TechSpot

Is system clean after following 8 step removal process?

By ARShill
Sep 27, 2010
  1. My Task Mgr wouldn't appear and Zone Alarm would not run so I researched the posts and followed the 8 steps to removing viruses and malware. Can you check out my logs and see if the system is now clean? I am still having problems with programs locking and have had to do a hard shut down.
     


  2. Bobbye


    Welcome to TechSpot. I see Mbam removed quite a bit. Give me a chance to check the other logs and I'll be back with instructions.

    Important!

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
     
  3. Bobbye


    Okay, we have some work to do! You're not clean yet. I'd like you to run GMER again, but with 'Devices' unchecked. What you did was fine but there is an entry I need to see better.

    You're also going to have to run the following and I am requesting that you paste those logs in the reply please. It cuts my search time down considerably when I can search directly from my browser. You may use more than one post if needed.
    ==================================
    NOTE: If you do not have a Recovery Console installed, when you start Combofix you will be asked and have the chance to install one. It is important that you allow it. Don't disconnect from the internet before you run Combofix or that will not be available to you.

    Please download ComboFix from Here and save to your Desktop.

    1. Do NOT rename Combofix unless instructed.
    2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
    3. Close any open browsers.
    4. Double click combofix.exe & follow the prompts to run.
       NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    5. If Combofix asks you to install Recovery Console, please allow it.
    6. If Combofix asks you to update the program, always allow.
       Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    7. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with Combofix.
    ====================================

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
     
  4. ARShill


    Finished additional steps

    Bobbye, thank you so much for your support! I ran the programs you listed. Below are some of the logs. I will paste the rest in another one.

    GMER (no devices)
    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-09-28 20:18:25
    Windows 5.1.2600 Service Pack 3
    Running: lfnbbyji.exe; Driver: C:\DOCUME~1\Rob\LOCALS~1\Temp\pxrdipog.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwClose [0xA8B0ACF0]
    SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwConnectPort [0xA7725534]
    SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateFile [0xA771F782]
    SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateKey [0xA773E6DC]
    SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreatePort [0xA7725CC0]
    SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xA7725DF6]
    SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xA7720398]
    SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteKey [0xA773FFE4]
    SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0xA773F93C]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDuplicateObject [0xA8B0A782]
    SSDT spxz.sys ZwEnumerateKey [0xB9EC9E4C]
    SSDT spxz.sys ZwEnumerateValueKey [0xB9ECA1DA]
    SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey [0xA774093C]
    SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xA7740B44]
    SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenFile [0xA771FFAA]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenKey [0xA8B0AC86]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenProcess [0xA8B0A6C2]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenThread [0xA8B0A726]
    SSDT spxz.sys ZwQueryKey [0xB9ECA2B2]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwQueryValueKey [0xA8B0ADA6]
    SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRenameKey [0xA77418D2]
    SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xA7741208]
    SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xA77250F4]
    SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRestoreKey [0xA77422A4]
    SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xA772075C]
    SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetSecurityObject [0xA7741E12]
    SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetValueKey [0xA773F0C4]
    SSDT \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys ZwUnloadKey [0xA843F6D0]

    INT 0x62 ? 8A992C88
    INT 0x63 ? 8A992C88
    INT 0x63 ? 8A992C88
    INT 0x63 ? 8A992C88
    INT 0x84 ? 8A829C88
    INT 0x94 ? 8A829C88
    INT 0xA4 ? 8A829C88
    INT 0xB4 ? 8A829C88

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xA8B17BAE]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0xA8B179D2]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0xA8B17B0C]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) NtCreateSection
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

    ---- Kernel code sections - GMER 1.0.15 ----

    ? spxz.sys The system cannot find the file specified. !
    .text USBPORT.SYS!DllUnload B947F8AC 5 Bytes JMP 8A8291D8
    init C:\WINDOWS\system32\drivers\sigfilt.sys entry point in "init" section [0xA9187F80]
    ? C:\WINDOWS\system32\Drivers\uphcleanhlp.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1392] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }

    ---- Kernel IAT/EAT - GMER 1.0.15 ----

    IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_ULONG] [B9EB03E6] spxz.sys
    IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!READ_PORT_UCHAR] [B9EB090E] spxz.sys
    IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_UCHAR] [B9EB0F9C] spxz.sys
    IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EB090E] spxz.sys
    IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EB01D4] spxz.sys
    IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EB0116] spxz.sys
    IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EB1178] spxz.sys
    IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EB0F9C] spxz.sys
    IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [A772A672] \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [A772A4C8] \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [A772ACBA] \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [A7728C2A] \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [A7728C2A] \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [A772A672] \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [A772A4C8] \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [A772ACBA] \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [A772A672] \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [A7728C2A] \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [A772ACBA] \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [A772A4C8] \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [A772ACBA] \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [A772A4C8] \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [A772A672] \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [A7728C2A] \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [A772A672] \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [A772A4C8] \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [A772ACBA] \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [A772A672] \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [A7728C2A] \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [A772ACBA] \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [A772A4C8] \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\WINDOWS\system32\services.exe[680] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
    IAT C:\WINDOWS\system32\services.exe[680] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792

    ---- EOF - GMER 1.0.15 ----


    ComboFix report:
    ComboFix 10-09-27.05 - Rob 09/28/2010 20:56:34.1.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1560 [GMT -4:00]
    Running from: c:\documents and settings\Rob\My Documents\Downloads\ComboFix.exe
    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\094ceba
    c:\documents and settings\All Users\Application Data\094ceba\733.mof
    c:\documents and settings\All Users\Application Data\094ceba\BackUp\Adobe Reader Speed Launch.lnk
    c:\documents and settings\All Users\Application Data\094ceba\BackUp\Digital Line Detect.lnk
    c:\documents and settings\All Users\Application Data\094ceba\BackUp\HP Digital Imaging Monitor.lnk
    c:\documents and settings\All Users\Application Data\094ceba\BackUp\HP Image Zone Fast Start.lnk
    c:\documents and settings\All Users\Application Data\094ceba\BackUp\NkbMonitor.exe.lnk
    c:\documents and settings\All Users\Application Data\094ceba\BackUp\qlock.lnk
    c:\documents and settings\All Users\Application Data\094ceba\BackUp\WDDMStatus.lnk
    c:\documents and settings\All Users\Application Data\094ceba\BackUp\WDSmartWare.lnk
    c:\documents and settings\All Users\Application Data\094ceba\mozcrt19.dll
    c:\documents and settings\All Users\Application Data\094ceba\MSS.ico
    c:\documents and settings\All Users\Application Data\094ceba\MSSSys\vd952342.bd
    c:\documents and settings\All Users\Application Data\094ceba\sqlite3.dll
    c:\documents and settings\All Users\Start Menu\HP Image Zone .lnk
    c:\documents and settings\Rob\Recent\ANTIGEN.drv
    c:\documents and settings\Rob\Recent\ANTIGEN.exe
    c:\documents and settings\Rob\Recent\cb.exe
    c:\documents and settings\Rob\Recent\CLSV.sys
    c:\documents and settings\Rob\Recent\DBOLE.tmp
    c:\documents and settings\Rob\Recent\eb.drv
    c:\documents and settings\Rob\Recent\eb.exe
    c:\documents and settings\Rob\Recent\energy.exe
    c:\documents and settings\Rob\Recent\energy.sys
    c:\documents and settings\Rob\Recent\exec.sys
    c:\documents and settings\Rob\Recent\exec.tmp
    c:\documents and settings\Rob\Recent\fan.exe
    c:\documents and settings\Rob\Recent\FW.tmp
    c:\documents and settings\Rob\Recent\grid.drv
    c:\documents and settings\Rob\Recent\pal.tmp
    c:\documents and settings\Rob\Recent\PE.drv
    c:\documents and settings\Rob\Recent\PE.exe
    c:\documents and settings\Rob\Recent\ppal.exe
    c:\documents and settings\Rob\Recent\SM.drv
    c:\documents and settings\Rob\Recent\tjd.exe
    c:\documents and settings\Rob\Recent\tjd.sys
    c:\documents and settings\Rob\Recent\tjd.tmp
    c:\windows\system32\Data

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_MYWEBSEARCHSERVICE


    ((((((((((((((((((((((((( Files Created from 2010-08-28 to 2010-09-29 )))))))))))))))))))))))))))))))
    .

    2010-09-29 00:44 . 2010-09-29 00:47 -------- d-----w- C:\32788R22FWJFW
    2010-09-26 21:23 . 2010-09-26 21:23 -------- d-----w- c:\documents and settings\Rob\Application Data\Malwarebytes
    2010-09-26 21:23 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-09-26 21:23 . 2010-09-27 11:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-09-26 21:23 . 2010-09-26 21:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-09-26 21:23 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-09-25 23:45 . 2010-09-02 13:20 69120 ----a-w- c:\windows\system32\zlcomm.dll
    2010-09-25 23:45 . 2010-09-02 13:20 103936 ----a-w- c:\windows\system32\zlcommdb.dll
    2010-09-25 23:45 . 2010-09-02 13:20 1238528 ----a-w- c:\windows\system32\zpeng25.dll
    2010-09-25 23:45 . 2010-09-25 23:45 -------- d-----w- c:\windows\system32\ZoneLabs
    2010-09-25 23:45 . 2010-09-25 23:45 -------- d-----w- c:\program files\Zone Labs
    2010-09-25 23:44 . 2010-09-28 21:29 -------- d-----w- c:\windows\Internet Logs
    2010-09-25 21:07 . 2010-09-25 21:07 -------- d-----w- c:\documents and settings\All Users\Application Data\ZA_PreservedFiles
    2010-09-25 20:49 . 2010-09-25 20:49 -------- d-----w- c:\program files\Conduit
    2010-09-13 14:19 . 2010-09-13 14:19 -------- d-sh--w- c:\documents and settings\All Users\Application Data\MSFVKFBMS
    2010-09-02 15:26 . 2010-09-02 15:27 -------- d-----w- c:\program files\iTunes
    2010-09-02 15:22 . 2010-09-03 01:36 -------- d-----w- c:\program files\QuickTime

    I
     
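The GMER output above is read by hand in this thread. As an added example (my own code, not part of the post and not GMER's), here is a small Python triage script that parses the SSDT, Code and IAT hook lines in the format GMER 1.0.15 prints and groups them by the driver that installed the hook, flagging any driver GMER could not attribute to a vendor or could not open on disk. The embedded sample is a handful of lines taken from the log above.

```python
"""Triage helper for the kernel-hook sections of a GMER rootkit-scan log.

Added example for this thread; not part of the TechSpot post and not GMER's
own code. It understands the line shapes GMER 1.0.15 prints for hooks:

  SSDT <module> [(<vendor>)] <service> [0x<addr>]
  Code <module> [(<vendor>)] <function> [[0x<addr>]]
  IAT  <victim>[<dll>!<import>] [<addr>] <module> [(<vendor>)]
  ? <module> The system cannot find the file specified. !

and groups every hook by the module that installed it, so a reviewer can see
which hooking drivers GMER attributed to a vendor and which it could not.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

HOOK_RE = re.compile(
    r"^(?P<kind>SSDT|Code)\s+(?P<module>\S+)"
    r"(?:\s+\((?P<vendor>[^)]*)\))?"
    r"\s+(?P<func>\w+)(?:\s+\[(?P<addr>0x[0-9A-Fa-f]+)\])?$"
)
IAT_RE = re.compile(
    r"^IAT\s+(?P<victim>\S+?)\[(?P<import>[^\]]+)\]\s+\[(?P<addr>[0-9A-Fa-f]+)\]"
    r"\s+(?P<module>\S+)(?:\s+\((?P<vendor>[^)]*)\))?$"
)
MISSING_RE = re.compile(
    r"^\?\s+(?P<module>\S+)\s+The system cannot find the file specified\.\s+!$"
)


@dataclass
class ModuleHooks:
    name: str                       # driver file name as GMER printed it
    vendor: Optional[str] = None    # GMER's vendor attribution, if it had one
    hooks: List[str] = field(default_factory=list)  # "SSDT:ZwClose", "IAT:atapi.sys:HAL.dll!READ_PORT_UCHAR", ...
    file_missing: bool = False      # GMER reported it could not open the module's file


def basename(path: str) -> str:
    """Last component of a Windows-style path (the driver file name)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def parse_gmer(text: str) -> Dict[str, ModuleHooks]:
    """Group SSDT/Code/IAT hooks and missing-file notes by hooking module (keyed by lowercase file name)."""
    mods: Dict[str, ModuleHooks] = {}

    def entry(path: str) -> ModuleHooks:
        name = basename(path)
        return mods.setdefault(name.lower(), ModuleHooks(name=name))

    for raw in text.splitlines():
        line = raw.strip()
        m = HOOK_RE.match(line)
        if m:
            mod = entry(m["module"])
            mod.hooks.append(f"{m['kind']}:{m['func']}")
            mod.vendor = mod.vendor or m["vendor"]
            continue
        m = IAT_RE.match(line)
        if m:
            mod = entry(m["module"])
            mod.hooks.append(f"IAT:{basename(m['victim'])}:{m['import']}")
            mod.vendor = mod.vendor or m["vendor"]
            continue
        m = MISSING_RE.match(line)
        if m:
            entry(m["module"]).file_missing = True
    return mods


def triage(mods: Dict[str, ModuleHooks]) -> List[str]:
    """Keys of modules a human must attribute: no vendor string, or file unreadable on disk."""
    return sorted(k for k, v in mods.items() if v.vendor is None or v.file_missing)


def report(mods: Dict[str, ModuleHooks]) -> List[str]:
    """One summary line per hooking module, most hooks first."""
    lines = []
    for key in sorted(mods, key=lambda k: (-len(mods[k].hooks), k)):
        v = mods[key]
        flag = "REVIEW" if v.vendor is None or v.file_missing else "ok"
        tail = "  (file not found on disk)" if v.file_missing else ""
        lines.append(f"{flag:6} {v.name:18} hooks={len(v.hooks):<3} vendor={v.vendor or '-'}{tail}")
    return lines


# Sample input: lines taken from the GMER log posted above, cut down to a few of each shape.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwClose [0xA8B0ACF0]
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateFile [0xA771F782]
SSDT spxz.sys ZwEnumerateKey [0xB9EC9E4C]
SSDT spxz.sys ZwQueryKey [0xB9ECA2B2]
SSDT \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys ZwUnloadKey [0xA843F6D0]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) NtCreateSection

---- Kernel code sections - GMER 1.0.15 ----

? spxz.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\uphcleanhlp.sys The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EB090E] spxz.sys
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [A772A4C8] \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
"""

if __name__ == "__main__":
    for line in report(parse_gmer(SAMPLE_LOG)):
        print(line)
```

A flagged module is an item to attribute, not a verdict: legitimate low-level drivers hook the disk stack in the same way, and the sptd driver listed under S4 in the ComboFix log above is one well-known driver of that kind, so confirm what a flagged module is before treating it as a finding.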
  5. ARShill


    Remaining logs

    Hi Bobbye, below should be the remainder of the logs:


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-25 23:45 . 2006-05-16 20:46 4212 ---ha-w- c:\windows\system32\zllictbl.dat
    2010-09-25 20:33 . 2008-02-04 22:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
    2010-09-25 20:31 . 2008-10-04 16:49 -------- d-----w- c:\program files\LeapFrog
    2010-09-21 20:09 . 2006-06-13 00:51 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
    2010-09-09 13:37 . 2008-06-14 12:54 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-09-07 15:12 . 2010-06-29 16:56 38848 ----a-w- c:\windows\avastSS.scr
    2010-09-07 15:11 . 2008-12-03 18:26 167592 ----a-w- c:\windows\system32\aswBoot.exe
    2010-09-07 14:52 . 2008-12-03 18:27 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-09-07 14:52 . 2008-12-03 18:27 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-09-07 14:47 . 2008-12-03 18:27 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-09-07 14:47 . 2008-12-03 18:27 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-09-07 14:47 . 2008-12-03 18:27 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-09-07 14:47 . 2008-12-03 18:27 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-09-07 14:46 . 2008-12-03 18:27 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-09-04 17:18 . 2008-02-26 13:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Dell
    2010-09-03 16:50 . 2009-10-21 21:31 -------- d-----w- c:\documents and settings\Boys\Application Data\Apple Computer
    2010-09-02 15:26 . 2006-08-12 17:40 -------- d-----w- c:\program files\iPod
    2010-09-02 15:26 . 2007-08-30 00:28 -------- d-----w- c:\program files\Common Files\Apple
    2010-09-02 15:17 . 2010-09-02 15:17 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 10.0.0.68\SetupAdmin.exe
    2010-08-30 18:34 . 2010-09-08 22:28 1496064 ----a-w- c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\1zr4dlo9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    2010-08-30 18:33 . 2010-09-08 22:28 43008 ----a-w- c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\1zr4dlo9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
    2010-08-30 18:33 . 2010-09-08 22:28 338944 ----a-w- c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\1zr4dlo9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
    2010-08-30 18:33 . 2010-09-08 22:28 346112 ----a-w- c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\1zr4dlo9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
    2010-08-21 17:39 . 2006-12-26 23:39 -------- d-----w- c:\program files\The Learning Company
    2010-08-17 18:10 . 2010-09-01 02:37 372736 ------w- c:\documents and settings\All Users\Application Data\Dell\DSL\DSLCheck.exe
    2010-08-17 13:17 . 2004-08-10 16:51 58880 ----a-w- c:\windows\system32\spoolsv.exe
    2010-08-04 20:17 . 2010-08-04 20:17 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
    2010-08-01 15:29 . 2010-08-01 11:27 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
    2010-08-01 15:26 . 2006-05-10 15:21 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
    2010-08-01 11:27 . 2010-08-01 11:27 -------- d-----w- c:\program files\NOS
    2010-07-26 20:01 . 2010-08-01 11:27 37184 ----a-w- c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\1zr4dlo9.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
    2010-07-26 20:01 . 2010-08-01 11:27 32032 ----a-w- c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\1zr4dlo9.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
    2010-07-22 21:00 . 2010-07-22 21:00 697328 ----a-w- c:\windows\system32\drivers\sptd.sys
    2010-07-22 19:33 . 2010-07-22 19:33 71706968 ----a-w- c:\documents and settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Updates\DidjPlugin.exe
    2010-07-22 19:32 . 2010-07-22 19:32 31287640 ----a-w- c:\documents and settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Updates\UPCInstaller.exe
    2010-07-22 15:49 . 2004-08-10 16:51 590848 ----a-w- c:\windows\system32\rpcrt4.dll
    2010-07-22 05:57 . 2009-04-16 22:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-07-09 14:26 . 2010-09-01 02:38 475136 ----a-w- c:\documents and settings\All Users\Application Data\Dell\RMC\RMCCreationInfo.exe
    2010-07-02 14:25 . 2010-09-01 02:38 1118208 ------w- c:\documents and settings\All Users\Application Data\Dell\RMC\Libxml2.dll
    2010-07-02 14:25 . 2010-09-01 02:38 60416 ----a-w- c:\documents and settings\All Users\Application Data\Dell\RMC\ZLib1.dll
    2008-08-16 22:42 . 2008-08-16 22:42 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
    2008-08-16 22:42 . 2008-08-16 22:42 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
    2008-08-16 22:42 . 2008-08-16 22:42 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
    2008-08-16 22:42 . 2008-08-16 22:42 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
    2008-08-16 22:43 . 2008-08-16 22:43 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
    2008-08-16 22:42 . 2008-08-16 22:42 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
    2008-08-16 22:42 . 2008-08-16 22:42 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
    2008-05-21 13:41 . 2008-05-21 13:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
    2008-05-21 13:41 . 2008-05-21 13:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
    2008-05-21 13:41 . 2008-05-21 13:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
    2008-06-05 18:58 . 2008-06-05 18:58 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
    2008-08-16 22:42 . 2008-08-16 22:42 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
    2007-08-28 22:40 . 2006-05-20 00:10 88 --sh--r- c:\windows\system32\67FC3BDC4D.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 24576]
    "Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
    "updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    "Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]
    "DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-11-01 94208]
    "CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-09-15 57344]
    "UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
    "VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC.exe" [2005-09-19 1159168]
    "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
    "MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
    "HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 49152]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
    "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
    "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
    "MBMon"="CTMBHA.DLL" [2005-05-19 1345520]
    "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-07-13 47904]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
    "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-09-02 1043968]

    c:\documents and settings\Rob\Start Menu\Programs\Startup\
    qlock.lnk - c:\program files\Qlock\qlock.exe [2009-2-14 4142080]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-5-10 24576]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
    HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]
    NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2006-6-12 118784]
    WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2010-1-21 2057536]
    WDSmartWare.lnk - c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe [2010-1-21 9136960]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\DNA\\btdna.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/3/2008 2:27 PM 165584]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/3/2008 2:27 PM 17744]
    R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [1/21/2010 4:24 PM 110592]
    R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 8:58 AM 20480]
    S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/10/2004 12:51 PM 14336]
    S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]
    S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/22/2010 5:00 PM 697328]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - uphcleanhlp

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder

    2010-09-09 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.verizon.net/central/appmanager/portal/vzcentral?_nfpb=true&_pageLabel=customer#Scene_1
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mStart Page = hxxp://www.yahoo.com/
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
    IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    IE: &Search
    IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    Trusted Zone: sap.com\connectphl02
    Trusted Zone: sap.com\connectphl05
    Trusted Zone: musicmatch.com\online
    FF - ProfilePath - c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\1zr4dlo9.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.startup.homepage - hxxp://www.weather.com/
    FF - component: c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\1zr4dlo9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    FF - plugin: c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\1zr4dlo9.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}\plugins\npGarmin.dll
    FF - plugin: c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\1zr4dlo9.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
    FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    - - - - ORPHANS REMOVED - - - -

    WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
    HKCU-Run-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe
    HKCU-Run-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe
    HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
    HKCU-Run-Search Protection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe
    HKLM-Run-QuickTime Task - c:\program files\QuickTime\qttask.exe
    HKLM-Run-DSS - c:\windows\BBSTORE\DSS\DSSAGENT.EXE
    AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-09-28 21:03
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    c:\documents and settings\Rob\Application Data\Western Digital\WD SmartWare\instances\DCFA0F27-0104-45B1-98E1-96E46571E344\dcfa0f27-0104-45b1-98e1-96e46571e344-inq.db3-journal

    scan completed successfully
    hidden files: 1

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(2268)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Alwil Software\Avast5\AvastSvc.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\system32\CTsvcCDA.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\CDBurnerXP\NMSAccessU.exe
    c:\windows\system32\HPZipm12.exe
    c:\program files\Dell Support Center\bin\sprtsvc.exe
    c:\windows\system32\wdfmgr.exe
    c:\program files\UPHClean\uphclean.exe
    c:\windows\system32\Rundll32.exe
    c:\docume~1\Rob\LOCALS~1\Temp\clclean.0001
    c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
    c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
    c:\windows\System32\NOTEPAD.EXE
    c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
    .
    **************************************************************************
    .
    Completion time: 2010-09-28 21:13:46 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-09-29 01:13

    Pre-Run: 53,154,058,240 bytes free
    Post-Run: 52,985,810,944 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    Current=3 Default=3 Failed=5 LastKnownGood=6 Sets=1,2,3,5,6
    - - End Of File - - FAE6F0DBA2C433562CD20C002B20E235


    Eset log
    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=7213af32b47fbb46b96160e07d515eff
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-09-29 02:19:48
    # local_time=2010-09-28 10:19:48 (-0500, Eastern Daylight Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=768 16777215 100 0 20234382 20234382 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # compatibility_mode=9217 16777214 75 70 0 1369985 0 0
    # scanned=102581
    # found=5
    # cleaned=0
    # scan_time=3543
    C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\094ceba\733.mof.vir Win32/RogueAV.A trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1385\A0202375.dll Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1385\A0202378.DLL Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1385\A0202382.DLL a variant of Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1387\A0208142.mof Win32/RogueAV.A trojan 00000000000000000000000000000000
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Can you please advise on use of these sites?
    Trusted Zone: sap.com\connectphl02
    Trusted Zone: sap.com\connectphl05

    This site and the 2 above should be removed from the Trusted Zone, where there is lower security than in the Internet Zone.
    Trusted Zone: musicmatch.com\online
     
  7. ARShill

    ARShill TS Rookie Topic Starter

    SAP.com is my work website so these are trusted. I will remove musicmatch.com\online. Anything else? Looked like the ESET found several infected files.
     
  8. ARShill

    ARShill TS Rookie Topic Starter

    I looked for musicmatch.com\online but it does not appear in the Trusted Zone or any security list. The only ones listed are for SAP. Any suggestions?

    Thanks again for all the support!
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I'll have you move Musicmatch in HJT. Okay for the sap.com entries if wanted.

    There are no new infections in the Eset log. The Qoobox entries are from the Combofix quarantine; that's where those files go, and System Volume is for Restore Points. None of these are active in the system and all will be removed at the end. Don't do any System Restores while we're cleaning because if you did happen to pick a date that was infected, then you could reinfect the system. But we don't move those yet because sometimes, SR can be the only way back into a system!

    Question: Do you know what this file is?
    2006-06-13 00:51 c:\documents and settings\All Users\Application Data\PKP_DLec.DAT

    Please run this Custom CFScript

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    DDS::
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD} - No File
    TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
    TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
    TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
    TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
    uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u 
    IE: &Search - ?p=ZSfox000
    mRun: [DSS] c:\windows\bbstore\dss\DSSAGENT.EXE 
    
    Folder::
    c:\documents and settings\All Users\Application Data\McAfee
    
    Extra::
    File::
    c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    Firefox::
    Firefox-: - Profile- c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\1zr4dlo9.default\
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=-
    
    Driver::
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    FYI: DSSAgent by Brøderbund - spyware. Sends encrypted emails about the system back to the originators of the program. Also a resource hog.

    Handle these updates please:
    Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
    Java Updates: Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.

    Please run this when through with above:

    Download the HijackThis Installer and save to the desktop:
    1. Double-click on HJTInstall.exe to run the program.
    2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
    3. Accept the license agreement by clicking the "I Accept" button.
    4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    5. Click "Save log" to save the log file and then the log will open in notepad.
    6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
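As an added illustration of the point made above about where the ESET hits live (this is example code written for this edit, not code from the thread, from ESET or from ComboFix), the Python script below parses ESET Online Scanner result lines in the layout posted earlier in the thread and tags each finding as sitting in the ComboFix quarantine (C:\Qoobox\Quarantine), in a System Restore point (System Volume Information\_restore...), or in an active location that still needs attention. The regular expression, the function names and the fourth sample line (a placeholder path) are constructed for this example; the first three sample lines are copied from the ESET log posted above.

```python
"""Classify ESET Online Scanner findings by where the flagged file lives.

Example code added for this edit; not the thread's, ESET's or ComboFix's own code.
Quarantine and restore-point hits are inert copies; only "active" hits are live.
"""
import re
from collections import Counter
from dataclasses import dataclass

# One result line of an ESET Online Scanner log has the layout
#   <file path> <threat name> <32-hex id> [<flag>]
# The path may contain spaces, so the line is anchored on the 32-hex field and
# the threat name is taken as "[a variant of] <family> <class>" (assumed layout,
# derived from the log lines posted in this thread).
_RESULT_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<threat>(?:a variant of )?\S+ \S+)\s+"
    r"(?P<hexid>[0-9A-Fa-f]{32})"
    r"(?:\s+(?P<flag>\S+))?\s*$"
)


@dataclass(frozen=True)
class Finding:
    path: str
    threat: str
    location: str  # "quarantine", "restore-point" or "active"


def classify_location(path: str) -> str:
    """Tag a path by whether the file is an inert copy or a live file."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "quarantine"        # ComboFix moved it here; not executable from here
    if "\\system volume information\\_restore" in p:
        return "restore-point"     # only comes back if that restore point is applied
    return "active"


def parse_eset_log(text: str) -> list:
    """Return a Finding for every result line; skip '#' headers and chatter."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # key=value header lines carry no finding
        m = _RESULT_RE.match(line)
        if not m:
            continue  # e.g. "all ok" from the installer
        findings.append(Finding(m["path"], m["threat"],
                                classify_location(m["path"])))
    return findings


def summarize(findings) -> dict:
    """Count findings per location so the inert ones are easy to discount."""
    return dict(Counter(f.location for f in findings))


def active_findings(findings) -> list:
    """Only the hits outside quarantine/restore points need follow-up."""
    return [f for f in findings if f.location == "active"]


# Constructed sample: first three lines copied from the ESET log in this thread,
# the fourth is a placeholder path made up for this example.
SAMPLE_LOG = r"""
# version=7
# found=4
# cleaned=0
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\094ceba\733.mof.vir Win32/RogueAV.A trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1385\A0202375.dll Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1385\A0202382.DLL a variant of Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
C:\Documents and Settings\All Users\Application Data\EXAMPLE_PLACEHOLDER\sample.exe Win32/RogueAV.A trojan 00000000000000000000000000000000
"""

if __name__ == "__main__":
    found = parse_eset_log(SAMPLE_LOG)
    print(summarize(found))
    for f in active_findings(found):
        print("needs attention:", f.path, "->", f.threat)
```

Run on the sample, the summary shows one quarantine hit, two restore-point hits and one active hit, and only the active one is listed for follow-up. Restore-point hits are the reason helpers ask not to run System Restore during cleaning: applying an infected point brings those copies back.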
     
  10. ARShill

    ARShill TS Rookie Topic Starter

    Add'l logs

    Hi Bobbye,
    Okay, I followed the instructions you provided. Here are the logs.

    Also, I do not know what '2006-06-13 00:51 c:\documents and settings\All Users\Application Data\PKP_DLec.DAT' is.

    ComboFix log:
    ComboFix 10-09-30.01 - Rob 09/30/2010 18:55:20.2.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1277 [GMT -4:00]
    Running from: c:\documents and settings\Rob\My Documents\Downloads\ComboFix.exe
    Command switches used :: c:\documents and settings\Rob\My Documents\Downloads\CFScript.txt
    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

    FILE ::
    "c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\docume~1\Rob\LOCALS~1\Temp\clclean.0001.dir.0000\~df394b.tmp
    c:\documents and settings\All Users\Application Data\McAfee
    c:\documents and settings\All Users\Application Data\McAfee\MCLOGS\Common\McCHSvc\McCHSvc000.log
    c:\documents and settings\All Users\Application Data\McAfee\MCLOGS\McUICnt\McUICnt\McUICnt000.log
    c:\documents and settings\All Users\Application Data\McAfee\MCLOGS\PartnerCustom\McCHSvc\McCHSvc000.log
    c:\documents and settings\All Users\Application Data\McAfee\MCLOGS\PartnerCustom\McUICnt\McUICnt000.log
    c:\documents and settings\All Users\Application Data\McAfee\MCLOGS\PartnerCustom\SSScheduler\SSScheduler000.log
    c:\documents and settings\All Users\Application Data\McAfee\MCLOGS\SecurityScanner\McUICnt\McUICnt000.log
    c:\documents and settings\All Users\Application Data\McAfee\SpamKiller\Accounts.xml
    c:\documents and settings\All Users\Application Data\McAfee\SpamKiller\Configuration.xml
    c:\documents and settings\All Users\Application Data\McAfee\SpamKiller\Filters.xml
    c:\documents and settings\All Users\Application Data\McAfee\SpamKiller\Friends.xml
    c:\documents and settings\All Users\Application Data\McAfee\SpamKiller\Logs\Complaints.log
    c:\documents and settings\All Users\Application Data\McAfee\SpamKiller\Logs\Filtering.log
    c:\documents and settings\All Users\Application Data\McAfee\SpamKiller\Logs\System.log
    c:\documents and settings\All Users\Application Data\McAfee\SpamKiller\MskDetct.dat
    c:\documents and settings\All Users\Application Data\McAfee\SpamKiller\Templates\Templates.xml
    c:\documents and settings\All Users\Application Data\McAfee\SpamKiller\Users.xml
    c:\documents and settings\All Users\Application Data\McAfee\SpamKiller\Users\1\Filters.xml
    c:\documents and settings\All Users\Application Data\McAfee\SpamKiller\Users\1\Friends.xml
    c:\documents and settings\All Users\Application Data\McAfee\SpamKiller\Users\2\Filters.xml
    c:\documents and settings\All Users\Application Data\McAfee\SpamKiller\Users\2\Friends.xml
    c:\documents and settings\All Users\Application Data\McAfee\SpamKiller\Users\3\Filters.xml
    c:\documents and settings\All Users\Application Data\McAfee\SpamKiller\Users\3\Friends.xml
    c:\documents and settings\All Users\Application Data\McAfee\SpamKiller\Users\4\Filters.xml
    c:\documents and settings\All Users\Application Data\McAfee\SpamKiller\Users\4\Friends.xml
    c:\documents and settings\Rob\Local Settings\temp\clclean.0001.dir.0000\~df394b.tmp
    c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe
    c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

    .
    ((((((((((((((((((((((((( Files Created from 2010-08-28 to 2010-09-30 )))))))))))))))))))))))))))))))
    .

    2010-09-29 01:17 . 2010-09-29 01:17 -------- d-----w- c:\program files\ESET
    2010-09-26 21:23 . 2010-09-26 21:23 -------- d-----w- c:\documents and settings\Rob\Application Data\Malwarebytes
    2010-09-26 21:23 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-09-26 21:23 . 2010-09-27 11:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-09-26 21:23 . 2010-09-26 21:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-09-26 21:23 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-09-25 23:45 . 2010-09-02 13:20 69120 ----a-w- c:\windows\system32\zlcomm.dll
    2010-09-25 23:45 . 2010-09-02 13:20 103936 ----a-w- c:\windows\system32\zlcommdb.dll
    2010-09-25 23:45 . 2010-09-02 13:20 1238528 ----a-w- c:\windows\system32\zpeng25.dll
    2010-09-25 23:45 . 2010-09-25 23:45 -------- d-----w- c:\windows\system32\ZoneLabs
    2010-09-25 23:45 . 2010-09-25 23:45 -------- d-----w- c:\program files\Zone Labs
    2010-09-25 23:44 . 2010-09-30 22:22 -------- d-----w- c:\windows\Internet Logs
    2010-09-25 21:07 . 2010-09-25 21:07 -------- d-----w- c:\documents and settings\All Users\Application Data\ZA_PreservedFiles
    2010-09-25 20:49 . 2010-09-25 20:49 -------- d-----w- c:\program files\Conduit
    2010-09-13 14:19 . 2010-09-13 14:19 -------- d-sh--w- c:\documents and settings\All Users\Application Data\MSFVKFBMS
    2010-09-08 22:28 . 2010-08-30 18:34 1496064 ----a-w- c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\1zr4dlo9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    2010-09-08 22:28 . 2010-08-30 18:33 43008 ----a-w- c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\1zr4dlo9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
    2010-09-08 22:28 . 2010-08-30 18:33 338944 ----a-w- c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\1zr4dlo9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
    2010-09-08 22:28 . 2010-08-30 18:33 346112 ----a-w- c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\1zr4dlo9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
    2010-09-02 15:26 . 2010-09-02 15:27 -------- d-----w- c:\program files\iTunes
    2010-09-02 15:22 . 2010-09-03 01:36 -------- d-----w- c:\program files\QuickTime
    2010-09-02 15:17 . 2010-09-02 15:17 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 10.0.0.68\SetupAdmin.exe
    2010-09-01 02:38 . 2010-07-09 14:26 475136 ----a-w- c:\documents and settings\All Users\Application Data\Dell\RMC\RMCCreationInfo.exe
    2010-09-01 02:38 . 2010-07-02 14:25 1118208 ------w- c:\documents and settings\All Users\Application Data\Dell\RMC\Libxml2.dll
    2010-09-01 02:38 . 2010-07-02 14:25 60416 ----a-w- c:\documents and settings\All Users\Application Data\Dell\RMC\ZLib1.dll
    2010-09-01 02:37 . 2010-08-17 18:10 372736 ------w- c:\documents and settings\All Users\Application Data\Dell\DSL\DSLCheck.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-30 12:13 . 2008-06-14 12:54 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-09-29 20:56 . 2006-06-13 00:51 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
    2010-09-25 23:45 . 2006-05-16 20:46 4212 ---ha-w- c:\windows\system32\zllictbl.dat
    2010-09-25 20:33 . 2008-02-04 22:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
    2010-09-25 20:31 . 2008-10-04 16:49 -------- d-----w- c:\program files\LeapFrog
    2010-09-07 15:12 . 2010-06-29 16:56 38848 ----a-w- c:\windows\avastSS.scr
    2010-09-07 15:11 . 2008-12-03 18:26 167592 ----a-w- c:\windows\system32\aswBoot.exe
    2010-09-07 14:52 . 2008-12-03 18:27 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-09-07 14:52 . 2008-12-03 18:27 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-09-07 14:47 . 2008-12-03 18:27 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-09-07 14:47 . 2008-12-03 18:27 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-09-07 14:47 . 2008-12-03 18:27 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-09-07 14:47 . 2008-12-03 18:27 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-09-07 14:46 . 2008-12-03 18:27 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-09-04 17:18 . 2008-02-26 13:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Dell
    2010-09-03 16:50 . 2009-10-21 21:31 -------- d-----w- c:\documents and settings\Boys\Application Data\Apple Computer
    2010-09-02 15:26 . 2006-08-12 17:40 -------- d-----w- c:\program files\iPod
    2010-09-02 15:26 . 2007-08-30 00:28 -------- d-----w- c:\program files\Common Files\Apple
    2010-08-21 17:39 . 2006-12-26 23:39 -------- d-----w- c:\program files\The Learning Company
    2010-08-17 13:17 . 2004-08-10 16:51 58880 ----a-w- c:\windows\system32\spoolsv.exe
    2010-08-04 20:17 . 2010-08-04 20:17 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
    2010-07-26 20:01 . 2010-08-01 11:27 37184 ----a-w- c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\1zr4dlo9.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
    2010-07-26 20:01 . 2010-08-01 11:27 32032 ----a-w- c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\1zr4dlo9.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
    2010-07-22 21:00 . 2010-07-22 21:00 697328 ----a-w- c:\windows\system32\drivers\sptd.sys
    2010-07-22 19:33 . 2010-07-22 19:33 71706968 ----a-w- c:\documents and settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Updates\DidjPlugin.exe
    2010-07-22 19:32 . 2010-07-22 19:32 31287640 ----a-w- c:\documents and settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Updates\UPCInstaller.exe
    2010-07-22 15:49 . 2004-08-10 16:51 590848 ----a-w- c:\windows\system32\rpcrt4.dll
    2010-07-22 05:57 . 2009-04-16 22:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2008-08-16 22:42 . 2008-08-16 22:42 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
    2008-08-16 22:42 . 2008-08-16 22:42 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
    2008-08-16 22:42 . 2008-08-16 22:42 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
    2008-08-16 22:42 . 2008-08-16 22:42 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
    2008-08-16 22:43 . 2008-08-16 22:43 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
    2008-08-16 22:42 . 2008-08-16 22:42 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
    2008-08-16 22:42 . 2008-08-16 22:42 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
    2008-05-21 13:41 . 2008-05-21 13:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
    2008-05-21 13:41 . 2008-05-21 13:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
    2008-05-21 13:41 . 2008-05-21 13:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
    2008-06-05 18:58 . 2008-06-05 18:58 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
    2008-08-16 22:42 . 2008-08-16 22:42 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
    2007-08-28 22:40 . 2006-05-20 00:10 88 --sh--r- c:\windows\system32\67FC3BDC4D.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 24576]
    "Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    "Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]
    "DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-11-01 94208]
    "CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-09-15 57344]
    "UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
    "VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC.exe" [2005-09-19 1159168]
    "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
    "MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
    "HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 49152]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
    "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
    "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
    "MBMon"="CTMBHA.DLL" [2005-05-19 1345520]
    "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-07-13 47904]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
    "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-09-02 1043968]

    c:\documents and settings\Rob\Start Menu\Programs\Startup\
    qlock.lnk - c:\program files\Qlock\qlock.exe [2009-2-14 4142080]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-5-10 24576]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
    HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]
    NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2006-6-12 118784]
    WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2010-1-21 2057536]
    WDSmartWare.lnk - c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe [2010-1-21 9136960]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\DNA\\btdna.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/3/2008 2:27 PM 165584]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/3/2008 2:27 PM 17744]
    R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [1/21/2010 4:24 PM 110592]
    R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 8:58 AM 20480]
    S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/10/2004 12:51 PM 14336]
    S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]
    S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/22/2010 5:00 PM 697328]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - uphcleanhlp

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder

    2010-09-09 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.verizon.net/central/appmanager/portal/vzcentral?_nfpb=true&_pageLabel=customer#Scene_1
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mStart Page = hxxp://www.yahoo.com/
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
    IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    Trusted Zone: sap.com\connectphl02
    Trusted Zone: sap.com\connectphl05
    Trusted Zone: musicmatch.com\online
    FF - ProfilePath - c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\1zr4dlo9.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.startup.homepage - hxxp://www.weather.com/
    FF - component: c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\1zr4dlo9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    FF - plugin: c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\1zr4dlo9.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}\plugins\npGarmin.dll
    FF - plugin: c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\1zr4dlo9.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
    FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-09-30 18:59
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2010-09-30 19:01:58
    ComboFix-quarantined-files.txt 2010-09-30 23:01
    ComboFix2.txt 2010-09-29 01:13

    Pre-Run: 52,377,718,784 bytes free
    Post-Run: 52,508,852,224 bytes free

    Current=3 Default=3 Failed=5 LastKnownGood=6 Sets=1,2,3,5,6
    - - End Of File - - 4E91BE7E38B43716DC621782C39F4AE8
     
  11. ARShill

    ARShill TS Rookie Topic Starter

    HJT Log

    HJT log:

    HijackThis Log:
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 7:25:19 PM, on 9/30/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.17080)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
    C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\McAfee\SpamKiller\MSKDetct.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Dell Support Center\bin\sprtcmd.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\CDBurnerXP\NMSAccessU.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
    C:\Program Files\UPHClean\uphclean.exe
    C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
    C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\DOCUME~1\Rob\LOCALS~1\Temp\clclean.0001
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe
    C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Qlock\qlock.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.verizon.net/central/appmanager/portal/vzcentral?_nfpb=true&_pageLabel=customer#Scene_1
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: (no name) - {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD} - (no file)
    O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0311.0\msneshellx.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0311.0\msneshellx.dll
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [VoiceCenter] "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
    O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
    O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
    O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
    O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [DSS] C:\WINDOWS\BBSTORE\DSS\DSSAGENT.EXE
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
    O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: qlock.lnk = C:\Program Files\Qlock\qlock.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    O4 - Global Startup: WDDMStatus.lnk = C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
    O4 - Global Startup: WDSmartWare.lnk = C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://connectphl02.sap.com
    O15 - Trusted Zone: http://connectphl05.sap.com
    O16 - DPF: {2A0B9B82-D5C8-4D3D-8338-AD55B23662B1} (F5 Networks CacheCleaner) - https://connectphl02.sap.com/vdesk/cachecleaner.cab#version=6030,2009,0622,1839
    O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://connectphl05.sap.com/vdesk/terminal/InstallerControl.cab#version=6030,2009,0622,1853
    O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.3.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} (F5 Networks Policy Agent Host Class) - https://connectphl05.sap.com/vdesk/terminal/f5InspectionHost.cab#version=6030,2009,0622,1842
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1170514389796
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://maunalani.com/AxisCamControl.ocx
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D} (F5 Networks OS Policy Agent) - https://connectphl05.sap.com/policy...in32/f5syschk.cab#Version=6030,2009,0622,1850
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
    O23 - Service: NMSAccess - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    O23 - Service: WD SmartWare Drive Manager (WDDMService) - WDC - C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
    O23 - Service: WD SmartWare Background Service (WDSmartWareBackgroundService) - Memeo - C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe

    --
    End of file - 13555 bytes


    I can't thank you enough!!! :wave:
     
  12. ARShill

    ARShill TS Rookie Topic Starter

    Hijack log in separate post.
     
  13. ARShill

    ARShill TS Rookie Topic Starter

    Hi, two quick updates
    - When I log in now I get the following error message:
    MSKDetector
    Unable to write to c:\Documents and Settings\All Users\Application Data\McAfee\SpanKiller\MskDetct.dat.
    McAfee was preloaded on the computer when we got it but I never used it so I removed it. Not sure why this file was not removed during de-install.

    - The computer has also been freezing upon start up the last two days :-(. I noticed that the WDSmartWare program was taking up a lot of CPU so I de-installed that software. I can re-install once we get everything else fixed.

    Hopefully I didn't make matters worse. Thanks again for all of your support!
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're welcome for the help. I had the following set up last night, but didn't get it sent so I added the two 'update problems'. If you are slow to load, it's because you have so many processes set to start on boot. Each one of them has to load, then each runs in the background, eventually slowing you down as you gather more temporary internet files, then each needs to stop when you shut down.

    Review all those O4 processes in the HJT log> almost none need to start. Review all those preloaded Dell processes- chances are you don't use them, but they're running. Take the HP printer and all its related processes off of Startup. You can use the printer when needed> click on File> Print, instead of it running all the time.

    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\windows\system32\67FC3BDC4D.sys
    c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
    c:\windows\system32\zllictbl.dat
    
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\DNA\\btdna.exe"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSKDetectorExe"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    "WDSmartWare.exe"=- 
    "WDDMStatus.exe"=-
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    Please reopen HijackThis to 'do system scan only.' Check each of the following, if present:

    C:\Program Files\UPHClean\uphclean.exe
    C:\DOCUME~1\Rob\LOCALS~1\Temp\clclean.0001
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: (no name) - {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD} - (no file)
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
    O23 - Service: WD SmartWare Drive Manager (WDDMService) - WDC - C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
    O23 - Service: WD SmartWare Background Service (WDSmartWareBackgroundService) - Memeo - C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe


    Close all windows except HijackThis and click on "Fix Checked."

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
    Click on Start> Run> type in services.msc> find each of the following and double click to open> Change Startup type to Manual>
    WDDMService
    WDSmartWareBackgroundService

    Close Services.
    Reboot the computer.
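The kind of triage the checklist above applies to the HijackThis log, as an added Python example that is not part of this thread or of HijackThis itself: it parses a constructed log excerpt modelled on the entries quoted here and flags orphan BHOs, services whose binary is missing, autostarts that run an uninstall stub or an unqualified executable, and processes running out of a Temp folder, and it counts the O4 autostart entries the helper says to prune. The rule names and the `Finding` type are the example's own.

```python
"""Triage helper for HijackThis v2 log excerpts (added example, not part of
the thread or of HijackThis): flags the kinds of entries a reviewer singles
out before telling a user what to 'Fix Checked'."""
import re
from dataclasses import dataclass

# Constructed sample in HijackThis log format, modelled on entries quoted in
# this thread. It is a short excerpt, not the full log.
SAMPLE_HJT_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\DOCUME~1\Rob\LOCALS~1\Temp\clclean.0001
C:\Program Files\UPHClean\uphclean.exe

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
"""


@dataclass(frozen=True)
class Finding:
    entry: str   # the log line exactly as written
    reason: str  # why a reviewer would look at it


# "O4 - ...", "R1 - ...", etc.: HJT section code followed by the entry body.
HJT_ENTRY = re.compile(r"^(O\d+|R\d|F\d|N\d) - (.*)$")
# O4 Run-key entries: "HKLM\..\Run: [name] command line"
RUN_ENTRY = re.compile(r"\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# A literal "\Temp\" path component, any case (covers LOCALS~1\Temp too).
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)


def parse_hjt_log(text):
    """Return (running_processes, entries); entries are (code, body, raw_line)."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        m = HJT_ENTRY.match(line)
        if m:
            in_processes = False  # first O/R/F/N entry ends the process list
            entries.append((m.group(1), m.group(2), line))
        elif in_processes:
            processes.append(line)
    return processes, entries


def _executable(cmd):
    """First token of a Run command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def triage(text):
    """Apply the review rules; return (findings, number of O4 autostart entries)."""
    processes, entries = parse_hjt_log(text)
    findings = []
    for proc in processes:
        if TEMP_DIR.search(proc):
            findings.append(Finding(proc, "process running from a Temp directory"))
        elif not proc.lower().endswith(".exe"):
            findings.append(Finding(proc, "running process without an .exe extension"))
    autostarts = 0
    for code, body, line in entries:
        if code == "O2" and body.endswith("(no file)"):
            findings.append(Finding(line, "BHO CLSID registered but its DLL is gone (orphan)"))
        elif code == "O4":
            autostarts += 1
            run = RUN_ENTRY.search(body)
            if not run:
                continue  # Startup-folder .lnk entries are counted but not inspected here
            cmd = run.group("cmd")
            if "/uninstall" in cmd.lower():
                findings.append(Finding(line, "autostart runs an uninstall stub every boot"))
            elif "\\" not in _executable(cmd):
                findings.append(Finding(line, "autostart executable has no directory (resolved via PATH)"))
        elif code == "O23":
            if "(file missing)" in body:
                findings.append(Finding(line, "service registered but its binary is missing"))
            elif "Unknown owner" in body:
                findings.append(Finding(line, "service binary carries no publisher information"))
    return findings, autostarts


if __name__ == "__main__":
    found, count = triage(SAMPLE_HJT_LOG)
    print(f"{count} O4 autostart entries; {len(found)} entries to review")
    for f in found:
        print(f"  [{f.reason}] {f.entry}")
```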
     
  15. ARShill

    ARShill TS Rookie Topic Starter

    More logs

    Okay. Thanks for the suggestion to clean up the startup programs. I deleted the ones I was comfortable with so we shall see how it goes.

    Ran the custom script. See log below.

    Ran HijackThis. Only found two files to fix:
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: (no name) - {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD} - (no file)

    Rebooted in safe mode to make additional changes suggested but could not find the services listed. Could this be because I de-installed the software? If so, should I make these changes once I re-install it?

    ComboFix log:
    ComboFix 10-10-01.06 - Rob 10/02/2010 11:08:09.3.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1446 [GMT -4:00]
    Running from: c:\documents and settings\Rob\Desktop\virus removal files\ComboFix.exe
    Command switches used :: c:\documents and settings\Rob\Desktop\virus removal files\CFScript.txt
    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

    FILE ::
    "c:\documents and settings\All Users\Application Data\PKP_DLec.DAT"
    "c:\windows\system32\67FC3BDC4D.sys"
    "c:\windows\system32\zllictbl.dat"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\docume~1\Rob\LOCALS~1\Temp\clclean.0001.dir.0000\~df394b.tmp
    c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
    c:\documents and settings\Rob\Local Settings\temp\clclean.0001.dir.0000\~df394b.tmp
    c:\windows\system32\67FC3BDC4D.sys
    c:\windows\system32\zllictbl.dat

    .
    ((((((((((((((((((((((((( Files Created from 2010-09-02 to 2010-10-02 )))))))))))))))))))))))))))))))
    .

    2010-09-30 23:24 . 2010-09-30 23:24 388096 ----a-r- c:\documents and settings\Rob\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-09-30 23:24 . 2010-09-30 23:24 -------- d-----w- c:\program files\Trend Micro
    2010-09-30 23:22 . 2010-09-30 23:22 61440 ----a-w- c:\documents and settings\Rob\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-1341d2c2-n\decora-sse.dll
    2010-09-30 23:22 . 2010-09-30 23:22 503808 ----a-w- c:\documents and settings\Rob\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3a5917ae-n\msvcp71.dll
    2010-09-30 23:22 . 2010-09-30 23:22 499712 ----a-w- c:\documents and settings\Rob\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3a5917ae-n\jmc.dll
    2010-09-30 23:22 . 2010-09-30 23:22 348160 ----a-w- c:\documents and settings\Rob\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3a5917ae-n\msvcr71.dll
    2010-09-30 23:22 . 2010-09-30 23:22 12800 ----a-w- c:\documents and settings\Rob\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-1341d2c2-n\decora-d3d.dll
    2010-09-30 23:22 . 2010-09-30 23:22 -------- d-----w- c:\program files\Common Files\Java
    2010-09-30 23:22 . 2010-09-30 23:21 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-09-30 23:16 . 2010-09-30 23:17 -------- d-----w- c:\program files\Common Files\Adobe
    2010-09-29 01:17 . 2010-09-29 01:17 -------- d-----w- c:\program files\ESET
    2010-09-26 21:23 . 2010-09-26 21:23 -------- d-----w- c:\documents and settings\Rob\Application Data\Malwarebytes
    2010-09-26 21:23 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-09-26 21:23 . 2010-09-27 11:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-09-26 21:23 . 2010-09-26 21:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-09-26 21:23 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-09-25 23:45 . 2010-09-02 13:20 69120 ----a-w- c:\windows\system32\zlcomm.dll
    2010-09-25 23:45 . 2010-09-02 13:20 103936 ----a-w- c:\windows\system32\zlcommdb.dll
    2010-09-25 23:45 . 2010-09-02 13:20 1238528 ----a-w- c:\windows\system32\zpeng25.dll
    2010-09-25 23:45 . 2010-09-25 23:45 -------- d-----w- c:\windows\system32\ZoneLabs
    2010-09-25 23:45 . 2010-09-25 23:45 -------- d-----w- c:\program files\Zone Labs
    2010-09-25 23:44 . 2010-10-02 15:02 -------- d-----w- c:\windows\Internet Logs
    2010-09-25 21:07 . 2010-09-25 21:07 -------- d-----w- c:\documents and settings\All Users\Application Data\ZA_PreservedFiles
    2010-09-25 20:49 . 2010-09-25 20:49 -------- d-----w- c:\program files\Conduit
    2010-09-13 14:19 . 2010-09-13 14:19 -------- d-sh--w- c:\documents and settings\All Users\Application Data\MSFVKFBMS
    2010-09-08 22:28 . 2010-08-30 18:34 1496064 ----a-w- c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\1zr4dlo9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    2010-09-08 22:28 . 2010-08-30 18:33 43008 ----a-w- c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\1zr4dlo9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
    2010-09-08 22:28 . 2010-08-30 18:33 338944 ----a-w- c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\1zr4dlo9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
    2010-09-08 22:28 . 2010-08-30 18:33 346112 ----a-w- c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\1zr4dlo9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
    2010-09-02 15:26 . 2010-09-02 15:27 -------- d-----w- c:\program files\iTunes
    2010-09-02 15:22 . 2010-09-03 01:36 -------- d-----w- c:\program files\QuickTime
    2010-09-02 15:17 . 2010-09-02 15:17 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 10.0.0.68\SetupAdmin.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-10-02 01:17 . 2010-10-02 11:52 137216 ----a-w- c:\windows\Internet Logs\xDB7.tmp
    2010-09-30 23:21 . 2006-05-10 15:00 -------- d-----w- c:\program files\Java
    2010-09-30 12:13 . 2008-06-14 12:54 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-09-25 20:33 . 2008-02-04 22:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
    2010-09-25 20:31 . 2008-10-04 16:49 -------- d-----w- c:\program files\LeapFrog
    2010-09-07 15:12 . 2010-06-29 16:56 38848 ----a-w- c:\windows\avastSS.scr
    2010-09-07 15:11 . 2008-12-03 18:26 167592 ----a-w- c:\windows\system32\aswBoot.exe
    2010-09-07 14:52 . 2008-12-03 18:27 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-09-07 14:52 . 2008-12-03 18:27 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-09-07 14:47 . 2008-12-03 18:27 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-09-07 14:47 . 2008-12-03 18:27 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-09-07 14:47 . 2008-12-03 18:27 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-09-07 14:47 . 2008-12-03 18:27 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-09-07 14:46 . 2008-12-03 18:27 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-09-04 17:18 . 2008-02-26 13:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Dell
    2010-09-03 16:50 . 2009-10-21 21:31 -------- d-----w- c:\documents and settings\Boys\Application Data\Apple Computer
    2010-09-02 15:26 . 2006-08-12 17:40 -------- d-----w- c:\program files\iPod
    2010-09-02 15:26 . 2007-08-30 00:28 -------- d-----w- c:\program files\Common Files\Apple
    2010-08-21 17:39 . 2006-12-26 23:39 -------- d-----w- c:\program files\The Learning Company
    2010-08-17 18:10 . 2010-09-01 02:37 372736 ------w- c:\documents and settings\All Users\Application Data\Dell\DSL\DSLCheck.exe
    2010-08-17 13:17 . 2004-08-10 16:51 58880 ----a-w- c:\windows\system32\spoolsv.exe
    2010-08-04 20:17 . 2010-08-04 20:17 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
    2010-07-22 21:00 . 2010-07-22 21:00 697328 ----a-w- c:\windows\system32\drivers\sptd.sys
    2010-07-22 19:33 . 2010-07-22 19:33 71706968 ----a-w- c:\documents and settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Updates\DidjPlugin.exe
    2010-07-22 19:32 . 2010-07-22 19:32 31287640 ----a-w- c:\documents and settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Updates\UPCInstaller.exe
    2010-07-22 15:49 . 2004-08-10 16:51 590848 ----a-w- c:\windows\system32\rpcrt4.dll
    2010-07-22 05:57 . 2009-04-16 22:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-07-09 14:26 . 2010-09-01 02:38 475136 ----a-w- c:\documents and settings\All Users\Application Data\Dell\RMC\RMCCreationInfo.exe
    2008-08-16 22:42 . 2008-08-16 22:42 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
    2008-08-16 22:42 . 2008-08-16 22:42 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
    2008-08-16 22:42 . 2008-08-16 22:42 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
    2008-08-16 22:42 . 2008-08-16 22:42 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
    2008-08-16 22:43 . 2008-08-16 22:43 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
    2008-08-16 22:42 . 2008-08-16 22:42 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
    2008-08-16 22:42 . 2008-08-16 22:42 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
    2008-05-21 13:41 . 2008-05-21 13:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
    2008-05-21 13:41 . 2008-05-21 13:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
    2008-05-21 13:41 . 2008-05-21 13:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
    2008-06-05 18:58 . 2008-06-05 18:58 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
    2008-08-16 22:42 . 2008-08-16 22:42 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-09-30_22.59.50 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-10-02 14:51 . 2010-10-02 14:51 16384 c:\windows\temp\Perflib_Perfdata_5a4.dat
    + 2009-12-22 00:09 . 2009-12-22 00:09 16832 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\ViewerPS.dll
    + 2009-12-22 05:57 . 2009-12-22 05:57 35760 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\reader_sl.exe
    + 2009-12-22 00:02 . 2009-12-22 00:02 79280 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\PDFPrevHndlr.dll
    + 2009-12-22 03:21 . 2009-12-22 03:21 99776 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\eula.exe
    + 2009-12-11 19:57 . 2009-12-11 19:57 70584 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\adobeextractfiles.dll
    + 2009-12-22 03:37 . 2009-12-22 03:37 27048 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\acrotextextractor.exe
    + 2009-12-21 22:39 . 2009-12-21 22:39 15288 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroRd32Info.exe
    + 2009-12-21 22:27 . 2009-12-21 22:27 75200 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\acroiehelpershim.dll
    + 2009-12-21 22:27 . 2009-12-21 22:27 61888 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroIEHelper.dll
    + 2010-09-30 23:22 . 2010-09-30 23:21 153376 c:\windows\system32\javaws.exe
    + 2010-09-30 23:22 . 2010-09-30 23:21 145184 c:\windows\system32\javaw.exe
    + 2010-09-30 23:22 . 2010-09-30 23:21 145184 c:\windows\system32\java.exe
    + 2010-09-30 23:22 . 2010-09-30 23:22 180224 c:\windows\Installer\7ffa8.msi
    + 2010-09-30 23:21 . 2010-09-30 23:21 676352 c:\windows\Installer\7ffa2.msi
    + 2009-12-11 19:57 . 2009-12-11 19:57 326056 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\readerupdater.exe
    + 2009-12-21 22:35 . 2009-12-21 22:35 378264 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\pdfshell.dll
    + 2009-12-22 00:05 . 2009-12-22 00:05 116168 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\PDFPrevHndlrShim.exe
    + 2009-11-09 23:18 . 2009-11-09 23:18 684032 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\JP2KLib.dll
    + 2009-12-22 00:02 . 2009-12-22 00:02 542168 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AdobeCollabSync.exe
    + 2009-12-11 19:57 . 2009-12-11 19:57 948672 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\adobearm.exe
    + 2009-12-21 22:43 . 2009-12-21 22:43 120240 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroRdIF.dll
    + 2009-12-22 05:57 . 2009-12-22 05:57 349616 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroRd32.exe
    + 2009-12-21 22:15 . 2009-12-21 22:15 660912 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroPDF.dll
    + 2009-12-21 23:32 . 2009-12-21 23:32 280024 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\acrobroker.exe
    + 2009-12-11 19:57 . 2009-12-11 19:57 326056 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\acrobatupdater.exe
    + 2009-12-21 23:15 . 2009-12-21 23:15 251296 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\a3dutility.exe
    + 2010-09-30 23:24 . 2010-09-30 23:24 1094656 c:\windows\Installer\7ffac.msi
    + 2010-06-20 08:01 . 2010-06-20 08:01 8040960 c:\windows\Installer\7ff9c.msp
    + 2010-09-30 23:17 . 2010-09-30 23:17 3940352 c:\windows\Installer\7ff9a.msi
    + 2009-12-21 22:29 . 2009-12-21 22:29 2409880 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\rt3d.dll
    + 2009-12-21 23:00 . 2009-12-21 23:00 1298996 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\JSByteCodeWin.bin
    + 2009-12-22 03:31 . 2009-12-22 03:31 5713920 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AGM.dll
    + 2010-04-04 06:54 . 2010-04-04 06:54 11850240 c:\windows\Installer\7ff9d.msp
    + 2010-08-13 18:09 . 2010-08-13 18:09 12263936 c:\windows\Installer\7ff9b.msp
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 24576]
    "Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    "Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]
    "DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-11-01 94208]
    "CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-09-15 57344]
    "UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
    "VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC.exe" [2005-09-19 1159168]
    "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
    "HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 49152]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
    "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
    "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
    "MBMon"="CTMBHA.DLL" [2005-05-19 1345520]
    "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-07-13 47904]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
    "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-09-02 1043968]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
     
  16. ARShill

    ARShill TS Rookie Topic Starter

    rest of log

    c:\documents and settings\Rob\Start Menu\Programs\Startup\
    qlock.lnk - c:\program files\Qlock\qlock.exe [2009-2-14 4142080]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-5-10 24576]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
    HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]
    NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2006-6-12 118784]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\DNA\\btdna.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/3/2008 2:27 PM 165584]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/3/2008 2:27 PM 17744]
    S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys --> c:\windows\system32\DRIVERS\wdcsam.sys [?]
    S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/22/2010 5:00 PM 697328]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - uphcleanhlp
    .
    Contents of the 'Scheduled Tasks' folder

    2010-09-09 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.verizon.net/central/appmanager/portal/vzcentral?_nfpb=true&_pageLabel=customer#Scene_1
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mStart Page = hxxp://www.yahoo.com/
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
    IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    Trusted Zone: sap.com\connectphl02
    Trusted Zone: sap.com\connectphl05
    Trusted Zone: musicmatch.com\online
    FF - ProfilePath - c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\1zr4dlo9.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.startup.homepage - hxxp://www.weather.com/
    FF - component: c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\1zr4dlo9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    FF - plugin: c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\1zr4dlo9.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}\plugins\npGarmin.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-10-02 11:13
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2010-10-02 11:15:10
    ComboFix-quarantined-files.txt 2010-10-02 15:15
    ComboFix2.txt 2010-09-30 23:01
    ComboFix3.txt 2010-09-29 01:13

    Pre-Run: 51,534,905,344 bytes free
    Post-Run: 51,648,299,008 bytes free

    Current=3 Default=3 Failed=5 LastKnownGood=6 Sets=1,2,3,5,6
    - - End Of File - - AF8EDBD6963863618CDD5B51CA11C940



    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    By the way, for as long as I can remember we have always received this window upon start up. We just close it b/c Dell told us it wasn't an issue.
    desktop.ini - Notepad
    [.ShellClassInfo]
    LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787
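    The "Reg Loading Points" and Startup-folder sections of the log above are the part of a ComboFix report a reviewer reads line by line. What follows is an added example, not ComboFix code and not from anyone in this thread: a small Python parser that turns those sections into a structured list and flags any target written as a bare file name with no directory. The log cannot say where such a file lives on disk, so those entries have to be located and checked by hand before being judged; a flag is a review prompt, not a finding. The sample log embedded in the script is constructed from a few of the lines above; the function and class names are my own.

```python
"""Parse the autostart sections of a ComboFix log (added example, not
ComboFix's own code).  Extracts registry Run-key values and Startup-folder
shortcuts, then flags targets that have no directory component."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the ComboFix layout shown in the thread above.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 24576]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MBMon"="CTMBHA.DLL" [2005-05-19 1345520]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-5-10 24576]
"""

# Line shapes used by ComboFix in these sections.
KEY_RE = re.compile(r'^\[(?P<key>HK[^\]]+)\]$')
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)" \[(?P<date>\S+) (?P<size>\d+)\]$')
FOLDER_RE = re.compile(r'^(?P<folder>[A-Za-z]:\\.*\\)$')
SHORTCUT_RE = re.compile(
    r'^(?P<name>.+?\.lnk) - (?P<target>.+?) \[(?P<date>\S+) (?P<size>\d+)\]$')


@dataclass
class AutostartEntry:
    source: str   # registry key or Startup folder the entry lives in
    name: str     # value name or .lnk file name
    target: str   # executable/DLL the entry launches, exactly as logged
    date: str     # file date ComboFix reported
    size: int     # file size in bytes ComboFix reported

    @property
    def unqualified(self) -> bool:
        """True when the target is a bare file name.  Windows resolves such a
        name through its search path at logon, so the log alone does not say
        which file on disk actually runs; a reviewer must locate it."""
        return "\\" not in self.target and "/" not in self.target


def parse_autostarts(log_text: str) -> List[AutostartEntry]:
    """Walk the log, tracking the current key/folder, and collect entries."""
    entries: List[AutostartEntry] = []
    source: Optional[str] = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            source = m.group("key")
            continue
        m = FOLDER_RE.match(line)
        if m:
            source = m.group("folder")
            continue
        m = VALUE_RE.match(line) or SHORTCUT_RE.match(line)
        if m and source:
            entries.append(AutostartEntry(source, m.group("name"),
                                          m.group("target"), m.group("date"),
                                          int(m.group("size"))))
    return entries


def review_targets(entries: List[AutostartEntry]) -> List[str]:
    """Names of entries whose target must be located on disk before review."""
    return [e.name for e in entries if e.unqualified]


if __name__ == "__main__":
    found = parse_autostarts(SAMPLE_LOG)
    for e in found:
        flag = "  <- locate file, bare name" if e.unqualified else ""
        print(f"{e.name:20} {e.target}{flag}")
    print("needs manual location:", review_targets(found))
```

    Running the script on a full ComboFix log works the same way: paste the log text in place of SAMPLE_LOG, or read it from a file. Only the two registry sections and the Startup-folder blocks are parsed; service (R1/S3) and browser-setting lines are ignored.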
     
  17. ARShill

    ARShill TS Rookie Topic Starter

    The good news is the computer is running significantly faster!
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    About HJT entries: we add "if present" when we say to check for removal. So if these entries aren't there, they will have been removed. No problem.
    About the Services: Yes, the uninstall could have removed them, since you noticed it was a high resource user and were removing it for now. When you reinstall it, you will have the entries again. As far as I see, this does not need to start automatically and can be 'user invoked'. This means that the Services for the 2 WDSmartWare can both be set to Manual when you put it back. Check HERE if you need more info.

    Use the free FoxIt PDF Reader for additional speed instead of the Adobe Reader and cut out the bulk! Once you have FoxIt installed, uninstall the Adobe Reader in Add/Remove Programs: Here is the Free FoxIt Reader.
    If you want additional PDF features, they also have paid versions. But this does what you've been using Adobe Reader for.

    Your printer is creating logs. That's okay- just clean them out once in a while. They look like this, with a changing number: c:\windows\Internet Logs\xDB7.tmp
    ============================
    About the desktop.ini> From Microsoft:
    See next post to finish up.
     
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    The system is clean! Remove all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin

    Tips for added security and safer browsing:
    (Note: some of the following may not work on Windows 7 or a 64 bit system)
    1. Browser Security Settings: Custom is fine if the user did the settings. Mine are Custom. Default is okay too, but sometimes too restrictive.
      This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features: Make Internet Explorer safer.
    2. Have layered Security:
      • Antivirus Software (only one): Both of the following programs are free and known to be good:
        [o]Avira Free
        [o]Avast Home
      • Firewall (only one): Use bi-directional firewall. Both of the following programs are free and known to be good:
        [o]Comodo
        [o]Zone Alarm
      • Antispyware: I recommend all of the following:
        [o]Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
      [o]IE/Spyad This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
      [o]MVPS Hosts file This replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
      [o]Google Toolbar Get the free Google Toolbar to help stop pop-up windows.
    3. Stay current on updates:
      [o] Visit the Microsoft Download Site frequently. You should get All updates marked Critical and the current SP updates.
      [o]Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
      [o]Check this site: Java Updates. Stay current, as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
    4. Reset Cookies to prevent Tracking Cookies:
      [o]For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
      [o]For Firefox: Tools> Options> Privacy> Cookies> check ‘accept Cookies from Sites’> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
      I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
      AdBlock Plus
      Easy List
    5. Do regular Maintenance
      Remove Temporary Internet Files regularly:
      [o]ATF Cleaner by Atribune
      OR
      [o]TFC
      Disable and Enable System Restore:
      [o]See System Restore Guide This will help you understand what this is, why you need to clean and set restore points and what information is in them.
    6. Practice Safe Email Handling
      [o] Don't open email from anyone you don't know.
      [o] Don't open Attachments in the email. Save to your desktop and scan for viruses using a right click.
      [o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
    Let me know if you have any more questions
     
  20. ARShill

    ARShill TS Rookie Topic Starter

    Hi Bobbye, Thanks for the update and it is great news that the system is clean. You are my HERO!!!

    While I am going through all of the info you provided I wanted to share that we seem to be having occasional issues with Explorer not shutting down, which then stops Windows from shutting down. Even when I choose to end Explorer, Windows shut down just locks up. It does not happen all the time but I can't figure out why. I end up having to do a hard shut down. Any thoughts?

    I can't thank you enough for all your help.
    Amy
     
  21. ARShill

    ARShill TS Rookie Topic Starter

    Another quick question. If I download Spywareblaster should I remove Spybot-SD?
    Thanks
     
  22. ARShill

    ARShill TS Rookie Topic Starter

    Okay, this is the last post for tonight b/c I have had enough.

    I have tried to download the google toolbar for Explorer but it can't find the program to open the file and I don't know what program to choose. I checked out help and made sure the settings were enabled but I still can't download. We do have it installed on Firefox. Any thoughts on what I need to do to install on Explorer?
     
  23. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Spywareblaster and Spybot Search & Destroy can both be on the system. I have both. I recommend you don't use the Tea Timer feature in Spybot. As for the Google Toolbar, usually there is no problem- are you choosing the toolbar for IE?

    The Google Toolbar is optional, Amy. Try rebooting the computer first. Here is the link for the one you need:
    Google Toolbar for Internet Explorer 6.5.518.1650
     
Topic Status:
Not open for further replies.
