NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP
- spartyNovice (OS: xp pro)
I'VE BEEN HIT 1ST BY THE TROJAN GENERIC.DX!PRM AND NOW GENERIC DOWNLOADER.X!DXZ. McAFEE CATCHES THE TROJAN AND HAS ALLOWED ME TO BLOCK CHANGES TO THE REGISTRY. HOWEVER, THE TROJAN OPENED UP AN UNWANTED WEBSITE (BULKMASTERS.COM???....NOT SURE) WHICH I COULDN'T CLOSE, AND I COULD NOT PERFORM ANY FUNCTIONS SUCH AS RUNNING MY MALWARE ANTISPYWARE PROGRAM. I SHUT DOWN MY DESKTOP AND REBOOTED AND NOW I'M FROZEN AT THE BACKGROUND SCREEN WITH McAFEE CONTINUALLY FLASHING THE TROJAN REMOVAL ALERT FOR THE GENERIC DOWNLOADER.X!DXZ TROJAN. THE LOCATION OF THE TROJAN FILE IS C:\WINDOWS\SYSTEM32\DFRGUI32.DLL.
PLEASE HELP ASAP!! I'M SEARCHING ON MY LAPTOP FOR POSSIBLE SOLUTIONS AND THIS SITE WAS RECOMMENDED. I'M A NEW MEMBER.
THANKS FOR YOUR ASSISTANCE!
- Crush (Security Colleague)
Hello and welcome to GeekPolice.net.
My name is Crush but, you can call me Chris, and I will do my best to help get your problem resolved today.
I am currently a student in GeekPolice Academy, and will be a little delayed on each reply, as my instructors must review and approve each reply.
http://www.GeekPolice.net/virus-spyware-malware-removal-f11/do-you-want-to-learn-how-to-fight-malware-join-GeekPolice-academy-t17111.htm
If you have any questions, please ask, and I will do my best to get to the question promptly.
Please wait here, while I get the first set of instructions for you.
- Crush (Security Colleague)
Hi Sparty,
First, please don't use all caps. It makes posts difficult to read and you come off as yelling. Thanks
======
Please reboot your PC. However, instead of letting it boot normally, hit F8.
In the menu you are presented with, choose Safe Mode With Networking.
Once there please do the following:
Please visit this webpage for a tutorial on downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
See the area: Using ComboFix, and when done, post the log back here.
- spartyNovice (OS: xp pro)
Chris, thanks for your help! I actually tried to post this reply a short time ago (and it wasn't in all caps :-) but when I sent the reply, I was informed that your latest reply was posted and my reply didn't post.
In the interim since posting this topic, I was able to restart in safe mode and also run my Antimalwarebytes program, which detected 23 different infected files. Upon restart, I'm able to connect to the internet and run other programs. However, upon restart a RUNDLL error message flashed which read "Error loading piunbara.dll. Specified module could not be found." Also upon restart, whenever I do a Google search for a website (Geek Police.net for example) and I click on the website address, I'm directed to a totally different site each time (i.e. blinkx.com or some other unrelated website) rather than the requested website. I can type the address in the address bar and I can click on a bookmarked favorite address with no problem. One other thing I noticed on restart was that I had a new icon containing a notepad document titled "hs_err_pid2556". Should I still download and run the ComboFix?
- Crush (Security Colleague)
Yes. Please download and run ComboFix. There may still be some stuff leftover. Also, I will need the logfiles from any programs you've run. Thanks 

- spartyNovice (OS: xp pro)
Following is the ComboFix log. I'm still getting the same RUNDLL error message referenced in my prior message on startup. Also, while I was typing this reply, I've had separate browser windows open up for random websites (ipromote.com & allstate.com)... obviously something is still amiss. I'm also posting the log(s) from 2 separate AntiMalwarebytes scans, along with the log copied from the new icon I referenced earlier that was loaded on to my desktop. I look forward to hearing from you soon. Thanks!
Here is the ComboFix Log:
ComboFix 10-05-28.02 - Boss 05/28/2010 17:41:26.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.166 [GMT -4:00]
Running from: c:\documents and settings\Boss\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Boss\Application Data\02000000f27ac5f7922C.manifest
c:\documents and settings\Boss\Application Data\02000000f27ac5f7922O.manifest
c:\documents and settings\Boss\Application Data\02000000f27ac5f7922P.manifest
c:\documents and settings\Boss\Application Data\02000000f27ac5f7922S.manifest
c:\documents and settings\Boss\Local Settings\Application Data\{7D010489-9767-45F7-A83C-1CD4F2573CF8}
c:\documents and settings\Boss\Local Settings\Application Data\{7D010489-9767-45F7-A83C-1CD4F2573CF8}\chrome.manifest
c:\documents and settings\Boss\Local Settings\Application Data\{7D010489-9767-45F7-A83C-1CD4F2573CF8}\chrome\content\_cfg.js
c:\documents and settings\Boss\Local Settings\Application Data\{7D010489-9767-45F7-A83C-1CD4F2573CF8}\chrome\content\c.js
c:\documents and settings\Boss\Local Settings\Application Data\{7D010489-9767-45F7-A83C-1CD4F2573CF8}\chrome\content\overlay.xul
c:\documents and settings\Boss\Local Settings\Application Data\{7D010489-9767-45F7-A83C-1CD4F2573CF8}\install.rdf
c:\documents and settings\Boss\Local Settings\Application Data\Windows Server
c:\documents and settings\Boss\Local Settings\Application Data\Windows Server\flags.ini
c:\documents and settings\Boss\Local Settings\Application Data\Windows Server\uses32.dat
C:\feed.txt
c:\program files\Common
c:\program files\Common\_helper.sig
c:\windows\jestertb.dll
c:\windows\Mcybaa.exe
c:\windows\system32\comrepl.exe
c:\windows\system32\hlp.dat
Infected copy of c:\windows\system32\drivers\FTDISK.SYS was found and disinfected
Restored copy from - Kitty had a snack :p
Infected copy of c:\windows\system32\ws2_32.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\ws2_32.dll
.
((((((((((((((((((((((((( Files Created from 2010-04-28 to 2010-05-28 )))))))))))))))))))))))))))))))
.
2010-05-28 19:55 . 2010-05-28 18:08 75264 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\17oC17.dll
2010-05-28 18:14 . 2010-05-28 18:08 75264 ----a-w- c:\windows\system32\f36decbb.exe
2010-05-28 18:12 . 2010-05-28 18:12 -------- d-----w- c:\documents and settings\Boss\Application Data\Street-Ads
2010-05-28 18:10 . 2008-04-13 18:40 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-05-28 18:10 . 2008-04-13 18:40 34688 ----a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-05-28 18:10 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-05-28 18:10 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\dllcache\changer.sys
2010-05-28 18:10 . 2010-05-28 18:10 -------- d-----w- c:\documents and settings\Boss\Application Data\Sky-Banners
2010-05-28 18:09 . 2010-05-28 18:09 -------- d-----w- c:\documents and settings\Boss\Local Settings\Application Data\esdjguvxo
2010-05-28 18:09 . 2010-05-28 18:09 50981 ----a-w- c:\windows\system32\areoghkfntcfn.exe
2010-05-28 18:09 . 2010-05-28 18:09 -------- d-----w- c:\program files\$NtUninstallWTF1012$
2010-05-28 18:09 . 2010-05-28 18:08 75264 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\555qG.dll
2010-05-28 18:08 . 2010-05-28 18:08 75264 ----a-w- c:\windows\system32\8db3d791.exe
2010-05-25 05:38 . 2010-05-25 05:38 309248 ----a-w- c:\windows\system32\mzhjanoe.dll
2010-05-24 16:31 . 2010-05-24 16:31 40633 ----a-w- c:\windows\system32\tevbxohl.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-28 22:00 . 2004-06-21 16:18 288 ----a-w- c:\windows\system32\DVCStateBkp-{00000002-00000000-00000002-00001102-00000004-10031102}.dat
2010-05-28 22:00 . 2004-06-21 16:18 288 ----a-w- c:\windows\system32\DVCState-{00000002-00000000-00000002-00001102-00000004-10031102}.dat
2010-05-28 21:39 . 2008-09-24 03:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-05-28 20:03 . 2004-10-19 14:00 -------- d-----w- c:\program files\McAfee
2010-05-28 18:10 . 2009-05-28 23:13 -------- d-----w- c:\program files\Common Files\Motive
2010-05-21 21:09 . 2010-04-22 18:42 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2010-05-18 04:39 . 2008-09-24 03:35 -------- d-----w- c:\program files\Google
2010-04-22 17:53 . 2005-12-14 18:51 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-04-22 17:50 . 2010-04-22 17:50 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2010-04-22 17:47 . 2010-04-22 17:46 -------- d-----w- c:\program files\Common Files\McAfee
2010-04-22 17:46 . 2010-04-22 17:46 -------- d-----w- c:\program files\McAfee.com
2010-04-14 16:29 . 2004-06-27 22:20 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-01 20:28 . 2009-04-17 16:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-03-30 15:33 . 2010-03-30 15:33 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-03-30 15:33 . 2010-03-30 15:33 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-03-30 15:33 . 2010-03-30 15:33 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-03-30 15:33 . 2010-03-30 15:33 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-03-30 15:33 . 2010-03-30 15:33 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-03-30 15:33 . 2004-06-21 16:16 -------- d-----w- c:\program files\Common Files\Real
2010-03-30 15:32 . 2006-03-04 19:06 -------- d-----w- c:\program files\Real
2010-03-30 15:32 . 2010-03-30 15:32 -------- d-----w- c:\program files\Common Files\xing shared
2010-03-30 15:31 . 2003-08-05 17:55 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-03-30 15:31 . 2003-08-05 17:55 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-03-30 04:46 . 2009-04-17 16:00 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45 . 2009-04-17 16:00 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-11 12:38 . 2004-02-06 23:05 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-03-19 22:34 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2004-03-19 22:44 430080 ----a-w- c:\windows\system32\vbscript.dll
2005-12-08 05:16 . 2005-12-08 05:16 5037072 ----a-w- c:\program files\spybotsd14.exe
2005-10-22 14:46 . 2005-10-22 14:45 53619100 ----a-w- c:\program files\hansel new users v6.02.exe
.
------- Sigcheck -------
[7] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\user32.dll
[-] 2008-04-14 . 48FDBBE0E55B15E1886FCF5D8563B19F . 578560 . . [5.1.2600.5512] . . c:\windows\SYSTEM32\user32.dll
[-] 2007-03-08 . 7AA4F6C00405DFC4B70ED4214E7D687B . 578048 . . [5.1.2600.3099] . . c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
[-] 2007-03-08 . B409909F6E2E8A7067076ED748ABF1E7 . 577536 . . [5.1.2600.3099] . . c:\windows\$NtServicePackUninstall$\user32.dll
[-] 2005-03-02 . 1800F293BCCC8EDE8A70E12B88D80036 . 577024 . . [5.1.2600.2622] . . c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
[-] 2005-03-02 . DE2DB164BBB35DB061AF0997E4499054 . 577024 . . [5.1.2600.2622] . . c:\windows\$NtUninstallKB925902$\user32.dll
[7] 2004-08-04 . C72661F8552ACE7C5C85E16A3CF505C4 . 577024 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB890859$\user32.dll
[-] 2004-03-19 . DD9269230C21EE8FB7FD3FCCC3B1CFCB . 560128 . . [5.1.2600.1106] . . c:\windows\$NtUninstallKB824141$\USER32.DLL
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4CC5A190-E657-4C30-A101-C0A9252B9DAA}]
2010-05-25 05:38 309248 ----a-w- c:\windows\SYSTEM32\mzhjanoe.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-24 39408]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-06-21 77824]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2006-01-17 135168]
"ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2008-09-19 1529856]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-30 202256]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-04-02 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-02-11 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"MChk"="c:\windows\system32\tevbxohl.exe" [2010-05-24 40633]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [1999-9-4 53317]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP OfficeJet Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP OfficeJet Startup.lnk
backup=c:\windows\pss\HP OfficeJet Startup.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsioReg]
2003-02-20 21:27 110592 ----a-w- c:\windows\SYSTEM32\CTASIO.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0]
2004-11-12 02:00 864256 ------w- c:\program files\Brother\ControlCenter2\brctrcen.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDet]
2002-09-30 06:00 45056 ----a-w- c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDET.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\SYSTEM32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
2003-02-20 21:45 28672 ----a-w- c:\windows\SYSTEM32\CTHELPER.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
2002-10-29 14:18 49152 ----a-w- c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2004-03-15 06:04 122933 ----a-w- c:\windows\SYSTEM32\dla\tfswctrl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
2003-08-13 15:27 28672 ----a-w- c:\windows\SYSTEM32\DSentry.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2004-04-14 19:04 40960 ----a-w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
2003-09-04 01:12 221184 ----a-w- c:\program files\Intel\Modem Event Monitor\IntelMEM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-06-16 10:03 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-06-16 10:03 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
2006-01-17 17:03 53248 ----a-w- c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
2006-01-17 17:03 135168 ----a-w- c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
2003-06-18 17:00 200704 ----a-w- c:\program files\Microsoft Money\System\mnyexpr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2003-11-03 18:46 4800512 ----a-w- c:\windows\SYSTEM32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2004-04-14 18:46 57393 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2003-08-27 00:47 204800 ------w- c:\program files\Dell\Media Experience\PCMService.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2004-06-21 16:16 77824 ----a-w- c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2003-10-14 14:22 155648 ----a-r- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2006-11-09 20:07 49263 ----a-w- c:\program files\Java\jre1.5.0_10\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-03-30 15:31 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
2003-08-19 06:01 110592 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 06:00 90112 ------w- c:\windows\Updreg.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [4/22/2010 1:49 PM 203280]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/10/2007 2:40 PM 24652]
S0 cadamg;cadamg; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 2:21 PM 135664]
S2 MSWU-8db3d791;MSWU-8db3d791;c:\windows\SYSTEM32\8db3d791.exe [5/28/2010 2:08 PM 75264]
S2 MSWU-f36decbb;MSWU-f36decbb;c:\windows\SYSTEM32\f36decbb.exe [5/28/2010 2:14 PM 75264]
S3 bepprldr;BCL easyPDF SDK Loader;c:\program files\Common Files\BCL Technologies\easyPDF 4\bepprldr.exe [11/11/2005 11:03 PM 77824]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
fyphhfvk
.
Contents of the 'Scheduled Tasks' folder
2010-05-28 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-24 16:03]
2010-05-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 18:21]
2010-05-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 18:21]
2010-05-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-04-22 16:22]
2010-04-22 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-04-22 16:22]
2010-05-28 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4164457144-2476349802-418968361-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
2010-05-28 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4164457144-2476349802-418968361-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
2010-05-28 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4164457144-2476349802-418968361-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
2010-05-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4164457144-2476349802-418968361-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: motive.com\patttbc.att
DPF: ppctlcab - hxxp://www.pestscan.com/scanner/ppctlcab.cab
.
- - - - ORPHANS REMOVED - - - -
BHO-{101E208F-5D79-44F9-2C44-8ABE064649FF} - c:\windows\system32\tkncvqhujvmpdp.dll
BHO-{B3745075-1CA8-48D7-BB11-E71F974BEC43} - c:\windows\system32\piunbara.dll
HKCU-Run-rpyfmywx - c:\documents and settings\Boss\Local Settings\Application Data\esdjguvxo\jtqblxutssd.exe
HKLM-Run-IndividualMedical - c:\program files\Assurant Health\IMJA\Individual Medical v2.0\IM.exe
HKLM-Run-skb - piunbara.dll
HKLM-Run-rpyfmywx - c:\documents and settings\Boss\Local Settings\Application Data\esdjguvxo\jtqblxutssd.exe
Notify-28c60c73922 - c:\windows\system32\dfrgui32.dll
MSConfigStartUp-DellSupport - c:\program files\Dell Support\DSAgnt.exe
MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
MSConfigStartUp-Yahoo! Pager - c:\program files\Yahoo!\Messenger\ypager.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-28 18:02
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(2572)
c:\windows\system32\WININET.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\CTsvcCDA.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\System32\nvsvc32.exe
c:\windows\System32\MsPMSPSv.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2010-05-28 18:13:51 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-28 22:13
Pre-Run: 59,766,145,024 bytes free
Post-Run: 60,105,039,872 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
- - End Of File - - F066A08767EC84633FE6E6EA0CA3B367
Here are the two (2) Malwarebytes logs:
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org
Database version: 3930
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 7.0.5730.11
5/28/2010 3:53:27 PM
mbam-log-2010-05-28 (15-53-27).txt
Scan type: Quick scan
Objects scanned: 130721
Time elapsed: 12 minute(s), 45 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 2
Registry Data Items Infected: 4
Folders Infected: 1
Files Infected: 7
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{38061edc-40bb-4618-a8da-e56353347e6d} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e0ec6fba-f009-3535-95d6-b6390db27da1} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CscrptXt.CscrptXt (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\cscrptxt.cscrptxt.1.0 (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\net (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adshothlpr.adshothlpr (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adshothlpr.adshothlpr.1.0 (Adware.Adrotator) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\net (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sszggoneeahor (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.163.19,93.188.161.243 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6b9d9fdd-cc26-42f7-a10e-216d01e76f51}\NameServer (Trojan.DNSChanger) -> Data: 93.188.163.19,93.188.161.243 -> Quarantined and deleted successfully.
Folders Infected:
C:\Documents and Settings\Boss\Application Data\SystemProc (Trojan.Agent) -> Quarantined and deleted successfully.
Files Infected:
C:\Documents and Settings\Boss\Local Settings\Temp\onwasxmcre.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\piunbara.dll (Adware.EZlife) -> Quarantined and deleted successfully.
C:\Documents and Settings\Boss\Application Data\SystemProc\lsass.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Boss\Application Data\SystemProc\upd.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\COMMDLG32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\tkncvqhujvmpdp.dll (Trojan.Agent) -> Quarantined and deleted successfully.
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org
Database version: 3930
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11
5/28/2010 5:02:02 PM
mbam-log-2010-05-28 (17-02-02).txt
Scan type: Quick scan
Objects scanned: 6477
Time elapsed: 15 minute(s), 48 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\SYSTEM32\DRIVERS\cadamg.sys (Rootkit.Agent) -> Delete on reboot.
Finally, here is a copy of the log file loaded on my desktop titled "hs_err_pid2556":
#
# An unexpected error has been detected by HotSpot Virtual Machine:
#
# EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x1b00255c, pid=2556, tid=1740
#
# Java VM: Java HotSpot(TM) Client VM (1.5.0_10-b03 mixed mode)
# Problematic frame:
# C [ImgUtil.dll+0x255c]
#
--------------- T H R E A D ---------------
Current thread (0x05c90c50): JavaThread "thread applet-vmain.class" [_thread_in_native, id=1740]
siginfo: ExceptionCode=0xc0000005, reading address 0x57000019
Registers:
EAX=0x00000000, EBX=0x2361bd70, ECX=0x08b7dba0, EDX=0x00000000
ESP=0x146af800, EBP=0x255a255a, ESI=0x2361bd70, EDI=0x05c90c50
EIP=0x1b00255c, EFLAGS=0x00210246
Top of Stack: (sp=0x146af800)
0x146af800: 146af800 2361bd70 146af830 2361c348
0x146af810: 00000000 2361bd70 146af82c 146af854
0x146af820: 1b012a64 00000000 1b016509 1d310a28
0x146af830: 1d394e88 1d394e88 146af838 2361bce7
0x146af840: 146af864 2361c348 00000000 2361bd08
0x146af850: 146af860 146af884 1b0129e3 1d3fbcd0
0x146af860: 1d310a28 1d394e88 146af868 2361b3c9
0x146af870: 146af89c 2361c348 00000000 2361b3d8
Instructions: (pc=0x1b00255c)
0x1b00254c: 90 8b ff 55 8b ec 53 8b 5d 10 56 33 f6 3b de 0f
0x1b00255c: 84 92 19 00 00 57 6a 40 89 33 bf 0e 00 07 80 e8
Stack: [0x145b0000,0x146b0000), sp=0x146af800, free space=1022k
Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code)
C [ImgUtil.dll+0x255c]
[error occurred during error reporting, step 120, id 0xc0000005]
Java frames: (J=compiled Java code, j=interpreted, Vv=VM code)
j com.sun.media.sound.HeadspaceSoundbank.nOpenResource(Ljava/lang/String;)J+0
j com.sun.media.sound.HeadspaceSoundbank.initialize(Ljava/lang/String;)V+7
j com.sun.media.sound.HeadspaceSoundbank.(Ljava/net/URL;)V+89
j com.sun.media.sound.HsbParser.getSoundbank(Ljava/net/URL;)Ljavax/sound/midi/Soundbank;+5
j javax.sound.midi.MidiSystem.getSoundbank(Ljava/net/URL;)Ljavax/sound/midi/Soundbank;+36
j vmain.init()V+88
j sun.applet.AppletPanel.run()V+197
j java.lang.Thread.run()V+11
v ~StubRoutines::call_stub
--------------- P R O C E S S ---------------
Java Threads: ( => current thread )
0x02e9bd70 JavaThread "AWT-EventQueue-2" [_thread_blocked, id=4052]
0x08d9f788 JavaThread "Thread-22" [_thread_in_native, id=3992]
0x05d72408 JavaThread "Java Sound Event Dispatcher" daemon [_thread_blocked, id=3880]
0x05c91a20 JavaThread "Thread-20" [_thread_in_native, id=204]
0x08a742c8 JavaThread "AWT-EventQueue-0" [_thread_blocked, id=2212]
0x08add830 JavaThread "AWT-Shutdown" [_thread_blocked, id=3368]
0x02ea6778 JavaThread "Thread-19" [_thread_in_native, id=2928]
=>0x05c90c50 JavaThread "thread applet-vmain.class" [_thread_in_native, id=1740]
0x08a74ee0 JavaThread "thread applet-vmain.class" [_thread_blocked, id=3864]
0x05ce3330 JavaThread "traceMsgQueueThread" daemon [_thread_blocked, id=3456]
0x08b0da00 JavaThread "AWT-Windows" daemon [_thread_in_native, id=2016]
0x05d17bd8 JavaThread "Java2D Disposer" daemon [_thread_blocked, id=3724]
0x05d74108 JavaThread "Low Memory Detector" daemon [_thread_blocked, id=1288]
0x12040250 JavaThread "CompilerThread0" daemon [_thread_blocked, id=1912]
0x05de3cf8 JavaThread "Signal Dispatcher" daemon [_thread_blocked, id=1732]
0x05d7d688 JavaThread "Finalizer" daemon [_thread_blocked, id=1936]
0x08ceab80 JavaThread "Reference Handler" daemon [_thread_blocked, id=848]
Other Threads:
0x05e0e290 VMThread [id=3888]
0x05d2cde0 WatcherThread [id=2800]
VM state:not at safepoint (normal execution)
VM Mutex/Monitor currently owned by a thread: None
Heap
def new generation total 5184K, used 4039K [0x1d010000, 0x1d5a0000, 0x1d770000)
eden space 4672K, 86% used [0x1d010000, 0x1d401970, 0x1d4a0000)
from space 512K, 0% used [0x1d4a0000, 0x1d4a03d8, 0x1d520000)
to space 512K, 0% used [0x1d520000, 0x1d520000, 0x1d5a0000)
tenured generation total 67584K, used 48740K [0x1d770000, 0x21970000, 0x23010000)
the space 67584K, 72% used [0x1d770000, 0x207091b8, 0x20709200, 0x21970000)
compacting perm gen total 8192K, used 6311K [0x23010000, 0x23810000, 0x27010000)
the space 8192K, 77% used [0x23010000, 0x23639f08, 0x2363a000, 0x23810000)
No shared spaces configured.
Dynamic libraries:
0x00400000 - 0x0049c000 C:\Program Files\Internet Explorer\IEXPLORE.EXE
0x7c900000 - 0x7c9b2000 C:\WINDOWS\system32\ntdll.dll
0x7c800000 - 0x7c8f6000 C:\WINDOWS\system32\kernel32.dll
0x77dd0000 - 0x77e6b000 C:\WINDOWS\system32\ADVAPI32.dll
0x77e70000 - 0x77f02000 C:\WINDOWS\system32\RPCRT4.dll
0x77fe0000 - 0x77ff1000 C:\WINDOWS\system32\Secur32.dll
0x77f10000 - 0x77f59000 C:\WINDOWS\system32\GDI32.dll
0x7e410000 - 0x7e4a1000 C:\WINDOWS\system32\USER32.dll
0x77c10000 - 0x77c68000 C:\WINDOWS\system32\msvcrt.dll
0x77f60000 - 0x77fd6000 C:\WINDOWS\system32\SHLWAPI.dll
0x7c9c0000 - 0x7d1d7000 C:\WINDOWS\system32\SHELL32.dll
0x774e0000 - 0x7761d000 C:\WINDOWS\system32\ole32.dll
0x78130000 - 0x78258000 C:\WINDOWS\system32\urlmon.dll
0x77120000 - 0x771ab000 C:\WINDOWS\system32\OLEAUT32.dll
0x3dfd0000 - 0x3e015000 C:\WINDOWS\system32\iertutil.dll
0x77c00000 - 0x77c08000 C:\WINDOWS\system32\VERSION.dll
0x5cb70000 - 0x5cb96000 C:\WINDOWS\system32\ShimEng.dll
0x71590000 - 0x71609000 C:\WINDOWS\AppPatch\AcLayers.DLL
0x769c0000 - 0x76a74000 C:\WINDOWS\system32\USERENV.dll
0x73000000 - 0x73026000 C:\WINDOWS\system32\WINSPOOL.DRV
0x76390000 - 0x763ad000 C:\WINDOWS\system32\IMM32.DLL
0x773d0000 - 0x774d3000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
0x5d090000 - 0x5d12a000 C:\WINDOWS\system32\comctl32.dll
0x3e1c0000 - 0x3e78d000 C:\WINDOWS\system32\IEFRAME.dll
0x76bf0000 - 0x76bfb000 C:\WINDOWS\system32\PSAPI.DLL
0x5ad70000 - 0x5ada8000 C:\WINDOWS\system32\UxTheme.dll
0x74720000 - 0x7476c000 C:\WINDOWS\system32\MSCTF.dll
0x63000000 - 0x63037000 C:\Program Files\Common Files\Motive\McciContextHook_DSR.dll
0x10000000 - 0x10006000 C:\Program Files\McAfee\SiteAdvisor\saHook.dll
0x00ce0000 - 0x00fa5000 C:\WINDOWS\system32\xpsp2res.dll
0x77b40000 - 0x77b62000 C:\WINDOWS\system32\apphelp.dll
0x755c0000 - 0x755ee000 C:\WINDOWS\system32\msctfime.ime
0x5dff0000 - 0x5e01f000 C:\WINDOWS\system32\IEUI.dll
0x76380000 - 0x76385000 C:\WINDOWS\system32\MSIMG32.dll
0x4ec50000 - 0x4edfb000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6001.22319_x-ww_f0b4c2df\gdiplus.dll
0x47060000 - 0x47081000 C:\WINDOWS\system32\xmllite.dll
0x76fd0000 - 0x7704f000 C:\WINDOWS\system32\CLBCATQ.DLL
0x77050000 - 0x77115000 C:\WINDOWS\system32\COMRes.dll
0x746f0000 - 0x7471a000 C:\WINDOWS\System32\msimtf.dll
0x77a20000 - 0x77a74000 C:\WINDOWS\System32\cscui.dll
0x76600000 - 0x7661d000 C:\WINDOWS\System32\CSCDLL.dll
0x77920000 - 0x77a13000 C:\WINDOWS\system32\SETUPAPI.dll
0x325c0000 - 0x325d2000 C:\Program Files\Microsoft Office\OFFICE11\msohev.dll
0x61930000 - 0x6197a000 C:\Program Files\Internet Explorer\ieproxy.dll
0x7d1e0000 - 0x7d49c000 C:\WINDOWS\system32\msi.dll
0x7e720000 - 0x7e7d0000 C:\WINDOWS\system32\SXS.DLL
0x3d930000 - 0x3da01000 C:\WINDOWS\system32\WININET.dll
0x01cc0000 - 0x01cc9000 C:\WINDOWS\system32\Normaliz.dll
0x75cf0000 - 0x75d81000 C:\WINDOWS\system32\MLANG.dll
0x71ab0000 - 0x71ac7000 C:\WINDOWS\system32\ws2_32.dll
0x71aa0000 - 0x71aa8000 C:\WINDOWS\system32\WS2HELP.dll
0x028b0000 - 0x028d7000 c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
0x02910000 - 0x02952000 c:\PROGRA~1\mcafee\SITEAD~1\mcbrwctl.dll
0x708f0000 - 0x70903000 C:\WINDOWS\system32\asycfilt.dll
0x03230000 - 0x03240000 C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
0x03250000 - 0x032eb000 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
0x60110000 - 0x60162000 C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
0x763b0000 - 0x763f9000 C:\WINDOWS\system32\comdlg32.dll
0x7c3a0000 - 0x7c41b000 C:\WINDOWS\system32\MSVCP71.dll
0x7c340000 - 0x7c396000 C:\WINDOWS\system32\MSVCR71.dll
0x69400000 - 0x69410000 c:\PROGRA~1\mcafee\SITEAD~1\MCSACO~1.DLL
0x03420000 - 0x0343f000 C:\WINDOWS\system32\dla\tfswshx.dll
0x03440000 - 0x0344f000 C:\WINDOWS\system32\tfswapi.dll
0x03450000 - 0x0348b000 C:\WINDOWS\system32\dla\tfswcres.dll
0x6d600000 - 0x6d66a000 C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
0x5edd0000 - 0x5ede7000 C:\WINDOWS\system32\OLEPRO32.DLL
0x14490000 - 0x144a3000 C:\Program Files\McAfee\VirusScan\scriptsn.dll
0x75c50000 - 0x75ccd000 C:\WINDOWS\system32\Jscript.dll
0x73300000 - 0x73369000 C:\WINDOWS\system32\VBscript.dll
0x14180000 - 0x1418f000 C:\Program Files\McAfee\VirusScan\mytilus3.dll
0x14710000 - 0x1474e000 C:\Program Files\McAfee\VirusScan\mytilus3_worker.dll
0x76780000 - 0x76789000 C:\WINDOWS\system32\SHFOLDER.dll
0x14100000 - 0x14107000 C:\Program Files\McAfee\VirusScan\RES00\McShield.dll
0x036d0000 - 0x03790000 C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
0x77a80000 - 0x77b15000 C:\WINDOWS\system32\CRYPT32.dll
0x77b20000 - 0x77b32000 C:\WINDOWS\system32\MSASN1.dll
0x76c30000 - 0x76c5e000 C:\WINDOWS\system32\WINTRUST.dll
0x76c90000 - 0x76cb8000 C:\WINDOWS\system32\IMAGEHLP.dll
0x76d60000 - 0x76d79000 C:\WINDOWS\system32\IPHLPAPI.DLL
0x68000000 - 0x68036000 C:\WINDOWS\system32\rsaenh.dll
0x71a50000 - 0x71a8f000 C:\WINDOWS\system32\mswsock.dll
0x662b0000 - 0x66308000 C:\WINDOWS\system32\hnetcfg.dll
0x71a90000 - 0x71a98000 C:\WINDOWS\System32\wshtcpip.dll
0x76ee0000 - 0x76f1c000 C:\WINDOWS\system32\RASAPI32.dll
0x76e90000 - 0x76ea2000 C:\WINDOWS\system32\rasman.dll
0x5b860000 - 0x5b8b5000 C:\WINDOWS\system32\NETAPI32.dll
0x76eb0000 - 0x76edf000 C:\WINDOWS\system32\TAPI32.dll
0x76e80000 - 0x76e8e000 C:\WINDOWS\system32\rtutils.dll
0x76b40000 - 0x76b6d000 C:\WINDOWS\system32\WINMM.dll
0x71d40000 - 0x71d5b000 C:\WINDOWS\system32\actxprxy.dll
0x77c70000 - 0x77c95000 C:\WINDOWS\system32\msv1_0.dll
0x76790000 - 0x7679c000 C:\WINDOWS\system32\cryptdll.dll
0x722b0000 - 0x722b5000 C:\WINDOWS\system32\sensapi.dll
0x76fc0000 - 0x76fc6000 C:\WINDOWS\system32\rasadhlp.dll
0x76f20000 - 0x76f47000 C:\WINDOWS\system32\DNSAPI.dll
0x3da20000 - 0x3dd95000 C:\WINDOWS\system32\mshtml.dll
0x746c0000 - 0x746e9000 C:\WINDOWS\system32\msls31.dll
0x42f90000 - 0x42ff0000 C:\WINDOWS\system32\ieapfltr.dll
0x77690000 - 0x776b1000 C:\WINDOWS\system32\NTMARTA.DLL
0x71bf0000 - 0x71c03000 C:\WINDOWS\system32\SAMLIB.dll
0x76f60000 - 0x76f8c000 C:\WINDOWS\system32\WLDAP32.dll
0x42070000 - 0x420a2000 C:\WINDOWS\system32\iepeers.dll
0x420c0000 - 0x420f9000 C:\WINDOWS\system32\Dxtrans.dll
0x76b20000 - 0x76b31000 C:\WINDOWS\system32\ATL.DLL
0x6d430000 - 0x6d43a000 C:\WINDOWS\System32\ddrawex.dll
0x73760000 - 0x737ab000 C:\WINDOWS\System32\DDRAW.dll
0x73bc0000 - 0x73bc6000 C:\WINDOWS\System32\DCIMAN32.dll
0x42010000 - 0x42067000 C:\WINDOWS\system32\Dxtmsft.dll
0x74980000 - 0x74aa3000 C:\WINDOWS\System32\msxml3.dll
0x1b000000 - 0x1b00c000 C:\WINDOWS\system32\ImgUtil.dll
0x42b90000 - 0x42c07000 C:\WINDOWS\system32\mshtmled.dll
0x74c80000 - 0x74cac000 C:\WINDOWS\system32\OLEACC.DLL
0x76080000 - 0x760e5000 C:\WINDOWS\system32\MSVCP60.dll
0x435a0000 - 0x43612000 C:\WINDOWS\system32\msfeeds.dll
0x41e30000 - 0x41e3e000 C:\WINDOWS\system32\pngfilt.dll
0x767f0000 - 0x76818000 C:\WINDOWS\system32\schannel.dll
0x68100000 - 0x68126000 C:\WINDOWS\system32\dssenh.dll
0x06570000 - 0x065cb000 C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
0x72d20000 - 0x72d29000 C:\WINDOWS\system32\wdmaud.drv
0x72d10000 - 0x72d18000 C:\WINDOWS\system32\msacm32.drv
0x77be0000 - 0x77bf5000 C:\WINDOWS\system32\MSACM32.dll
0x77bd0000 - 0x77bd7000 C:\WINDOWS\system32\midimap.dll
0x08f40000 - 0x093e3000 C:\WINDOWS\system32\Macromed\Flash\Flash10c.ocx
0x73b30000 - 0x73b45000 C:\WINDOWS\system32\mscms.dll
0x12950000 - 0x133b6000 C:\WINDOWS\system32\wmp.dll
0x75a70000 - 0x75a91000 C:\WINDOWS\system32\MSVFW32.dll
0x59a60000 - 0x59b01000 C:\WINDOWS\system32\dbghelp.dll
0x13740000 - 0x13f1b000 C:\WINDOWS\system32\wmploc.dll
VM Arguments:
jvm_args: -Xbootclasspath/a:C:\PROGRA~1\Java\JRE15~1.0_1\lib\deploy.jar;C:\PROGRA~1\Java\JRE15~1.0_1\lib\plugin.jar -Xmx96m -Djavaplugin.maxHeapSize=96m -Xverify:remote -Djavaplugin.version=1.5.0_10 -Djavaplugin.nodotversion=150_10 -Dbrowser=sun.plugin -DtrustProxy=true -Dapplication.home=C:\PROGRA~1\Java\JRE15~1.0_1 -Djava.protocol.handler.pkgs=sun.plugin.net.protocol -Djavaplugin.vm.options=-Djava.class.path=C:\PROGRA~1\Java\JRE15~1.0_1\classes -Xbootclasspath/a:C:\PROGRA~1\Java\JRE15~1.0_1\lib\deploy.jar;C:\PROGRA~1\Java\JRE15~1.0_1\lib\plugin.jar -Xmx96m -Djavaplugin.maxHeapSize=96m -Xverify:remote -Djavaplugin.version=1.5.0_10 -Djavaplugin.nodotversion=150_10 -Dbrowser=sun.plugin -DtrustProxy=true -Dapplication.home=C:\PROGRA~1\Java\JRE15~1.0_1 -Djava.protocol.handler.pkgs=sun.plugin.net.protocol vfprintf
java_command:
Launcher Type: generic
Environment Variables:
PATH=C:\PROGRA~1\Java\JRE15~1.0_1\bin;C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\PROGRA~1\COMMON~1\SONICS~1\;.
USERNAME=Boss
OS=Windows_NT
PROCESSOR_IDENTIFIER=x86 Family 15 Model 3 Stepping 4, GenuineIntel
--------------- S Y S T E M ---------------
OS: Windows XP Build 2600 Service Pack 3
CPU:total 2 (cores per cpu 1, threads per core 2) family 15 model 3 stepping 4, cmov, cx8, fxsr, mmx, sse, sse2, sse3, ht
Memory: 4k page, physical 523260k(56876k free), swap 2586492k(2000356k free)
vm_info: Java HotSpot(TM) Client VM (1.5.0_10-b03) for windows-x86, built on Nov 9 2006 13:13:34 by "java_re" with MS VC++ 6.0
Here is the ComboFix Log:
ComboFix 10-05-28.02 - Boss 05/28/2010 17:41:26.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.166 [GMT -4:00]
Running from: c:\documents and settings\Boss\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Boss\Application Data\02000000f27ac5f7922C.manifest
c:\documents and settings\Boss\Application Data\02000000f27ac5f7922O.manifest
c:\documents and settings\Boss\Application Data\02000000f27ac5f7922P.manifest
c:\documents and settings\Boss\Application Data\02000000f27ac5f7922S.manifest
c:\documents and settings\Boss\Local Settings\Application Data\{7D010489-9767-45F7-A83C-1CD4F2573CF8}
c:\documents and settings\Boss\Local Settings\Application Data\{7D010489-9767-45F7-A83C-1CD4F2573CF8}\chrome.manifest
c:\documents and settings\Boss\Local Settings\Application Data\{7D010489-9767-45F7-A83C-1CD4F2573CF8}\chrome\content\_cfg.js
c:\documents and settings\Boss\Local Settings\Application Data\{7D010489-9767-45F7-A83C-1CD4F2573CF8}\chrome\content\c.js
c:\documents and settings\Boss\Local Settings\Application Data\{7D010489-9767-45F7-A83C-1CD4F2573CF8}\chrome\content\overlay.xul
c:\documents and settings\Boss\Local Settings\Application Data\{7D010489-9767-45F7-A83C-1CD4F2573CF8}\install.rdf
c:\documents and settings\Boss\Local Settings\Application Data\Windows Server
c:\documents and settings\Boss\Local Settings\Application Data\Windows Server\flags.ini
c:\documents and settings\Boss\Local Settings\Application Data\Windows Server\uses32.dat
C:\feed.txt
c:\program files\Common
c:\program files\Common\_helper.sig
c:\windows\jestertb.dll
c:\windows\Mcybaa.exe
c:\windows\system32\comrepl.exe
c:\windows\system32\hlp.dat
Infected copy of c:\windows\system32\drivers\FTDISK.SYS was found and disinfected
Restored copy from - Kitty had a snack :p
Infected copy of c:\windows\system32\ws2_32.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\ws2_32.dll
.
((((((((((((((((((((((((( Files Created from 2010-04-28 to 2010-05-28 )))))))))))))))))))))))))))))))
.
2010-05-28 19:55 . 2010-05-28 18:08 75264 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\17oC17.dll
2010-05-28 18:14 . 2010-05-28 18:08 75264 ----a-w- c:\windows\system32\f36decbb.exe
2010-05-28 18:12 . 2010-05-28 18:12 -------- d-----w- c:\documents and settings\Boss\Application Data\Street-Ads
2010-05-28 18:10 . 2008-04-13 18:40 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-05-28 18:10 . 2008-04-13 18:40 34688 ----a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-05-28 18:10 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-05-28 18:10 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\dllcache\changer.sys
2010-05-28 18:10 . 2010-05-28 18:10 -------- d-----w- c:\documents and settings\Boss\Application Data\Sky-Banners
2010-05-28 18:09 . 2010-05-28 18:09 -------- d-----w- c:\documents and settings\Boss\Local Settings\Application Data\esdjguvxo
2010-05-28 18:09 . 2010-05-28 18:09 50981 ----a-w- c:\windows\system32\areoghkfntcfn.exe
2010-05-28 18:09 . 2010-05-28 18:09 -------- d-----w- c:\program files\$NtUninstallWTF1012$
2010-05-28 18:09 . 2010-05-28 18:08 75264 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\555qG.dll
2010-05-28 18:08 . 2010-05-28 18:08 75264 ----a-w- c:\windows\system32\8db3d791.exe
2010-05-25 05:38 . 2010-05-25 05:38 309248 ----a-w- c:\windows\system32\mzhjanoe.dll
2010-05-24 16:31 . 2010-05-24 16:31 40633 ----a-w- c:\windows\system32\tevbxohl.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-28 22:00 . 2004-06-21 16:18 288 ----a-w- c:\windows\system32\DVCStateBkp-{00000002-00000000-00000002-00001102-00000004-10031102}.dat
2010-05-28 22:00 . 2004-06-21 16:18 288 ----a-w- c:\windows\system32\DVCState-{00000002-00000000-00000002-00001102-00000004-10031102}.dat
2010-05-28 21:39 . 2008-09-24 03:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-05-28 20:03 . 2004-10-19 14:00 -------- d-----w- c:\program files\McAfee
2010-05-28 18:10 . 2009-05-28 23:13 -------- d-----w- c:\program files\Common Files\Motive
2010-05-21 21:09 . 2010-04-22 18:42 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2010-05-18 04:39 . 2008-09-24 03:35 -------- d-----w- c:\program files\Google
2010-04-22 17:53 . 2005-12-14 18:51 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-04-22 17:50 . 2010-04-22 17:50 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2010-04-22 17:47 . 2010-04-22 17:46 -------- d-----w- c:\program files\Common Files\McAfee
2010-04-22 17:46 . 2010-04-22 17:46 -------- d-----w- c:\program files\McAfee.com
2010-04-14 16:29 . 2004-06-27 22:20 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-01 20:28 . 2009-04-17 16:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-03-30 15:33 . 2010-03-30 15:33 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-03-30 15:33 . 2010-03-30 15:33 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-03-30 15:33 . 2010-03-30 15:33 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-03-30 15:33 . 2010-03-30 15:33 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-03-30 15:33 . 2010-03-30 15:33 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-03-30 15:33 . 2004-06-21 16:16 -------- d-----w- c:\program files\Common Files\Real
2010-03-30 15:32 . 2006-03-04 19:06 -------- d-----w- c:\program files\Real
2010-03-30 15:32 . 2010-03-30 15:32 -------- d-----w- c:\program files\Common Files\xing shared
2010-03-30 15:31 . 2003-08-05 17:55 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-03-30 15:31 . 2003-08-05 17:55 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-03-30 04:46 . 2009-04-17 16:00 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45 . 2009-04-17 16:00 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-11 12:38 . 2004-02-06 23:05 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-03-19 22:34 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2004-03-19 22:44 430080 ----a-w- c:\windows\system32\vbscript.dll
2005-12-08 05:16 . 2005-12-08 05:16 5037072 ----a-w- c:\program files\spybotsd14.exe
2005-10-22 14:46 . 2005-10-22 14:45 53619100 ----a-w- c:\program files\hansel new users v6.02.exe
.
------- Sigcheck -------
[7] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\user32.dll
[-] 2008-04-14 . 48FDBBE0E55B15E1886FCF5D8563B19F . 578560 . . [5.1.2600.5512] . . c:\windows\SYSTEM32\user32.dll
[-] 2007-03-08 . 7AA4F6C00405DFC4B70ED4214E7D687B . 578048 . . [5.1.2600.3099] . . c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
[-] 2007-03-08 . B409909F6E2E8A7067076ED748ABF1E7 . 577536 . . [5.1.2600.3099] . . c:\windows\$NtServicePackUninstall$\user32.dll
[-] 2005-03-02 . 1800F293BCCC8EDE8A70E12B88D80036 . 577024 . . [5.1.2600.2622] . . c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
[-] 2005-03-02 . DE2DB164BBB35DB061AF0997E4499054 . 577024 . . [5.1.2600.2622] . . c:\windows\$NtUninstallKB925902$\user32.dll
[7] 2004-08-04 . C72661F8552ACE7C5C85E16A3CF505C4 . 577024 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB890859$\user32.dll
[-] 2004-03-19 . DD9269230C21EE8FB7FD3FCCC3B1CFCB . 560128 . . [5.1.2600.1106] . . c:\windows\$NtUninstallKB824141$\USER32.DLL
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4CC5A190-E657-4C30-A101-C0A9252B9DAA}]
2010-05-25 05:38 309248 ----a-w- c:\windows\SYSTEM32\mzhjanoe.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-24 39408]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-06-21 77824]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2006-01-17 135168]
"ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2008-09-19 1529856]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-30 202256]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-04-02 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-02-11 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"MChk"="c:\windows\system32\tevbxohl.exe" [2010-05-24 40633]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [1999-9-4 53317]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP OfficeJet Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP OfficeJet Startup.lnk
backup=c:\windows\pss\HP OfficeJet Startup.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsioReg]
2003-02-20 21:27 110592 ----a-w- c:\windows\SYSTEM32\CTASIO.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0]
2004-11-12 02:00 864256 ------w- c:\program files\Brother\ControlCenter2\brctrcen.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDet]
2002-09-30 06:00 45056 ----a-w- c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDET.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\SYSTEM32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
2003-02-20 21:45 28672 ----a-w- c:\windows\SYSTEM32\CTHELPER.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
2002-10-29 14:18 49152 ----a-w- c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2004-03-15 06:04 122933 ----a-w- c:\windows\SYSTEM32\dla\tfswctrl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
2003-08-13 15:27 28672 ----a-w- c:\windows\SYSTEM32\DSentry.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2004-04-14 19:04 40960 ----a-w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
2003-09-04 01:12 221184 ----a-w- c:\program files\Intel\Modem Event Monitor\IntelMEM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-06-16 10:03 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-06-16 10:03 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
2006-01-17 17:03 53248 ----a-w- c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
2006-01-17 17:03 135168 ----a-w- c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
2003-06-18 17:00 200704 ----a-w- c:\program files\Microsoft Money\System\mnyexpr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2003-11-03 18:46 4800512 ----a-w- c:\windows\SYSTEM32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2004-04-14 18:46 57393 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2003-08-27 00:47 204800 ------w- c:\program files\Dell\Media Experience\PCMService.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2004-06-21 16:16 77824 ----a-w- c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2003-10-14 14:22 155648 ----a-r- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2006-11-09 20:07 49263 ----a-w- c:\program files\Java\jre1.5.0_10\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-03-30 15:31 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
2003-08-19 06:01 110592 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 06:00 90112 ------w- c:\windows\Updreg.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [4/22/2010 1:49 PM 203280]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/10/2007 2:40 PM 24652]
S0 cadamg;cadamg; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 2:21 PM 135664]
S2 MSWU-8db3d791;MSWU-8db3d791;c:\windows\SYSTEM32\8db3d791.exe [5/28/2010 2:08 PM 75264]
S2 MSWU-f36decbb;MSWU-f36decbb;c:\windows\SYSTEM32\f36decbb.exe [5/28/2010 2:14 PM 75264]
S3 bepprldr;BCL easyPDF SDK Loader;c:\program files\Common Files\BCL Technologies\easyPDF 4\bepprldr.exe [11/11/2005 11:03 PM 77824]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
fyphhfvk
.
Contents of the 'Scheduled Tasks' folder
2010-05-28 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-24 16:03]
2010-05-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 18:21]
2010-05-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 18:21]
2010-05-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-04-22 16:22]
2010-04-22 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-04-22 16:22]
2010-05-28 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4164457144-2476349802-418968361-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
2010-05-28 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4164457144-2476349802-418968361-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
2010-05-28 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4164457144-2476349802-418968361-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
2010-05-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4164457144-2476349802-418968361-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: motive.com\patttbc.att
DPF: ppctlcab - hxxp://www.pestscan.com/scanner/ppctlcab.cab
.
- - - - ORPHANS REMOVED - - - -
BHO-{101E208F-5D79-44F9-2C44-8ABE064649FF} - c:\windows\system32\tkncvqhujvmpdp.dll
BHO-{B3745075-1CA8-48D7-BB11-E71F974BEC43} - c:\windows\system32\piunbara.dll
HKCU-Run-rpyfmywx - c:\documents and settings\Boss\Local Settings\Application Data\esdjguvxo\jtqblxutssd.exe
HKLM-Run-IndividualMedical - c:\program files\Assurant Health\IMJA\Individual Medical v2.0\IM.exe
HKLM-Run-skb - piunbara.dll
HKLM-Run-rpyfmywx - c:\documents and settings\Boss\Local Settings\Application Data\esdjguvxo\jtqblxutssd.exe
Notify-28c60c73922 - c:\windows\system32\dfrgui32.dll
MSConfigStartUp-DellSupport - c:\program files\Dell Support\DSAgnt.exe
MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
MSConfigStartUp-Yahoo! Pager - c:\program files\Yahoo!\Messenger\ypager.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-28 18:02
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(2572)
c:\windows\system32\WININET.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\CTsvcCDA.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\System32\nvsvc32.exe
c:\windows\System32\MsPMSPSv.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2010-05-28 18:13:51 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-28 22:13
Pre-Run: 59,766,145,024 bytes free
Post-Run: 60,105,039,872 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
- - End Of File - - F066A08767EC84633FE6E6EA0CA3B367
Here are the two (2) Malwarebytes logs:
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org
Database version: 3930
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 7.0.5730.11
5/28/2010 3:53:27 PM
mbam-log-2010-05-28 (15-53-27).txt
Scan type: Quick scan
Objects scanned: 130721
Time elapsed: 12 minute(s), 45 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 2
Registry Data Items Infected: 4
Folders Infected: 1
Files Infected: 7
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{38061edc-40bb-4618-a8da-e56353347e6d} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e0ec6fba-f009-3535-95d6-b6390db27da1} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CscrptXt.CscrptXt (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\cscrptxt.cscrptxt.1.0 (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\net (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adshothlpr.adshothlpr (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adshothlpr.adshothlpr.1.0 (Adware.Adrotator) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\net (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sszggoneeahor (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.163.19,93.188.161.243 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6b9d9fdd-cc26-42f7-a10e-216d01e76f51}\NameServer (Trojan.DNSChanger) -> Data: 93.188.163.19,93.188.161.243 -> Quarantined and deleted successfully.
Folders Infected:
C:\Documents and Settings\Boss\Application Data\SystemProc (Trojan.Agent) -> Quarantined and deleted successfully.
Files Infected:
C:\Documents and Settings\Boss\Local Settings\Temp\onwasxmcre.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\piunbara.dll (Adware.EZlife) -> Quarantined and deleted successfully.
C:\Documents and Settings\Boss\Application Data\SystemProc\lsass.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Boss\Application Data\SystemProc\upd.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\COMMDLG32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\tkncvqhujvmpdp.dll (Trojan.Agent) -> Quarantined and deleted successfully.
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org
Database version: 3930
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11
5/28/2010 5:02:02 PM
mbam-log-2010-05-28 (17-02-02).txt
Scan type: Quick scan
Objects scanned: 6477
Time elapsed: 15 minute(s), 48 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\SYSTEM32\DRIVERS\cadamg.sys (Rootkit.Agent) -> Delete on reboot.
Finally, here is a copy of the log file loaded on my desktop titled "hs_err_pid2556":
#
# An unexpected error has been detected by HotSpot Virtual Machine:
#
# EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x1b00255c, pid=2556, tid=1740
#
# Java VM: Java HotSpot(TM) Client VM (1.5.0_10-b03 mixed mode)
# Problematic frame:
# C [ImgUtil.dll+0x255c]
#
--------------- T H R E A D ---------------
Current thread (0x05c90c50): JavaThread "thread applet-vmain.class" [_thread_in_native, id=1740]
siginfo: ExceptionCode=0xc0000005, reading address 0x57000019
Registers:
EAX=0x00000000, EBX=0x2361bd70, ECX=0x08b7dba0, EDX=0x00000000
ESP=0x146af800, EBP=0x255a255a, ESI=0x2361bd70, EDI=0x05c90c50
EIP=0x1b00255c, EFLAGS=0x00210246
Top of Stack: (sp=0x146af800)
0x146af800: 146af800 2361bd70 146af830 2361c348
0x146af810: 00000000 2361bd70 146af82c 146af854
0x146af820: 1b012a64 00000000 1b016509 1d310a28
0x146af830: 1d394e88 1d394e88 146af838 2361bce7
0x146af840: 146af864 2361c348 00000000 2361bd08
0x146af850: 146af860 146af884 1b0129e3 1d3fbcd0
0x146af860: 1d310a28 1d394e88 146af868 2361b3c9
0x146af870: 146af89c 2361c348 00000000 2361b3d8
Instructions: (pc=0x1b00255c)
0x1b00254c: 90 8b ff 55 8b ec 53 8b 5d 10 56 33 f6 3b de 0f
0x1b00255c: 84 92 19 00 00 57 6a 40 89 33 bf 0e 00 07 80 e8
Stack: [0x145b0000,0x146b0000), sp=0x146af800, free space=1022k
Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code)
C [ImgUtil.dll+0x255c]
[error occurred during error reporting, step 120, id 0xc0000005]
Java frames: (J=compiled Java code, j=interpreted, Vv=VM code)
j com.sun.media.sound.HeadspaceSoundbank.nOpenResource(Ljava/lang/String;)J+0
j com.sun.media.sound.HeadspaceSoundbank.initialize(Ljava/lang/String;)V+7
j com.sun.media.sound.HeadspaceSoundbank.
j com.sun.media.sound.HsbParser.getSoundbank(Ljava/net/URL;)Ljavax/sound/midi/Soundbank;+5
j javax.sound.midi.MidiSystem.getSoundbank(Ljava/net/URL;)Ljavax/sound/midi/Soundbank;+36
j vmain.init()V+88
j sun.applet.AppletPanel.run()V+197
j java.lang.Thread.run()V+11
v ~StubRoutines::call_stub
--------------- P R O C E S S ---------------
Java Threads: ( => current thread )
0x02e9bd70 JavaThread "AWT-EventQueue-2" [_thread_blocked, id=4052]
0x08d9f788 JavaThread "Thread-22" [_thread_in_native, id=3992]
0x05d72408 JavaThread "Java Sound Event Dispatcher" daemon [_thread_blocked, id=3880]
0x05c91a20 JavaThread "Thread-20" [_thread_in_native, id=204]
0x08a742c8 JavaThread "AWT-EventQueue-0" [_thread_blocked, id=2212]
0x08add830 JavaThread "AWT-Shutdown" [_thread_blocked, id=3368]
0x02ea6778 JavaThread "Thread-19" [_thread_in_native, id=2928]
=>0x05c90c50 JavaThread "thread applet-vmain.class" [_thread_in_native, id=1740]
0x08a74ee0 JavaThread "thread applet-vmain.class" [_thread_blocked, id=3864]
0x05ce3330 JavaThread "traceMsgQueueThread" daemon [_thread_blocked, id=3456]
0x08b0da00 JavaThread "AWT-Windows" daemon [_thread_in_native, id=2016]
0x05d17bd8 JavaThread "Java2D Disposer" daemon [_thread_blocked, id=3724]
0x05d74108 JavaThread "Low Memory Detector" daemon [_thread_blocked, id=1288]
0x12040250 JavaThread "CompilerThread0" daemon [_thread_blocked, id=1912]
0x05de3cf8 JavaThread "Signal Dispatcher" daemon [_thread_blocked, id=1732]
0x05d7d688 JavaThread "Finalizer" daemon [_thread_blocked, id=1936]
0x08ceab80 JavaThread "Reference Handler" daemon [_thread_blocked, id=848]
Other Threads:
0x05e0e290 VMThread [id=3888]
0x05d2cde0 WatcherThread [id=2800]
VM state:not at safepoint (normal execution)
VM Mutex/Monitor currently owned by a thread: None
Heap
def new generation total 5184K, used 4039K [0x1d010000, 0x1d5a0000, 0x1d770000)
eden space 4672K, 86% used [0x1d010000, 0x1d401970, 0x1d4a0000)
from space 512K, 0% used [0x1d4a0000, 0x1d4a03d8, 0x1d520000)
to space 512K, 0% used [0x1d520000, 0x1d520000, 0x1d5a0000)
tenured generation total 67584K, used 48740K [0x1d770000, 0x21970000, 0x23010000)
the space 67584K, 72% used [0x1d770000, 0x207091b8, 0x20709200, 0x21970000)
compacting perm gen total 8192K, used 6311K [0x23010000, 0x23810000, 0x27010000)
the space 8192K, 77% used [0x23010000, 0x23639f08, 0x2363a000, 0x23810000)
No shared spaces configured.
Dynamic libraries:
0x00400000 - 0x0049c000 C:\Program Files\Internet Explorer\IEXPLORE.EXE
0x7c900000 - 0x7c9b2000 C:\WINDOWS\system32\ntdll.dll
0x7c800000 - 0x7c8f6000 C:\WINDOWS\system32\kernel32.dll
0x77dd0000 - 0x77e6b000 C:\WINDOWS\system32\ADVAPI32.dll
0x77e70000 - 0x77f02000 C:\WINDOWS\system32\RPCRT4.dll
0x77fe0000 - 0x77ff1000 C:\WINDOWS\system32\Secur32.dll
0x77f10000 - 0x77f59000 C:\WINDOWS\system32\GDI32.dll
0x7e410000 - 0x7e4a1000 C:\WINDOWS\system32\USER32.dll
0x77c10000 - 0x77c68000 C:\WINDOWS\system32\msvcrt.dll
0x77f60000 - 0x77fd6000 C:\WINDOWS\system32\SHLWAPI.dll
0x7c9c0000 - 0x7d1d7000 C:\WINDOWS\system32\SHELL32.dll
0x774e0000 - 0x7761d000 C:\WINDOWS\system32\ole32.dll
0x78130000 - 0x78258000 C:\WINDOWS\system32\urlmon.dll
0x77120000 - 0x771ab000 C:\WINDOWS\system32\OLEAUT32.dll
0x3dfd0000 - 0x3e015000 C:\WINDOWS\system32\iertutil.dll
0x77c00000 - 0x77c08000 C:\WINDOWS\system32\VERSION.dll
0x5cb70000 - 0x5cb96000 C:\WINDOWS\system32\ShimEng.dll
0x71590000 - 0x71609000 C:\WINDOWS\AppPatch\AcLayers.DLL
0x769c0000 - 0x76a74000 C:\WINDOWS\system32\USERENV.dll
0x73000000 - 0x73026000 C:\WINDOWS\system32\WINSPOOL.DRV
0x76390000 - 0x763ad000 C:\WINDOWS\system32\IMM32.DLL
0x773d0000 - 0x774d3000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
0x5d090000 - 0x5d12a000 C:\WINDOWS\system32\comctl32.dll
0x3e1c0000 - 0x3e78d000 C:\WINDOWS\system32\IEFRAME.dll
0x76bf0000 - 0x76bfb000 C:\WINDOWS\system32\PSAPI.DLL
0x5ad70000 - 0x5ada8000 C:\WINDOWS\system32\UxTheme.dll
0x74720000 - 0x7476c000 C:\WINDOWS\system32\MSCTF.dll
0x63000000 - 0x63037000 C:\Program Files\Common Files\Motive\McciContextHook_DSR.dll
0x10000000 - 0x10006000 C:\Program Files\McAfee\SiteAdvisor\saHook.dll
0x00ce0000 - 0x00fa5000 C:\WINDOWS\system32\xpsp2res.dll
0x77b40000 - 0x77b62000 C:\WINDOWS\system32\apphelp.dll
0x755c0000 - 0x755ee000 C:\WINDOWS\system32\msctfime.ime
0x5dff0000 - 0x5e01f000 C:\WINDOWS\system32\IEUI.dll
0x76380000 - 0x76385000 C:\WINDOWS\system32\MSIMG32.dll
0x4ec50000 - 0x4edfb000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6001.22319_x-ww_f0b4c2df\gdiplus.dll
0x47060000 - 0x47081000 C:\WINDOWS\system32\xmllite.dll
0x76fd0000 - 0x7704f000 C:\WINDOWS\system32\CLBCATQ.DLL
0x77050000 - 0x77115000 C:\WINDOWS\system32\COMRes.dll
0x746f0000 - 0x7471a000 C:\WINDOWS\System32\msimtf.dll
0x77a20000 - 0x77a74000 C:\WINDOWS\System32\cscui.dll
0x76600000 - 0x7661d000 C:\WINDOWS\System32\CSCDLL.dll
0x77920000 - 0x77a13000 C:\WINDOWS\system32\SETUPAPI.dll
0x325c0000 - 0x325d2000 C:\Program Files\Microsoft Office\OFFICE11\msohev.dll
0x61930000 - 0x6197a000 C:\Program Files\Internet Explorer\ieproxy.dll
0x7d1e0000 - 0x7d49c000 C:\WINDOWS\system32\msi.dll
0x7e720000 - 0x7e7d0000 C:\WINDOWS\system32\SXS.DLL
0x3d930000 - 0x3da01000 C:\WINDOWS\system32\WININET.dll
0x01cc0000 - 0x01cc9000 C:\WINDOWS\system32\Normaliz.dll
0x75cf0000 - 0x75d81000 C:\WINDOWS\system32\MLANG.dll
0x71ab0000 - 0x71ac7000 C:\WINDOWS\system32\ws2_32.dll
0x71aa0000 - 0x71aa8000 C:\WINDOWS\system32\WS2HELP.dll
0x028b0000 - 0x028d7000 c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
0x02910000 - 0x02952000 c:\PROGRA~1\mcafee\SITEAD~1\mcbrwctl.dll
0x708f0000 - 0x70903000 C:\WINDOWS\system32\asycfilt.dll
0x03230000 - 0x03240000 C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
0x03250000 - 0x032eb000 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
0x60110000 - 0x60162000 C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
0x763b0000 - 0x763f9000 C:\WINDOWS\system32\comdlg32.dll
0x7c3a0000 - 0x7c41b000 C:\WINDOWS\system32\MSVCP71.dll
0x7c340000 - 0x7c396000 C:\WINDOWS\system32\MSVCR71.dll
0x69400000 - 0x69410000 c:\PROGRA~1\mcafee\SITEAD~1\MCSACO~1.DLL
0x03420000 - 0x0343f000 C:\WINDOWS\system32\dla\tfswshx.dll
0x03440000 - 0x0344f000 C:\WINDOWS\system32\tfswapi.dll
0x03450000 - 0x0348b000 C:\WINDOWS\system32\dla\tfswcres.dll
0x6d600000 - 0x6d66a000 C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
0x5edd0000 - 0x5ede7000 C:\WINDOWS\system32\OLEPRO32.DLL
0x14490000 - 0x144a3000 C:\Program Files\McAfee\VirusScan\scriptsn.dll
0x75c50000 - 0x75ccd000 C:\WINDOWS\system32\Jscript.dll
0x73300000 - 0x73369000 C:\WINDOWS\system32\VBscript.dll
0x14180000 - 0x1418f000 C:\Program Files\McAfee\VirusScan\mytilus3.dll
0x14710000 - 0x1474e000 C:\Program Files\McAfee\VirusScan\mytilus3_worker.dll
0x76780000 - 0x76789000 C:\WINDOWS\system32\SHFOLDER.dll
0x14100000 - 0x14107000 C:\Program Files\McAfee\VirusScan\RES00\McShield.dll
0x036d0000 - 0x03790000 C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
0x77a80000 - 0x77b15000 C:\WINDOWS\system32\CRYPT32.dll
0x77b20000 - 0x77b32000 C:\WINDOWS\system32\MSASN1.dll
0x76c30000 - 0x76c5e000 C:\WINDOWS\system32\WINTRUST.dll
0x76c90000 - 0x76cb8000 C:\WINDOWS\system32\IMAGEHLP.dll
0x76d60000 - 0x76d79000 C:\WINDOWS\system32\IPHLPAPI.DLL
0x68000000 - 0x68036000 C:\WINDOWS\system32\rsaenh.dll
0x71a50000 - 0x71a8f000 C:\WINDOWS\system32\mswsock.dll
0x662b0000 - 0x66308000 C:\WINDOWS\system32\hnetcfg.dll
0x71a90000 - 0x71a98000 C:\WINDOWS\System32\wshtcpip.dll
0x76ee0000 - 0x76f1c000 C:\WINDOWS\system32\RASAPI32.dll
0x76e90000 - 0x76ea2000 C:\WINDOWS\system32\rasman.dll
0x5b860000 - 0x5b8b5000 C:\WINDOWS\system32\NETAPI32.dll
0x76eb0000 - 0x76edf000 C:\WINDOWS\system32\TAPI32.dll
0x76e80000 - 0x76e8e000 C:\WINDOWS\system32\rtutils.dll
0x76b40000 - 0x76b6d000 C:\WINDOWS\system32\WINMM.dll
0x71d40000 - 0x71d5b000 C:\WINDOWS\system32\actxprxy.dll
0x77c70000 - 0x77c95000 C:\WINDOWS\system32\msv1_0.dll
0x76790000 - 0x7679c000 C:\WINDOWS\system32\cryptdll.dll
0x722b0000 - 0x722b5000 C:\WINDOWS\system32\sensapi.dll
0x76fc0000 - 0x76fc6000 C:\WINDOWS\system32\rasadhlp.dll
0x76f20000 - 0x76f47000 C:\WINDOWS\system32\DNSAPI.dll
0x3da20000 - 0x3dd95000 C:\WINDOWS\system32\mshtml.dll
0x746c0000 - 0x746e9000 C:\WINDOWS\system32\msls31.dll
0x42f90000 - 0x42ff0000 C:\WINDOWS\system32\ieapfltr.dll
0x77690000 - 0x776b1000 C:\WINDOWS\system32\NTMARTA.DLL
0x71bf0000 - 0x71c03000 C:\WINDOWS\system32\SAMLIB.dll
0x76f60000 - 0x76f8c000 C:\WINDOWS\system32\WLDAP32.dll
0x42070000 - 0x420a2000 C:\WINDOWS\system32\iepeers.dll
0x420c0000 - 0x420f9000 C:\WINDOWS\system32\Dxtrans.dll
0x76b20000 - 0x76b31000 C:\WINDOWS\system32\ATL.DLL
0x6d430000 - 0x6d43a000 C:\WINDOWS\System32\ddrawex.dll
0x73760000 - 0x737ab000 C:\WINDOWS\System32\DDRAW.dll
0x73bc0000 - 0x73bc6000 C:\WINDOWS\System32\DCIMAN32.dll
0x42010000 - 0x42067000 C:\WINDOWS\system32\Dxtmsft.dll
0x74980000 - 0x74aa3000 C:\WINDOWS\System32\msxml3.dll
0x1b000000 - 0x1b00c000 C:\WINDOWS\system32\ImgUtil.dll
0x42b90000 - 0x42c07000 C:\WINDOWS\system32\mshtmled.dll
0x74c80000 - 0x74cac000 C:\WINDOWS\system32\OLEACC.DLL
0x76080000 - 0x760e5000 C:\WINDOWS\system32\MSVCP60.dll
0x435a0000 - 0x43612000 C:\WINDOWS\system32\msfeeds.dll
0x41e30000 - 0x41e3e000 C:\WINDOWS\system32\pngfilt.dll
0x767f0000 - 0x76818000 C:\WINDOWS\system32\schannel.dll
0x68100000 - 0x68126000 C:\WINDOWS\system32\dssenh.dll
0x06570000 - 0x065cb000 C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
0x72d20000 - 0x72d29000 C:\WINDOWS\system32\wdmaud.drv
0x72d10000 - 0x72d18000 C:\WINDOWS\system32\msacm32.drv
0x77be0000 - 0x77bf5000 C:\WINDOWS\system32\MSACM32.dll
0x77bd0000 - 0x77bd7000 C:\WINDOWS\system32\midimap.dll
0x08f40000 - 0x093e3000 C:\WINDOWS\system32\Macromed\Flash\Flash10c.ocx
0x73b30000 - 0x73b45000 C:\WINDOWS\system32\mscms.dll
0x12950000 - 0x133b6000 C:\WINDOWS\system32\wmp.dll
0x75a70000 - 0x75a91000 C:\WINDOWS\system32\MSVFW32.dll
0x59a60000 - 0x59b01000 C:\WINDOWS\system32\dbghelp.dll
0x13740000 - 0x13f1b000 C:\WINDOWS\system32\wmploc.dll
VM Arguments:
jvm_args: -Xbootclasspath/a:C:\PROGRA~1\Java\JRE15~1.0_1\lib\deploy.jar;C:\PROGRA~1\Java\JRE15~1.0_1\lib\plugin.jar -Xmx96m -Djavaplugin.maxHeapSize=96m -Xverify:remote -Djavaplugin.version=1.5.0_10 -Djavaplugin.nodotversion=150_10 -Dbrowser=sun.plugin -DtrustProxy=true -Dapplication.home=C:\PROGRA~1\Java\JRE15~1.0_1 -Djava.protocol.handler.pkgs=sun.plugin.net.protocol -Djavaplugin.vm.options=-Djava.class.path=C:\PROGRA~1\Java\JRE15~1.0_1\classes -Xbootclasspath/a:C:\PROGRA~1\Java\JRE15~1.0_1\lib\deploy.jar;C:\PROGRA~1\Java\JRE15~1.0_1\lib\plugin.jar -Xmx96m -Djavaplugin.maxHeapSize=96m -Xverify:remote -Djavaplugin.version=1.5.0_10 -Djavaplugin.nodotversion=150_10 -Dbrowser=sun.plugin -DtrustProxy=true -Dapplication.home=C:\PROGRA~1\Java\JRE15~1.0_1 -Djava.protocol.handler.pkgs=sun.plugin.net.protocol vfprintf
java_command:
Launcher Type: generic
Environment Variables:
PATH=C:\PROGRA~1\Java\JRE15~1.0_1\bin;C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\PROGRA~1\COMMON~1\SONICS~1\;.
USERNAME=Boss
OS=Windows_NT
PROCESSOR_IDENTIFIER=x86 Family 15 Model 3 Stepping 4, GenuineIntel
--------------- S Y S T E M ---------------
OS: Windows XP Build 2600 Service Pack 3
CPU:total 2 (cores per cpu 1, threads per core 2) family 15 model 3 stepping 4, cmov, cx8, fxsr, mmx, sse, sse2, sse3, ht
Memory: 4k page, physical 523260k(56876k free), swap 2586492k(2000356k free)
vm_info: Java HotSpot(TM) Client VM (1.5.0_10-b03) for windows-x86, built on Nov 9 2006 13:13:34 by "java_re" with MS VC++ 6.0
- CrushSecurity Colleague
-
Posts : 3882
Rubies : 20036
Likes : 0
Hi again,
You have a pretty serious Rootkit called TDL3.
Your computer has multiple infections, including a rootkit. A rootkit is a set of software tools intended for concealing running processes, files or system data from the operating system.
You are strongly advised to do the following:
- Disconnect the computer from the Internet and from any networked computers until it is cleaned.
- Back up all your important data except programs. The programs can be reinstalled back from the original disc or from the Net.
- Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts. If you don't mind the hassle, change all your account numbers.
- From a clean computer, change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password).
DO NOT change your passwords from this computer as the attacker will be able to get all the new passwords and transaction records.
Due to its rootkit functionality, your computer is very likely to have been compromised and there is no way that it can be trusted again. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be to do a reformat and reinstallation of the operating system (OS). However, if you do not have the resources to reinstall your OS and would like me to attempt to clean your machine, I will be happy to do so.
To help you understand more, please take some time to read the following articles:
What are rootkits from Wikipedia
Why are rootkits dangerous
How do I respond to a possible identity theft and how do I prevent it
When should I do a reformat and reinstallation of my OS
Where to backup your files
How to backup your files in Windows XP
Restoring your backups
========
Please download 7-Zip and install it. If you already have it, no need to reinstall.
Then, download RootkitUnhooker and save the setup to your Desktop.
- Right-click on the RootkitUnhooker setup and mouse-over 7-Zip then click Extract to "RKU***"
- Once that is done, enter the folder, and double-click on the setup file. Navigate through setup and finish.
- Once that is done, you will see another folder that was created inside the RKU folder. Enter that folder, and double-click on the randomly named file. (It will be alpha-numeric and have an EXE extension on it.)
- It will initialize itself and load the scanner. It will also install its driver. Please wait for the interface to begin.
- Once inside the interface, do not fix anything. Click on the Report tab.
- Next, click on the Scan button and a popup will show. Make sure all are checked, then click on OK. It will begin scanning. When it gets to the Files tab, it will ask you what drives to scan. Just select C:\ and hit OK.
- It will finish in about 5 minutes or a little longer depending on how badly infected the system is, or if your security software is enabled.
- When finished, it will show the report in the Report tab. Please copy all of it, and post it in your next reply. Depending on how large the log is, you may have to use two or three posts to get all the information in.
- spartyNovice
-
OS : xp pro
Posts : 26
Rubies : 3262
Likes : 0
Holy Crap!!!!!
I've turned on the lockdown firewall on McAfee which disconnects incoming or outgoing internet connections for now. Is that sufficient to block any rootkit activity like obtaining passwords, etc.? This is a LOT to consider. I've never backed up all my files and I certainly never reformatted or reinstalled an OS. I've read much from the links above. If I'm going to produce the log you mention, I'll need to connect to the internet on that machine. Is that safe?
- CrushSecurity Colleague
-
Posts : 3882
Rubies : 20036
Likes : 0
Hi Sparty,
A Rootkit is a very serious infection. The easiest way to "start fresh" is to go through the reformat process. If you choose to go this route, do you have another machine handy so we can guide you through it? Do you have an external hard drive or CDs to back your files up to?
This machine is disinfectable and most of the tools we use have been updated to at least catch evidence of this Rootkit, but the infection is fairly new. From reviewing your logs, we still do have a bit of work to do to remove parts of the Rootkit, but ComboFix has already restored the infected system files and deleted a good portion of the Rootkit.
Do you already have RKUnhooker downloaded? If not, yes, you will need to connect to the internet to download it. Alternatively, you could download it from another machine to a USB drive or CDs and copy it to the infected machine.
If you have any further questions or issues, feel free to ask. I'm going to get the Fix cleared from the "behind the scenes" guys if you choose to continue with the disinfection.
- spartyNovice
-
OS : xp pro
Posts : 26
Rubies : 3262
Likes : 0
I do have another machine, the laptop I'm using now. I do not have an external hard drive. I have some cds and a flash drive. I've been at this for over 6 hrs now.....and this news is disheartening. I'm leaning toward trying for the fix, but I'd like to sleep on it. Frankly, I'm burnt out and displeased, to say the least.
Thanks for your help, Chris. Will you be available tomorrow to take this up again?