-18 01:07 135168 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2006-09-13 16:48 . 2009-08-27 12:57 135168 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2009-09-18 01:05 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB971961-IE8\spuninst\updspapi.dll
+ 2009-09-18 01:05 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB971961-IE8\spuninst\spuninst.exe
+ 2009-09-18 01:05 . 2009-03-08 08:33 726528 c:\windows\ie8updates\KB971961-IE8\jscript.dll
- 2004-08-04 10:00 . 2008-06-18 10:03 2458112 c:\windows\system32\WMVCore.dll
+ 2004-08-04 10:00 . 2009-05-20 08:56 2458112 c:\windows\system32\WMVCore.dll
+ 2004-08-04 10:00 . 2009-05-20 08:56 2458112 c:\windows\system32\dllcache\WMVCore.dll
- 2004-08-04 10:00 . 2008-06-18 10:03 2458112 c:\windows\system32\dllcache\WMVCore.dll
+ 2009-08-25 18:57 . 2009-08-25 18:57 5518336 c:\windows\Installer\567e188.msp
+ 2009-09-18 01:07 . 2009-08-28 18:38 24689600 c:\windows\system32\MRT.exe
+ 2009-09-18 01:06 . 2009-09-18 01:06 15709696 c:\windows\Installer\567e176.msp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F}"= "c:\program files\iMeshMediabarTb\iMeshMediaBarDx.dll" [2009-07-31 91568]

[HKEY_CLASSES_ROOT\clsid\{abb49b3b-ab7d-4ed0-9135-93fd5aa4f69f}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-14 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-24 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DLBTCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2007-02-12 73728]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2006-04-06 1032192]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"domezudim"="c:\windows\system32\dibiyowa.dll" [2009-09-13 88576]

c:\documents and settings\Cubby\Start Menu\Programs\Startup\
VZAccess Manager.lnk - c:\program files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe [2007-5-17 1220608]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{a292acc6-cf08-4d50-83ab-cb5c6eef5773}"= "c:\windows\system32\dibiyowa.dll" [2009-09-13 88576]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-04-24 282624]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"sagujesur"= {a292acc6-cf08-4d50-83ab-cb5c6eef5773} - c:\windows\system32\dibiyowa.dll [2009-09-13 88576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EMBASSY Trust Suite Secure Update.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\EMBASSY Trust Suite Secure Update.lnk
backup=c:\windows\pss\EMBASSY Trust Suite Secure Update.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=c:\windows\pss\Service Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^cubby.MACDONALDWOOD^Start Menu^Programs^Startup^Anapod Manager.lnk]
path=c:\documents and settings\cubby.MACDONALDWOOD\Start Menu\Programs\Startup\Anapod Manager.lnk
backup=c:\windows\pss\Anapod Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^cubby.MACDONALDWOOD^Start Menu^Programs^Startup^RCA Detective.lnk]
path=c:\documents and settings\cubby.MACDONALDWOOD\Start Menu\Programs\Startup\RCA Detective.lnk
backup=c:\windows\pss\RCA Detective.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\WINDOWS\\system32\\dlbtcoms.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dlbtpswx.exe"=
"c:\\Program Files\\Red Chair Software\\Anapod Explorer\\anamgr.exe"=
"c:\\Program Files\\Pinnacle\\VideoSpin\\Programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\VideoSpin\\Programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\VideoSpin\\Programs\\umi.exe"=
"c:\\Program Files\\Pinnacle\\VideoSpin\\Programs\\VideoSpin.exe"=
"c:\\WebC_ActiveX4.22\\ptermX.exe"=
"c:\\Program Files\\Ericom Software\\PowerTerm WebConnect 5.6\\151.203.99.51\\ptermX.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\iMesh Applications\\iMesh\\iMesh.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R2 WILPAR;Wordcraft Parallel Driver;c:\windows\system32\drivers\WILPAR.SYS [9/1/2006 11:40 AM 22976]
S3 cur_bus;Curitel USB Composite Device driver (WDM);c:\windows\system32\drivers\cur_bus.sys [9/5/2006 10:41 AM 50176]
S3 cur_mdfl;Curitel Packet Service Filter;c:\windows\system32\drivers\cur_mdfl.sys [9/5/2006 10:41 AM 6096]
S3 cur_mdm;Curitel Packet Service Drivers;c:\windows\system32\drivers\cur_mdm.sys [9/5/2006 10:41 AM 81056]
S3 pwi_bus;Curitel PC Card Composite Device driver (WDM);c:\windows\system32\drivers\pwi_bus.sys [5/17/2007 2:28 PM 55344]
S3 pwi_mdfl;Curitel PC Card Filter;c:\windows\system32\drivers\pwi_mdfl.sys [5/17/2007 2:28 PM 9200]
S3 pwi_mdm;Curitel PC Card Drivers;c:\windows\system32\drivers\pwi_mdm.sys [5/17/2007 2:28 PM 89936]
S3 pwi_oflt;Curitel PC Card OHCI Filter;c:\windows\system32\drivers\pwi_oflt.sys [5/17/2007 2:28 PM 9472]
S3 pwi_serd;Curitel PC Card Diagnostic Serial Port (WDM);c:\windows\system32\drivers\pwi_serd.sys [5/17/2007 2:28 PM 69632]
S3 SMC2208;SMC Compact USB to Ethernet converter;c:\windows\system32\drivers\SMC2208.SYS [2/16/2008 12:40 PM 26525]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

2009-09-03 c:\windows\Tasks\Norton Security Scan for Cubby.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.3.0.44\Nss.exe [2009-07-19 16:21]

2009-09-04 c:\windows\Tasks\User_Feed_Synchronization-{522C9FDF-90D3-4175-A7FB-7B976A9CAC8A}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]

2009-09-02 c:\windows\Tasks\{CB904F16-01AA-4E35-81DF-0F9BCF531682}_MACDONALDWOOD_Cubby.job
- c:\windows\system32\mobsync.exe [2004-08-04 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
LSP: vlsp.dll
Trusted Zone: stumbleupon.com
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: PUFLITE - hxxp://cubbyfitts.point2agent.com/Office/ColpaControls/Photo/Control/PUFLITE.CAB
DPF: {42D06124-98A2-47EC-8098-3778B58CE7D5} - hxxps://actsvr.comcastonline.com/techtools/dl/Comcast%20Activation%20Controls.cab
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {7EC816D4-6FC3-4C58-A7DA-A770EE461602} - hxxp://151.203.99.51/Ericom/WebConnect%205.6/web/windows/ptdownloader.cab
FF - ProfilePath - c:\documents and settings\cubby.MACDONALDWOOD\Application Data\Mozilla\Firefox\Profiles\xf0e1ri2.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-17 21:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBTCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,97,65,98,77,df,
c4,d9,d5,e2,63,26,f1,3f,c8,ff,68,26,da,4a,51,2c,18,5c,9b,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:46,47,15,b0,92,4b,c7,ef,c0,d8,10,c6,fc,
d8,85,02,6a,9c,d6,61,af,45,84,18,63,98,aa,41,9d,27,22,f8,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,77,6b,0f,1c,e2,
18,6e,17,ff,7c,85,e0,43,d4,0e,fe,42,e8,9f,e8,ec,72,c5,99,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,93,ca,7f,74,98,
a9,19,16,86,8c,21,01,be,91,eb,e7,18,97,a8,58,fe,a9,4e,79,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,3c,0e,eb,90,42,
fa,06,cb,f5,1d,4d,73,a8,13,5c,05,6b,83,dc,d8,36,37,17,f7,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,50,cf,42,b4,96,
4a,7b,52,df,20,58,62,78,6b,cf,c8,df,e7,7e,bd,d5,e9,01,09,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,cb,53,db,0d,94,
5e,6e,68,fb,a7,78,e6,12,2f,9a,ea,6f,2a,ed,60,b2,d1,47,83,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,ff,57,35,74,eb,
c0,05,20,01,3a,48,fc,e8,04,4a,f1,f1,75,68,bb,bf,e2,2e,a4,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,a9,be,9e,98,8b,
17,38,7b,f6,0f,4e,58,98,5b,89,c9,42,b2,98,75,e4,2f,3b,36,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,c2,82,54,f6,10,
e3,07,8e,3d,ce,ea,26,2d,45,aa,78,ee,29,88,ea,c4,c6,75,12,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,2d,db,c2,de,4b,
e1,3d,b4,2a,b7,cc,b5,b9,7f,41,e7,68,33,58,56,d5,cb,db,4d,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,62,be,74,45,21,
51,65,c7,6c,43,2d,1e,aa,22,2f,9c,08,b7,02,b6,70,38,f2,30,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\windows\system32\dibiyowa.dll

- - - - - - - > 'lsass.exe'(768)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll
c:\windows\system32\vlsp.dll

- - - - - - - > 'explorer.exe'(3480)
c:\windows\system32\WININET.dll
c:\windows\system32\dibiyowa.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\vlsp.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\system32\lexbces.exE
c:\windows\system32\scardsvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Wave Systems Corp\common\DataServer.exe
c:\windows\system32\dlbtcoms.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\spool\drivers\w32x86\3\HPZIPM12.EXE
c:\program files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
.
**************************************************************************
.
Completion time: 2009-09-18 21:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-18 01:29
ComboFix2.txt 2009-09-17 00:05

Pre-Run: 35,581,464,576 bytes free
Post-Run: 35,537,281,024 bytes free

431 --- E O F --- 2009-09-18 01:09

This malware is stubborn.

1. Close any open browsers.
   
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
   
3. Open notepad and copy/paste the text in the quotebox below into it:
   

   
   File::
   c:\windows\system32\dibiyowa.dll
   
   Registry::
   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "domezudim"=-
   [hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
   "{a292acc6-cf08-4d50-83ab-cb5c6eef5773}"=-
   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
   "sagujesur"=-
   

   
   
4. Save this as CFScript.txt, in the same location as ComboFix.exe
   
   
   
   
5. Referring to the picture above, drag CFScript into ComboFix.exe
   
6. When finished, it shall produce a log for you at C:\ComboFix.txt
   
7. Please post the contents of the log in your next reply.
   

Tres Stubborn! Things seem to be getting better?

ComboFix 09-09-17.04 - Cubby 09/18/2009 8:29.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.642 [GMT -4:00]
Running from: c:\documents and settings\cubby.MACDONALDWOOD\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\cubby.MACDONALDWOOD\Desktop\CFScript.txt
AV: Norton 360 *On-access scanning disabled* (Outdated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}

FILE ::
"c:\windows\system32\dibiyowa.dll"
.
The following files were disabled during the run:
c:\windows\system32\dibiyowa.dll


((((((((((((((((((((((((( Files Created from 2009-08-18 to 2009-09-18 )))))))))))))))))))))))))))))))
.

2009-09-16 23:57 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-16 17:14 . 2009-09-16 17:14 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-09-13 00:07 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-13 00:07 . 2009-09-16 17:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-13 00:07 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-01 18:37 . 2009-09-01 18:37 -------- d-----w- C:\_OTM
2009-09-01 15:53 . 2009-09-01 18:48 -------- d-----w- c:\program files\M1N1
2009-09-01 14:35 . 2009-09-01 14:35 -------- d-----w- c:\documents and settings\cubby.MACDONALDWOOD\Application Data\Malwarebytes
2009-09-01 14:35 . 2009-09-01 14:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-01 10:10 . 2009-09-01 10:10 -------- d-sh--w- c:\documents and settings\Cubby\PrivacIE
2009-09-01 10:01 . 2009-09-01 10:01 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-01 10:00 . 2009-09-01 10:00 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-08-31 20:54 . 2009-08-31 20:54 -------- d-sh--w- c:\documents and settings\Cubby\IETldCache
2009-08-31 20:28 . 2009-08-31 20:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-26 11:20 . 2009-08-26 11:20 -------- d-----w- c:\program files\Media5 Software
2009-08-26 11:17 . 2002-12-03 07:11 143872 ----a-w- c:\windows\system32\NCTWMAFile.dll
2009-08-26 11:17 . 2002-12-03 07:07 168448 ----a-w- c:\windows\system32\NCTAudioPlayer.dll
2009-08-26 11:17 . 2002-12-03 07:02 491520 ----a-w- c:\windows\system32\NCTAudioFile.dll
2009-08-26 11:13 . 2009-08-26 11:13 -------- d-----w- c:\program files\WMA WAV MP3 to Audio CD Maker
2009-08-25 01:27 . 2009-08-25 01:27 -------- d-----w- c:\documents and settings\cubby.MACDONALDWOOD\Application Data\AVS4YOU
2009-08-25 01:27 . 2009-08-25 01:27 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2009-08-25 01:26 . 2009-08-25 01:27 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-08-25 01:26 . 2009-08-25 01:27 -------- d-----w- c:\program files\AVS4YOU
2009-08-25 01:26 . 2008-08-13 15:22 1700352 ----a-w- c:\windows\system32\GdiPlus.dll
2009-08-24 23:56 . 2009-08-24 23:56 -------- d-----w- c:\documents and settings\cubby.MACDONALDWOOD\Application Data\iMeshMediabarTb
2009-08-24 23:56 . 2009-08-24 23:56 -------- d-----w- c:\program files\iMeshMediabarTb
2009-08-24 23:56 . 2009-08-28 14:28 -------- d-----w- c:\documents and settings\cubby.MACDONALDWOOD\Local Settings\Application Data\iMesh
2009-08-24 23:56 . 2009-08-24 23:56 -------- d-----w- c:\program files\iMesh Applications
2009-08-24 18:58 . 2009-08-24 18:58 -------- d-----w- c:\documents and settings\All Users\Application Data\2BAB
2009-08-22 13:55 . 2009-08-22 14:03 -------- d-----w- c:\documents and settings\cubby.MACDONALDWOOD\Application Data\CVS
2009-08-22 13:54 . 2009-08-31 20:07 -------- d-sh--w- c:\windows\ftpcache
2009-08-22 13:39 . 2009-08-22 13:39 -------- d-----w- c:\program files\Microsoft Office Outlook Connector
2009-08-21 00:40 . 2009-08-25 15:19 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-21 00:39 . 2009-08-21 00:39 -------- d-----w- c:\program files\LitexMedia

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-18 01:23 . 2009-03-28 23:35 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-17 01:25 . 2007-04-13 00:07 -------- d-----w- c:\program files\dl_Cats
2009-09-13 14:08 . 2009-06-13 14:08 88576 ----a-w- c:\windows\system32\dibiyowa.dll.vir
2009-09-13 14:08 . 2007-09-13 16:05 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-01 10:13 . 2006-08-22 06:33 -------- d-----w- c:\program files\Google
2009-09-01 00:58 . 2006-12-28 01:31 -------- d-----w- c:\documents and settings\cubby.MACDONALDWOOD\Application Data\Azureus
2009-08-31 20:04 . 2007-11-15 02:48 -------- d-----w- c:\documents and settings\cubby.MACDONALDWOOD\Application Data\Wave Systems Corp
2009-08-25 01:46 . 2008-01-08 19:03 -------- d-----w- c:\program files\MediaCoder
2009-08-22 13:38 . 2007-10-17 16:18 -------- d-----w- c:\program files\MSECache
2009-08-07 13:39 . 2006-09-13 17:27 93472 ----a-w- c:\documents and settings\cubby.MACDONALDWOOD\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-06 07:07 . 2009-08-06 07:07 -------- d-----w- c:\program files\MSBuild
2009-08-06 07:07 . 2009-08-06 07:07 -------- d-----w- c:\program files\Reference Assemblies
2009-08-05 09:01 . 2004-08-04 10:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-02 11:33 . 2007-09-13 16:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-07-31 23:49 . 2006-08-22 06:06 35001 ----a-w- c:\windows\system32\nvModes.dat
2009-07-31 19:27 . 2006-09-13 15:35 -------- d-----w- c:\documents and settings\cubby.MACDONALDWOOD\Application Data\AdobeUM
2009-07-17 19:01 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-04 10:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2006-03-04 03:33 915456 ------w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2004-08-04 10:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-04 10:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-04 10:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-04 10:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-04 10:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-04 10:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-08-04 10:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2006-12-17 21:20 . 2006-12-17 21:20 36206039 -c--a-w- c:\program files\Top Producer Outlook Connector.EXE
2006-12-13 03:12 . 2007-02-08 21:35 66648 -c--a-w- c:\program files\mozilla firefox\components\jar50.dll
2006-12-13 03:12 . 2007-02-08 21:35 54352 -c--a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2006-12-13 03:12 . 2007-02-08 21:35 34928 -c--a-w- c:\program files\mozilla firefox\components\myspell.dll
2006-12-13 03:12 . 2007-02-08 21:35 46696 -c--a-w- c:\program files\mozilla firefox\components\spellchk.dll
2006-12-13 03:12 . 2007-02-08 21:35 172120 -c--a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2007-03-15 21:30 . 2007-03-15 21:30 80 -csha-r- c:\windows\system32\67F454E4E8.dll
.

------- Sigcheck -------


[7] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\eventlog.dll
[7] 2004-08-04 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\eventlog.dll

c:\windows\system32\drivers\beep.sys ... is missing !!
c:\windows\system32\eventlog.dll ... is missing !!
.
((((((((((((((((((((((((((((( SnapShot@2009-09-17_00.01.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-18 01:24 . 2009-09-18 01:24 16384 c:\windows\Temp\Perflib_Perfdata_76c.dat
+ 2006-09-13 16:48 . 2009-09-18 01:07 23040 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2006-09-13 16:48 . 2009-08-27 12:57 23040 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2006-09-13 16:48 . 2009-09-18 01:07 61440 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2006-09-13 16:48 . 2009-08-27 12:57 61440 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2006-09-13 16:48 . 2009-08-27 12:57 27136 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2006-09-13 16:48 . 2009-09-18 01:07 27136 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2006-09-13 16:48 . 2009-08-27 12:57 11264 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2006-09-13 16:48 . 2009-09-18 01:07 11264 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2006-09-13 16:48 . 2009-08-27 12:57 12288 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2006-09-13 16:48 . 2009-09-18 01:07 12288 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2006-09-13 16:48 . 2009-08-27 12:57 4096 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2006-09-13 16:48 . 2009-09-18 01:07 4096 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2004-08-04 10:00 . 2009-06-22 06:44 726528 c:\windows\system32\jscript.dll
- 2004-08-04 10:00 . 2009-03-08 08:33 726528 c:\windows\system32\jscript.dll
+ 2008-05-09 10:53 . 2009-06-22 06:44 726528 c:\windows\system32\dllcache\jscript.dll
- 2008-05-09 10:53 . 2009-03-08 08:33 726528 c:\windows\system32\dllcache\jscript.dll
- 2006-09-13 16:48 . 2009-08-27 12:57 409600 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2006-09-13 16:48 . 2009-09-18 01:07 409600 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2006-09-13 16:48 . 2009-09-18 01:07 286720 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2006-09-13 16:48 . 2009-08-27 12:57 286720 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2006-09-13 16:48 . 2009-08-27 12:57 249856 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2006-09-13 16:48 . 2009-09-18 01:07 249856 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2006-09-13 16:48 . 2009-09-18 01:07 794624 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2006-09-13 16:48 . 2009-08-27 12:57 794624 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2006-09-13 16:48 . 2009-09-18 01:07 135168 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2006-09-13 16:48 . 2009-08-27 12:57 135168 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2009-09-18 01:05 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB971961-IE8\spuninst\updspapi.dll
+ 2009-09-18 01:05 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB971961-IE8\spuninst\spuninst.exe
+ 2009-09-18 01:05 . 2009-03-08 08:33 726528 c:\windows\ie8updates\KB971961-IE8\jscript.dll
- 2004-08-04 10:00 . 2008-06-18 10:03 2458112 c:\windows\system32\WMVCore.dll
+ 2004-08-04 10:00 . 2009-05-20 08:56 2458112 c:\windows\system32\WMVCore.dll
+ 2004-08-04 10:00 . 2009-05-20 08:56 2458112 c:\windows\system32\dllcache\WMVCore.dll
- 2004-08-04 10:00 . 2008-06-18 10:03 2458112 c:\windows\system32\dllcache\WMVCore.dll
+ 2009-08-25 18:57 . 2009-08-25 18:57 5518336 c:\windows\Installer\567e188.msp
+ 2009-09-18 01:07 . 2009-08-28 18:38 24689600 c:\windows\system32\MRT.exe
+ 2009-09-18 01:06 . 2009-09-18 01:06 15709696 c:\windows\Installer\567e176.msp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F}"= "c:\program files\iMeshMediabarTb\iMeshMediaBarDx.dll" [2009-07-31 91568]

[HKEY_CLASSES_ROOT\clsid\{abb49b3b-ab7d-4ed0-9135-93fd5aa4f69f}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-14 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-24 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DLBTCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2007-02-12 73728]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2006-04-06 1032192]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

c:\documents and settings\Cubby\Start Menu\Programs\Startup\
VZAccess Manager.lnk - c:\program files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe [2007-5-17 1220608]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-04-24 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EMBASSY Trust Suite Secure Update.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\EMBASSY Trust Suite Secure Update.lnk
backup=c:\windows\pss\EMBASSY Trust Suite Secure Update.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=c:\windows\pss\Service Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^cubby.MACDONALDWOOD^Start Menu^Programs^Startup^Anapod Manager.lnk]
path=c:\documents and settings\cubby.MACDONALDWOOD\Start Menu\Programs\Startup\Anapod Manager.lnk
backup=c:\windows\pss\Anapod Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^cubby.MACDONALDWOOD^Start Menu^Programs^Startup^RCA Detective.lnk]
path=c:\documents and settings\cubby.MACDONALDWOOD\Start Menu\Programs\Startup\RCA Detective.lnk
backup=c:\windows\pss\RCA Detective.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\WINDOWS\\system32\\dlbtcoms.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dlbtpswx.exe"=
"c:\\Program Files\\Red Chair Software\\Anapod Explorer\\anamgr.exe"=
"c:\\Program Files\\Pinnacle\\VideoSpin\\Programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\VideoSpin\\Programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\VideoSpin\\Programs\\umi.exe"=
"c:\\Program Files\\Pinnacle\\VideoSpin\\Programs\\VideoSpin.exe"=
"c:\\WebC_ActiveX4.22\\ptermX.exe"=
"c:\\Program Files\\Ericom Software\\PowerTerm WebConnect 5.6\\151.203.99.51\\ptermX.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\iMesh Applications\\iMesh\\iMesh.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R2 WILPAR;Wordcraft Parallel Driver;c:\windows\system32\drivers\WILPAR.SYS [9/1/2006 11:40 AM 22976]
S3 cur_bus;Curitel USB Composite Device driver (WDM);c:\windows\system32\drivers\cur_bus.sys [9/5/2006 10:41 AM 50176]
S3 cur_mdfl;Curitel Packet Service Filter;c:\windows\system32\drivers\cur_mdfl.sys [9/5/2006 10:41 AM 6096]
S3 cur_mdm;Curitel Packet Service Drivers;c:\windows\system32\drivers\cur_mdm.sys [9/5/2006 10:41 AM 81056]
S3 pwi_bus;Curitel PC Card Composite Device driver (WDM);c:\windows\system32\drivers\pwi_bus.sys [5/17/2007 2:28 PM 55344]
S3 pwi_mdfl;Curitel PC Card Filter;c:\windows\system32\drivers\pwi_mdfl.sys [5/17/2007 2:28 PM 9200]
S3 pwi_mdm;Curitel PC Card Drivers;c:\windows\system32\drivers\pwi_mdm.sys [5/17/2007 2:28 PM 89936]
S3 pwi_oflt;Curitel PC Card OHCI Filter;c:\windows\system32\drivers\pwi_oflt.sys [5/17/2007 2:28 PM 9472]
S3 pwi_serd;Curitel PC Card Diagnostic Serial Port (WDM);c:\windows\system32\drivers\pwi_serd.sys [5/17/2007 2:28 PM 69632]
S3 SMC2208;SMC Compact USB to Ethernet converter;c:\windows\system32\drivers\SMC2208.SYS [2/16/2008 12:40 PM 26525]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

2009-09-03 c:\windows\Tasks\Norton Security Scan for Cubby.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.3.0.44\Nss.exe [2009-07-19 16:21]

2009-09-04 c:\windows\Tasks\User_Feed_Synchronization-{522C9FDF-90D3-4175-A7FB-7B976A9CAC8A}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]

2009-09-02 c:\windows\Tasks\{CB904F16-01AA-4E35-81DF-0F9BCF531682}_MACDONALDWOOD_Cubby.job
- c:\windows\system32\mobsync.exe [2004-08-04 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
LSP: vlsp.dll
Trusted Zone: stumbleupon.com
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: PUFLITE - hxxp://cubbyfitts.point2agent.com/Office/ColpaControls/Photo/Control/PUFLITE.CAB
DPF: {42D06124-98A2-47EC-8098-3778B58CE7D5} - hxxps://actsvr.comcastonline.com/techtools/dl/Comcast%20Activation%20Controls.cab
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {7EC816D4-6FC3-4C58-A7DA-A770EE461602} - hxxp://151.203.99.51/Ericom/WebConnect%205.6/web/windows/ptdownloader.cab
FF - ProfilePath - c:\documents and settings\cubby.MACDONALDWOOD\Application Data\Mozilla\Firefox\Profiles\xf0e1ri2.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-domezudim - c:\windows\system32\dibiyowa.dll
SharedTaskScheduler-{a292acc6-cf08-4d50-83ab-cb5c6eef5773} - c:\windows\system32\dibiyowa.dll
SSODL-sagujesur-{a292acc6-cf08-4d50-83ab-cb5c6eef5773} - c:\windows\system32\dibiyowa.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-18 08:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBTCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,97,65,98,77,df,
c4,d9,d5,e2,63,26,f1,3f,c8,ff,68,26,da,4a,51,2c,18,5c,9b,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:46,47,15,b0,92,4b,c7,ef,c0,d8,10,c6,fc,
d8,85,02,6a,9c,d6,61,af,45,84,18,63,98,aa,41,9d,27,22,f8,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,77,6b,0f,1c,e2,
18,6e,17,ff,7c,85,e0,43,d4,0e,fe,42,e8,9f,e8,ec,72,c5,99,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,93,ca,7f,74,98,
a9,19,16,86,8c,21,01,be,91,eb,e7,18,97,a8,58,fe,a9,4e,79,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,3c,0e,eb,90,42,
fa,06,cb,f5,1d,4d,73,a8,13,5c,05,6b,83,dc,d8,36,37,17,f7,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,50,cf,42,b4,96,
4a,7b,52,df,20,58,62,78,6b,cf,c8,df,e7,7e,bd,d5,e9,01,09,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,cb,53,db,0d,94,
5e,6e,68,fb,a7,78,e6,12,2f,9a,ea,6f,2a,ed,60,b2,d1,47,83,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,ff,57,35,74,eb,
c0,05,20,01,3a,48,fc,e8,04,4a,f1,f1,75,68,bb,bf,e2,2e,a4,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,a9,be,9e,98,8b,
17,38,7b,f6,0f,4e,58,98,5b,89,c9,42,b2,98,75,e4,2f,3b,36,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,c2,82,54,f6,10,
e3,07,8e,3d,ce,ea,26,2d,45,aa,78,ee,29,88,ea,c4,c6,75,12,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,2d,db,c2,de,4b,
e1,3d,b4,2a,b7,cc,b5,b9,7f,41,e7,68,33,58,56,d5,cb,db,4d,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,62,be,74,45,21,
51,65,c7,6c,43,2d,1e,aa,22,2f,9c,08,b7,02,b6,70,38,f2,30,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\windows\system32\dibiyowa.dll

- - - - - - - > 'lsass.exe'(768)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll
c:\windows\system32\vlsp.dll

- - - - - - - > 'explorer.exe'(868)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\vlsp.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-09-18 8:38
ComboFix-quarantined-files.txt 2009-09-18 12:37
ComboFix2.txt 2009-09-18 01:29
ComboFix3.txt 2009-09-17 00:05

Pre-Run: 35,551,289,344 bytes free
Post-Run: 35,530,416,128 bytes free

385 --- E O F --- 2009-09-18 01:09

Hello.
This infection is very messy, and has caused a lot of trouble for this machine. We MIGHT be able to save it, now the malicious files have gone, but they've taken 2 system files with them, so were gonna need to replace them.

Do you have your XP disc in case we need it?

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

• Double-click SystemLook.exe to run it.
  
• Copy the content of the following codebox into the main textfield:
  

  Code:

  
:filefind
beep.sys
eventlog.dll

  
  
  
• Click the Look button to start the scan.
  
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  

Note: The log can also be found on your Desktop entitled SystemLook.txt

Im afraid the cd has gone missing.
SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 10:48 on 18/09/2009 by Cubby (Administrator - Elevation successful)

========== filefind ==========

Searching for "beep.sys"
C:\i386\beep.sys --a--c 4224 bytes [11:53 30/08/2006] [10:00 04/08/2004] DA1F27D85E0D1525F6621372E7B685E9

Searching for "eventlog.dll"
C:\i386\eventlog.dll --a--c 55808 bytes [11:58 30/08/2006] [10:00 04/08/2004] 82B24CB70E5944E6E34662205A2A5B78
C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll -----c 55808 bytes [14:01 29/08/2008] [10:00 04/08/2004] 82B24CB70E5944E6E34662205A2A5B78
C:\WINDOWS\ServicePackFiles\i386\eventlog.dll -----c 56320 bytes [10:52 28/08/2008] [00:11 14/04/2008] 6D4FEB43EE538FC5428CC7F0565AA656

-=End Of File=-

ComboFix 09-09-17.04 - Cubby 09/18/2009 18:45.4.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.600 [GMT -4:00]
Running from: c:\documents and settings\cubby.MACDONALDWOOD\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\cubby.MACDONALDWOOD\Desktop\CFScript.txt
AV: Norton 360 *On-access scanning disabled* (Outdated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}
.
The following files were disabled during the run:
c:\windows\system32\dibiyowa.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\i386\beep.sys --> c:\windows\system32\drivers\beep.sys
c:\i386\eventlog.dll --> c:\windows\system32\eventlog.dll
.
((((((((((((((((((((((((( Files Created from 2009-08-18 to 2009-09-18 )))))))))))))))))))))))))))))))
.

2009-09-18 22:45 . 2004-08-04 10:00 55808 -c--a-w- c:\windows\system32\dllcache\eventlog.dll
2009-09-18 22:45 . 2004-08-04 10:00 55808 ----a-w- c:\windows\system32\eventlog.dll
2009-09-18 22:45 . 2004-08-04 10:00 4224 -c--a-w- c:\windows\system32\dllcache\beep.sys
2009-09-18 22:45 . 2004-08-04 10:00 4224 ----a-w- c:\windows\system32\drivers\beep.sys
2009-09-16 23:57 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-16 17:14 . 2009-09-16 17:14 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-09-13 00:07 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-13 00:07 . 2009-09-16 17:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-13 00:07 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-01 18:37 . 2009-09-01 18:37 -------- d-----w- C:\_OTM
2009-09-01 15:53 . 2009-09-01 18:48 -------- d-----w- c:\program files\M1N1
2009-09-01 14:35 . 2009-09-01 14:35 -------- d-----w- c:\documents and settings\cubby.MACDONALDWOOD\Application Data\Malwarebytes
2009-09-01 14:35 . 2009-09-01 14:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-01 10:10 . 2009-09-01 10:10 -------- d-sh--w- c:\documents and settings\Cubby\PrivacIE
2009-09-01 10:01 . 2009-09-01 10:01 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-01 10:00 . 2009-09-01 10:00 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-08-31 20:54 . 2009-08-31 20:54 -------- d-sh--w- c:\documents and settings\Cubby\IETldCache
2009-08-31 20:28 . 2009-08-31 20:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-26 11:20 . 2009-08-26 11:20 -------- d-----w- c:\program files\Media5 Software
2009-08-26 11:17 . 2002-12-03 07:11 143872 ----a-w- c:\windows\system32\NCTWMAFile.dll
2009-08-26 11:17 . 2002-12-03 07:07 168448 ----a-w- c:\windows\system32\NCTAudioPlayer.dll
2009-08-26 11:17 . 2002-12-03 07:02 491520 ----a-w- c:\windows\system32\NCTAudioFile.dll
2009-08-26 11:13 . 2009-08-26 11:13 -------- d-----w- c:\program files\WMA WAV MP3 to Audio CD Maker
2009-08-25 01:27 . 2009-08-25 01:27 -------- d-----w- c:\documents and settings\cubby.MACDONALDWOOD\Application Data\AVS4YOU
2009-08-25 01:27 . 2009-08-25 01:27 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2009-08-25 01:26 . 2009-08-25 01:27 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-08-25 01:26 . 2009-08-25 01:27 -------- d-----w- c:\program files\AVS4YOU
2009-08-25 01:26 . 2008-08-13 15:22 1700352 ----a-w- c:\windows\system32\GdiPlus.dll
2009-08-24 23:56 . 2009-08-24 23:56 -------- d-----w- c:\documents and settings\cubby.MACDONALDWOOD\Application Data\iMeshMediabarTb
2009-08-24 23:56 . 2009-08-24 23:56 -------- d-----w- c:\program files\iMeshMediabarTb
2009-08-24 23:56 . 2009-08-28 14:28 -------- d-----w- c:\documents and settings\cubby.MACDONALDWOOD\Local Settings\Application Data\iMesh
2009-08-24 23:56 . 2009-08-24 23:56 -------- d-----w- c:\program files\iMesh Applications
2009-08-24 18:58 . 2009-08-24 18:58 -------- d-----w- c:\documents and settings\All Users\Application Data\2BAB
2009-08-22 13:55 . 2009-08-22 14:03 -------- d-----w- c:\documents and settings\cubby.MACDONALDWOOD\Application Data\CVS
2009-08-22 13:54 . 2009-08-31 20:07 -------- d-sh--w- c:\windows\ftpcache
2009-08-22 13:39 . 2009-08-22 13:39 -------- d-----w- c:\program files\Microsoft Office Outlook Connector
2009-08-21 00:40 . 2009-08-25 15:19 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-21 00:39 . 2009-08-21 00:39 -------- d-----w- c:\program files\LitexMedia

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-18 01:23 . 2009-03-28 23:35 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-17 01:25 . 2007-04-13 00:07 -------- d-----w- c:\program files\dl_Cats
2009-09-13 14:08 . 2009-06-13 14:08 88576 ----a-w- c:\windows\system32\dibiyowa.dll.vir
2009-09-13 14:08 . 2007-09-13 16:05 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-01 10:13 . 2006-08-22 06:33 -------- d-----w- c:\program files\Google
2009-09-01 00:58 . 2006-12-28 01:31 -------- d-----w- c:\documents and settings\cubby.MACDONALDWOOD\Application Data\Azureus
2009-08-31 20:04 . 2007-11-15 02:48 -------- d-----w- c:\documents and settings\cubby.MACDONALDWOOD\Application Data\Wave Systems Corp
2009-08-25 01:46 . 2008-01-08 19:03 -------- d-----w- c:\program files\MediaCoder
2009-08-22 13:38 . 2007-10-17 16:18 -------- d-----w- c:\program files\MSECache
2009-08-07 13:39 . 2006-09-13 17:27 93472 ----a-w- c:\documents and settings\cubby.MACDONALDWOOD\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-06 07:07 . 2009-08-06 07:07 -------- d-----w- c:\program files\MSBuild
2009-08-06 07:07 . 2009-08-06 07:07 -------- d-----w- c:\program files\Reference Assemblies
2009-08-05 09:01 . 2004-08-04 10:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-02 11:33 . 2007-09-13 16:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-07-31 23:49 . 2006-08-22 06:06 35001 ----a-w- c:\windows\system32\nvModes.dat
2009-07-31 19:27 . 2006-09-13 15:35 -------- d-----w- c:\documents and settings\cubby.MACDONALDWOOD\Application Data\AdobeUM
2009-07-17 19:01 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-04 10:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2006-03-04 03:33 915456 ------w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2004-08-04 10:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-04 10:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-04 10:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-04 10:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-04 10:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-04 10:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-08-04 10:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2006-12-17 21:20 . 2006-12-17 21:20 36206039 -c--a-w- c:\program files\Top Producer Outlook Connector.EXE
2006-12-13 03:12 . 2007-02-08 21:35 66648 -c--a-w- c:\program files\mozilla firefox\components\jar50.dll
2006-12-13 03:12 . 2007-02-08 21:35 54352 -c--a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2006-12-13 03:12 . 2007-02-08 21:35 34928 -c--a-w- c:\program files\mozilla firefox\components\myspell.dll
2006-12-13 03:12 . 2007-02-08 21:35 46696 -c--a-w- c:\program files\mozilla firefox\components\spellchk.dll
2006-12-13 03:12 . 2007-02-08 21:35 172120 -c--a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2007-03-15 21:30 . 2007-03-15 21:30 80 -csha-r- c:\windows\system32\67F454E4E8.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-09-17_00.01.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-18 01:24 . 2009-09-18 01:24 16384 c:\windows\Temp\Perflib_Perfdata_76c.dat
+ 2006-09-13 16:48 . 2009-09-18 01:07 23040 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2006-09-13 16:48 . 2009-08-27 12:57 23040 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2006-09-13 16:48 . 2009-09-18 01:07 61440 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2006-09-13 16:48 . 2009-08-27 12:57 61440 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2006-09-13 16:48 . 2009-08-27 12:57 27136 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2006-09-13 16:48 . 2009-09-18 01:07 27136 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2006-09-13 16:48 . 2009-08-27 12:57 11264 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2006-09-13 16:48 . 2009-09-18 01:07 11264 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2006-09-13 16:48 . 2009-08-27 12:57 12288 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2006-09-13 16:48 . 2009-09-18 01:07 12288 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2006-09-13 16:48 . 2009-08-27 12:57 4096 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2006-09-13 16:48 . 2009-09-18 01:07 4096 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2004-08-04 10:00 . 2009-06-22 06:44 726528 c:\windows\system32\jscript.dll
- 2004-08-04 10:00 . 2009-03-08 08:33 726528 c:\windows\system32\jscript.dll
+ 2008-05-09 10:53 . 2009-06-22 06:44 726528 c:\windows\system32\dllcache\jscript.dll
- 2008-05-09 10:53 . 2009-03-08 08:33 726528 c:\windows\system32\dllcache\jscript.dll
- 2006-09-13 16:48 . 2009-08-27 12:57 409600 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2006-09-13 16:48 . 2009-09-18 01:07 409600 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2006-09-13 16:48 . 2009-09-18 01:07 286720 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2006-09-13 16:48 . 2009-08-27 12:57 286720 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2006-09-13 16:48 . 2009-08-27 12:57 249856 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2006-09-13 16:48 . 2009-09-18 01:07 249856 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2006-09-13 16:48 . 2009-09-18 01:07 794624 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2006-09-13 16:48 . 2009-08-27 12:57 794624 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2006-09-13 16:48 . 2009-09-18 01:07 135168 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2006-09-13 16:48 . 2009-08-27 12:57 135168 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2009-09-18 01:05 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB971961-IE8\spuninst\updspapi.dll
+ 2009-09-18 01:05 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB971961-IE8\spuninst\spuninst.exe
+ 2009-09-18 01:05 . 2009-03-08 08:33 726528 c:\windows\ie8updates\KB971961-IE8\jscript.dll
- 2004-08-04 10:00 . 2008-06-18 10:03 2458112 c:\windows\system32\WMVCore.dll
+ 2004-08-04 10:00 . 2009-05-20 08:56 2458112 c:\windows\system32\WMVCore.dll
+ 2004-08-04 10:00 . 2009-05-20 08:56 2458112 c:\windows\system32\dllcache\WMVCore.dll
- 2004-08-04 10:00 . 2008-06-18 10:03 2458112 c:\windows\system32\dllcache\WMVCore.dll
+ 2009-08-25 18:57 . 2009-08-25 18:57 5518336 c:\windows\Installer\567e188.msp
+ 2009-09-18 01:07 . 2009-08-28 18:38 24689600 c:\windows\system32\MRT.exe
+ 2009-09-18 01:06 . 2009-09-18 01:06 15709696 c:\windows\Installer\567e176.msp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F}"= "c:\program files\iMeshMediabarTb\iMeshMediaBarDx.dll" [2009-07-31 91568]

[HKEY_CLASSES_ROOT\clsid\{abb49b3b-ab7d-4ed0-9135-93fd5aa4f69f}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-14 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-24 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DLBTCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2007-02-12 73728]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2006-04-06 1032192]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"domezudim"="c:\windows\system32\dibiyowa.dll" [BU]

c:\documents and settings\Cubby\Start Menu\Programs\Startup\
VZAccess Manager.lnk - c:\program files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe [2007-5-17 1220608]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{a292acc6-cf08-4d50-83ab-cb5c6eef5773}"= "c:\windows\system32\dibiyowa.dll" [BU]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-04-24 282624]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"sagujesur"= {a292acc6-cf08-4d50-83ab-cb5c6eef5773} - c:\windows\system32\dibiyowa.dll [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EMBASSY Trust Suite Secure Update.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\EMBASSY Trust Suite Secure Update.lnk
backup=c:\windows\pss\EMBASSY Trust Suite Secure Update.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=c:\windows\pss\Service Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^cubby.MACDONALDWOOD^Start Menu^Programs^Startup^Anapod Manager.lnk]
path=c:\documents and settings\cubby.MACDONALDWOOD\Start Menu\Programs\Startup\Anapod Manager.lnk
backup=c:\windows\pss\Anapod Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^cubby.MACDONALDWOOD^Start Menu^Programs^Startup^RCA Detective.lnk]
path=c:\documents and settings\cubby.MACDONALDWOOD\Start Menu\Programs\Startup\RCA Detective.lnk
backup=c:\windows\pss\RCA Detective.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\WINDOWS\\system32\\dlbtcoms.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dlbtpswx.exe"=
"c:\\Program Files\\Red Chair Software\\Anapod Explorer\\anamgr.exe"=
"c:\\Program Files\\Pinnacle\\VideoSpin\\Programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\VideoSpin\\Programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\VideoSpin\\Programs\\umi.exe"=
"c:\\Program Files\\Pinnacle\\VideoSpin\\Programs\\VideoSpin.exe"=
"c:\\WebC_ActiveX4.22\\ptermX.exe"=
"c:\\Program Files\\Ericom Software\\PowerTerm WebConnect 5.6\\151.203.99.51\\ptermX.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\iMesh Applications\\iMesh\\iMesh.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R2 WILPAR;Wordcraft Parallel Driver;c:\windows\system32\drivers\WILPAR.SYS [9/1/2006 11:40 AM 22976]
S3 cur_bus;Curitel USB Composite Device driver (WDM);c:\windows\system32\drivers\cur_bus.sys [9/5/2006 10:41 AM 50176]
S3 cur_mdfl;Curitel Packet Service Filter;c:\windows\system32\drivers\cur_mdfl.sys [9/5/2006 10:41 AM 6096]
S3 cur_mdm;Curitel Packet Service Drivers;c:\windows\system32\drivers\cur_mdm.sys [9/5/2006 10:41 AM 81056]
S3 pwi_bus;Curitel PC Card Composite Device driver (WDM);c:\windows\system32\drivers\pwi_bus.sys [5/17/2007 2:28 PM 55344]
S3 pwi_mdfl;Curitel PC Card Filter;c:\windows\system32\drivers\pwi_mdfl.sys [5/17/2007 2:28 PM 9200]
S3 pwi_mdm;Curitel PC Card Drivers;c:\windows\system32\drivers\pwi_mdm.sys [5/17/2007 2:28 PM 89936]
S3 pwi_oflt;Curitel PC Card OHCI Filter;c:\windows\system32\drivers\pwi_oflt.sys [5/17/2007 2:28 PM 9472]
S3 pwi_serd;Curitel PC Card Diagnostic Serial Port (WDM);c:\windows\system32\drivers\pwi_serd.sys [5/17/2007 2:28 PM 69632]
S3 SMC2208;SMC Compact USB to Ethernet converter;c:\windows\system32\drivers\SMC2208.SYS [2/16/2008 12:40 PM 26525]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

2009-09-03 c:\windows\Tasks\Norton Security Scan for Cubby.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.3.0.44\Nss.exe [2009-07-19 16:21]

2009-09-04 c:\windows\Tasks\User_Feed_Synchronization-{522C9FDF-90D3-4175-A7FB-7B976A9CAC8A}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]

2009-09-02 c:\windows\Tasks\{CB904F16-01AA-4E35-81DF-0F9BCF531682}_MACDONALDWOOD_Cubby.job
- c:\windows\system32\mobsync.exe [2004-08-04 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
LSP: vlsp.dll
Trusted Zone: stumbleupon.com
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: PUFLITE - hxxp://cubbyfitts.point2agent.com/Office/ColpaControls/Photo/Control/PUFLITE.CAB
DPF: {42D06124-98A2-47EC-8098-3778B58CE7D5} - hxxps://actsvr.comcastonline.com/techtools/dl/Comcast%20Activation%20Controls.cab
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {7EC816D4-6FC3-4C58-A7DA-A770EE461602} - hxxp://151.203.99.51/Ericom/WebConnect%205.6/web/windows/ptdownloader.cab
FF - ProfilePath - c:\documents and settings\cubby.MACDONALDWOOD\Application Data\Mozilla\Firefox\Profiles\xf0e1ri2.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-18 18:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBTCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,97,65,98,77,df,
c4,d9,d5,e2,63,26,f1,3f,c8,ff,68,26,da,4a,51,2c,18,5c,9b,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:46,47,15,b0,92,4b,c7,ef,c0,d8,10,c6,fc,
d8,85,02,6a,9c,d6,61,af,45,84,18,63,98,aa,41,9d,27,22,f8,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,77,6b,0f,1c,e2,
18,6e,17,ff,7c,85,e0,43,d4,0e,fe,42,e8,9f,e8,ec,72,c5,99,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,93,ca,7f,74,98,
a9,19,16,86,8c,21,01,be,91,eb,e7,18,97,a8,58,fe,a9,4e,79,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,3c,0e,eb,90,42,
fa,06,cb,f5,1d,4d,73,a8,13,5c,05,6b,83,dc,d8,36,37,17,f7,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,50,cf,42,b4,96,
4a,7b,52,df,20,58,62,78,6b,cf,c8,df,e7,7e,bd,d5,e9,01,09,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,cb,53,db,0d,94,
5e,6e,68,fb,a7,78,e6,12,2f,9a,ea,6f,2a,ed,60,b2,d1,47,83,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,ff,57,35,74,eb,
c0,05,20,01,3a,48,fc,e8,04,4a,f1,f1,75,68,bb,bf,e2,2e,a4,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,a9,be,9e,98,8b,
17,38,7b,f6,0f,4e,58,98,5b,89,c9,42,b2,98,75,e4,2f,3b,36,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,c2,82,54,f6,10,
e3,07,8e,3d,ce,ea,26,2d,45,aa,78,ee,29,88,ea,c4,c6,75,12,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,2d,db,c2,de,4b,
e1,3d,b4,2a,b7,cc,b5,b9,7f,41,e7,68,33,58,56,d5,cb,db,4d,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,62,be,74,45,21,
51,65,c7,6c,43,2d,1e,aa,22,2f,9c,08,b7,02,b6,70,38,f2,30,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\windows\system32\dibiyowa.dll

- - - - - - - > 'lsass.exe'(768)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll
c:\windows\system32\vlsp.dll

- - - - - - - > 'explorer.exe'(860)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\vlsp.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-09-18 18:52
ComboFix-quarantined-files.txt 2009-09-18 22:51
ComboFix2.txt 2009-09-18 12:38
ComboFix3.txt 2009-09-18 01:29
ComboFix4.txt 2009-09-17 00:05

Pre-Run: 35,547,770,880 bytes free
Post-Run: 35,524,599,808 bytes free

390 --- E O F --- 2009-09-18 01:09

is it gone? I have not used my machine since above post.

Hello.
First off, DO NOT go online with this machine.

Second, are you only running Norton on trial? I can see that it's oudated, meaning it has an old database and needs updating.

Let me know.