Solved Is system clean after following 8 step removal process?


ARShill

My Task Mgr wouldn't appear and Zone Alarm would not run so I researched the posts and followed the 8 steps to removing viruses and malware. Can you check out my logs and see if the system is now clean? I am still having problems with programs locking and have had to do a hard shut down.
 

Attachments

  • mbam-log-2010-09-26 (17-31-48).txt (129.4 KB)
  • gmer log.log (23.5 KB)
  • DDS.txt (21 KB)
  • dds Attach.txt (12 KB)
Welcome to TechSpot. I see Mbam removed quite a bit. Give me a chance to check the other logs and I'll be back with instructions.

Important!

Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
 
Okay, we have some work to do! You're not clean yet. I'd like you to run GMER again, but with 'Devices' unchecked. What you did was fine but there is an entry I need to see better.

You're also going to have to run the following and I am requesting that you paste those logs in the reply please. It cuts my search time down considerably when I can search directly from my browser. You may use more than one post if needed:
==================================
NOTE: If you do not have a Recovery Console installed, when you start Combofix you will be asked and have the chance to install one. It is important that you allow it. Don't disconnect from the internet before you run Combofix or that will not be available to you.

Please download ComboFix from Here and save to your Desktop.

  1. Do NOT rename Combofix unless instructed.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Close any open browsers.
  4. Double click combofix.exe & follow the prompts to run.
     NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  5. If Combofix asks you to install Recovery Console, please allow it.
  6. If Combofix asks you to update the program, always allow.
     Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  7. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with Combofix.
====================================

Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
 
Finished additional steps

Bobbye, thank you so much for your support! I ran the programs you listed. Below are some of the logs. I will paste the rest in another one.

GMER (no devices)
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-09-28 20:18:25
Windows 5.1.2600 Service Pack 3
Running: lfnbbyji.exe; Driver: C:\DOCUME~1\Rob\LOCALS~1\Temp\pxrdipog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwClose [0xA8B0ACF0]
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwConnectPort [0xA7725534]
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateFile [0xA771F782]
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateKey [0xA773E6DC]
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreatePort [0xA7725CC0]
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xA7725DF6]
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xA7720398]
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteKey [0xA773FFE4]
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0xA773F93C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDuplicateObject [0xA8B0A782]
SSDT spxz.sys ZwEnumerateKey [0xB9EC9E4C]
SSDT spxz.sys ZwEnumerateValueKey [0xB9ECA1DA]
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey [0xA774093C]
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xA7740B44]
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenFile [0xA771FFAA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenKey [0xA8B0AC86]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenProcess [0xA8B0A6C2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenThread [0xA8B0A726]
SSDT spxz.sys ZwQueryKey [0xB9ECA2B2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwQueryValueKey [0xA8B0ADA6]
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRenameKey [0xA77418D2]
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xA7741208]
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xA77250F4]
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRestoreKey [0xA77422A4]
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xA772075C]
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetSecurityObject [0xA7741E12]
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetValueKey [0xA773F0C4]
SSDT \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys ZwUnloadKey [0xA843F6D0]

INT 0x62 ? 8A992C88
INT 0x63 ? 8A992C88
INT 0x63 ? 8A992C88
INT 0x63 ? 8A992C88
INT 0x84 ? 8A829C88
INT 0x94 ? 8A829C88
INT 0xA4 ? 8A829C88
INT 0xB4 ? 8A829C88

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xA8B17BAE]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0xA8B179D2]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0xA8B17B0C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

? spxz.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B947F8AC 5 Bytes JMP 8A8291D8
init C:\WINDOWS\system32\drivers\sigfilt.sys entry point in "init" section [0xA9187F80]
? C:\WINDOWS\system32\Drivers\uphcleanhlp.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1392] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_ULONG] [B9EB03E6] spxz.sys
IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!READ_PORT_UCHAR] [B9EB090E] spxz.sys
IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_UCHAR] [B9EB0F9C] spxz.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EB090E] spxz.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EB01D4] spxz.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EB0116] spxz.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EB1178] spxz.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EB0F9C] spxz.sys
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [A772A672] \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [A772A4C8] \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [A772ACBA] \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [A7728C2A] \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [A7728C2A] \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [A772A672] \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [A772A4C8] \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [A772ACBA] \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [A772A672] \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [A7728C2A] \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [A772ACBA] \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [A772A4C8] \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [A772ACBA] \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [A772A4C8] \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [A772A672] \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [A7728C2A] \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [A772A672] \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [A772A4C8] \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [A772ACBA] \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [A772A672] \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [A7728C2A] \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [A772ACBA] \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [A772A4C8] \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[680] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT C:\WINDOWS\system32\services.exe[680] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792

---- EOF - GMER 1.0.15 ----


ComboFix report:
ComboFix 10-09-27.05 - Rob 09/28/2010 20:56:34.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1560 [GMT -4:00]
Running from: c:\documents and settings\Rob\My Documents\Downloads\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\094ceba
c:\documents and settings\All Users\Application Data\094ceba\733.mof
c:\documents and settings\All Users\Application Data\094ceba\BackUp\Adobe Reader Speed Launch.lnk
c:\documents and settings\All Users\Application Data\094ceba\BackUp\Digital Line Detect.lnk
c:\documents and settings\All Users\Application Data\094ceba\BackUp\HP Digital Imaging Monitor.lnk
c:\documents and settings\All Users\Application Data\094ceba\BackUp\HP Image Zone Fast Start.lnk
c:\documents and settings\All Users\Application Data\094ceba\BackUp\NkbMonitor.exe.lnk
c:\documents and settings\All Users\Application Data\094ceba\BackUp\qlock.lnk
c:\documents and settings\All Users\Application Data\094ceba\BackUp\WDDMStatus.lnk
c:\documents and settings\All Users\Application Data\094ceba\BackUp\WDSmartWare.lnk
c:\documents and settings\All Users\Application Data\094ceba\mozcrt19.dll
c:\documents and settings\All Users\Application Data\094ceba\MSS.ico
c:\documents and settings\All Users\Application Data\094ceba\MSSSys\vd952342.bd
c:\documents and settings\All Users\Application Data\094ceba\sqlite3.dll
c:\documents and settings\All Users\Start Menu\HP Image Zone .lnk
c:\documents and settings\Rob\Recent\ANTIGEN.drv
c:\documents and settings\Rob\Recent\ANTIGEN.exe
c:\documents and settings\Rob\Recent\cb.exe
c:\documents and settings\Rob\Recent\CLSV.sys
c:\documents and settings\Rob\Recent\DBOLE.tmp
c:\documents and settings\Rob\Recent\eb.drv
c:\documents and settings\Rob\Recent\eb.exe
c:\documents and settings\Rob\Recent\energy.exe
c:\documents and settings\Rob\Recent\energy.sys
c:\documents and settings\Rob\Recent\exec.sys
c:\documents and settings\Rob\Recent\exec.tmp
c:\documents and settings\Rob\Recent\fan.exe
c:\documents and settings\Rob\Recent\FW.tmp
c:\documents and settings\Rob\Recent\grid.drv
c:\documents and settings\Rob\Recent\pal.tmp
c:\documents and settings\Rob\Recent\PE.drv
c:\documents and settings\Rob\Recent\PE.exe
c:\documents and settings\Rob\Recent\ppal.exe
c:\documents and settings\Rob\Recent\SM.drv
c:\documents and settings\Rob\Recent\tjd.exe
c:\documents and settings\Rob\Recent\tjd.sys
c:\documents and settings\Rob\Recent\tjd.tmp
c:\windows\system32\Data

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE


((((((((((((((((((((((((( Files Created from 2010-08-28 to 2010-09-29 )))))))))))))))))))))))))))))))
.

2010-09-29 00:44 . 2010-09-29 00:47 -------- d-----w- C:\32788R22FWJFW
2010-09-26 21:23 . 2010-09-26 21:23 -------- d-----w- c:\documents and settings\Rob\Application Data\Malwarebytes
2010-09-26 21:23 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-26 21:23 . 2010-09-27 11:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-26 21:23 . 2010-09-26 21:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-26 21:23 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-25 23:45 . 2010-09-02 13:20 69120 ----a-w- c:\windows\system32\zlcomm.dll
2010-09-25 23:45 . 2010-09-02 13:20 103936 ----a-w- c:\windows\system32\zlcommdb.dll
2010-09-25 23:45 . 2010-09-02 13:20 1238528 ----a-w- c:\windows\system32\zpeng25.dll
2010-09-25 23:45 . 2010-09-25 23:45 -------- d-----w- c:\windows\system32\ZoneLabs
2010-09-25 23:45 . 2010-09-25 23:45 -------- d-----w- c:\program files\Zone Labs
2010-09-25 23:44 . 2010-09-28 21:29 -------- d-----w- c:\windows\Internet Logs
2010-09-25 21:07 . 2010-09-25 21:07 -------- d-----w- c:\documents and settings\All Users\Application Data\ZA_PreservedFiles
2010-09-25 20:49 . 2010-09-25 20:49 -------- d-----w- c:\program files\Conduit
2010-09-13 14:19 . 2010-09-13 14:19 -------- d-sh--w- c:\documents and settings\All Users\Application Data\MSFVKFBMS
2010-09-02 15:26 . 2010-09-02 15:27 -------- d-----w- c:\program files\iTunes
2010-09-02 15:22 . 2010-09-03 01:36 -------- d-----w- c:\program files\QuickTime

I
 
Remaining logs

Hi Bobbye, below should be the remainder of the logs:


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-25 23:45 . 2006-05-16 20:46 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-09-25 20:33 . 2008-02-04 22:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-09-25 20:31 . 2008-10-04 16:49 -------- d-----w- c:\program files\LeapFrog
2010-09-21 20:09 . 2006-06-13 00:51 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
2010-09-09 13:37 . 2008-06-14 12:54 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-07 15:12 . 2010-06-29 16:56 38848 ----a-w- c:\windows\avastSS.scr
2010-09-07 15:11 . 2008-12-03 18:26 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-09-07 14:52 . 2008-12-03 18:27 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-09-07 14:52 . 2008-12-03 18:27 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-09-07 14:47 . 2008-12-03 18:27 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-09-07 14:47 . 2008-12-03 18:27 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-09-07 14:47 . 2008-12-03 18:27 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-09-07 14:47 . 2008-12-03 18:27 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-09-07 14:46 . 2008-12-03 18:27 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-09-04 17:18 . 2008-02-26 13:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Dell
2010-09-03 16:50 . 2009-10-21 21:31 -------- d-----w- c:\documents and settings\Boys\Application Data\Apple Computer
2010-09-02 15:26 . 2006-08-12 17:40 -------- d-----w- c:\program files\iPod
2010-09-02 15:26 . 2007-08-30 00:28 -------- d-----w- c:\program files\Common Files\Apple
2010-09-02 15:17 . 2010-09-02 15:17 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 10.0.0.68\SetupAdmin.exe
2010-08-30 18:34 . 2010-09-08 22:28 1496064 ----a-w- c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\1zr4dlo9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-08-30 18:33 . 2010-09-08 22:28 43008 ----a-w- c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\1zr4dlo9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-08-30 18:33 . 2010-09-08 22:28 338944 ----a-w- c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\1zr4dlo9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-08-30 18:33 . 2010-09-08 22:28 346112 ----a-w- c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\1zr4dlo9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-08-21 17:39 . 2006-12-26 23:39 -------- d-----w- c:\program files\The Learning Company
2010-08-17 18:10 . 2010-09-01 02:37 372736 ------w- c:\documents and settings\All Users\Application Data\Dell\DSL\DSLCheck.exe
2010-08-17 13:17 . 2004-08-10 16:51 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-04 20:17 . 2010-08-04 20:17 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2010-08-01 15:29 . 2010-08-01 11:27 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-08-01 15:26 . 2006-05-10 15:21 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-08-01 11:27 . 2010-08-01 11:27 -------- d-----w- c:\program files\NOS
2010-07-26 20:01 . 2010-08-01 11:27 37184 ----a-w- c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\1zr4dlo9.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2010-07-26 20:01 . 2010-08-01 11:27 32032 ----a-w- c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\1zr4dlo9.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2010-07-22 21:00 . 2010-07-22 21:00 697328 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-07-22 19:33 . 2010-07-22 19:33 71706968 ----a-w- c:\documents and settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Updates\DidjPlugin.exe
2010-07-22 19:32 . 2010-07-22 19:32 31287640 ----a-w- c:\documents and settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Updates\UPCInstaller.exe
2010-07-22 15:49 . 2004-08-10 16:51 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2009-04-16 22:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-09 14:26 . 2010-09-01 02:38 475136 ----a-w- c:\documents and settings\All Users\Application Data\Dell\RMC\RMCCreationInfo.exe
2010-07-02 14:25 . 2010-09-01 02:38 1118208 ------w- c:\documents and settings\All Users\Application Data\Dell\RMC\Libxml2.dll
2010-07-02 14:25 . 2010-09-01 02:38 60416 ----a-w- c:\documents and settings\All Users\Application Data\Dell\RMC\ZLib1.dll
2008-08-16 22:42 . 2008-08-16 22:42 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-08-16 22:42 . 2008-08-16 22:42 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-08-16 22:42 . 2008-08-16 22:42 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2008-08-16 22:42 . 2008-08-16 22:42 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-08-16 22:43 . 2008-08-16 22:43 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-08-16 22:42 . 2008-08-16 22:42 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2008-08-16 22:42 . 2008-08-16 22:42 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2008-05-21 13:41 . 2008-05-21 13:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2008-05-21 13:41 . 2008-05-21 13:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2008-05-21 13:41 . 2008-05-21 13:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2008-06-05 18:58 . 2008-06-05 18:58 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-08-16 22:42 . 2008-08-16 22:42 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
2007-08-28 22:40 . 2006-05-20 00:10 88 --sh--r- c:\windows\system32\67FC3BDC4D.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 24576]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-11-01 94208]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-09-15 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC.exe" [2005-09-19 1159168]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 49152]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"MBMon"="CTMBHA.DLL" [2005-05-19 1345520]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-07-13 47904]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-09-02 1043968]

c:\documents and settings\Rob\Start Menu\Programs\Startup\
qlock.lnk - c:\program files\Qlock\qlock.exe [2009-2-14 4142080]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-5-10 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2006-6-12 118784]
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2010-1-21 2057536]
WDSmartWare.lnk - c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe [2010-1-21 9136960]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/3/2008 2:27 PM 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/3/2008 2:27 PM 17744]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [1/21/2010 4:24 PM 110592]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 8:58 AM 20480]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/10/2004 12:51 PM 14336]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/22/2010 5:00 PM 697328]

--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-09-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.verizon.net/central/appmanager/portal/vzcentral?_nfpb=true&_pageLabel=customer#Scene_1
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Search
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
Trusted Zone: sap.com\connectphl02
Trusted Zone: sap.com\connectphl05
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\1zr4dlo9.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.weather.com/
FF - component: c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\1zr4dlo9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\1zr4dlo9.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}\plugins\npGarmin.dll
FF - plugin: c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\1zr4dlo9.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKCU-Run-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe
HKCU-Run-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe
HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
HKCU-Run-Search Protection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe
HKLM-Run-QuickTime Task - c:\program files\QuickTime\qttask.exe
HKLM-Run-DSS - c:\windows\BBSTORE\DSS\DSSAGENT.EXE
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-28 21:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\documents and settings\Rob\Application Data\Western Digital\WD SmartWare\instances\DCFA0F27-0104-45B1-98E1-96E46571E344\dcfa0f27-0104-45b1-98e1-96e46571e344-inq.db3-journal

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2268)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\UPHClean\uphclean.exe
c:\windows\system32\Rundll32.exe
c:\docume~1\Rob\LOCALS~1\Temp\clclean.0001
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\windows\System32\NOTEPAD.EXE
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2010-09-28 21:13:46 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-29 01:13

Pre-Run: 53,154,058,240 bytes free
Post-Run: 52,985,810,944 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

Current=3 Default=3 Failed=5 LastKnownGood=6 Sets=1,2,3,5,6
- - End Of File - - FAE6F0DBA2C433562CD20C002B20E235


Eset log
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=7213af32b47fbb46b96160e07d515eff
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-09-29 02:19:48
# local_time=2010-09-28 10:19:48 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=768 16777215 100 0 20234382 20234382 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# compatibility_mode=9217 16777214 75 70 0 1369985 0 0
# scanned=102581
# found=5
# cleaned=0
# scan_time=3543
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\094ceba\733.mof.vir Win32/RogueAV.A trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1385\A0202375.dll Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1385\A0202378.DLL Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1385\A0202382.DLL a variant of Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1387\A0208142.mof Win32/RogueAV.A trojan 00000000000000000000000000000000
 
Can you please advise on use of these sites?
Trusted Zone: sap.com\connectphl02
Trusted Zone: sap.com\connectphl05

This site and the 2 above should be removed from the Trusted Zone, where there is lower security than in the Internet Zone.
Trusted Zone: musicmatch.com\online
 
SAP.com is my work website so these are trusted. I will remove musicmatch.com\online. Anything else? Looked like the ESET found several infected files.
 
I looked for musicmatch.com\online but it does not appear in the Trusted Zone or any security list. The only ones listed are for SAP. Any suggestions?

Thanks again for all the support!
 
I'll have you move Musicmatch in HJT. Okay for the sap.com entries if wanted.

There are no new infections in the Eset log. The Qoobox entries are from the Combofix quarantine; that's where those files go. System Volume is for Restore Points. None of these are active in the system and all will be removed at the end. Don't do any System Restores while we're cleaning because if you did happen to pick a date that was infected, then you could reinfect the system. But we don't move those yet because sometimes SR can be the only way back into a system!

Question: Do you know what this file is?
2006-06-13 00:51 c:\documents and settings\All Users\Application Data\PKP_DLec.DAT

Please run this Custom CFScript

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad and copy/paste the text in the code below into it:
Code:
File::
DDS::
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u 
IE: &Search - ?p=ZSfox000
mRun: [DSS] c:\windows\bbstore\dss\DSSAGENT.EXE 

Folder::
c:\documents and settings\All Users\Application Data\McAfee

Extra::
File::
c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
Firefox::
Firefox-: - Profile- c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\1zr4dlo9.default\

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=-

Driver::
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
FYI: DSSAgent by Brøderbund - spyware. Sends encrypted emails about the system back to the originators of the program. Also a resource hog.

Handle these updates please:
Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
Java Updates Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.

Please run this when through with above:

Download the HijackThis Installer and save to the desktop:
  1. Double-click on HJTInstall.exe to run the program.
  2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
  3. Accept the license agreement by clicking the "I Accept" button.
  4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  5. Click "Save log" to save the log file and then the log will open in notepad.
  6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
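As an added example, not part of Bobbye's post and not code from ESET or ComboFix: a small Python script that applies the reasoning above to an ESET scan log, separating hits inside ComboFix's Qoobox quarantine and inside System Volume Information restore points (inert unless something restores them) from anything still sitting in a live location. The sample log is constructed from the detection paths posted earlier in this thread plus one hypothetical "active" line; the tab-separated field layout is an assumption about the ESET log format.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the shape of the ESET online-scanner log posted in this
# thread: the first five detections are the thread's own paths, the sixth is a
# hypothetical live hit added for illustration. Fields are tab-separated here
# (an assumption about the real log format).
SAMPLE_ESET_LOG = "\n".join([
    "# version=7",
    "# scanned=102581",
    "# found=6",
    "# cleaned=0",
    "C:\\Qoobox\\Quarantine\\C\\Documents and Settings\\All Users\\Application Data\\094ceba\\733.mof.vir\tWin32/RogueAV.A trojan\t00000000000000000000000000000000\tI",
    "C:\\System Volume Information\\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\\RP1385\\A0202375.dll\tWin32/Toolbar.MyWebSearch application\t00000000000000000000000000000000\tI",
    "C:\\System Volume Information\\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\\RP1385\\A0202378.DLL\tWin32/Toolbar.MyWebSearch application\t00000000000000000000000000000000\tI",
    "C:\\System Volume Information\\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\\RP1385\\A0202382.DLL\ta variant of Win32/Toolbar.MyWebSearch application\t00000000000000000000000000000000\tI",
    "C:\\System Volume Information\\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\\RP1387\\A0208142.mof\tWin32/RogueAV.A trojan\t00000000000000000000000000000000",
    # hypothetical line, not from the thread: a detection outside quarantine and restore points
    "C:\\Documents and Settings\\All Users\\Application Data\\example\\dropper.exe\tWin32/Example.A trojan\t00000000000000000000000000000000\tI",
])


@dataclass
class Finding:
    path: str
    threat: str
    location: str  # quarantine | restore_point | active


def classify(path: str) -> str:
    """Where does this hit live? Quarantine and restore points are inert unless restored."""
    p = path.lower().replace("/", "\\")
    if re.match(r"^[a-z]:\\qoobox\\", p):          # ComboFix quarantine folder
        return "quarantine"
    if "\\system volume information\\_restore" in p:  # System Restore snapshots
        return "restore_point"
    return "active"


def parse_eset_log(text: str):
    """Split the log into its '# key=value' header and a list of Finding records."""
    header, findings = {}, []
    for line in text.splitlines():
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition("=")
            header[key] = value
            continue
        parts = line.split("\t")
        if len(parts) < 2:      # blank or unrecognised line
            continue
        findings.append(Finding(parts[0], parts[1], classify(parts[0])))
    return header, findings


def summarize(text: str) -> dict:
    """Counts per location, whether the header's 'found' matches the parsed lines,
    and the paths that still need attention because they are not quarantined."""
    header, findings = parse_eset_log(text)
    counts = Counter(f.location for f in findings)
    return {
        "counts": dict(counts),
        "consistent": header.get("found") == str(len(findings)),
        "active": [f.path for f in findings if f.location == "active"],
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_ESET_LOG)
    print(result["counts"])
    for p in result["active"]:
        print("needs attention:", p)
```

Only the "active" list is worth acting on during a cleanup; quarantine and restore-point hits disappear when the quarantine is emptied and the old restore points are flushed at the end, exactly as described above.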
 
Add'l logs

Hi Bobbye,
Okay, I followed the instructions you provided. Here are the logs.

Also, I do not know what '2006-06-13 00:51 c:\documents and settings\All Users\Application Data\PKP_DLec.DAT' is.

ComboFix log:
ComboFix 10-09-30.01 - Rob 09/30/2010 18:55:20.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1277 [GMT -4:00]
Running from: c:\documents and settings\Rob\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Rob\My Documents\Downloads\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

FILE ::
"c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Rob\LOCALS~1\Temp\clclean.0001.dir.0000\~df394b.tmp
c:\documents and settings\All Users\Application Data\McAfee
c:\documents and settings\All Users\Application Data\McAfee\MCLOGS\Common\McCHSvc\McCHSvc000.log
c:\documents and settings\All Users\Application Data\McAfee\MCLOGS\McUICnt\McUICnt\McUICnt000.log
c:\documents and settings\All Users\Application Data\McAfee\MCLOGS\PartnerCustom\McCHSvc\McCHSvc000.log
c:\documents and settings\All Users\Application Data\McAfee\MCLOGS\PartnerCustom\McUICnt\McUICnt000.log
c:\documents and settings\All Users\Application Data\McAfee\MCLOGS\PartnerCustom\SSScheduler\SSScheduler000.log
c:\documents and settings\All Users\Application Data\McAfee\MCLOGS\SecurityScanner\McUICnt\McUICnt000.log
c:\documents and settings\All Users\Application Data\McAfee\SpamKiller\Accounts.xml
c:\documents and settings\All Users\Application Data\McAfee\SpamKiller\Configuration.xml
c:\documents and settings\All Users\Application Data\McAfee\SpamKiller\Filters.xml
c:\documents and settings\All Users\Application Data\McAfee\SpamKiller\Friends.xml
c:\documents and settings\All Users\Application Data\McAfee\SpamKiller\Logs\Complaints.log
c:\documents and settings\All Users\Application Data\McAfee\SpamKiller\Logs\Filtering.log
c:\documents and settings\All Users\Application Data\McAfee\SpamKiller\Logs\System.log
c:\documents and settings\All Users\Application Data\McAfee\SpamKiller\MskDetct.dat
c:\documents and settings\All Users\Application Data\McAfee\SpamKiller\Templates\Templates.xml
c:\documents and settings\All Users\Application Data\McAfee\SpamKiller\Users.xml
c:\documents and settings\All Users\Application Data\McAfee\SpamKiller\Users\1\Filters.xml
c:\documents and settings\All Users\Application Data\McAfee\SpamKiller\Users\1\Friends.xml
c:\documents and settings\All Users\Application Data\McAfee\SpamKiller\Users\2\Filters.xml
c:\documents and settings\All Users\Application Data\McAfee\SpamKiller\Users\2\Friends.xml
c:\documents and settings\All Users\Application Data\McAfee\SpamKiller\Users\3\Filters.xml
c:\documents and settings\All Users\Application Data\McAfee\SpamKiller\Users\3\Friends.xml
c:\documents and settings\All Users\Application Data\McAfee\SpamKiller\Users\4\Filters.xml
c:\documents and settings\All Users\Application Data\McAfee\SpamKiller\Users\4\Friends.xml
c:\documents and settings\Rob\Local Settings\temp\clclean.0001.dir.0000\~df394b.tmp
c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe
c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

.
((((((((((((((((((((((((( Files Created from 2010-08-28 to 2010-09-30 )))))))))))))))))))))))))))))))
.

2010-09-29 01:17 . 2010-09-29 01:17 -------- d-----w- c:\program files\ESET
2010-09-26 21:23 . 2010-09-26 21:23 -------- d-----w- c:\documents and settings\Rob\Application Data\Malwarebytes
2010-09-26 21:23 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-26 21:23 . 2010-09-27 11:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-26 21:23 . 2010-09-26 21:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-26 21:23 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-25 23:45 . 2010-09-02 13:20 69120 ----a-w- c:\windows\system32\zlcomm.dll
2010-09-25 23:45 . 2010-09-02 13:20 103936 ----a-w- c:\windows\system32\zlcommdb.dll
2010-09-25 23:45 . 2010-09-02 13:20 1238528 ----a-w- c:\windows\system32\zpeng25.dll
2010-09-25 23:45 . 2010-09-25 23:45 -------- d-----w- c:\windows\system32\ZoneLabs
2010-09-25 23:45 . 2010-09-25 23:45 -------- d-----w- c:\program files\Zone Labs
2010-09-25 23:44 . 2010-09-30 22:22 -------- d-----w- c:\windows\Internet Logs
2010-09-25 21:07 . 2010-09-25 21:07 -------- d-----w- c:\documents and settings\All Users\Application Data\ZA_PreservedFiles
2010-09-25 20:49 . 2010-09-25 20:49 -------- d-----w- c:\program files\Conduit
2010-09-13 14:19 . 2010-09-13 14:19 -------- d-sh--w- c:\documents and settings\All Users\Application Data\MSFVKFBMS
2010-09-08 22:28 . 2010-08-30 18:34 1496064 ----a-w- c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\1zr4dlo9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-09-08 22:28 . 2010-08-30 18:33 43008 ----a-w- c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\1zr4dlo9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-09-08 22:28 . 2010-08-30 18:33 338944 ----a-w- c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\1zr4dlo9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-09-08 22:28 . 2010-08-30 18:33 346112 ----a-w- c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\1zr4dlo9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-09-02 15:26 . 2010-09-02 15:27 -------- d-----w- c:\program files\iTunes
2010-09-02 15:22 . 2010-09-03 01:36 -------- d-----w- c:\program files\QuickTime
2010-09-02 15:17 . 2010-09-02 15:17 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 10.0.0.68\SetupAdmin.exe
2010-09-01 02:38 . 2010-07-09 14:26 475136 ----a-w- c:\documents and settings\All Users\Application Data\Dell\RMC\RMCCreationInfo.exe
2010-09-01 02:38 . 2010-07-02 14:25 1118208 ------w- c:\documents and settings\All Users\Application Data\Dell\RMC\Libxml2.dll
2010-09-01 02:38 . 2010-07-02 14:25 60416 ----a-w- c:\documents and settings\All Users\Application Data\Dell\RMC\ZLib1.dll
2010-09-01 02:37 . 2010-08-17 18:10 372736 ------w- c:\documents and settings\All Users\Application Data\Dell\DSL\DSLCheck.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-30 12:13 . 2008-06-14 12:54 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-29 20:56 . 2006-06-13 00:51 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
2010-09-25 23:45 . 2006-05-16 20:46 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-09-25 20:33 . 2008-02-04 22:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-09-25 20:31 . 2008-10-04 16:49 -------- d-----w- c:\program files\LeapFrog
2010-09-07 15:12 . 2010-06-29 16:56 38848 ----a-w- c:\windows\avastSS.scr
2010-09-07 15:11 . 2008-12-03 18:26 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-09-07 14:52 . 2008-12-03 18:27 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-09-07 14:52 . 2008-12-03 18:27 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-09-07 14:47 . 2008-12-03 18:27 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-09-07 14:47 . 2008-12-03 18:27 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-09-07 14:47 . 2008-12-03 18:27 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-09-07 14:47 . 2008-12-03 18:27 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-09-07 14:46 . 2008-12-03 18:27 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-09-04 17:18 . 2008-02-26 13:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Dell
2010-09-03 16:50 . 2009-10-21 21:31 -------- d-----w- c:\documents and settings\Boys\Application Data\Apple Computer
2010-09-02 15:26 . 2006-08-12 17:40 -------- d-----w- c:\program files\iPod
2010-09-02 15:26 . 2007-08-30 00:28 -------- d-----w- c:\program files\Common Files\Apple
2010-08-21 17:39 . 2006-12-26 23:39 -------- d-----w- c:\program files\The Learning Company
2010-08-17 13:17 . 2004-08-10 16:51 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-04 20:17 . 2010-08-04 20:17 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2010-07-26 20:01 . 2010-08-01 11:27 37184 ----a-w- c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\1zr4dlo9.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2010-07-26 20:01 . 2010-08-01 11:27 32032 ----a-w- c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\1zr4dlo9.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2010-07-22 21:00 . 2010-07-22 21:00 697328 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-07-22 19:33 . 2010-07-22 19:33 71706968 ----a-w- c:\documents and settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Updates\DidjPlugin.exe
2010-07-22 19:32 . 2010-07-22 19:32 31287640 ----a-w- c:\documents and settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Updates\UPCInstaller.exe
2010-07-22 15:49 . 2004-08-10 16:51 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2009-04-16 22:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2008-08-16 22:42 . 2008-08-16 22:42 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-08-16 22:42 . 2008-08-16 22:42 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-08-16 22:42 . 2008-08-16 22:42 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2008-08-16 22:42 . 2008-08-16 22:42 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-08-16 22:43 . 2008-08-16 22:43 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-08-16 22:42 . 2008-08-16 22:42 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2008-08-16 22:42 . 2008-08-16 22:42 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2008-05-21 13:41 . 2008-05-21 13:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2008-05-21 13:41 . 2008-05-21 13:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2008-05-21 13:41 . 2008-05-21 13:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2008-06-05 18:58 . 2008-06-05 18:58 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-08-16 22:42 . 2008-08-16 22:42 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
2007-08-28 22:40 . 2006-05-20 00:10 88 --sh--r- c:\windows\system32\67FC3BDC4D.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 24576]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-11-01 94208]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-09-15 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC.exe" [2005-09-19 1159168]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 49152]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"MBMon"="CTMBHA.DLL" [2005-05-19 1345520]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-07-13 47904]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-09-02 1043968]

c:\documents and settings\Rob\Start Menu\Programs\Startup\
qlock.lnk - c:\program files\Qlock\qlock.exe [2009-2-14 4142080]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-5-10 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2006-6-12 118784]
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2010-1-21 2057536]
WDSmartWare.lnk - c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe [2010-1-21 9136960]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/3/2008 2:27 PM 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/3/2008 2:27 PM 17744]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [1/21/2010 4:24 PM 110592]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 8:58 AM 20480]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/10/2004 12:51 PM 14336]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/22/2010 5:00 PM 697328]

--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-09-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.verizon.net/central/appmanager/portal/vzcentral?_nfpb=true&_pageLabel=customer#Scene_1
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
Trusted Zone: sap.com\connectphl02
Trusted Zone: sap.com\connectphl05
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\1zr4dlo9.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.weather.com/
FF - component: c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\1zr4dlo9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\1zr4dlo9.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}\plugins\npGarmin.dll
FF - plugin: c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\1zr4dlo9.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-30 18:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-09-30 19:01:58
ComboFix-quarantined-files.txt 2010-09-30 23:01
ComboFix2.txt 2010-09-29 01:13

Pre-Run: 52,377,718,784 bytes free
Post-Run: 52,508,852,224 bytes free

Current=3 Default=3 Failed=5 LastKnownGood=6 Sets=1,2,3,5,6
- - End Of File - - 4E91BE7E38B43716DC621782C39F4AE8
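Added example, not code from this thread or from ComboFix/HijackThis: the triage rules Bobbye applied by hand when building the CFScript (BHO and toolbar entries that resolve to "No File" are orphans, DSSAgent is unwanted, and anything autostarting from a Temp folder or a random-named Application Data folder deserves a look) expressed as a Python parser over DDS/CFScript-style and HijackThis O2/O4 lines. The sample lines are copied from the CFScript and HJT log above except the two marked hypothetical; the unwanted-name list is an assumption drawn from Bobbye's comments, and a line that matches no rule is reported as "ok" only in the sense that the script has nothing to say about it.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines. The first six are taken from the CFScript and the HJT
# log in this thread; the last two are hypothetical and labelled as such.
SAMPLE_LINES = [
    "O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)",
    "O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll",
    "BHO: {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD} - No File",
    "TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File",
    "mRun: [DSS] c:\\windows\\bbstore\\dss\\DSSAGENT.EXE",
    "uRun: [updateMgr] \"c:\\program files\\adobe\\acrobat 7.0\\reader\\AdobeUpdateManager.exe\" AcRdB7_0_9 -reboot 1",
    # hypothetical: a Run entry whose image lives in the user's Temp folder
    "O4 - HKCU\\..\\Run: [clclean] C:\\DOCUME~1\\Rob\\LOCALS~1\\Temp\\clclean.0001",
    # hypothetical: an ordinary vendor autostart in HJT O4 form
    "O4 - HKLM\\..\\Run: [avast5] C:\\PROGRA~1\\ALWILS~1\\Avast5\\avastUI.exe",
]

# Name fragments this thread treats as unwanted (DSSAgent per Bobbye, Viewpoint
# from the CFScript, MyWebSearch from the ESET hits). Assumed list for the example.
UNWANTED_HINTS = ("dssagent", "viewpoint", "mywebsearch")

NO_FILE = re.compile(r"\bno file\b", re.I)
TEMP_DIR = re.compile(r"\\(?:locals~1|local settings)\\temp\\", re.I)
RANDOM_APPDATA = re.compile(r"\\application data\\[0-9a-f]{6,}\\", re.I)

# (source label, regex) for each line format we understand
PARSERS = [
    ("hjt-bho", re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")),
    ("hjt-run", re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[\w-]+): \[(?P<name>[^\]]+)\] (?P<path>.*)$")),
    ("dds-bho", re.compile(r"^(?P<kind>BHO|TB): (?:(?P<name>.*?): )?(?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")),
    ("dds-run", re.compile(r"^(?P<kind>[um]Run): \[(?P<name>[^\]]+)\] (?P<path>.*)$")),
]


@dataclass
class Entry:
    source: str
    name: str
    image: str
    verdict: str   # orphan | unwanted | suspicious | ok
    reason: str


def image_path(command: str) -> str:
    """Return the executable/DLL portion of a Run command line (quoted or not)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"^(.*?\.(?:exe|dll|sys|com|scr|cpl))(?:\s|$)", command, re.I)
    return m.group(1) if m else command.split(" ", 1)[0]


def triage(line: str) -> Optional[Entry]:
    """Classify one log line; returns None for formats we do not parse (R0/R1, O23, ...)."""
    line = line.strip()
    for source, rx in PARSERS:
        m = rx.match(line)
        if m:
            break
    else:
        return None
    name = m.groupdict().get("name") or "(no name)"
    raw = m.group("path")
    if NO_FILE.search(raw):                       # registered object, file gone
        return Entry(source, name, raw, "orphan", "registered object has no file on disk")
    image = image_path(raw)
    low = image.lower()
    hit = next((h for h in UNWANTED_HINTS if h in low), None)
    if hit:
        return Entry(source, name, image, "unwanted", f"matches known-unwanted name '{hit}'")
    if TEMP_DIR.search(low):
        return Entry(source, name, image, "suspicious", "autostart image lives in a Temp folder")
    if RANDOM_APPDATA.search(low):
        return Entry(source, name, image, "suspicious", "autostart image in a random-named Application Data folder")
    return Entry(source, name, image, "ok", "no rule matched; verify by hand")


def triage_all(lines) -> list:
    return [e for e in map(triage, lines) if e is not None]


def summarize(entries) -> dict:
    return dict(Counter(e.verdict for e in entries))


if __name__ == "__main__":
    for e in triage_all(SAMPLE_LINES):
        print(f"{e.verdict:10} {e.source:8} [{e.name}] {e.image}  ({e.reason})")
```

The orphan entries are the ones the CFScript's DDS:: section removes; the rest of the list still has to be read by a person, which is why the thread asks for the full logs rather than a summary.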
 
HJT Log

HijackThis Log:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:25:19 PM, on 9/30/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17080)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\McAfee\SpamKiller\MSKDetct.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\WINDOWS\system32\Rundll32.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\DOCUME~1\Rob\LOCALS~1\Temp\clclean.0001
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Qlock\qlock.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.verizon.net/central/appmanager/portal/vzcentral?_nfpb=true&_pageLabel=customer#Scene_1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD} - (no file)
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0311.0\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0311.0\msneshellx.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [VoiceCenter] "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [DSS] C:\WINDOWS\BBSTORE\DSS\DSSAGENT.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: qlock.lnk = C:\Program Files\Qlock\qlock.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: WDDMStatus.lnk = C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
O4 - Global Startup: WDSmartWare.lnk = C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://connectphl02.sap.com
O15 - Trusted Zone: http://connectphl05.sap.com
O16 - DPF: {2A0B9B82-D5C8-4D3D-8338-AD55B23662B1} (F5 Networks CacheCleaner) - https://connectphl02.sap.com/vdesk/cachecleaner.cab#version=6030,2009,0622,1839
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://connectphl05.sap.com/vdesk/terminal/InstallerControl.cab#version=6030,2009,0622,1853
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.3.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} (F5 Networks Policy Agent Host Class) - https://connectphl05.sap.com/vdesk/terminal/f5InspectionHost.cab#version=6030,2009,0622,1842
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1170514389796
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://maunalani.com/AxisCamControl.ocx
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D} (F5 Networks OS Policy Agent) - https://connectphl05.sap.com/policy...in32/f5syschk.cab#Version=6030,2009,0622,1850
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: WD SmartWare Drive Manager (WDDMService) - WDC - C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
O23 - Service: WD SmartWare Background Service (WDSmartWareBackgroundService) - Memeo - C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe

--
End of file - 13555 bytes


I can't thank you enough!!! :wave:
 
Hi, two quick updates
- When I log in now I get the following error message:
MSKDetector
Unable to write to c:\Documents and Settings\All Users\Application Data\McAfee\SpanKiller\MskDetct.dat.
McAfee was preloaded on the computer when we got it but I never used it so I removed it. Not sure why this file was not removed during de-install.

- The computer has also been freezing upon start up the last two days :-(. I noticed that the WDSmartWare program was taking up a lot of CPU so I de-installed that software. I can re-install once we get everything else fixed.

Hopefully I didn't make matters worse. Thanks again for all of your support!
 
You're welcome for the help. I had the following set up last night, but didn't get it sent so I added the two 'update problems'. If you are slow to load, it's because you have so many processes set to start on boot. Each one of them has to load, then each runs in the background, eventually slowing you down as you gather more temporary internet files, then each needs to stop when you shut down.

Review all those O4 processes in the HJT log> almost none need to start. Review all those preloaded Dell processes- chances are you don't use them, but they're running. Take the HP printer and all its related processes off of Startup. You can use the printer when needed> click on File> Print, instead of it running all the time.

Please run this Custom CFScript:

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad and copy/paste the text in the code below into it:
Code:
File::
c:\windows\system32\67FC3BDC4D.sys
c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
c:\windows\system32\zllictbl.dat

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\DNA\\btdna.exe"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSKDetectorExe"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
"WDSmartWare.exe"=- 
"WDDMStatus.exe"=-
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
Please reopen HijackThis to 'do system scan only.' Check each of the following, if present:

C:\Program Files\UPHClean\uphclean.exe
C:\DOCUME~1\Rob\LOCALS~1\Temp\clclean.0001
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD} - (no file)
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O23 - Service: WD SmartWare Drive Manager (WDDMService) - WDC - C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
O23 - Service: WD SmartWare Background Service (WDSmartWareBackgroundService) - Memeo - C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe


Close all Windows except HijackThis and click on "Fix Checked."

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
Click on Start> Run> type in services.msc> find each of the following and double click to open> Change Startup type to Manual>
WDDMService
WDSmartWareBackgroundService

Close Services.
Reboot the computer.
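The post above triages the HijackThis log by hand: it picks out the O2/O23 entries whose file is gone, the O4 autorun that still points at an uninstalled product (the McAfee SpamKiller detector behind the MSKDetector error), and the sheer number of startup items. The script below is an added example of doing that first pass automatically; it is not part of this thread and not HijackThis's own tooling. It parses the "Oxx - ..." line format shown in the log, and the sample lines, the `Entry` class and the `leftover_product_entries` helper are constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on a handful of lines from the HijackThis log in this
# thread. A real run would read the whole hijackthis.log file instead.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# HijackThis prefixes every finding with a section code (R0, R1, O2, O4, O23, ...).
SECTION_RE = re.compile(r"^(O\d+|R\d+|F\d+)\s+-\s+(.*)$")


@dataclass
class Entry:
    section: str  # e.g. "O4"
    body: str     # everything after "O4 - "

    @property
    def is_orphan(self) -> bool:
        """True when HijackThis could not find the file the entry points at.

        "(no file)" is used for BHOs, "(file missing)" for services, and
        "= ?" for a startup-folder shortcut whose target could not be resolved.
        """
        b = self.body.rstrip()
        return b.endswith("(no file)") or b.endswith("(file missing)") or b.endswith("= ?")


def parse_hjt(text: str) -> list[Entry]:
    """Parse HijackThis log lines into Entry objects; non-matching lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def orphan_entries(entries: list[Entry]) -> list[Entry]:
    """Entries that reference a file which no longer exists (candidates for 'Fix checked')."""
    return [e for e in entries if e.is_orphan]


def autorun_counts(entries: list[Entry]) -> dict[str, int]:
    """Count O4 autoruns per location (HKLM\\..\\Run, HKCU\\..\\Run, Global Startup, ...)."""
    counts: dict[str, int] = {}
    for e in entries:
        if e.section != "O4":
            continue
        location = e.body.split(":", 1)[0]
        counts[location] = counts.get(location, 0) + 1
    return counts


def leftover_product_entries(entries: list[Entry], removed_products: list[str]) -> list[Entry]:
    """O4/O23 entries that still mention a product the user says was uninstalled.

    These are the entries that keep producing errors such as the MSKDetector
    'Unable to write' message after the product itself is gone.
    """
    needles = [p.lower() for p in removed_products]
    return [
        e for e in entries
        if e.section in ("O4", "O23") and any(n in e.body.lower() for n in needles)
    ]


if __name__ == "__main__":
    found = parse_hjt(SAMPLE_LOG)
    print("orphaned entries:")
    for e in orphan_entries(found):
        print("  ", e.section, "-", e.body)
    print("autoruns per location:", autorun_counts(found))
    print("leftovers from removed products:")
    for e in leftover_product_entries(found, ["McAfee", "WD SmartWare"]):
        print("  ", e.section, "-", e.body)
```

The orphan test relies on the exact markers HijackThis prints, so an entry whose file exists but is unwanted (the SpamKiller detector, for instance) is only caught by the product-name check; both lists are starting points for a human review, not a verdict on what is malicious.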
 
More logs

Okay. Thanks for the suggestion to clean up the startup programs. I deleted the ones I was comfortable with so we shall see how it goes.

Ran the custom script. See log below.

Ran HijackThis. Only found two files to fix:
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD} - (no file)

Rebooted in safe mode to make additional changes suggested but could not find the services listed. Could this be because I de-installed the software? If so, should I make these changes once I re-install it?

ComboFix log:
ComboFix 10-10-01.06 - Rob 10/02/2010 11:08:09.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1446 [GMT -4:00]
Running from: c:\documents and settings\Rob\Desktop\virus removal files\ComboFix.exe
Command switches used :: c:\documents and settings\Rob\Desktop\virus removal files\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

FILE ::
"c:\documents and settings\All Users\Application Data\PKP_DLec.DAT"
"c:\windows\system32\67FC3BDC4D.sys"
"c:\windows\system32\zllictbl.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Rob\LOCALS~1\Temp\clclean.0001.dir.0000\~df394b.tmp
c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
c:\documents and settings\Rob\Local Settings\temp\clclean.0001.dir.0000\~df394b.tmp
c:\windows\system32\67FC3BDC4D.sys
c:\windows\system32\zllictbl.dat

.
((((((((((((((((((((((((( Files Created from 2010-09-02 to 2010-10-02 )))))))))))))))))))))))))))))))
.

2010-09-30 23:24 . 2010-09-30 23:24 388096 ----a-r- c:\documents and settings\Rob\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-09-30 23:24 . 2010-09-30 23:24 -------- d-----w- c:\program files\Trend Micro
2010-09-30 23:22 . 2010-09-30 23:22 61440 ----a-w- c:\documents and settings\Rob\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-1341d2c2-n\decora-sse.dll
2010-09-30 23:22 . 2010-09-30 23:22 503808 ----a-w- c:\documents and settings\Rob\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3a5917ae-n\msvcp71.dll
2010-09-30 23:22 . 2010-09-30 23:22 499712 ----a-w- c:\documents and settings\Rob\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3a5917ae-n\jmc.dll
2010-09-30 23:22 . 2010-09-30 23:22 348160 ----a-w- c:\documents and settings\Rob\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3a5917ae-n\msvcr71.dll
2010-09-30 23:22 . 2010-09-30 23:22 12800 ----a-w- c:\documents and settings\Rob\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-1341d2c2-n\decora-d3d.dll
2010-09-30 23:22 . 2010-09-30 23:22 -------- d-----w- c:\program files\Common Files\Java
2010-09-30 23:22 . 2010-09-30 23:21 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-30 23:16 . 2010-09-30 23:17 -------- d-----w- c:\program files\Common Files\Adobe
2010-09-29 01:17 . 2010-09-29 01:17 -------- d-----w- c:\program files\ESET
2010-09-26 21:23 . 2010-09-26 21:23 -------- d-----w- c:\documents and settings\Rob\Application Data\Malwarebytes
2010-09-26 21:23 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-26 21:23 . 2010-09-27 11:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-26 21:23 . 2010-09-26 21:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-26 21:23 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-25 23:45 . 2010-09-02 13:20 69120 ----a-w- c:\windows\system32\zlcomm.dll
2010-09-25 23:45 . 2010-09-02 13:20 103936 ----a-w- c:\windows\system32\zlcommdb.dll
2010-09-25 23:45 . 2010-09-02 13:20 1238528 ----a-w- c:\windows\system32\zpeng25.dll
2010-09-25 23:45 . 2010-09-25 23:45 -------- d-----w- c:\windows\system32\ZoneLabs
2010-09-25 23:45 . 2010-09-25 23:45 -------- d-----w- c:\program files\Zone Labs
2010-09-25 23:44 . 2010-10-02 15:02 -------- d-----w- c:\windows\Internet Logs
2010-09-25 21:07 . 2010-09-25 21:07 -------- d-----w- c:\documents and settings\All Users\Application Data\ZA_PreservedFiles
2010-09-25 20:49 . 2010-09-25 20:49 -------- d-----w- c:\program files\Conduit
2010-09-13 14:19 . 2010-09-13 14:19 -------- d-sh--w- c:\documents and settings\All Users\Application Data\MSFVKFBMS
2010-09-08 22:28 . 2010-08-30 18:34 1496064 ----a-w- c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\1zr4dlo9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-09-08 22:28 . 2010-08-30 18:33 43008 ----a-w- c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\1zr4dlo9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-09-08 22:28 . 2010-08-30 18:33 338944 ----a-w- c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\1zr4dlo9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-09-08 22:28 . 2010-08-30 18:33 346112 ----a-w- c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\1zr4dlo9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-09-02 15:26 . 2010-09-02 15:27 -------- d-----w- c:\program files\iTunes
2010-09-02 15:22 . 2010-09-03 01:36 -------- d-----w- c:\program files\QuickTime
2010-09-02 15:17 . 2010-09-02 15:17 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 10.0.0.68\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-02 01:17 . 2010-10-02 11:52 137216 ----a-w- c:\windows\Internet Logs\xDB7.tmp
2010-09-30 23:21 . 2006-05-10 15:00 -------- d-----w- c:\program files\Java
2010-09-30 12:13 . 2008-06-14 12:54 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-25 20:33 . 2008-02-04 22:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-09-25 20:31 . 2008-10-04 16:49 -------- d-----w- c:\program files\LeapFrog
2010-09-07 15:12 . 2010-06-29 16:56 38848 ----a-w- c:\windows\avastSS.scr
2010-09-07 15:11 . 2008-12-03 18:26 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-09-07 14:52 . 2008-12-03 18:27 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-09-07 14:52 . 2008-12-03 18:27 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-09-07 14:47 . 2008-12-03 18:27 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-09-07 14:47 . 2008-12-03 18:27 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-09-07 14:47 . 2008-12-03 18:27 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-09-07 14:47 . 2008-12-03 18:27 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-09-07 14:46 . 2008-12-03 18:27 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-09-04 17:18 . 2008-02-26 13:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Dell
2010-09-03 16:50 . 2009-10-21 21:31 -------- d-----w- c:\documents and settings\Boys\Application Data\Apple Computer
2010-09-02 15:26 . 2006-08-12 17:40 -------- d-----w- c:\program files\iPod
2010-09-02 15:26 . 2007-08-30 00:28 -------- d-----w- c:\program files\Common Files\Apple
2010-08-21 17:39 . 2006-12-26 23:39 -------- d-----w- c:\program files\The Learning Company
2010-08-17 18:10 . 2010-09-01 02:37 372736 ------w- c:\documents and settings\All Users\Application Data\Dell\DSL\DSLCheck.exe
2010-08-17 13:17 . 2004-08-10 16:51 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-04 20:17 . 2010-08-04 20:17 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2010-07-22 21:00 . 2010-07-22 21:00 697328 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-07-22 19:33 . 2010-07-22 19:33 71706968 ----a-w- c:\documents and settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Updates\DidjPlugin.exe
2010-07-22 19:32 . 2010-07-22 19:32 31287640 ----a-w- c:\documents and settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Updates\UPCInstaller.exe
2010-07-22 15:49 . 2004-08-10 16:51 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2009-04-16 22:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-09 14:26 . 2010-09-01 02:38 475136 ----a-w- c:\documents and settings\All Users\Application Data\Dell\RMC\RMCCreationInfo.exe
2008-08-16 22:42 . 2008-08-16 22:42 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-08-16 22:42 . 2008-08-16 22:42 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-08-16 22:42 . 2008-08-16 22:42 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2008-08-16 22:42 . 2008-08-16 22:42 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-08-16 22:43 . 2008-08-16 22:43 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-08-16 22:42 . 2008-08-16 22:42 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2008-08-16 22:42 . 2008-08-16 22:42 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2008-05-21 13:41 . 2008-05-21 13:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2008-05-21 13:41 . 2008-05-21 13:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2008-05-21 13:41 . 2008-05-21 13:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2008-06-05 18:58 . 2008-06-05 18:58 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-08-16 22:42 . 2008-08-16 22:42 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-09-30_22.59.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-10-02 14:51 . 2010-10-02 14:51 16384 c:\windows\temp\Perflib_Perfdata_5a4.dat
+ 2009-12-22 00:09 . 2009-12-22 00:09 16832 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\ViewerPS.dll
+ 2009-12-22 05:57 . 2009-12-22 05:57 35760 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\reader_sl.exe
+ 2009-12-22 00:02 . 2009-12-22 00:02 79280 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\PDFPrevHndlr.dll
+ 2009-12-22 03:21 . 2009-12-22 03:21 99776 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\eula.exe
+ 2009-12-11 19:57 . 2009-12-11 19:57 70584 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\adobeextractfiles.dll
+ 2009-12-22 03:37 . 2009-12-22 03:37 27048 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\acrotextextractor.exe
+ 2009-12-21 22:39 . 2009-12-21 22:39 15288 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroRd32Info.exe
+ 2009-12-21 22:27 . 2009-12-21 22:27 75200 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\acroiehelpershim.dll
+ 2009-12-21 22:27 . 2009-12-21 22:27 61888 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroIEHelper.dll
+ 2010-09-30 23:22 . 2010-09-30 23:21 153376 c:\windows\system32\javaws.exe
+ 2010-09-30 23:22 . 2010-09-30 23:21 145184 c:\windows\system32\javaw.exe
+ 2010-09-30 23:22 . 2010-09-30 23:21 145184 c:\windows\system32\java.exe
+ 2010-09-30 23:22 . 2010-09-30 23:22 180224 c:\windows\Installer\7ffa8.msi
+ 2010-09-30 23:21 . 2010-09-30 23:21 676352 c:\windows\Installer\7ffa2.msi
+ 2009-12-11 19:57 . 2009-12-11 19:57 326056 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\readerupdater.exe
+ 2009-12-21 22:35 . 2009-12-21 22:35 378264 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\pdfshell.dll
+ 2009-12-22 00:05 . 2009-12-22 00:05 116168 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\PDFPrevHndlrShim.exe
+ 2009-11-09 23:18 . 2009-11-09 23:18 684032 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\JP2KLib.dll
+ 2009-12-22 00:02 . 2009-12-22 00:02 542168 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AdobeCollabSync.exe
+ 2009-12-11 19:57 . 2009-12-11 19:57 948672 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\adobearm.exe
+ 2009-12-21 22:43 . 2009-12-21 22:43 120240 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroRdIF.dll
+ 2009-12-22 05:57 . 2009-12-22 05:57 349616 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroRd32.exe
+ 2009-12-21 22:15 . 2009-12-21 22:15 660912 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroPDF.dll
+ 2009-12-21 23:32 . 2009-12-21 23:32 280024 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\acrobroker.exe
+ 2009-12-11 19:57 . 2009-12-11 19:57 326056 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\acrobatupdater.exe
+ 2009-12-21 23:15 . 2009-12-21 23:15 251296 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\a3dutility.exe
+ 2010-09-30 23:24 . 2010-09-30 23:24 1094656 c:\windows\Installer\7ffac.msi
+ 2010-06-20 08:01 . 2010-06-20 08:01 8040960 c:\windows\Installer\7ff9c.msp
+ 2010-09-30 23:17 . 2010-09-30 23:17 3940352 c:\windows\Installer\7ff9a.msi
+ 2009-12-21 22:29 . 2009-12-21 22:29 2409880 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\rt3d.dll
+ 2009-12-21 23:00 . 2009-12-21 23:00 1298996 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\JSByteCodeWin.bin
+ 2009-12-22 03:31 . 2009-12-22 03:31 5713920 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AGM.dll
+ 2010-04-04 06:54 . 2010-04-04 06:54 11850240 c:\windows\Installer\7ff9d.msp
+ 2010-08-13 18:09 . 2010-08-13 18:09 12263936 c:\windows\Installer\7ff9b.msp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 24576]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-11-01 94208]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-09-15 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC.exe" [2005-09-19 1159168]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 49152]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"MBMon"="CTMBHA.DLL" [2005-05-19 1345520]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-07-13 47904]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-09-02 1043968]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
 
rest of log

c:\documents and settings\Rob\Start Menu\Programs\Startup\
qlock.lnk - c:\program files\Qlock\qlock.exe [2009-2-14 4142080]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-5-10 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2006-6-12 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/3/2008 2:27 PM 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/3/2008 2:27 PM 17744]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys --> c:\windows\system32\DRIVERS\wdcsam.sys [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/22/2010 5:00 PM 697328]

--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder

2010-09-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.verizon.net/central/appmanager/portal/vzcentral?_nfpb=true&_pageLabel=customer#Scene_1
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
Trusted Zone: sap.com\connectphl02
Trusted Zone: sap.com\connectphl05
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\1zr4dlo9.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.weather.com/
FF - component: c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\1zr4dlo9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\1zr4dlo9.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}\plugins\npGarmin.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-02 11:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-10-02 11:15:10
ComboFix-quarantined-files.txt 2010-10-02 15:15
ComboFix2.txt 2010-09-30 23:01
ComboFix3.txt 2010-09-29 01:13

Pre-Run: 51,534,905,344 bytes free
Post-Run: 51,648,299,008 bytes free

Current=3 Default=3 Failed=5 LastKnownGood=6 Sets=1,2,3,5,6
- - End Of File - - AF8EDBD6963863618CDD5B51CA11C940



++++++++++++++++++++++++++++++++++++++++++++++++++++++++

By the way, for as long as I can remember we have always received this window upon start up. We just close it b/c Dell told us it wasn't an issue.
desktop.ini - Notepad
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787
 
About HJT entries: we add "if present" when we say to check for removal. So if these entries aren't there, they will have been removed. No problem.
About the Services: Yes, the uninstall could have removed them, since you noticed it was a high resource user and were removing it for now. When you reinstall it, you will have the entries again. As far as I see, this does not need to start automatically and can be 'user invoked'. This means that the Services for the 2 WDSmartWare can both be set to Manual when you put it back. Check HERE if you need more info.

Use the free FoxIt PDF Reader for additional speed instead of the Adobe Reader and cut out the bulk! Once you have FoxIt installed, uninstall the Adobe Reader in Add/Remove Programs: Here is the Free FoxIt Reader.
If you want additional PDF features, they also have paid versions. But this does what you've been using Adobe Reader for.

Your printer is creating logs. That's okay- just clean them out once in a while. They look like this, with a changing number: c:\windows\Internet Logs\xDB7.tmp
============================
About the desktop.ini> From Microsoft:
Cause:
  • A Desktop.ini file exists in one or more of the following folders, where drive is the drive on which Windows is installed:
    o drive:\Documents and Settings\All Users\Start Menu\Programs\Startup
    o drive:\Documents and Settings\All Users\Start Menu\Programs
    o drive:\Documents and Settings\All Users\Start Menu
    -and-
  • The Desktop.ini file contains the following lines:
Code:
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787
Resolution:
Use the System Configuration Utility (Msconfig.exe) to Disable the Startup Item
1. Click Start, and then click Run.
2. In the Open box, type msconfig, and then click OK.
3. Click the Startup tab.
4. Click to clear the check box beside any desktop entries in the Startup Item column that are listed as Common Startup in the Location column, and are also located in any of the following locations (as indicated in the Command column):

  • [o] drive:\Documents and Settings\All Users\Start Menu\Programs\Startup
    [o] drive:\Documents and Settings\All Users\Start Menu\Programs
    [o] drive:\Documents and Settings\All Users\Start Menu
5. Click OK to quit the System Configuration Utility.
6. Restart your computer and verify that the issue is resolved.

See next post to finish up.
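The Microsoft article quoted above names three folders and one specific desktop.ini line. The following PowerShell script is an added example, not something posted in this thread or shipped by Microsoft: it looks in exactly those three folders for a desktop.ini carrying that line and reports what it finds, without changing anything. It assumes PowerShell is installed (it was not part of Windows XP by default) and that %ALLUSERSPROFILE% points at the All Users profile as it does on XP; on Vista and later the Start Menu lives under %ProgramData%\Microsoft\Windows, so the folder list would need adjusting there.

```powershell
# Added example (not from the thread): report desktop.ini files in the three
# Start Menu folders named in the Microsoft article, and say whether each one
# contains the LocalizedResourceName line that makes Notepad open at logon.
# Assumption: XP-style profile layout, where $env:ALLUSERSPROFILE is
# "drive:\Documents and Settings\All Users".
$allUsersStart = Join-Path $env:ALLUSERSPROFILE 'Start Menu'
$folders = @(
    (Join-Path $allUsersStart 'Programs\Startup'),
    (Join-Path $allUsersStart 'Programs'),
    $allUsersStart
)

foreach ($folder in $folders) {
    $ini = Join-Path $folder 'desktop.ini'
    if (-not (Test-Path -LiteralPath $ini)) {
        Write-Output "no desktop.ini in: $folder"
        continue
    }
    # desktop.ini is normally a hidden system file; -Force reads it regardless.
    $text = Get-Content -LiteralPath $ini -Force -ErrorAction SilentlyContinue
    # Single-quoted string: "\\" is a literal backslash for the regex engine.
    if ($text -match 'LocalizedResourceName=@%SystemRoot%\\system32\\shell32\.dll,-21787') {
        Write-Output "desktop.ini with shell32 resource -21787 found in: $folder"
    } else {
        Write-Output "desktop.ini present, but without that line: $folder"
    }
}
```

A hit in the Programs\Startup folder is the case the article describes; a desktop.ini in the other two folders is normal Windows behaviour and only matters if Notepad is actually opening it, which is why the script reports rather than deletes.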
 
The system is clean! Remove all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
    [o] Choose Disc Cleanup
    [o] Click "OK" to select the partition or drive you want.
    [o] Click the "More Options" Tab.
    [o] Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Empty the Recycle Bin

Tips for added security and safer browsing:
(Note: some of the following may not work on Windows 7 or a 64 bit system)
  1. Browser Security Settings: Custom is fine if the user did the settings. Mine are Custom. Default is okay too, but sometimes too restrictive.
    This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features: Make Internet Explorer safer.
  2. Have layered Security:
    • Antivirus Software(only one):Both of the following programs are free and known to be good:
      [o]Avira Free
      [o]Avast Home
    • Firewall (only one): Use bi-directional firewall. Both of the following programs are free and known to be good:
      [o]Comodo
      [o]Zone Alarm
    • Antispyware: I recommend all of the following:
      [o]Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
      [o]IE/Spyad This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
      [o]MVPS Hosts files This replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
      [o]Google Toolbar Get the free google toolbar to help stop pop up windows.
  3. Stay current on updates:
    [o] Visit the Microsoft Download Site frequently. You should get All updates marked Critical and the current SP updates.
    [o] Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
    [o] Check this site: Java Updates. Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
  4. Reset Cookies to prevent Tracking Cookies:
    [o]For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
    [o]For Firefox: Tools> Options> Privacy> Cookies> check ‘accept Cookies from Sites’> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
    I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
    AdBlock Plus
    Easy List
  5. Do regular Maintenance
    Remove Temporary Internet Files regularly:
    [o]ATF Cleaner by Atribune
    OR
    [o]TFC
    Disable and Enable System Restore:
    [o]See System Restore Guide This will help you understand what this is, why you need to clean and set restore points and what information is in them.
  6. Practice Safe Email Handling
    [o] Don't open email from anyone you don't know.
    [o] Don't open Attachments in the email. Save to your desktop and scan for viruses using a right click
    [o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
Let me know if you have any more questions
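The MVPS HOSTS file item above works by mapping ad and tracking hostnames to 127.0.0.1, the local machine. The PowerShell script below is an added example, not from this thread or from MVPS: it reads the live HOSTS file, counts how many names are mapped to a local address (the blocking entries a list like MVPS adds, plus the standard localhost line), and separately lists any name mapped to some other address. That second group is worth a look on a machine being cleaned, because the HOSTS file is also a place malware uses to send security or banking sites somewhere else. The script only reads the file; the path assumes the standard %SystemRoot%\System32\drivers\etc location.

```powershell
# Added example (not from the thread): summarise the HOSTS file.
# Local addresses (127.0.0.1, 0.0.0.0, ::1) are blocking entries; anything
# else is reported by name so it can be reviewed.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$blocking = 0
$other = @()

foreach ($line in Get-Content -LiteralPath $hostsPath) {
    # Drop comments ("#" to end of line) and skip blank lines.
    $entry = ($line -split '#')[0].Trim()
    if (-not $entry) { continue }
    $parts = $entry -split '\s+'
    if ($parts.Count -lt 2) { continue }          # address with no names
    $address = $parts[0]
    $names   = $parts[1..($parts.Count - 1)]
    if (@('127.0.0.1', '0.0.0.0', '::1') -contains $address) {
        $blocking += $names.Count
    } else {
        foreach ($n in $names) { $other += "$n -> $address" }
    }
}

Write-Output "Names mapped to the local machine (blocking entries): $blocking"
if ($other.Count -eq 0) {
    Write-Output 'No names mapped to other addresses.'
} else {
    Write-Output 'Names mapped to other addresses (review these):'
    $other | ForEach-Object { Write-Output "  $_" }
}
```

A freshly installed MVPS list shows a blocking count in the thousands and an empty second section; a non-empty second section on a home machine is unusual and each line in it should be explained before the file is trusted.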
 
Hi Bobbye, Thanks for the update and it is great news that the system is clean. You are my HERO!!!

While I am going through all of the info you provided I wanted to share that we seem to be having occasional issues with Explorer not shutting down which then stops Windows from shutting down. Even when I choose to end Explorer, Windows shut down just locks up. It does not happen all the time but I can't figure out why. I end up having to do a hard shut down. Any thoughts?

I can't thank you enough for all your help.
Amy
 
Okay, this is the last post for tonight b/c I have had enough.

I have tried to download the google toolbar for Explorer but it can't find the program to open the file and I don't know what program to choose. I checked out help and made sure the settings were enabled but I still can't download. We do have it installed on Firefox. Any thoughts on what I need to do to install on Explorer?
 
Spywareblaster and Spybot Search & Destroy can both be on the system. I have both. I recommend you don't use the Tea Timer feature in Spybot. As for the Google Toolbar, usually there is no problem- are you choosing the toolbar for IE?

The Google Toolbar is optional Amy. Try rebooting the computer first. Here is the link for the one you need:
Google Toolbar for Internet Explorer 6.5.518.1650
 