Solved Attn: Bobbye Persistent Infection


Conners

Hi. Thank you for your continued help. Ref thread: https://www.techspot.com/vb/topic161743.html

Here are the logs requested:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5977

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

07/03/2011 00:06:22
mbam-log-2011-03-07 (00-06-22).txt

Scan type: Full scan (C:\|J:\|)
Objects scanned: 154998
Time elapsed: 24 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2011-03-07 00:14:38
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP5T0L0-1d ST3400833AS rev.3.AAE
Running: 84gi61dn.exe; Driver: C:\DOCUME~1\Srennoc\LOCALS~1\Temp\uxpdafow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \Driver\Tcpip \Device\Ip vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Udp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

---- EOF - GMER 1.0.15 ----


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 02/03/2011 23:15:49
System Uptime: 07/03/2011 00:11:59 (0 hours ago)
.
Motherboard: ASUSTeK Computer INC. | | P5N-D
Processor: Intel(R) Pentium(R) D CPU 3.20GHz | Socket 775 | 3200/200mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 373 GiB total, 354.802 GiB free.
D: is Removable
E: is Removable
F: is Removable
G: is Removable
H: is CDROM (CDFS)
I: is CDROM ()
J: is CDROM (CDFS)
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: SM Bus Controller
Device ID: PCI\VEN_10DE&DEV_0264&SUBSYS_81BC1043&REV_A3\3&2411E6FE&0&51
Manufacturer:
Name: SM Bus Controller
PNP Device ID: PCI\VEN_10DE&DEV_0264&SUBSYS_81BC1043&REV_A3\3&2411E6FE&0&51
Service:
.
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Simple Communications Controller
Device ID: PCI\VEN_11C1&DEV_0620&SUBSYS_062011C1&REV_00\4&DC268A3&0&3880
Manufacturer:
Name: PCI Simple Communications Controller
PNP Device ID: PCI\VEN_11C1&DEV_0620&SUBSYS_062011C1&REV_00\4&DC268A3&0&3880
Service:
.
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Other PCI Bridge Device
Device ID: PCI\VEN_10DE&DEV_0269&SUBSYS_82211043&REV_A3\3&2411E6FE&0&A0
Manufacturer:
Name: Other PCI Bridge Device
PNP Device ID: PCI\VEN_10DE&DEV_0269&SUBSYS_82211043&REV_A3\3&2411E6FE&0&A0
Service:
.
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: ACPI\ATK0110\1010110
Manufacturer:
Name:
PNP Device ID: ACPI\ATK0110\1010110
Service:
.
==== System Restore Points ===================
.
RP1: 05/03/2011 05:39:43 - System Checkpoint
.
==== Installed Programs ======================
.
Avira AntiVir Personal - Free Antivirus
Call of Duty(R) 4 - Modern Warfare(TM)
Entropia Universe
Google Chrome
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB976002-v5)
Hotfix for Windows XP (KB981793)
Java Auto Updater
Java(TM) 6 Update 24
Malwarebytes' Anti-Malware
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
NVIDIA Control Panel 266.58
NVIDIA Graphics Driver 266.58
NVIDIA Install Application
NVIDIA nView 135.50
NVIDIA nView Desktop Manager
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2482017)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982381)
Security Update for Windows XP (KB982665)
Spybot - Search & Destroy
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Visual C++ 8.0 CRT (x86) WinSXS MSM
Visual C++ 8.0 CRT.Policy (x86) WinSXS MSM
web'n'walk USB manager
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows XP Service Pack 3
ZoneAlarm
ZoneAlarm Toolbar
.
==== Event Viewer Messages From Past Week ========
.
05/03/2011 11:52:31, error: Service Control Manager [7031] - The Remote Procedure Call (RPC) service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
05/03/2011 11:52:26, error: Service Control Manager [7034] - The DNS Client service terminated unexpectedly. It has done this 1 time(s).
05/03/2011 11:52:03, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).
05/03/2011 11:51:55, error: Service Control Manager [7034] - The TCP/IP NetBIOS Helper service terminated unexpectedly. It has done this 1 time(s).
05/03/2011 11:51:52, error: Service Control Manager [7034] - The WebClient service terminated unexpectedly. It has done this 1 time(s).
04/03/2011 11:18:30, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Windows Internet Explorer 7 for Windows XP.
04/03/2011 00:08:45, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
04/03/2011 00:08:45, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
03/03/2011 19:55:04, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC80.CRT. Reference error message: The referenced assembly is not installed on your system. .
03/03/2011 19:55:04, error: SideBySide [59] - Generate Activation Context failed for C:\DOCUME~1\Srennoc\LOCALS~1\Temp\schk.tmp. Reference error message: The operation completed successfully. .
03/03/2011 19:55:04, error: SideBySide [32] - Dependent Assembly Microsoft.VC80.CRT could not be found and Last Error was The referenced assembly is not installed on your system.
03/03/2011 18:49:11, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Internet Explorer 8 for Windows XP.
03/03/2011 10:09:38, error: VolSnap [12] - The shadow copy of volume C: became low on diff area space before it was properly installed.
03/03/2011 09:52:20, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.CRT. Reference error message: The referenced assembly is not installed on your system. .
03/03/2011 09:52:20, error: SideBySide [59] - Generate Activation Context failed for C:\DOCUME~1\Srennoc\LOCALS~1\Temp\RarSFX0\redist.dll. Reference error message: The operation completed successfully. .
03/03/2011 09:52:20, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.CRT could not be found and Last Error was The referenced assembly is not installed on your system.
.
==== End Of File ===========================


.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Srennoc at 0:15:44.25 on 07/03/2011
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1678 [GMT -8:00]
.
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *Disabled*
.
============== Running Processes ===============
.
C:\internet stuff\Avira\AntiVir Desktop\avguard.exe
C:\internet stuff\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\internet stuff\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program anti\avajff\bin\jqs.exe
C:\internet stuff\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Documents and Settings\Srennoc\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uURLSearchHooks: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\tbZone.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\prograzs\earcestroy\SDHelper.dll
BHO: ZoneAlarm Security Engine Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\tbZone.dll
TB: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\tbZone.dll
TB: ZoneAlarm Security Engine: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [SpybotSD TeaTimer] c:\prograzs\earcestroy\TeaTimer.exe
mRun: [avgnt] "c:\internet stuff\avira\antivir desktop\avgnt.exe" /min
mRun: [ZoneAlarm Client] "c:\program anti\abs\zonealarm\zlclient.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\progra\tes' anti-malware\mbamgui.exe /install /silent
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\prograzs\earcestroy\SDHelper.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1299198266453
.
============= SERVICES / DRIVERS ===============
.
R1 avgio;avgio;c:\internet stuff\avira\antivir desktop\avgio.sys [2011-3-3 11608]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2011-3-3 532224]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\internet stuff\avira\antivir desktop\sched.exe [2011-3-3 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\internet stuff\avira\antivir desktop\avguard.exe [2011-3-3 267944]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-3-3 61960]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2011-2-15 26872]
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\b.tmp --> c:\windows\system32\B.tmp [?]
S4 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2011-2-15 488952]
.
=============== Created Last 30 ================
.
2011-03-07 07:24:03 -------- d-----w- c:\docume~1\srennoc\applic~1\Malwarebytes
2011-03-07 07:23:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-07 07:23:29 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-03-07 07:23:24 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-07 07:23:24 -------- d-----w- C:\Progra
2011-03-05 15:52:17 -------- d-----w- C:\Progrtn
2011-03-05 13:47:33 -------- d-sha-r- C:\cmdcons
2011-03-05 13:39:41 98816 ----a-w- c:\windows\sed.exe
2011-03-05 13:39:41 89088 ----a-w- c:\windows\MBR.exe
2011-03-05 13:39:41 256512 ----a-w- c:\windows\PEV.exe
2011-03-05 13:39:41 161792 ----a-w- c:\windows\SWREG.exe
2011-03-04 20:25:44 -------- d-----w- c:\windows\Entropia Universe
2011-03-04 20:25:44 -------- d-----w- c:\program files\Entropia Universe
2011-03-04 20:19:56 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2011-03-04 19:32:18 -------- d-----w- c:\program files\Activision
2011-03-04 19:09:42 -------- d-sh--w- c:\windows\ftpcache
2011-03-04 07:53:41 221184 ----a-w- c:\windows\system32\wmpns.dll
2011-03-04 07:49:21 -------- d-----w- C:\Prograzs
2011-03-04 07:39:31 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2011-03-04 07:39:28 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2011-03-04 07:39:28 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2011-03-04 07:39:05 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2011-03-04 07:37:45 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2011-03-04 06:49:26 -------- d-----w- c:\windows\pss
2011-03-04 06:20:24 -------- d-----w- c:\docume~1\alluse~1\applic~1\NVIDIA Corporation
2011-03-04 06:17:55 -------- d-----w- c:\program files\NVIDIA Corporation
2011-03-04 06:16:43 -------- d-----w- C:\videenis
2011-03-04 05:53:37 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-03-04 05:53:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-03-04 04:29:03 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2011-03-04 04:12:03 -------- d-----w- c:\docume~1\srennoc\locals~1\applic~1\Temp
2011-03-04 04:11:14 -------- d-----w- c:\docume~1\srennoc\locals~1\applic~1\Google
2011-03-04 04:10:39 -------- d-----w- C:\Stuff
2011-03-04 03:57:04 -------- d-----w- c:\docume~1\srennoc\applic~1\CheckPoint
2011-03-04 03:56:29 -------- d-----w- c:\docume~1\srennoc\locals~1\applic~1\Conduit
2011-03-04 03:56:28 -------- d-----w- c:\program files\ZoneAlarm_Security
2011-03-04 03:56:28 -------- d-----w- c:\program files\Conduit
2011-03-04 03:56:28 -------- d-----w- c:\docume~1\srennoc\locals~1\applic~1\ZoneAlarm_Security
2011-03-04 03:55:11 -------- d-----w- c:\program files\CheckPoint
2011-03-04 03:54:47 1238528 ----a-w- c:\windows\system32\zpeng25.dll
2011-03-04 03:54:46 -------- d-----w- c:\windows\system32\ZoneLabs
2011-03-04 03:54:12 -------- d-----w- C:\Program anti
2011-03-04 03:25:04 -------- d-----w- c:\windows\system32\scripting
2011-03-04 03:25:03 -------- d-----w- c:\windows\l2schemas
2011-03-04 03:25:02 -------- d-----w- c:\windows\system32\en
2011-03-04 03:21:05 -------- d-----w- c:\windows\network diagnostic
2011-03-04 02:19:11 -------- d-----w- c:\program files\Zone Labs
2011-03-04 02:18:37 -------- d-----w- c:\windows\Internet Logs
2011-03-04 00:35:54 26488 ----a-w- c:\windows\system32\spupdsvc.exe
2011-03-04 00:35:54 -------- d-----w- c:\windows\system32\PreInstall
2011-03-04 00:35:53 -------- d--h--w- c:\windows\$hf_mig$
2011-03-04 00:35:24 -------- d-----w- c:\windows\system32\bits
2011-03-04 00:34:07 8192 ------w- c:\windows\system32\bitsprx2.dll
2011-03-04 00:34:07 7168 ------w- c:\windows\system32\bitsprx3.dll
2011-03-04 00:34:07 438784 ------w- c:\windows\system32\xpob2res.dll
2011-03-04 00:34:07 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-03-04 00:34:07 18944 ----a-w- c:\windows\system32\qmgrprxy.dll
2011-03-04 00:25:31 217816 ----a-w- c:\windows\system32\wuaucpl.cpl
2011-03-04 00:25:31 21728 ----a-w- c:\windows\system32\wucltui.dll.mui
2011-03-04 00:25:31 17632 ----a-w- c:\windows\system32\wuaueng.dll.mui
2011-03-04 00:25:31 15072 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2011-03-04 00:25:31 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2011-03-04 00:03:11 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2011-03-03 23:56:49 88960 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys
2011-03-03 23:56:49 24448 ----a-w- c:\windows\system32\drivers\ewdcsc.sys
2011-03-03 23:56:33 -------- d-----w- C:\internet stuff
2011-03-03 18:21:59 79872 -c----w- c:\windows\system32\dllcache\msxml6r.dll
2011-03-03 18:08:42 -------- d-----w- c:\windows\system32\NtmsData
2011-03-03 18:00:55 -------- d-----w- c:\docume~1\srennoc\applic~1\Avira
2011-03-03 17:54:28 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-03-03 17:54:26 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira
2011-03-03 17:53:18 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2011-03-03 17:52:57 357248 -c----w- c:\windows\system32\dllcache\srv.sys
2011-03-03 17:52:03 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2011-03-03 17:51:57 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2011-03-03 17:51:57 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2011-03-03 17:51:53 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2011-03-03 17:51:47 293376 ------w- c:\windows\system32\browserchoice.exe
2011-03-03 17:51:41 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2011-03-03 17:51:28 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2011-03-03 17:51:26 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2011-03-03 17:51:21 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2011-03-03 17:51:07 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2011-03-03 17:49:53 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2011-03-03 17:49:52 730112 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2011-03-03 17:49:52 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2011-03-03 17:49:52 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2011-03-03 17:49:52 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2011-03-03 17:49:52 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2011-03-03 17:49:52 110592 -c----w- c:\windows\system32\dllcache\services.exe
2011-03-03 17:49:51 718336 -c----w- c:\windows\system32\dllcache\ntdll.dll
2011-03-03 17:49:51 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2011-03-03 17:49:50 2192768 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2011-03-03 17:49:50 2148864 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2011-03-03 17:49:49 2027008 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2011-03-03 17:37:34 2066432 -c----w- c:\windows\system32\dllcache\mstscax.dll
2011-03-03 17:37:09 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2011-03-03 17:37:05 1172480 -c----w- c:\windows\system32\dllcache\msxml3.dll
2011-03-03 17:36:32 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-03-03 17:36:31 218112 -c----w- c:\windows\system32\dllcache\wordpad.exe
2011-03-03 17:28:32 -------- d-----w- c:\windows\system32\wbem\AutoRecover
2011-03-03 17:23:36 -------- d-----w- c:\windows\peernet
2011-03-03 17:23:35 -------- d-----w- c:\windows\provisioning
2011-03-03 17:22:44 -------- d-----w- c:\windows\ServicePackFiles
2011-03-03 17:21:26 -------- d-----w- c:\windows\system32\ReinstallBackups
2011-03-03 17:19:27 -------- d-----w- c:\windows\EHome
2011-03-03 17:14:13 11264 ------w- c:\windows\system32\spnpinst.exe
.
==================== Find3M ====================
.
2011-03-04 06:18:53 252080 ----a-w- c:\windows\system32\nvdrsdb0.bin
2011-03-04 06:18:53 1 ----a-w- c:\windows\system32\nvdrssel.bin
2011-03-04 06:18:49 252080 ----a-w- c:\windows\system32\nvdrsdb1.bin
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-08 03:27:00 941160 ----a-w- c:\windows\system32\nvdispco322090.dll
2011-01-08 03:27:00 837736 ----a-w- c:\windows\system32\nvgenco322040.dll
2011-01-08 03:27:00 6397824 ----a-w- c:\windows\system32\nv4_disp.dll
2011-01-08 03:27:00 61440 ----a-w- c:\windows\system32\OpenCL.dll
2011-01-08 03:27:00 4980736 ----a-w- c:\windows\system32\nvcuda.dll
2011-01-08 03:27:00 2916968 ----a-w- c:\windows\system32\nvcuvid.dll
2011-01-08 03:27:00 2292678 ----a-w- c:\windows\system32\nvdata.bin
2011-01-08 03:27:00 2251368 ----a-w- c:\windows\system32\nvcuvenc.dll
2011-01-08 03:27:00 1958400 ----a-w- c:\windows\system32\nvapi.dll
2011-01-08 03:27:00 14671872 ----a-w- c:\windows\system32\nvoglnt.dll
2011-01-08 03:27:00 13004800 ----a-w- c:\windows\system32\nvcompiler.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 22:15:52 667136 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 22:15:52 61952 ----a-w- c:\windows\system32\tdc.ocx
2010-12-20 22:15:51 81920 ------w- c:\windows\system32\ieencode.dll
2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 15:30:29 369664 ------w- c:\windows\system32\html.iec
2010-12-09 15:15:09 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30:22 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42:26 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07:07 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
============= FINISH: 0:17:14.60 ===============
 
Okay then, let's go on. In the previous thread, you mentioned a concern about a possibly infected flash drive. Let's be sure to handle that: Don't use the flash drive on the system until it's been disinfected.
These worms can travel through your portable drives. If they have been connected to other machines, they may now be infected.

Please download Flash_Disinfector.exe (http://download.bleepingcomputer.com//sUBs/Flash_Disinfector.exe) by sUBs and save it to your desktop.
  1. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    Note: Some security programs will flag Flash_Disinfector as being some sort of malware; you can safely ignore these warnings.
  2. The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  3. Wait until it has finished scanning and then exit the program.
  4. Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
==========================================
I'd like to ask you about some directories. It's my job to know what's in them and that they are safe, or find malware and remove it. I see these in the log and ask if you know what you put in them:
C:\Progra
C:\Progrtn
C:\cmdcons
C:\Prograzs
C:\videenis
C:\Program anti

There are also 2 others, and I don't want to open them with a script and have a gazillion files showing!
C:\Stuff
C:\internet stuff

If you set these up and know the contents, no problem, although I would have suggested sub-folders rather than entire directories.
=============================================
Go ahead with this now: Please download ComboFix from Here and save to your Desktop.

  [1]. Do NOT rename Combofix unless instructed.
  [2]. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  [3]. Close any open browsers.
  [4]. Double click combofix.exe & follow the prompts to run.
  • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  [5]. If Combofix asks you to install Recovery Console, please allow it.
  [6]. If Combofix asks you to update the program, always allow.
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  [7]. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with Combofix.

You probably already got the Recovery Console so Combofix will skip that and go right on to the scan.
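The autorun.inf note above describes the mechanism rather than showing it: a USB worm relies on a *file* named autorun.inf whose [autorun] section tells Windows what to launch, and the disinfector blocks that by pre-creating a hidden *folder* of the same name so no such file can be written. The following is an added example (not Flash_Disinfector's own code) that triages each drive root the same way and reproduces the protective folder; the drive roots, the `attrib` call and the sample autorun.inf content are assumptions/constructed for illustration.

```python
"""Triage and protect the autorun.inf entry at the root of each drive.

Added example, not code from the tool or thread above.  For every root it
reports one of three states:
  absent            -- nothing named autorun.inf at the root
  protected-folder  -- a directory of that name (the disinfector's countermeasure)
  file              -- a real autorun.inf; its launch directives are extracted
"""
import os
import subprocess
import sys
import tempfile
from dataclasses import dataclass, field

# Constructed sample of the kind of file a USB worm drops (not from the thread).
SAMPLE_AUTORUN_INF = """\
[autorun]
; constructed sample for illustration only
open=hidden\\launch.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
shell\\open\\command=hidden\\launch.exe
"""


def parse_autorun(text):
    """Return {key: value} for the [autorun] section; keys are lower-cased."""
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def exec_targets(entries):
    """Keep only the directives that make Windows run something on insert/open."""
    return {
        k: v for k, v in entries.items()
        if k in ("open", "shellexecute")
        or (k.startswith("shell\\") and k.endswith("\\command"))
    }


@dataclass
class Verdict:
    root: str
    state: str                      # "absent" | "protected-folder" | "file"
    launches: dict = field(default_factory=dict)


def triage_root(root):
    """Classify <root>\\autorun.inf and, for a file, list what it would launch."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.lexists(path):
        return Verdict(root, "absent")
    if os.path.isdir(path):
        return Verdict(root, "protected-folder")
    with open(path, "r", errors="replace") as fh:
        entries = parse_autorun(fh.read())
    return Verdict(root, "file", exec_targets(entries))


def protect_root(root):
    """Reproduce the countermeasure: a hidden, system, read-only folder named autorun.inf.

    Refuses to act while a real autorun.inf file is present, so the file is
    inspected and removed first rather than silently replaced.
    """
    path = os.path.join(root, "autorun.inf")
    if os.path.isfile(path):
        raise RuntimeError(f"{path} is a file; inspect and remove it before protecting")
    os.makedirs(path, exist_ok=True)
    if sys.platform == "win32":
        # attrib is the stock Windows tool for these flags (assumed available on PATH).
        subprocess.run(["attrib", "+h", "+s", "+r", path], check=False)
    return path


def demo():
    """Self-contained run over two constructed roots in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        infected = os.path.join(tmp, "infected_root")
        clean = os.path.join(tmp, "clean_root")
        os.makedirs(infected)
        os.makedirs(clean)
        with open(os.path.join(infected, "autorun.inf"), "w") as fh:
            fh.write(SAMPLE_AUTORUN_INF)
        before = triage_root(infected)
        untouched = triage_root(clean)
        protect_root(clean)
        after = triage_root(clean)
        return {
            "infected": before.state,
            "infected_launches": sorted(before.launches),
            "clean_before": untouched.state,
            "clean_after": after.state,
        }


if __name__ == "__main__":
    roots = sys.argv[1:]          # e.g. E:\ F:\ on Windows; run demo() if none given
    if not roots:
        print(demo())
    for r in roots:
        v = triage_root(r)
        print(f"{v.root}: {v.state}" + (f" launches={v.launches}" if v.launches else ""))
```

Run it with drive roots as arguments to triage real removable media; a "file" verdict with non-empty launches is the case to clean up before running protect_root.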
 
combofix

Hi, I installed those things in those places on the drive to see if it made any difference to my issues.
c:\Progra = Malwarebytes
c:\progrtn = empty directory (did have a malware scanner in there)
c:\cmdcons = don't know what this is :S has a system32 folder and ntdetect application
c:\prograzs = spybot search and destroy
c:\videenis = display driver software
c:\Program anti = java and zone alarm
c:\internet stuff = t-mobile web'n'walk software (not sure if that software has been hijacked in some way)
c:\stuff = that only has google chrome setup files in it i think

Thanks again.

ComboFix 11-03-06.06 - Srennoc 07/03/2011 16:06:16.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1746 [GMT -8:00]
Running from: c:\documents and settings\Srennoc\Desktop\ComboFix.exe
FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
((((((((((((((((((((((((( Files Created from 2011-02-08 to 2011-03-08 )))))))))))))))))))))))))))))))
.
.
2011-03-07 07:23 . 2011-03-07 07:23 -------- d-----w- C:\Progra
2011-03-05 15:52 . 2011-03-05 15:52 -------- d-----w- C:\Progrtn
2011-03-04 06:16 . 2011-03-04 06:16 -------- d-----w- C:\videenis
2011-03-04 04:10 . 2011-03-04 04:11 -------- d-----w- C:\Stuff
2011-03-03 23:56 . 2011-03-03 17:54 -------- d-----w- C:\internet stuff
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-21 14:44 . 2003-03-31 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-08 03:58 . 2011-01-08 03:58 282624 ----a-w- c:\windows\system32\nvrsel.dll
2011-01-08 03:58 . 2011-01-08 03:58 274432 ----a-w- c:\windows\system32\nvrsesm.dll
2011-01-08 03:58 . 2011-01-08 03:58 253952 ----a-w- c:\windows\system32\nvrsth.dll
2011-01-08 03:58 . 2011-01-08 03:58 249856 ----a-w- c:\windows\system32\nvrseng.dll
2011-01-08 03:58 . 2011-01-08 03:58 126976 ----a-w- c:\windows\system32\nvrszht.dll
2011-01-08 03:58 . 2011-01-08 03:58 331776 ----a-w- c:\windows\system32\nvrshe.dll
2011-01-08 03:58 . 2011-01-08 03:58 286720 ----a-w- c:\windows\system32\nvrsfr.dll
2011-01-08 03:58 . 2011-01-08 03:58 274432 ----a-w- c:\windows\system32\nvrsnl.dll
2011-01-08 03:58 . 2011-01-08 03:58 270336 ----a-w- c:\windows\system32\nvrsru.dll
2011-01-08 03:58 . 2011-01-08 03:58 262144 ----a-w- c:\windows\system32\nvrshu.dll
2011-01-08 03:58 . 2011-01-08 03:58 258048 ----a-w- c:\windows\system32\nvrssl.dll
2011-01-08 03:58 . 2011-01-08 03:58 253952 ----a-w- c:\windows\system32\nvrsda.dll
2011-01-08 03:58 . 2011-01-08 03:58 249856 ----a-w- c:\windows\system32\nvrsfi.dll
2011-01-08 03:58 . 2011-01-08 03:58 229376 ----a-w- c:\windows\system32\nvrszhc.dll
2011-01-08 03:58 . 2011-01-08 03:58 335872 ----a-w- c:\windows\system32\nvrsar.dll
2011-01-08 03:58 . 2011-01-08 03:58 282624 ----a-w- c:\windows\system32\nvrses.dll
2011-01-08 03:58 . 2011-01-08 03:58 278528 ----a-w- c:\windows\system32\nvrsde.dll
2011-01-08 03:58 . 2011-01-08 03:58 270336 ----a-w- c:\windows\system32\nvrsptb.dll
2011-01-08 03:58 . 2011-01-08 03:58 266240 ----a-w- c:\windows\system32\nvrsko.dll
2011-01-08 03:58 . 2011-01-08 03:58 258048 ----a-w- c:\windows\system32\nvrstr.dll
2011-01-08 03:58 . 2011-01-08 03:58 258048 ----a-w- c:\windows\system32\nvrssk.dll
2011-01-08 03:58 . 2011-01-08 03:58 253952 ----a-w- c:\windows\system32\nvrssv.dll
2011-01-08 03:58 . 2011-01-08 03:58 253952 ----a-w- c:\windows\system32\nvrsno.dll
2011-01-08 03:58 . 2011-01-08 03:58 249856 ----a-w- c:\windows\system32\nvrscs.dll
2011-01-08 03:58 . 2011-01-08 03:58 282624 ----a-w- c:\windows\system32\nvrsit.dll
2011-01-08 03:58 . 2011-01-08 03:58 274432 ----a-w- c:\windows\system32\nvrspt.dll
2011-01-08 03:58 . 2011-01-08 03:58 270336 ----a-w- c:\windows\system32\nvrsja.dll
2011-01-08 03:58 . 2011-01-08 03:58 258048 ----a-w- c:\windows\system32\nvrspl.dll
2011-01-08 03:58 . 2011-01-08 03:58 81920 ----a-w- c:\windows\system32\nvwddi.dll
2011-01-08 03:58 . 2011-01-08 03:58 580200 ----a-w- c:\windows\system32\easyUpdatusAPIU.dll
2011-01-08 03:58 . 2011-01-08 03:58 277608 ----a-w- c:\windows\system32\nvmccs.dll
2011-01-08 03:58 . 2011-01-08 03:58 156776 ----a-w- c:\windows\system32\nvsvc32.exe
2011-01-08 03:58 . 2011-01-08 03:58 145000 ----a-w- c:\windows\system32\nvcolor.exe
2011-01-08 03:58 . 2011-01-08 03:58 13880424 ----a-w- c:\windows\system32\nvcpl.dll
2011-01-08 03:58 . 2011-01-08 03:58 111208 ----a-w- c:\windows\system32\nvmctray.dll
2011-01-08 03:27 . 2004-08-04 07:56 6397824 ----a-w- c:\windows\system32\nv4_disp.dll
2011-01-08 03:27 . 2004-08-04 05:29 9888672 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2011-01-07 14:09 . 2003-03-31 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2003-03-31 12:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2003-03-31 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 22:15 . 2003-03-31 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 22:15 . 2003-03-31 12:00 61952 ----a-w- c:\windows\system32\tdc.ocx
2010-12-20 22:15 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll
2010-12-20 17:26 . 2003-03-31 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 15:30 . 2004-08-04 05:59 369664 ------w- c:\windows\system32\html.iec
2010-12-09 15:15 . 2003-03-31 12:00 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2003-03-31 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42 . 2003-03-31 12:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2002-08-29 01:04 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\tbZone.dll" [2010-12-01 2735200]
.
[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
2010-12-01 19:27 2735200 ----a-w- c:\program files\ZoneAlarm_Security\tbZone.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\tbZone.dll" [2010-12-01 2735200]
.
[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{91DA5E8A-3318-4F8C-B67E-5964DE3AB546}"= "c:\program files\ZoneAlarm_Security\tbZone.dll" [2010-12-01 2735200]
.
[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\prograzs\earcestroy\TeaTimer.exe" [2009-03-06 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\program anti\abs\ZoneAlarm\zlclient.exe" [2011-02-19 1043968]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-01-08 13880424]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"IswSvc"=2 (0x2)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Google Update"="c:\documents and settings\Srennoc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"
"nwiz"=c:\program files\NVIDIA Corporation\nView\nwiz.exe /installquiet
"ZoneAlarm Client"="c:\program anti\abs\ZoneAlarm\zlclient.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [15/02/2011 07:25 26872]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\B.tmp --> c:\windows\system32\B.tmp [?]
S4 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [15/02/2011 07:25 488952]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1614895754-1275210071-1801674531-1004Core.job
- c:\documents and settings\Srennoc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-03-04 04:11]
.
2011-03-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1614895754-1275210071-1801674531-1004UA.job
- c:\documents and settings\Srennoc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-03-04 04:11]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-07 16:13
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\B.tmp"
.
Completion time: 2011-03-07 16:16:58
ComboFix-quarantined-files.txt 2011-03-08 00:16
.
Pre-Run: 381,458,681,856 bytes free
Post-Run: 381,450,944,512 bytes free
.
- - End Of File - - B61DFCEDD93C2C43D98DC0B1B639F682
 
Please check the Combofix log- I think there are some additional entry sections at the bottom.

Please run this Custom CFScript:

[1]. Close any open browsers.
[2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
[3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it: Be sure to scroll down to include ALL lines.
Code:
File::
c:\windows\system32\B.tmp
Registry::
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
Driver::
MEMSWEEP2
Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
I strongly advise you not to create new directories as you did. This is more of a file/folder setup. For instance, in My Docs. & Settings:
Create a folder: name it something like testings. Then create sub-folders as needed for names like> Security test, etc. You have the desktop for the cleaning scans and/or directories when indicated. Anyone who helps you with a problem in the system is going to have to ask the same thing.
 
Hi Bobbye, thanks again lol ;) I have run that script through ComboFix; the log is below. I have checked the other log and I missed nothing off the end; that is all that is saved.
About making those directories: I don't usually do that, but I read somewhere that some virus/spyware/trojan/dialers/worm, whatever it is that I have lol, search for specific directories that they know are used for antivirus applications, so I thought I'd put them somewhere else.
I could always reformat again if it would be better; I've lost my data now lol.
Thanks again and let me know what is needed next. Take care.


ComboFix 11-03-06.06 - Srennoc 08/03/2011 20:07:03.4.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1765 [GMT -8:00]
Running from: c:\documents and settings\Srennoc\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Srennoc\Desktop\CFScript.txt
FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
FILE ::
"c:\windows\system32\B.tmp"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\Legacy_MEMSWEEP2
-------\Service_MEMSWEEP2
.
.
((((((((((((((((((((((((( Files Created from 2011-02-09 to 2011-03-09 )))))))))))))))))))))))))))))))
.
.
2011-03-07 07:23 . 2011-03-07 07:23 -------- d-----w- C:\Progra
2011-03-05 15:52 . 2011-03-05 15:52 -------- d-----w- C:\Progrtn
2011-03-04 06:16 . 2011-03-04 06:16 -------- d-----w- C:\videenis
2011-03-04 04:10 . 2011-03-04 04:11 -------- d-----w- C:\Stuff
2011-03-03 23:56 . 2011-03-03 17:54 -------- d-----w- C:\internet stuff
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-21 14:44 . 2003-03-31 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-08 03:58 . 2011-01-08 03:58 282624 ----a-w- c:\windows\system32\nvrsel.dll
2011-01-08 03:58 . 2011-01-08 03:58 274432 ----a-w- c:\windows\system32\nvrsesm.dll
2011-01-08 03:58 . 2011-01-08 03:58 253952 ----a-w- c:\windows\system32\nvrsth.dll
2011-01-08 03:58 . 2011-01-08 03:58 249856 ----a-w- c:\windows\system32\nvrseng.dll
2011-01-08 03:58 . 2011-01-08 03:58 126976 ----a-w- c:\windows\system32\nvrszht.dll
2011-01-08 03:58 . 2011-01-08 03:58 331776 ----a-w- c:\windows\system32\nvrshe.dll
2011-01-08 03:58 . 2011-01-08 03:58 286720 ----a-w- c:\windows\system32\nvrsfr.dll
2011-01-08 03:58 . 2011-01-08 03:58 274432 ----a-w- c:\windows\system32\nvrsnl.dll
2011-01-08 03:58 . 2011-01-08 03:58 270336 ----a-w- c:\windows\system32\nvrsru.dll
2011-01-08 03:58 . 2011-01-08 03:58 262144 ----a-w- c:\windows\system32\nvrshu.dll
2011-01-08 03:58 . 2011-01-08 03:58 258048 ----a-w- c:\windows\system32\nvrssl.dll
2011-01-08 03:58 . 2011-01-08 03:58 253952 ----a-w- c:\windows\system32\nvrsda.dll
2011-01-08 03:58 . 2011-01-08 03:58 249856 ----a-w- c:\windows\system32\nvrsfi.dll
2011-01-08 03:58 . 2011-01-08 03:58 229376 ----a-w- c:\windows\system32\nvrszhc.dll
2011-01-08 03:58 . 2011-01-08 03:58 335872 ----a-w- c:\windows\system32\nvrsar.dll
2011-01-08 03:58 . 2011-01-08 03:58 282624 ----a-w- c:\windows\system32\nvrses.dll
2011-01-08 03:58 . 2011-01-08 03:58 278528 ----a-w- c:\windows\system32\nvrsde.dll
2011-01-08 03:58 . 2011-01-08 03:58 270336 ----a-w- c:\windows\system32\nvrsptb.dll
2011-01-08 03:58 . 2011-01-08 03:58 266240 ----a-w- c:\windows\system32\nvrsko.dll
2011-01-08 03:58 . 2011-01-08 03:58 258048 ----a-w- c:\windows\system32\nvrstr.dll
2011-01-08 03:58 . 2011-01-08 03:58 258048 ----a-w- c:\windows\system32\nvrssk.dll
2011-01-08 03:58 . 2011-01-08 03:58 253952 ----a-w- c:\windows\system32\nvrssv.dll
2011-01-08 03:58 . 2011-01-08 03:58 253952 ----a-w- c:\windows\system32\nvrsno.dll
2011-01-08 03:58 . 2011-01-08 03:58 249856 ----a-w- c:\windows\system32\nvrscs.dll
2011-01-08 03:58 . 2011-01-08 03:58 282624 ----a-w- c:\windows\system32\nvrsit.dll
2011-01-08 03:58 . 2011-01-08 03:58 274432 ----a-w- c:\windows\system32\nvrspt.dll
2011-01-08 03:58 . 2011-01-08 03:58 270336 ----a-w- c:\windows\system32\nvrsja.dll
2011-01-08 03:58 . 2011-01-08 03:58 258048 ----a-w- c:\windows\system32\nvrspl.dll
2011-01-08 03:58 . 2011-01-08 03:58 81920 ----a-w- c:\windows\system32\nvwddi.dll
2011-01-08 03:58 . 2011-01-08 03:58 580200 ----a-w- c:\windows\system32\easyUpdatusAPIU.dll
2011-01-08 03:58 . 2011-01-08 03:58 277608 ----a-w- c:\windows\system32\nvmccs.dll
2011-01-08 03:58 . 2011-01-08 03:58 156776 ----a-w- c:\windows\system32\nvsvc32.exe
2011-01-08 03:58 . 2011-01-08 03:58 145000 ----a-w- c:\windows\system32\nvcolor.exe
2011-01-08 03:58 . 2011-01-08 03:58 13880424 ----a-w- c:\windows\system32\nvcpl.dll
2011-01-08 03:58 . 2011-01-08 03:58 111208 ----a-w- c:\windows\system32\nvmctray.dll
2011-01-08 03:27 . 2004-08-04 07:56 6397824 ----a-w- c:\windows\system32\nv4_disp.dll
2011-01-08 03:27 . 2004-08-04 05:29 9888672 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2011-01-07 14:09 . 2003-03-31 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2003-03-31 12:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2003-03-31 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 22:15 . 2003-03-31 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 22:15 . 2003-03-31 12:00 61952 ----a-w- c:\windows\system32\tdc.ocx
2010-12-20 22:15 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll
2010-12-20 17:26 . 2003-03-31 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 15:30 . 2004-08-04 05:59 369664 ------w- c:\windows\system32\html.iec
2010-12-09 15:15 . 2003-03-31 12:00 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2003-03-31 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42 . 2003-03-31 12:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2002-08-29 01:04 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2011-03-08_00.13.52 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-03-09 04:15 . 2011-03-09 04:15 16384 c:\windows\Temp\Perflib_Perfdata_4a0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\tbZone.dll" [2010-12-01 2735200]
.
[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
2010-12-01 19:27 2735200 ----a-w- c:\program files\ZoneAlarm_Security\tbZone.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\tbZone.dll" [2010-12-01 2735200]
.
[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{91DA5E8A-3318-4F8C-B67E-5964DE3AB546}"= "c:\program files\ZoneAlarm_Security\tbZone.dll" [2010-12-01 2735200]
.
[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\prograzs\earcestroy\TeaTimer.exe" [2009-03-06 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-01-08 13880424]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"IswSvc"=2 (0x2)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Google Update"="c:\documents and settings\Srennoc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"
"nwiz"=c:\program files\NVIDIA Corporation\nView\nwiz.exe /installquiet
"ZoneAlarm Client"="c:\program anti\abs\ZoneAlarm\zlclient.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [15/02/2011 07:25 26872]
S4 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [15/02/2011 07:25 488952]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1614895754-1275210071-1801674531-1004Core.job
- c:\documents and settings\Srennoc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-03-04 04:11]
.
2011-03-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1614895754-1275210071-1801674531-1004UA.job
- c:\documents and settings\Srennoc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-03-04 04:11]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-08 20:15
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program anti\avajff\bin\jqs.exe
.
**************************************************************************
.
Completion time: 2011-03-08 20:20:01 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-09 04:19
ComboFix2.txt 2011-03-08 00:17
.
Pre-Run: 381,133,410,304 bytes free
Post-Run: 381,092,958,208 bytes free
.
- - End Of File - - F24E51BC10BA9C0D0F349A0147696F6E
 
I'd like to get Zone Alarm out of the picture> there are way too many entries for a firewall, including one Beta program in testing:

Please run this Custom CFScript:

[1]. Close any open browsers.
[2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
[3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
Code:
File::
c:\program files\CheckPoint\ZAForceField\ISWKL.sys
c:\program files\CheckPoint\ZAForceField\ISWSVC.exe

DDS::
uURLSearchHooks: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\tbZone.dll
BHO: ZoneAlarm Security Engine Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\tbZone.dll
TB: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\tbZone.dll
TB: ZoneAlarm Security Engine: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [ZoneAlarm Client] "c:\program anti\abs\zonealarm\zlclient.exe"

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{91da5e8a-3318-4f8c-b67e-5964de3ab546}"=- 
[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{91da5e8a-3318-4f8c-b67e-5964de3ab546}"=-
[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{91DA5E8A-3318-4F8C-B67E-5964DE3AB546}"=- 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ZoneAlarm Client"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=-
Driver::
ISWKL
IswSvc
Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it into your next reply.
====================
This is essentially shutting Zone Alarm down and removing all its toolbars. It may protest since it's a security program. If it does, run the script in Safe Mode.
====================
With ZA down, run a new Eset scan:

Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Click on "Copy to Clipboard"> (you won't see the 'clipboard')
  10. Click anywhere in the post where you want the logs to go, then do Ctrl+V. The log will be sent from the clipboard and pasted in the post.
  11. Re-enable your Antivirus software.
    NOTE: If you forget to copy to the clipboard, you can find the log here:
    C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
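As an added example (not code from this thread, from ComboFix or from the helper), a small Python triage script that reads the R2/S3/S4 service lines ComboFix prints, flags the pattern the first CFScript above removed (MEMSWEEP2: a driver whose image is a .tmp file that ComboFix could not verify, shown as [?]) and emits File::/Registry::/Driver:: stanzas in the same layout as both CFScripts above. The sample lines are copied from the first log in this thread, and the ControlSet001 key path is the one that log printed.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the three service lines from the first ComboFix log in this
# thread, copied verbatim (raw string, so every backslash is literal).
SAMPLE_SERVICES = r"""
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [15/02/2011 07:25 26872]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\B.tmp --> c:\windows\system32\B.tmp [?]
S4 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [15/02/2011 07:25 488952]
"""

# ComboFix/DDS convention for the prefix: R = running, S = stopped; the digit is the
# Windows start type (0 boot, 1 system, 2 automatic, 3 manual, 4 disabled).
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
# The trailing bracket holds "dd/mm/yyyy hh:mm size" when ComboFix found the image
# file, or a bare "?" when it could not verify it (as it printed for MEMSWEEP2).
TAIL_RE = re.compile(r"^(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]$")


@dataclass
class Service:
    name: str
    display: str
    running: bool
    start_type: int
    image_path: str                 # resolved Win32 path (right side of "-->" if present)
    verified: bool                  # False when ComboFix printed [?]
    reasons: list = field(default_factory=list)


def parse_services(text):
    """Parse the R?/S? service lines of a ComboFix 'Reg Loading Points' section."""
    services = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        tail = TAIL_RE.match(m["rest"])
        if not tail:
            continue
        path = tail["path"]
        if "-->" in path:           # "\??\c:\... --> c:\...": keep the resolved path
            path = path.split("-->", 1)[1].strip()
        services.append(Service(
            name=m["name"], display=m["display"], running=m["state"] == "R",
            start_type=int(m["start"]), image_path=path, verified=tail["meta"] != "?"))
    return services


def flag_suspicious(services):
    """Apply the two observations the helper acted on in this thread: a driver or
    service whose image is a .tmp file, and one whose file ComboFix could not verify."""
    flagged = []
    for svc in services:
        if svc.image_path.rsplit(".", 1)[-1].lower() == "tmp":
            svc.reasons.append("image is a .tmp file: " + svc.image_path)
        if not svc.verified:
            svc.reasons.append("ComboFix could not verify the image file ([?])")
        if svc.reasons:
            flagged.append(svc)
    return flagged


def build_cfscript(files=(), registry=(), drivers=()):
    """Emit CFScript stanzas in the layout used in this thread: File::, Registry::,
    Driver::, each followed by one item per line; empty sections are omitted."""
    lines = []
    for header, items in (("File::", files), ("Registry::", registry), ("Driver::", drivers)):
        if items:
            lines.append(header)
            lines.extend(items)
    return "\n".join(lines)


def cfscript_for(flagged, control_set="ControlSet001"):
    """Build a removal script for flagged services. The key path mirrors the
    HKLM\\System\\ControlSet001\\Services\\MEMSWEEP2 key ComboFix printed in the log."""
    key = r"[HKEY_LOCAL_MACHINE\System\{cs}\Services\{name}]"
    return build_cfscript(
        files=[s.image_path for s in flagged],
        registry=[key.format(cs=control_set, name=s.name) for s in flagged],
        drivers=[s.name for s in flagged])


if __name__ == "__main__":
    hits = flag_suspicious(parse_services(SAMPLE_SERVICES))
    for svc in hits:
        print(svc.name + ": " + "; ".join(svc.reasons))
    print(cfscript_for(hits))
```

Run against the sample, it flags only MEMSWEEP2 and prints exactly the six-line CFScript the helper posted for it.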
 
Hi mate. Here is the ComboFix log; will scan now with the other and post as soon as it's done.


ComboFix 11-03-06.06 - Srennoc 10/03/2011 21:19:10.5.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1765 [GMT -8:00]
Running from: c:\documents and settings\Srennoc\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Srennoc\Desktop\CFScript.txt
FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Created a new restore point
.
FILE ::
"c:\program files\CheckPoint\ZAForceField\ISWKL.sys"
"c:\program files\CheckPoint\ZAForceField\ISWSVC.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program anti\abs\zonealarm\zlclient.exe
c:\program files\CheckPoint\ZAForceField\ISWKL.sys
c:\program files\CheckPoint\ZAForceField\ISWSVC.exe
c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
c:\program files\zonealarm_security\tbZone.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\Legacy_ISWKL
-------\Legacy_ISWSVC
-------\Service_ISWKL
-------\Service_IswSvc
.
.
((((((((((((((((((((((((( Files Created from 2011-02-11 to 2011-03-11 )))))))))))))))))))))))))))))))
.
.
2011-03-07 07:23 . 2011-03-07 07:23 -------- d-----w- C:\Progra
2011-03-05 15:52 . 2011-03-05 15:52 -------- d-----w- C:\Progrtn
2011-03-04 06:16 . 2011-03-04 06:16 -------- d-----w- C:\videenis
2011-03-04 04:10 . 2011-03-04 04:11 -------- d-----w- C:\Stuff
2011-03-03 23:56 . 2011-03-03 17:54 -------- d-----w- C:\internet stuff
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-21 14:44 . 2003-03-31 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-08 03:58 . 2011-01-08 03:58 282624 ----a-w- c:\windows\system32\nvrsel.dll
2011-01-08 03:58 . 2011-01-08 03:58 274432 ----a-w- c:\windows\system32\nvrsesm.dll
2011-01-08 03:58 . 2011-01-08 03:58 253952 ----a-w- c:\windows\system32\nvrsth.dll
2011-01-08 03:58 . 2011-01-08 03:58 249856 ----a-w- c:\windows\system32\nvrseng.dll
2011-01-08 03:58 . 2011-01-08 03:58 126976 ----a-w- c:\windows\system32\nvrszht.dll
2011-01-08 03:58 . 2011-01-08 03:58 331776 ----a-w- c:\windows\system32\nvrshe.dll
2011-01-08 03:58 . 2011-01-08 03:58 286720 ----a-w- c:\windows\system32\nvrsfr.dll
2011-01-08 03:58 . 2011-01-08 03:58 274432 ----a-w- c:\windows\system32\nvrsnl.dll
2011-01-08 03:58 . 2011-01-08 03:58 270336 ----a-w- c:\windows\system32\nvrsru.dll
2011-01-08 03:58 . 2011-01-08 03:58 262144 ----a-w- c:\windows\system32\nvrshu.dll
2011-01-08 03:58 . 2011-01-08 03:58 258048 ----a-w- c:\windows\system32\nvrssl.dll
2011-01-08 03:58 . 2011-01-08 03:58 253952 ----a-w- c:\windows\system32\nvrsda.dll
2011-01-08 03:58 . 2011-01-08 03:58 249856 ----a-w- c:\windows\system32\nvrsfi.dll
2011-01-08 03:58 . 2011-01-08 03:58 229376 ----a-w- c:\windows\system32\nvrszhc.dll
2011-01-08 03:58 . 2011-01-08 03:58 335872 ----a-w- c:\windows\system32\nvrsar.dll
2011-01-08 03:58 . 2011-01-08 03:58 282624 ----a-w- c:\windows\system32\nvrses.dll
2011-01-08 03:58 . 2011-01-08 03:58 278528 ----a-w- c:\windows\system32\nvrsde.dll
2011-01-08 03:58 . 2011-01-08 03:58 270336 ----a-w- c:\windows\system32\nvrsptb.dll
2011-01-08 03:58 . 2011-01-08 03:58 266240 ----a-w- c:\windows\system32\nvrsko.dll
2011-01-08 03:58 . 2011-01-08 03:58 258048 ----a-w- c:\windows\system32\nvrstr.dll
2011-01-08 03:58 . 2011-01-08 03:58 258048 ----a-w- c:\windows\system32\nvrssk.dll
2011-01-08 03:58 . 2011-01-08 03:58 253952 ----a-w- c:\windows\system32\nvrssv.dll
2011-01-08 03:58 . 2011-01-08 03:58 253952 ----a-w- c:\windows\system32\nvrsno.dll
2011-01-08 03:58 . 2011-01-08 03:58 249856 ----a-w- c:\windows\system32\nvrscs.dll
2011-01-08 03:58 . 2011-01-08 03:58 282624 ----a-w- c:\windows\system32\nvrsit.dll
2011-01-08 03:58 . 2011-01-08 03:58 274432 ----a-w- c:\windows\system32\nvrspt.dll
2011-01-08 03:58 . 2011-01-08 03:58 270336 ----a-w- c:\windows\system32\nvrsja.dll
2011-01-08 03:58 . 2011-01-08 03:58 258048 ----a-w- c:\windows\system32\nvrspl.dll
2011-01-08 03:58 . 2011-01-08 03:58 81920 ----a-w- c:\windows\system32\nvwddi.dll
2011-01-08 03:58 . 2011-01-08 03:58 580200 ----a-w- c:\windows\system32\easyUpdatusAPIU.dll
2011-01-08 03:58 . 2011-01-08 03:58 277608 ----a-w- c:\windows\system32\nvmccs.dll
2011-01-08 03:58 . 2011-01-08 03:58 156776 ----a-w- c:\windows\system32\nvsvc32.exe
2011-01-08 03:58 . 2011-01-08 03:58 145000 ----a-w- c:\windows\system32\nvcolor.exe
2011-01-08 03:58 . 2011-01-08 03:58 13880424 ----a-w- c:\windows\system32\nvcpl.dll
2011-01-08 03:58 . 2011-01-08 03:58 111208 ----a-w- c:\windows\system32\nvmctray.dll
2011-01-08 03:27 . 2004-08-04 07:56 6397824 ----a-w- c:\windows\system32\nv4_disp.dll
2011-01-08 03:27 . 2004-08-04 05:29 9888672 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2011-01-07 14:09 . 2003-03-31 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2003-03-31 12:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2003-03-31 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 22:15 . 2003-03-31 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 22:15 . 2003-03-31 12:00 61952 ----a-w- c:\windows\system32\tdc.ocx
2010-12-20 22:15 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll
2010-12-20 17:26 . 2003-03-31 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 15:30 . 2004-08-04 05:59 369664 ------w- c:\windows\system32\html.iec
.
.
((((((((((((((((((((((((((((( SnapShot@2011-03-08_00.13.52 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-03-11 05:27 . 2011-03-11 05:27 16384 c:\windows\Temp\Perflib_Perfdata_4a4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\prograzs\earcestroy\TeaTimer.exe" [2009-03-06 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-01-08 13880424]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"IswSvc"=2 (0x2)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Google Update"="c:\documents and settings\Srennoc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"
"nwiz"=c:\program files\NVIDIA Corporation\nView\nwiz.exe /installquiet
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1614895754-1275210071-1801674531-1004Core.job
- c:\documents and settings\Srennoc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-03-04 04:11]
.
2011-03-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1614895754-1275210071-1801674531-1004UA.job
- c:\documents and settings\Srennoc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-03-04 04:11]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-10 21:28
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program anti\avajff\bin\jqs.exe
.
**************************************************************************
.
Completion time: 2011-03-10 21:32:28 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-11 05:32
ComboFix2.txt 2011-03-09 04:20
ComboFix3.txt 2011-03-08 00:17
.
Pre-Run: 380,916,813,824 bytes free
Post-Run: 380,907,499,520 bytes free
.
- - End Of File - - C1778F2A8858A7222B6530B596D6296C
 
OK, here are the new scan results. Also, when ComboFix ran it said it detected rootkit activity and had to restart. Hope I did this right and these tell you something. Thanks.


ESETSmartInstaller@High as downloader log:
all ok
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=432c7d36b2d13f458332a37577405307
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-03-11 06:35:12
# local_time=2011-03-10 10:35:12 (-0800, Pacific Standard Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=29848
# found=0
# cleaned=0
# scan_time=1800
 
Okay, the logs are clean. You can go ahead and reinstall Zone Alarm. What, if any, signs of persistent infection are you still having?
 
Redirecting in browsers and failure to connect most of the time.
Usage of my 2 GB download limit pretty much within minutes of buying new credit, even when I downloaded nothing.
My T-Mobile software shows I'm getting ten times the speed that it is actually letting me use to download.
Hidden folders that I can't see or access at all.
And when I connect to any games I could play before this started, it disconnects me instantly every time.

:( :(
 
There is no sign of malware. Please describe the 'redirect' precisely.

The following problems should be addressed with T-Mobile and any ISP you have.
1. failure to connect most of the time.
2. usage of my 2 GB download limit pretty much within minutes of buying new credit, even when I downloaded nothing.
3. my T-Mobile software shows I'm getting ten times the speed that it is actually letting me use to download.
4. when I connect to any games I could play before this started, it disconnects me instantly every time.
As for this:
hidden folders that I can't see or access at all.
If you can't see them or you can't access them, how do you know they are there?

I'm not sure you're getting 'redirected'. You will need to further explain what is happening. I don't think you have a persistent infection- I think you're having connection problems due to the ISP and/or possibly settings on your system.
 
Before I formatted my HD, Zone Alarm showed multiple programs running from C:\32788R22FWJFW and also in C:\documents and settings\srennoc\local settings\temp

I know this isn't ISP related because there was a point when things worked fine; now it's all gone tits up.

Is there a way for people to compromise my whole Windows installation? Also, what does Windows NT do? My operating system is XP. Do I have to have NT things on an XP setup too?
Or a way to put hidden dialers in somewhere?
I've read about the same problems on forums all over, but the threads either get closed or the people buy new computers.

Can I be going through a proxy server without my knowledge? I'll get in touch with my ISP, but I can't see it being that. I downloaded some old DOS games and I think this all started from one of them...

Any ideas would be appreciated, please.
 
Well, you're throwing a lot at me, but I'll try to answer what I can:
Regarding:
C:\documents and settings\srennoc\local settings\temp
This is a temp file and will be removed in a disc cleanup.
I cannot identify srennoc but with a slight spelling change to rennoc I found this:
http://www.myspace.com/connermiskowiec
Is this you by chance?
===============================
Regarding:
C:\32788R22FWJFW
Without anything following the end of the string, it's just a directory. Most commonly, it is used by the application NirCmd, which is a collection of third-party tools packed in one executable that can be used to remove threats from an infected machine. However, it can also be used by users with malicious intent for a different activity. But I don't have enough information to identify it.
======================================
Regarding:
is there a way for people to compromise my whole windows installation?
Yes, numerous ways.
===================================
Regarding Windows NT:
Windows NT is a family of operating systems produced by Microsoft:
Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Home Server, Windows Server 2008, and Windows 7 are based on Windows NT, although they are not branded as Windows NT.
More information here: http://en.wikipedia.org/wiki/Windows_NT
====================================
Regarding:
I downloaded some old DOS games and I think this all started from one of them...
Consider uninstalling these games and see if it makes a difference.
=====================================
Again, I encourage you to get more information from T-Mobile and the ISP. It sounds like you are on some credit/speed plan and I can't help you with that.

As far as your comment about what was found before you reformatted, if it's not on the computer now, you should not be concerned.

You are asking me fragmented questions out of context so I can only give you general answers.
 
Hi again. Thanks for trying to answer all my questions...
srennoc is my username and the Windows profile I use. I'm worried about the temporary folder and I'm pretty sure my Windows is compromised (can these viruses be stored in the BIOS or drivers?)
In ZoneAlarm I have found a program that isn't looking good. It is AU_.exe and it is stored here:
C:\Documents and Settings\Srennoc\Local Settings\temp\~nsu.tmp\Au_.exe. I researched it online and found this about it:

Description: File Au_.exe is located in a subfolder of "C:\Documents and Settings". Known file sizes on Windows XP are 34717 bytes (10% of all occurrence), 111790 bytes, 60364 bytes, 51275 bytes, 102514 bytes, 62850 bytes, 189367 bytes, 36225 bytes, 65711 bytes, 125841 bytes.
The program has no file description. The file is not a Windows system file. Au_.exe is able to monitor applications. Therefore the technical security rating is 32% dangerous.


This is Spyware.SpyFalcon

AU_EXE. Does.
AU_.EXE has been seen to perform the following behavior(s):

* This Process Deletes Other Processes From Disk
* Executes Processes stored in Temporary Folders
* Writes to another Process's Virtual Memory (Process Hijacking)
* This Process Creates Other Processes On Disk
* Executes a Process
* Can communicate with other computer systems using HTTP protocols
* Adds Products to the system registry
* Deletes Links in the Start Menu
* Registers a Dynamic Link Library File
* This Process tampers with Vulnerable System Files and Settings
* The process hooks code into all running processes which could allow it to take control of the system or record keyboard input, mouse activity and screen contents
* Downloads hidden code from covert web sites
* Creates new folders in the file system
* Uses DNS to retrieve the IP address for web sites

I'm certain it isn't an ISP problem.
 
On the other hand, only using Safe Sites:

au_.exe is a process belonging to Adobe® Flash® Player ActiveX from Adobe Systems Incorporated
Across all ThreatExpert reports, the file "au_.exe" has never been identified as a threat.
The file "au_.exe" is known to be created under the following filenames:
%ProgramFiles%\virusout\uninst.exe
%Temp%\au_.exe
%Temp%\bu_.exe
http://www.threatexpert.com/files/au_.exe.html
This file is not really a SpyFalcon issue. It is from an installer which could be used to install good valid software or any malware program if the creator of the malware used NSIS as their installer.
http://forums.majorgeeks.com/showthread.php?t=145210
That au_.exe is used by some uninstallers, Nullsoft Install System in your case. This one creates a temporary folder (nsu.tmp) when you uninstall something with this uninstaller. It is safe. http://forum.kaspersky.com/index.php?showtopic=161633
I'm certain it isn't an ISP problem.
I'm certain it isn't SpyFalcon.
========================================
I don't think you will be happy unless you reformat/reinstall.
=======================================
It can make a big difference what site you search on.
=================================
Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
    • Choose Disc Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Empty the Recycle Bin

If the problem continues after the reformat/reinstall, please contact the ISP.
 
Hi mate, I have done all of them steps. Will it make any difference now than when I formatted last week? I still have the same issues. Since I deleted the restore point, do you think that it won't happen again when I format/reinstall?

This picture is of my USB modem software. Notice the graph. What is that happening? The connection was idle. Usually when idle I don't see any of them green/yellow spikes.

connection.jpg


Should I reformat from the recovery console after booting from my Windows XP CD?
Thanks
 
I think I have found what is using my connection. Could it be vsmon.exe?
The file is a part of ZoneAlarm, but am I right in thinking it shouldn't be in the Windows folder?

It is in C:\windows\system32\zonelabs\vsmon.exe
and using NetLimiter 2 Monitor I can see it constantly trying to connect to IP addresses, but then a red 'x' appears by the IP and it disappears.

I'm going to try and see who the IP addresses belong to. So far it has repeatedly tried to connect to 92.122.49.218:80 & 209.87.211.144:443 & also 77.67.21.34:80

Any ideas would be appreciated. Cheers
 
vsmon - vsmon.exe - Process Information
Process File: vsmon or vsmon.exe
Process Name: True Vector Internet Monitor
Description: The True Vector Internet Monitor is a component of the ZoneAlarm Personal FireWall which monitors internet traffic and generates alerts

The path is correct.

We have finished cleaning any malware that was present. You are asking system-related questions now. It would be best if you started a new thread in the Windows OS forum. There are other processes they can check for you.

I think your main trouble is some lack of knowledge in not knowing what is running and what is supposed to run. Until you get some type of reference to assist you, you are going to continue to worry.

I'm going to close this thread now.
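The two questions in this thread ("is Au_.exe in my Temp folder bad?" and "is vsmon.exe allowed to live under system32?") are the same question: is this file where its vendor puts it, and is it really the vendor's file? The reference sites only answer the first half. The script below is an added example written for this page, not code from TechSpot, ZoneAlarm, NSIS or the thread's participants; it checks a running process against the path quoted in the thread, then adds the two facts a process-information site cannot give you: the Authenticode signature on the image and its SHA-256. The expected vsmon.exe path is the one the poster quoted; the signer name "Check Point" is an assumption to compare against the certificate subject, and the NSIS behaviour (an uninstaller copying itself to %TEMP%\~nsu.tmp\Au_.exe) is as the helper described it. It is written for PowerShell 2.0, the version available on Windows XP, so it avoids Get-FileHash and the [pscustomobject] cast.

```powershell
# Added example, not from the thread or any vendor. Checks a running process against
# the location a reference says is correct, then verifies signature and hash.
# Assumed values: the vsmon.exe path quoted in the thread and "Check Point" as the
# expected signer. Run from an administrator account so process paths are readable.

$ExpectedImages = @{
    'vsmon' = @{ Path = 'C:\WINDOWS\system32\ZoneLabs\vsmon.exe'; Signer = 'Check Point' }
}

function Get-FileSha256 {
    # SHA-256 of a file via .NET, since Get-FileHash does not exist on PowerShell 2.0.
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

function Test-ProcessImage {
    # One record per running instance of $Name: path check, signature check, hash.
    param([string]$Name, [string]$ExpectedPath, [string]$ExpectedSigner)
    foreach ($p in Get-Process -Name $Name -ErrorAction SilentlyContinue) {
        $path = $p.Path   # $null when the image is protected or the shell is not elevated
        if (-not $path) {
            New-Object PSObject -Property @{ Name = $Name; Pid = $p.Id; Verdict = 'path not readable (run elevated)' }
            continue
        }
        $sig     = Get-AuthenticodeSignature -FilePath $path
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $pathOk  = ($path -ieq $ExpectedPath)
        $signOk  = ($sig.Status -eq 'Valid') -and ($subject -like "*$ExpectedSigner*")
        $verdict = if ($pathOk -and $signOk) { 'expected location, valid vendor signature' }
                   elseif (-not $pathOk)    { "UNEXPECTED PATH (expected $ExpectedPath)" }
                   else                     { 'expected path but signature not valid: investigate' }
        New-Object PSObject -Property @{
            Name = $Name; Pid = $p.Id; Path = $path; SigStatus = $sig.Status
            Signer = $subject; Sha256 = (Get-FileSha256 -Path $path); Verdict = $verdict
        }
    }
}

function Find-NsisUninstallerResidue {
    # A leftover %TEMP%\~nsu.tmp\Au_.exe is consistent with an NSIS uninstaller, as the
    # helper explained; its signature tells you which product's uninstaller it was.
    Get-ChildItem -Path $env:TEMP -Filter 'Au_.exe' -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            New-Object PSObject -Property @{
                Path      = $_.FullName
                InNsuTmp  = ($_.DirectoryName -like '*~nsu.tmp*')
                SigStatus = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                Sha256    = (Get-FileSha256 -Path $_.FullName)
            }
        }
}

function Get-ConnectionsForPid {
    # Pair a process with its sockets, as NetLimiter did in the thread; on XP and later
    # "netstat -ano" prints the owning PID in the last column.
    param([int]$ProcessId)
    netstat -ano | Where-Object { $_ -match "\s$ProcessId\s*$" }
}

# Usage: audit every expected image, then list its connections and any Au_.exe residue.
foreach ($name in $ExpectedImages.Keys) {
    $e = $ExpectedImages[$name]
    Test-ProcessImage -Name $name -ExpectedPath $e.Path -ExpectedSigner $e.Signer |
        Format-List Name, Pid, Path, SigStatus, Signer, Sha256, Verdict
    Get-Process -Name $name -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ConnectionsForPid -ProcessId $_.Id }
}
Find-NsisUninstallerResidue | Format-List
```

Read the verdicts the way the helper read the reference: a valid vendor signature at the documented path is the strongest "this is what it claims to be" a home user can get offline; an unsigned or differently signed file at that path, or a signed copy somewhere it should not be, is the thing worth a new thread. The SHA-256 is there so the file can be compared against a vendor's published hash or a second opinion without uploading the machine's whole Temp folder.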
 