Solved Attn: Bobbye TR/DROP.TDss.way detected by Avira - part 2


Buzz

ref: https://www.techspot.com/vb/topic159399.html

Hi Bobbye...

Got my machine back. XP is working fine - the same as before it froze, when I was watching YouTube on my 32" LCD TV monitor (as well as my computer 23" monitor).

The Thai techo guy said (in his very limited English) the motherboard packed it in ... said it could've been something to do with our up & down power supply that we get here on the island, and something shorted (although I do use a UPS - this last one only about 6 months old) ... anyway, he only charged me $65 for a new motherboard & installation!

Got home and powered her up, but my monitor was blank ('no signal') ... mmmm ... then I thought to check if my desktop was showing up on my LCD TV - sure enough it was - so, it must have been the RGB cable dual adapter I have been using that 'shorted' - anyway, disconnected the adapter and just ran the standard single RGB cable to my monitor and was back, thank god/buddha!!!

Want to run the 8 steps again - but just wondering if/how to delete ComboFix completely first?

..................................................

Did not have to reformat the C drive - all programs/data the same.
(except I notice in Program Files, a few of the program folders have been modified - maybe updated by the Thai techo - as of Jan 21st, the day it was repaired)

.................................................

Also, I just naturally thought they would replace the motherboard with the same exact make and model (ISUS P4V8X-X), but I'm not sure if that's what I got or not - where do I check in XP?

cheers,
Buzz
 
Well that's good news! Sorry you had to pay, but if he did that right and you stop shorting the system out, you will be better for it!

I don't know a thing about motherboards! Not my area. But I think it's spelled (ASUS P4V8X-X). But I did find this: http://www.ehow.com/how_4474358_find-motherboards-model-name.html
See if that will tell you.
===========================================
Let's remove all of the programs and start over:
Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    [screenshot: CF_Uninstall-1.jpg]
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

If any of the rootkit or other scanners are still on the system, uninstall them and delete the logs.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
  • Choose Disk Cleanup
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Empty the Recycle Bin
===========================================
Since you are noticing some changes already, run new scans. We had you clean; it was just that YouTube video that brought you down, right?

Please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

When you have finished, leave the logs for review in your next reply .
NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
 
Hi Bobbye ...

New motherboard feels great - yes, you are correct, Asus not Isus ... I'll confirm the model type from that website you advised later on ... thanks.

Have created a new system restore point and deleted older ones ... when re-starting the computer now I keep getting a "Windows File Protection" warning that some Windows files have been changed etc. ... insert Windows XP SP2 disc and ... but I have been ignoring it ...

Yeah, we were pretty clean before the YouTube short out ... the only thing you'd found was some Hotspot Shield rogue files ... I still don't mind getting rid of the program completely - I thought it was used for protection on-line when checking my on-line banking etc. ... but I'm not sure if it does that - Hotspot seems to indicate a wi-fi hotspot shield which I don't need for my PC.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5573

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

23-Jan-11 3:58:17 AM
mbam-log-2011-01-23 (03-58-17).txt

Scan type: Quick scan
Objects scanned: 150301
Time elapsed: 3 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0



GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2011-01-23 04:04:39
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-10 WDC_WD3200AAJS-22B4A0 rev.01.03A01
Running: plb4ffs0.exe; Driver: C:\DOCUME~1\Buzzzzz\LOCALS~1\Temp\kgpyikog.sys


---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Udp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

---- EOF - GMER 1.0.15 ----



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 21-Jan-11 5:22:42 PM
System Uptime: 23-Jan-11 3:46:18 AM (1 hours ago)

Motherboard: ASRock | | G31M-S.
Processor: Intel Pentium III Xeon processor | CPUSocket | 2493/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 250 GiB total, 160.253 GiB free.
D: is FIXED (NTFS) - 48 GiB total, 32.442 GiB free.
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP3: 23-Jan-11 3:36:45 AM - Jan23rd2011new motherboard

==== Installed Programs ======================


µTorrent
Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.0
Adobe Shockwave Player 11
Agere Systems PCI-SV92PP Soft Modem
Altysoft Free Video Converter 2.0
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Applian FLV Player
Avira AntiVir Personal - Free Antivirus
Bonjour
C-motech Connection Manager(CCU650)
Canon MP Navigator EX 3.0
Canon MP250 series MP Drivers
Canon Utilities Easy-PhotoPrint EX
Canon Utilities My Printer
Canon Utilities Solution Menu
CCleaner (remove only)
ClearType Tuning Control Panel Applet
CopyTrans Suite Remove Only
Everything 1.2.1.371
ffdshow [rev 735] [2007-01-02]
Foxit PDF Editor
Foxit Reader
GoodSync
Google Chrome
Google Earth
Google SketchUp 8
Google SketchUp Pro 7
Google Update Helper
GoogleDesktop
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotspot Shield 1.56
Image Resizer Powertoy for Windows XP
Intel(R) Graphics Media Accelerator Driver
iTunes
Java Auto Updater
Java(TM) 6 Update 23
K-Lite Mega Codec Pack 4.1.6
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Money Plus
Microsoft Money Shared Libraries
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
MIKSOFT Mobile Media Converter
MobileMe Control Panel
Mozilla Firefox (3.6.13)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NVIDIA Drivers
Picasa 3
QuickTime
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Safari
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Skype™ 4.0
Smart Defrag
Software Update for Web Folders
SopCast 3.2.9
Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
Switch Sound File Converter
Thai2English
The KMPlayer (remove only)
unikode for Thai
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
VC 9.0 Runtime
Veetle TV 0.9.18
WebFldrs XP
Windows Media Player Firefox Plugin
WinX DVD Author 5.5.8
ZoneAlarm
ZoneAlarm Toolbar

==== Event Viewer Messages From Past Week ========

23-Jan-11 3:45:07 AM, error: Service Control Manager [7034] - The NMSAccessU service terminated unexpectedly. It has done this 1 time(s).
23-Jan-11 3:45:07 AM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
23-Jan-11 3:45:07 AM, error: Service Control Manager [7031] - The Hotspot Shield Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
23-Jan-11 3:45:07 AM, error: Service Control Manager [7031] - The Hotspot Shield Routing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
23-Jan-11 3:45:07 AM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
23-Jan-11 3:22:16 AM, error: Service Control Manager [7023] - The Automatic Updates service terminated with the following error: General access denied error
22-Jan-11 6:43:23 AM, error: Dhcp [1002] - The IP address lease 192.168.1.3 for the Network Card with network address 0025228F65F7 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
22-Jan-11 5:27:48 PM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
21-Jan-11 5:23:41 PM, error: Setup [60055] - Windows Setup encountered non-fatal errors during installation. Please check the setuperr.log found in your Windows directory for more information.
21-Jan-11 5:19:27 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service SENS with arguments "" in order to run the server: {D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}
16-Jan-11 12:11:20 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
16-Jan-11 12:11:14 AM, error: Dhcp [1002] - The IP address lease 192.168.1.3 for the Network Card with network address 0021853BFF19 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

==== End Of File ===========================



DDS (Ver_10-12-12.02) - NTFSx86
Run by Buzzzzz at 4:09:06.98 on 23-Jan-11
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_23
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3318.2739 [GMT 7:00]

AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Digiarty\WinX DVD Author 5.5\NMSAccessU.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hotspot Shield\bin\openvpntray.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Buzzzzz\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = local;*.local
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: ZoneAlarm Security Engine Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: FireShot: {6e6e744e-4d20-4ce3-9a7a-26dfffe22f68} - c:\documents and settings\buzzzzz\application data\mozilla\firefox\profiles\jjg4pz97.default\extensions\{0b457caa-602d-484a-8fe7-c1d894a011ba}\library\fsaddin-0.78.dll
TB: ZoneAlarm Security Engine: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
uRun: [Google Update] "c:\documents and settings\buzzzzz\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [ISW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} - hxxp://www.vexcast.com/download/vexcast.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\buzzzzz\applic~1\mozilla\firefox\profiles\jjg4pz97.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://start.bramjnet.com/vb/
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\buzzzzz\application data\mozilla\firefox\profiles\jjg4pz97.default\extensions\cfxhelper@triton\components\dwmxpcom.dll
FF - component: c:\program files\checkpoint\zaforcefield\trustchecker\components\TrustCheckerMozillaPlugin.dll
FF - plugin: c:\documents and settings\buzzzzz\application data\mozilla\firefox\profiles\jjg4pz97.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\buzzzzz\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: c:\program files\checkpoint\zaforcefield\trustchecker\bin\npFFApi.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: ZoneAlarm Security Engine: {FFB96CC1-7EB3-449D-B827-DB661701C6BB} - c:\program files\checkpoint\zaforcefield\TrustChecker
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Aero Fox XL: {5c8bfb7c-9a54-11dc-8314-0800200c9a66} - %profile%\extensions\{5c8bfb7c-9a54-11dc-8314-0800200c9a66}
FF - Ext: AvantGarde Skylight: {d62e0de0-401b-11dd-ae16-0800200c9a66} - %profile%\extensions\{d62e0de0-401b-11dd-ae16-0800200c9a66}
FF - Ext: Office Black: Office2007Black@JBBS - %profile%\extensions\Office2007Black@JBBS
FF - Ext: Chromifox Basic: chromifox@altmusictv.com - %profile%\extensions\chromifox@altmusictv.com
FF - Ext: AvantGarde Nightlife: {3fb63340-652a-11dd-ad8b-0800200c9a66} - %profile%\extensions\{3fb63340-652a-11dd-ad8b-0800200c9a66}
FF - Ext: FoxTab: {ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a} - %profile%\extensions\{ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a}
FF - Ext: Personas: personas@christopher.beard - %profile%\extensions\personas@christopher.beard
FF - Ext: Chromifox Companion: cfxHelper@Triton - %profile%\extensions\cfxHelper@Triton
FF - Ext: Chromifox Extreme: cfxe@Triton - %profile%\extensions\cfxe@Triton
FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Virtus Search Opt-in: extension@virtusdesigns.com - %profile%\extensions\extension@virtusdesigns.com

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-11-16 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-9-15 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-9-15 74480]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-12-5 532224]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-11-16 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-11-16 267944]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-11-16 61960]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2010-5-26 26352]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2010-5-26 493032]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 cmo_bus;Data Modem @ CDMA Composite Device driver (WDM);c:\windows\system32\drivers\cmo_bus.sys [2009-2-9 58352]
R3 cmo_mdfl;Data Modem @ CDMA Filter;c:\windows\system32\drivers\cmo_mdfl.sys [2009-2-9 8304]
R3 cmo_mdm;Data Modem @ CDMA Drivers;c:\windows\system32\drivers\cmo_mdm.sys [2009-2-9 93904]
R3 cmo_serd;Data Modem @ CDMA Second DS Port (WDM);c:\windows\system32\drivers\cmo_serd.sys [2009-2-9 73696]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-7-21 133104]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2004-8-4 14336]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-9-15 7408]

=============== Created Last 30 ================

2011-01-21 10:51:35 68096 ----a-w- c:\windows\agrsmdel.exe
2011-01-21 10:51:35 1149888 ----a-w- c:\windows\system32\drivers\AGRSM.sys
2011-01-21 10:45:54 73728 ----a-r- c:\windows\system32\RtNicProp32.dll
2011-01-21 10:45:54 120064 ----a-r- c:\windows\system32\drivers\Rtenicxp.sys
2011-01-21 10:45:06 34816 ----a-w- c:\windows\system32\RtkCoInstXP.dll
2011-01-21 10:45:06 1389056 ----a-w- c:\windows\system32\drivers\Monfilt.sys
2011-01-21 10:45:04 1684736 ----a-w- c:\windows\system32\drivers\Ambfilt.sys
2011-01-21 10:43:54 920088 ----a-r- c:\windows\system32\igxpun.exe
2011-01-21 10:43:54 319456 ----a-r- c:\windows\system32\difxapi.dll
2011-01-21 10:42:23 53248 ----a-r- c:\windows\system32\CSVer.dll
2011-01-21 10:42:07 -------- d-----w- C:\Intel
2011-01-21 10:21:59 23040 -c--a-w- c:\windows\system32\dllcache\EXCH_regtrace.exe
2011-01-21 10:20:58 42496 -c--a-w- c:\windows\system32\dllcache\davcdata.exe
2011-01-21 10:17:24 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2011-01-21 10:17:24 16384 ----a-w- c:\program files\internet explorer\connection wizard\isignup.exe
2011-01-21 10:16:46 32768 -c--a-w- c:\windows\system32\dllcache\icwdl.dll
2011-01-21 10:16:46 32768 ----a-w- c:\program files\internet explorer\connection wizard\icwdl.dll
2011-01-21 10:16:45 86016 -c--a-w- c:\windows\system32\dllcache\icwconn2.exe
2011-01-21 10:16:45 86016 ----a-w- c:\program files\internet explorer\connection wizard\icwconn2.exe
2011-01-21 10:16:45 214528 -c--a-w- c:\windows\system32\dllcache\icwconn1.exe
2011-01-21 10:16:45 214528 ----a-w- c:\program files\internet explorer\connection wizard\icwconn1.exe
2011-01-21 10:16:45 20480 -c--a-w- c:\windows\system32\dllcache\inetwiz.exe
2011-01-21 10:16:45 20480 ----a-w- c:\program files\internet explorer\connection wizard\inetwiz.exe
2011-01-21 10:02:59 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2011-01-21 10:02:59 24661 ----a-w- c:\windows\system32\spxcoins.dll
2011-01-21 10:02:59 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2011-01-21 10:02:59 13312 ----a-w- c:\windows\system32\irclass.dll
2011-01-15 11:50:59 -------- d-sha-r- C:\cmdcons
2011-01-15 08:12:33 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-01-15 08:12:33 -------- d-----w- c:\windows\system32\wbem\Repository
2011-01-15 08:12:15 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2011-01-15 08:12:14 -------- d-----w- c:\docume~1\alluse~1\applic~1\avg9
2011-01-15 08:12:06 -------- d-----w- c:\program files\Firefox
2011-01-15 08:12:06 -------- d-----w- c:\docume~1\buzzzzz\locals~1\applic~1\AVG Security Toolbar
2011-01-15 08:12:06 -------- d-----w- C:\$AVG
2011-01-13 19:56:24 -------- d---a-w- C:\cmdcons(2)
2011-01-08 10:48:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-08 10:48:51 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-08 10:48:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-25 20:26:38 -------- d-----w- c:\windows\system32\NtmsData

==================== Find3M ====================

2010-11-12 11:53:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-12 09:34:10 73728 ----a-w- c:\windows\system32\javacpl.cpl

============= FINISH: 4:10:01.89 ===============


cheers and thanks again,
Buzz

PS: my 5-month-old Min-Pin 1kg puppy is powering - even with another cast on her leg - 2 weeks for a check-up ...
 

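The DDS output above has two sections a responder reads first: the running-process list and the Event Viewer summary. The following is an added example (not code from this thread, from the DDS tool or from its author) that parses those two sections out of DDS-style text. It flags images running from user-writable profile paths and groups Service Control Manager 7031/7034 "terminated unexpectedly" events by timestamp. The embedded sample log is constructed in the DDS layout with a made-up user name and Temp executable, and the list of user-writable sub-paths is an assumption chosen for the example.

```python
"""Triage two sections of a DDS-style log (added example; not part of the
thread and not code from the DDS tool).

Check 1 - Running Processes: flag images running from user-writable
profile locations (Desktop, Temp, Application Data) and list bare names
that DDS could not resolve to a path, which need a manual look.
Check 2 - Event Viewer messages: collect Service Control Manager 7031/7034
"terminated unexpectedly" events and group them by timestamp. Several
services dying in the same second usually reflect one crash or power
event rather than a fault in each service.
"""
import re
from collections import defaultdict

# Profile sub-paths a normal user can write to (hypothetical list chosen
# for this example; extend it for your own environment).
USER_WRITABLE_SUBDIRS = ("\\desktop\\", "\\local settings\\temp\\", "\\application data\\")

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
EVENT_RE = re.compile(
    r"^(?P<when>\d{2}-[A-Za-z]{3}-\d{2} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>[^\[]+?) \[(?P<eid>\d+)\] - (?P<msg>.*)$"
)
SCM_CRASH_RE = re.compile(r"^The (?P<svc>.+?) service terminated unexpectedly")


def split_sections(text):
    """Return {section name: [non-blank lines]} for a DDS-style log."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line.rstrip())
    return sections


def suspicious_processes(lines):
    """Split the Running Processes section into (flagged, unresolved).

    A flag is a prompt for review, not a verdict: the DDS tool itself runs
    from the Desktop and is flagged as well.
    """
    flagged, unresolved = [], []
    for proc in lines:
        low = proc.lower()
        if "\\" not in low:
            unresolved.append(proc)  # e.g. bare "svchost.exe": image path unknown
        elif low.startswith("c:\\documents and settings\\") and any(
            sub in low for sub in USER_WRITABLE_SUBDIRS
        ):
            flagged.append(proc)
    return flagged, unresolved


def scm_crash_bursts(lines, min_services=2):
    """Map timestamp -> services SCM reported as crashed at that second,
    keeping only timestamps with at least `min_services` crashes."""
    by_time = defaultdict(list)
    for line in lines:
        m = EVENT_RE.match(line)
        if not m or m.group("source") != "Service Control Manager":
            continue
        if m.group("eid") not in ("7031", "7034"):
            continue
        crash = SCM_CRASH_RE.match(m.group("msg"))
        if crash:
            by_time[m.group("when")].append(crash.group("svc"))
    return {t: s for t, s in by_time.items() if len(s) >= min_services}


def triage(text):
    """Run both checks over a DDS-style log and return the findings."""
    sections = split_sections(text)
    flagged, unresolved = suspicious_processes(sections.get("Running Processes", []))
    bursts = scm_crash_bursts(sections.get("Event Viewer Messages From Past Week", []))
    return {"flagged": flagged, "unresolved": unresolved, "bursts": bursts}


# Constructed sample in DDS layout (not a real log; the user name and the
# executable in Temp are made up for this example).
SAMPLE_DDS = """\
============== Running Processes ===============

C:\\WINDOWS\\system32\\svchost -k DcomLaunch
svchost.exe
C:\\WINDOWS\\Explorer.EXE
C:\\Program Files\\Avira\\AntiVir Desktop\\avguard.exe
C:\\Documents and Settings\\user\\Desktop\\dds.scr
C:\\Documents and Settings\\user\\Local Settings\\Temp\\sample_in_temp.exe

==== Event Viewer Messages From Past Week ========

23-Jan-11 3:45:07 AM, error: Service Control Manager [7034] - The NMSAccessU service terminated unexpectedly. It has done this 1 time(s).
23-Jan-11 3:45:07 AM, error: Service Control Manager [7031] - The Hotspot Shield Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
23-Jan-11 3:22:16 AM, error: Service Control Manager [7023] - The Automatic Updates service terminated with the following error: General access denied error
22-Jan-11 6:43:23 AM, error: Dhcp [1002] - The IP address lease 192.168.1.3 for the Network Card with network address 0025228F65F7 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
22-Jan-11 5:27:48 PM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).

==== End Of File ===========================
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_DDS).items():
        print(key, value)
```

Running the file prints the three findings for the sample. Two points carry over to a real log: a path flag only says "look here" (dds.scr on the Desktop is the scanning tool itself), and a group of 7031/7034 events sharing one second points at a single boot or crash at that time, while a lone crash repeated on different days is worth chasing per service.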

Sorry Buzz- I misplaced the thread! Hope the puppy is getting along.
Please go ahead and run the following:

Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
===================================
Please download ComboFix from Here and save to your Desktop.

  1. Do NOT rename Combofix unless instructed.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Close any open browsers.
  4. Double click combofix.exe & follow the prompts to run.
     NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  5. If Combofix asks you to install Recovery Console, please allow it.
  6. If Combofix asks you to update the program, always allow.
     Please do not attempt to re-connect your machine to the Internet until Combofix has completely finished.
  7. A report will be generated after the scan. Please paste the C:\ComboFix.txt in your next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs, when you're done with Combofix..

Puppy can help if needed!
 
Here you go Bobbye ...

My 'pup' is almost there - check-up on Sunday ... getting big now ~ 2.2lbs at the last weigh-in!

Thanks,
Buzz

Eset log:

C:\Program Files\Hotspot Shield\bin\openvpnas.exe a variant of Win32/HotSpotShield application
Operating memory a variant of Win32/HotSpotShield application


Combo log:

ComboFix 11-01-28.01 - Buzzzzz 29-Jan-11 2:55.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3318.2710 [GMT 7:00]
Running from: c:\documents and settings\Buzzzzz\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((( Files Created from 2010-12-28 to 2011-01-28 )))))))))))))))))))))))))))))))
.

2011-01-21 10:54 . 2004-08-04 12:00 25600 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2011-01-21 10:51 . 2006-01-26 13:35 68096 ----a-w- c:\windows\agrsmdel.exe
2011-01-21 10:51 . 2006-01-25 15:24 1149888 ----a-w- c:\windows\system32\drivers\AGRSM.sys
2011-01-21 10:45 . 2009-01-22 08:25 120064 ----a-r- c:\windows\system32\drivers\Rtenicxp.sys
2011-01-21 10:45 . 2009-01-16 14:45 73728 ----a-r- c:\windows\system32\RtNicProp32.dll
2011-01-21 10:45 . 2008-10-27 10:12 34816 ----a-w- c:\windows\system32\RtkCoInstXP.dll
2011-01-21 10:45 . 2006-01-04 07:41 1389056 ----a-w- c:\windows\system32\drivers\Monfilt.sys
2011-01-21 10:45 . 2008-08-05 12:10 1684736 ----a-w- c:\windows\system32\drivers\Ambfilt.sys
2011-01-21 10:43 . 2008-09-16 06:01 920088 ----a-r- c:\windows\system32\igxpun.exe
2011-01-21 10:43 . 2006-11-10 01:25 319456 ----a-r- c:\windows\system32\difxapi.dll
2011-01-21 10:42 . 2011-01-21 10:42 -------- d-----w- c:\program files\Intel
2011-01-21 10:42 . 2008-07-16 08:05 53248 ----a-r- c:\windows\system32\CSVer.dll
2011-01-21 10:42 . 2011-01-21 10:42 -------- d-----w- C:\Intel
2011-01-21 10:21 . 2004-08-04 12:00 14848 -c--a-w- c:\windows\system32\dllcache\register.exe
2011-01-21 10:20 . 2004-08-04 12:00 42496 -c--a-w- c:\windows\system32\dllcache\davcdata.exe
2011-01-21 10:17 . 2004-08-04 12:00 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2011-01-21 10:17 . 2004-08-04 12:00 16384 ----a-w- c:\program files\Internet Explorer\Connection Wizard\isignup.exe
2011-01-21 10:16 . 2004-08-04 12:00 32768 -c--a-w- c:\windows\system32\dllcache\icwdl.dll
2011-01-21 10:16 . 2004-08-04 12:00 32768 ----a-w- c:\program files\Internet Explorer\Connection Wizard\icwdl.dll
2011-01-21 10:16 . 2004-08-04 12:00 86016 -c--a-w- c:\windows\system32\dllcache\icwconn2.exe
2011-01-21 10:16 . 2004-08-04 12:00 86016 ----a-w- c:\program files\Internet Explorer\Connection Wizard\icwconn2.exe
2011-01-21 10:16 . 2004-08-04 12:00 214528 -c--a-w- c:\windows\system32\dllcache\icwconn1.exe
2011-01-21 10:16 . 2004-08-04 12:00 214528 ----a-w- c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe
2011-01-21 10:16 . 2004-08-04 12:00 20480 -c--a-w- c:\windows\system32\dllcache\inetwiz.exe
2011-01-21 10:16 . 2004-08-04 12:00 20480 ----a-w- c:\program files\Internet Explorer\Connection Wizard\inetwiz.exe
2011-01-21 10:02 . 2004-08-04 12:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2011-01-21 10:02 . 2004-08-04 12:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2011-01-21 10:02 . 2004-08-04 12:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2011-01-21 10:02 . 2004-08-04 12:00 13312 ----a-w- c:\windows\system32\irclass.dll
2011-01-15 08:12 . 2011-01-15 08:12 -------- d-----w- c:\windows\system32\wbem\Repository
2011-01-15 08:12 . 2011-01-15 08:12 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2011-01-15 08:12 . 2011-01-15 08:12 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2011-01-15 08:12 . 2011-01-15 08:12 -------- d-----w- c:\program files\Firefox
2011-01-15 08:12 . 2011-01-15 08:12 -------- d-----w- c:\documents and settings\Buzzzzz\Local Settings\Application Data\AVG Security Toolbar
2011-01-15 08:12 . 2011-01-15 08:12 -------- d-----w- C:\$AVG
2011-01-08 10:48 . 2010-12-20 11:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-08 10:48 . 2011-01-08 10:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-08 10:48 . 2010-12-20 11:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-24 06:15 . 2009-11-16 09:03 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-12-11 06:23 . 2009-11-16 07:50 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-11-12 11:53 . 2010-05-22 13:40 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-12 09:34 . 2009-03-11 08:31 73728 ----a-w- c:\windows\system32\javacpl.cpl
.

------- Sigcheck -------

[-] 2008-04-14 . 9DD07AF82244867CA36681EA2D29CE79 . 1614848 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\sfcfiles.dll
[-] 2008-04-09 . 0A874046BB7B547864811CFF0DD19724 . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Buzzzzz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-18 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-24 8491008]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-02 281768]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-05-26 1043968]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2010-05-26 730600]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-09-16 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-09-16 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-09-16 150040]
"RTHDCPL"="RTHDCPL.EXE" [2008-10-28 17331200]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 08:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-20 16:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-22 21:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2010-04-12 19:29 47392 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2009-03-24 02:00 1983816 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
2009-03-18 01:40 767312 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
2001-08-23 12:00 44032 ----a-w- c:\windows\ime\imkr6_1\imekrmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2005-04-07 07:40 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-11-10 17:40 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-12-20 11:08 963976 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 04:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 09:07 2260480 ----a-w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"updateMgr"=c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"MSPY2002"=c:\windows\system32\IME\PINTLGNT\ImScInst.exe /SYNC
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"PHIME2002A"=c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
"PHIME2002ASync"=c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"RTHDCPL"=RTHDCPL.EXE
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"Alcmtr"=ALCMTR.EXE
"nwiz"=nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [15-Sep-09 11:42 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [15-Sep-09 11:42 AM 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [16-Nov-09 4:03 PM 135336]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [26-May-10 8:35 PM 26352]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [26-May-10 8:35 PM 493032]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [21-Jul-09 11:48 PM 133104]
S3 cmo_bus;Data Modem @ CDMA Composite Device driver (WDM);c:\windows\system32\drivers\cmo_bus.sys [09-Feb-09 3:51 PM 58352]
S3 cmo_mdfl;Data Modem @ CDMA Filter;c:\windows\system32\drivers\cmo_mdfl.sys [09-Feb-09 3:51 PM 8304]
S3 cmo_mdm;Data Modem @ CDMA Drivers;c:\windows\system32\drivers\cmo_mdm.sys [09-Feb-09 3:51 PM 93904]
S3 cmo_serd;Data Modem @ CDMA Second DS Port (WDM);c:\windows\system32\drivers\cmo_serd.sys [09-Feb-09 3:51 PM 73696]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [04-Aug-04 7:00 PM 14336]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [15-Sep-09 11:42 AM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
vvdsvc REG_MULTI_SZ vvdsvc
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2011-01-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-21 16:48]

2011-01-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-21 16:48]

2011-01-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-507921405-725345543-1003Core.job
- c:\documents and settings\Buzzzzz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-26 11:05]

2011-01-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-507921405-725345543-1003UA.job
- c:\documents and settings\Buzzzzz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-26 11:05]

2010-10-26 c:\windows\Tasks\switchShakeIcon.job
- c:\program files\NCH Swift Sound\Switch\switch.exe [2010-08-23 14:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {5EA7F988-C77D-4E9F-BD95-4DFB4D060C32} = 203.113.7.130 8.8.8.8
FF - ProfilePath - c:\documents and settings\Buzzzzz\Application Data\Mozilla\Firefox\Profiles\jjg4pz97.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://start.bramjnet.com/vb/
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: ZoneAlarm Security Engine: {FFB96CC1-7EB3-449D-B827-DB661701C6BB} - c:\program files\CheckPoint\ZAForceField\TrustChecker
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Aero Fox XL: {5c8bfb7c-9a54-11dc-8314-0800200c9a66} - %profile%\extensions\{5c8bfb7c-9a54-11dc-8314-0800200c9a66}
FF - Ext: AvantGarde Skylight: {d62e0de0-401b-11dd-ae16-0800200c9a66} - %profile%\extensions\{d62e0de0-401b-11dd-ae16-0800200c9a66}
FF - Ext: Office Black: Office2007Black@JBBS - %profile%\extensions\Office2007Black@JBBS
FF - Ext: Chromifox Basic: chromifox@altmusictv.com - %profile%\extensions\chromifox@altmusictv.com
FF - Ext: AvantGarde Nightlife: {3fb63340-652a-11dd-ad8b-0800200c9a66} - %profile%\extensions\{3fb63340-652a-11dd-ad8b-0800200c9a66}
FF - Ext: FoxTab: {ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a} - %profile%\extensions\{ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a}
FF - Ext: Personas: personas@christopher.beard - %profile%\extensions\personas@christopher.beard
FF - Ext: Chromifox Companion: cfxHelper@Triton - %profile%\extensions\cfxHelper@Triton
FF - Ext: Chromifox Extreme: cfxe@Triton - %profile%\extensions\cfxe@Triton
FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Virtus Search Opt-in: extension@virtusdesigns.com - %profile%\extensions\extension@virtusdesigns.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-29 02:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1324)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

- - - - - - - > 'lsass.exe'(1380)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

- - - - - - - > 'explorer.exe'(4036)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
Completion time: 2011-01-29 03:01:47
ComboFix-quarantined-files.txt 2011-01-28 20:01

Pre-Run: 170,513,612,800 bytes free
Post-Run: 170,477,793,280 bytes free

Current=3 Default=3 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 6EE271378F831D89C28976F8541AFDAA
 
Here are a couple of photos of 'Roi'
 

Attachments: P1000224.JPG (99.4 KB), Roy4.JPG (100 KB)

That is one cute puppy! The red rubber chew toy next to him almost looks larger than he is! How did he break his leg? And didn't you say it was the 2nd time? Thanks for the pictures.

Hey Buzz, I'll tell you something: I cannot get worried about Hotspot Shield when TechSpot offers it as a download! https://www.techspot.com/downloads/4924-hotspot-shield.html
I don't see anything related to it being adware or other. openvpnas.exe is part of Hotspot Shield, developed by AnchorFree Inc.

But I found the following, which explains why the scanners are picking it up:
This is Art from Hotspot Shield's marketing department, in answer to a query about ads:
I wanted to bring to your notice that users don’t start seeing ads just by downloading/installing Hotspot Shield. They only see ad if they connect to Hotspot Shield. So, they are basically opting in to see the ads in exchange for using our services. We are very upfront about this to our users.

Once they disconnect, they go back to the normal browsing without any ad insertion. User is informed that HotspotShield is supported by advertisements before the download and at the start of each private browsing session.

More on this Security Site.

I think that sounds reasonable enough. They are giving you a free connection and for it, you agree to view their ads. So we're not going to remove any of it and will ignore the ESET entry.
=========================================
Please run this Custom CFScript:

1. Close any open browsers.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
3. Open Notepad > click on Format > uncheck 'Word Wrap' > and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
Code:
File::
Folder::
c:\documents and settings\All Users\Application Data\avg9
c:\documents and settings\Buzzzzz\Local Settings\Application Data\AVG Security Toolbar
C:\$AVG
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=-
Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
Regarding the Firefox extension Virtus Search:
Ext: Virtus Search Opt-in: extension@virtusdesigns.com - %profile%\extensions\extension@virtusdesigns.com
The page on Virtus Designs admits to changing the default search engine to Ask.com but doesn't give a way to opt out. It was installed with an update, possibly for the AeroFox theme; the update dropped it in without your permission and included the extension:
FF - Ext: Aero Fox XL: {5c8bfb7c-9a54-11dc-8314-0800200c9a66} - %profile%\extensions\{5c8bfb7c-9a54-11dc-8314-0800200c9a66}
Please read the discussion about what happened here: http://www.virtusdesigns.com/?p=659

Regarding the FF extensions Chromifox:
FF - Ext: Chromifox Basic: chromifox@altmusictv.com - %profile%\extensions\chromifox@altmusictv.com
FF - Ext: Chromifox Companion: cfxHelper@Triton - %profile%\extensions\cfxHelper@Triton
FF - Ext: Chromifox Extreme: cfxe@Triton - %profile%\extensions\cfxe@Triton
Chromifox Companion is now included with the Chromifox Extreme themes.
http://forums.mozillazine.org/viewtopic.php?t=925605
===================================
I don't see any sign of TDss. Are you having any malware-related problems?
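
The review Bobbye walks through in the post above (the Run-key autoruns, the Security Center DisableMonitoring override, the disabled Windows Firewall profile, the firewall exceptions and the Firefox extensions that live in the user profile) can be scripted. The Python below is an added example for this page, not ComboFix code and not from either poster; SAMPLE_LOG is an excerpt of the log posted above, and the flagging rules are the example's own heuristics, meant as review prompts rather than malware verdicts.

```python
"""Triage helper for ComboFix log excerpts (added example, see lead-in)."""
import re

# Excerpt of the ComboFix log posted in this thread, reduced to the line
# types this script understands. Nothing here is fabricated output.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-02 281768]
"RTHDCPL"="RTHDCPL.EXE" [2008-10-28 17331200]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [26-May-10 8:35 PM 493032]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [04-Aug-04 7:00 PM 14336]

FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Virtus Search Opt-in: extension@virtusdesigns.com - %profile%\extensions\extension@virtusdesigns.com
FF - Ext: ZoneAlarm Security Engine: {FFB96CC1-7EB3-449D-B827-DB661701C6BB} - c:\program files\CheckPoint\ZAForceField\TrustChecker
"""

SECTION_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')              # [HKLM\...] key header
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<data>.*)$')  # "name"=data (REGEDIT4 style)
SERVICE_RE = re.compile(                                       # R2 name;display;image [stamp]
    r'^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*) \[(?P<stamp>[^\]]+)\]$')
FFEXT_RE = re.compile(r'^FF - Ext: (?P<name>.+?): (?P<id>\S+) - (?P<path>.+)$')
SVCHOST_RE = re.compile(r'svchost\.exe\s+-k\s+(?P<group>\S+)', re.I)


def parse(text):
    """Split a ComboFix log into registry values, service lines and Firefox extensions."""
    values, services, extensions = [], [], []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := SECTION_RE.match(line)):
            key = m.group('key')
        elif key and (m := VALUE_RE.match(line)):
            values.append((key, m.group('name'), m.group('data').strip()))
        elif (m := SERVICE_RE.match(line)):
            services.append(m.groupdict())
        elif (m := FFEXT_RE.match(line)):
            extensions.append(m.groupdict())
    return values, services, extensions


def image_of(data):
    """Strip the quotes and the trailing '[date size]' ComboFix appends to Run values."""
    return re.sub(r'\s*\[[^\]]*\]$', '', data).strip('"')


def triage(text):
    """Return human-readable review items in log order. Heuristics, not verdicts."""
    values, services, extensions = parse(text)
    findings = []
    for key, name, data in values:
        k = key.lower()
        if k.endswith('\\currentversion\\run'):
            image = image_of(data)
            if '\\' not in image:  # bare filename: Windows resolves it through the search path
                findings.append(f"autorun {name!r} is a bare filename ({image}); confirm which file on the search path actually runs")
        elif '\\security center\\monitoring\\' in k and name.lower() == 'disablemonitoring' and data.lower().endswith('1'):
            product = key.rsplit('\\', 1)[-1]
            findings.append(f"Security Center monitoring disabled for {product} (DisableMonitoring=1)")
        elif k.endswith('\\firewallpolicy\\standardprofile') and name.lower() == 'enablefirewall' and data.startswith('0'):
            findings.append("Windows Firewall off in the standard profile (EnableFirewall=0); acceptable only if a third-party firewall is active")
        elif k.endswith('\\authorizedapplications\\list'):
            app = name.replace('\\\\', '\\')  # REGEDIT4 doubles backslashes in value names
            findings.append(f"firewall exception for {app}")
    for svc in services:
        if (m := SVCHOST_RE.search(svc['image'])):
            findings.append(f"service {svc['name']!r} ({svc['start']}) runs inside svchost group {m.group('group')!r}; the log shows the host, so check the ServiceDll value too")
    for ext in extensions:
        if ext['path'].lower().startswith('%profile%\\'):
            findings.append(f"Firefox extension {ext['name']!r} ({ext['id']}) lives in the user profile; confirm the user installed it")
    return findings


if __name__ == '__main__':
    for item in triage(SAMPLE_LOG):
        print('-', item)
```

Run as-is it lists seven items for the excerpt. Two of them carry the caveats a reviewer needs: EnableFirewall=0 in the standard profile is expected when a third-party firewall is in use (the log header shows ZoneAlarm Firewall as *Enabled*), and a DisableMonitoring=1 value under Security Center\Monitoring suppresses Security Center's monitoring of that product, which is why it turns up in these logs and why the CFScript above removes it. That script uses REGEDIT4 syntax in its Registry:: section, where `"DisableMonitoring"=-` deletes the named value rather than setting it.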
 
I was just about to go for a kitesurf session and a 'tourist' was holding her. I called for her and she wriggled out of the lady's hands and dropped onto one leg; she then re-broke another smaller bone in the same leg. After being in a cast for almost 5 weeks, she was feeling too 'frisky' and, while on a very short walk, took off after her no.1 boyfriend, who she hadn't been allowed to see for about 2 weeks; she must have hit a pothole or something! She is just looooovely ...

No probs with HotSpot Shield then - I never see the ads anyway, as I use Adblock Plus in FF. It's nice just to connect when doing on-line banking or PayPal.
Thanks heaps for all the info.

Virtus Search & Chromifox extensions - I don't know anything about 'em - haven't had any probs as far as I know - should I need to do anything? (sorry, haven't had time to read the info URLs you provided)

Windows and my PC running fine ... no malware probs as far as i know...

Latest Combofix text file pasted below:

Last time my PC caught the 'flu', Broni advised me to run WOT, which has been absolutely great - do you have any similar recommendations? (your favourite top 5, must-have 'freeware' programs?)
I've got to do a Windows monthly update, and I want to get rid of heaps of duplicated files - back up all data, and do a defrag, as soon as you give me the all clear here.

(Being on a Thai tropical island, I miss a lot of Aussie and other sports on TV ... I download a lot of 'footy' games using uTorrent and I do lots of 'live' on-line sport streaming to watch various games. I know it can be dangerous, but any protection advice is muchly appreciated)


many thanks again, for your time and all the advice,
Buzz & 'Roi'

ComboFix 11-01-28.03 - Buzzzzz 29-Jan-11 18:51:36.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3318.2721 [GMT 7:00]
Running from: c:\documents and settings\Buzzzzz\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Buzzzzz\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\$AVG
c:\documents and settings\All Users\Application Data\avg9
c:\documents and settings\All Users\Application Data\avg9\Cfg\changecfgreg.cfg
c:\documents and settings\All Users\Application Data\avg9\Cfg\erd.cfg
c:\documents and settings\All Users\Application Data\avg9\Cfg\krnl.cfg
c:\documents and settings\All Users\Application Data\avg9\Cfg\mail.cfg
c:\documents and settings\All Users\Application Data\avg9\Cfg\malrep.cfg
c:\documents and settings\All Users\Application Data\avg9\Cfg\scan.cfg
c:\documents and settings\All Users\Application Data\avg9\Cfg\sched.cfg
c:\documents and settings\All Users\Application Data\avg9\Cfg\update.cfg
c:\documents and settings\All Users\Application Data\avg9\Cfg\user.cfg
c:\documents and settings\All Users\Application Data\avg9\CfgAll\changecfgreg.cfg
c:\documents and settings\All Users\Application Data\avg9\CfgAll\falsealarm.cfg
c:\documents and settings\All Users\Application Data\avg9\CfgAll\krnlall.cfg
c:\documents and settings\All Users\Application Data\avg9\CfgAll\updateall.cfg
c:\documents and settings\All Users\Application Data\avg9\CfgAll\userall.cfg
c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
c:\documents and settings\All Users\Application Data\avg9\update\backup\avgnsx.exe
c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
c:\documents and settings\Buzzzzz\Local Settings\Application Data\AVG Security Toolbar

.
((((((((((((((((((((((((( Files Created from 2010-12-28 to 2011-01-29 )))))))))))))))))))))))))))))))
.

2011-01-21 10:54 . 2004-08-04 12:00 25600 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2011-01-21 10:51 . 2006-01-26 13:35 68096 ----a-w- c:\windows\agrsmdel.exe
2011-01-21 10:51 . 2006-01-25 15:24 1149888 ----a-w- c:\windows\system32\drivers\AGRSM.sys
2011-01-21 10:45 . 2009-01-22 08:25 120064 ----a-r- c:\windows\system32\drivers\Rtenicxp.sys
2011-01-21 10:45 . 2009-01-16 14:45 73728 ----a-r- c:\windows\system32\RtNicProp32.dll
2011-01-21 10:45 . 2008-10-27 10:12 34816 ----a-w- c:\windows\system32\RtkCoInstXP.dll
2011-01-21 10:45 . 2006-01-04 07:41 1389056 ----a-w- c:\windows\system32\drivers\Monfilt.sys
2011-01-21 10:45 . 2008-08-05 12:10 1684736 ----a-w- c:\windows\system32\drivers\Ambfilt.sys
2011-01-21 10:43 . 2008-09-16 06:01 920088 ----a-r- c:\windows\system32\igxpun.exe
2011-01-21 10:43 . 2006-11-10 01:25 319456 ----a-r- c:\windows\system32\difxapi.dll
2011-01-21 10:42 . 2011-01-21 10:42 -------- d-----w- c:\program files\Intel
2011-01-21 10:42 . 2008-07-16 08:05 53248 ----a-r- c:\windows\system32\CSVer.dll
2011-01-21 10:42 . 2011-01-21 10:42 -------- d-----w- C:\Intel
2011-01-21 10:21 . 2004-08-04 12:00 14848 -c--a-w- c:\windows\system32\dllcache\register.exe
2011-01-21 10:20 . 2004-08-04 12:00 42496 -c--a-w- c:\windows\system32\dllcache\davcdata.exe
2011-01-21 10:17 . 2004-08-04 12:00 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2011-01-21 10:17 . 2004-08-04 12:00 16384 ----a-w- c:\program files\Internet Explorer\Connection Wizard\isignup.exe
2011-01-21 10:16 . 2004-08-04 12:00 32768 -c--a-w- c:\windows\system32\dllcache\icwdl.dll
2011-01-21 10:16 . 2004-08-04 12:00 32768 ----a-w- c:\program files\Internet Explorer\Connection Wizard\icwdl.dll
2011-01-21 10:16 . 2004-08-04 12:00 86016 -c--a-w- c:\windows\system32\dllcache\icwconn2.exe
2011-01-21 10:16 . 2004-08-04 12:00 86016 ----a-w- c:\program files\Internet Explorer\Connection Wizard\icwconn2.exe
2011-01-21 10:16 . 2004-08-04 12:00 214528 -c--a-w- c:\windows\system32\dllcache\icwconn1.exe
2011-01-21 10:16 . 2004-08-04 12:00 214528 ----a-w- c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe
2011-01-21 10:16 . 2004-08-04 12:00 20480 -c--a-w- c:\windows\system32\dllcache\inetwiz.exe
2011-01-21 10:16 . 2004-08-04 12:00 20480 ----a-w- c:\program files\Internet Explorer\Connection Wizard\inetwiz.exe
2011-01-21 10:02 . 2004-08-04 12:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2011-01-21 10:02 . 2004-08-04 12:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2011-01-21 10:02 . 2004-08-04 12:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2011-01-21 10:02 . 2004-08-04 12:00 13312 ----a-w- c:\windows\system32\irclass.dll
2011-01-15 08:12 . 2011-01-15 08:12 -------- d-----w- c:\windows\system32\wbem\Repository
2011-01-15 08:12 . 2011-01-15 08:12 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2011-01-15 08:12 . 2011-01-15 08:12 -------- d-----w- c:\program files\Firefox
2011-01-08 10:48 . 2010-12-20 11:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-08 10:48 . 2011-01-08 10:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-08 10:48 . 2010-12-20 11:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-24 06:15 . 2009-11-16 09:03 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-12-11 06:23 . 2009-11-16 07:50 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-11-12 11:53 . 2010-05-22 13:40 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-12 09:34 . 2009-03-11 08:31 73728 ----a-w- c:\windows\system32\javacpl.cpl
.

------- Sigcheck -------

[-] 2008-04-14 . 9DD07AF82244867CA36681EA2D29CE79 . 1614848 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\sfcfiles.dll
[-] 2008-04-09 . 0A874046BB7B547864811CFF0DD19724 . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2011-01-28_19.59.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-01-29 07:40 . 2011-01-29 07:40 16384 c:\windows\Temp\Perflib_Perfdata_2e4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Buzzzzz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-18 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-24 8491008]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-02 281768]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-05-26 1043968]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2010-05-26 730600]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-09-16 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-09-16 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-09-16 150040]
"RTHDCPL"="RTHDCPL.EXE" [2008-10-28 17331200]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 08:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-20 16:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-22 21:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2010-04-12 19:29 47392 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2009-03-24 02:00 1983816 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
2009-03-18 01:40 767312 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
2001-08-23 12:00 44032 ----a-w- c:\windows\ime\imkr6_1\imekrmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2005-04-07 07:40 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-11-10 17:40 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-12-20 11:08 963976 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 04:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 09:07 2260480 ----a-w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"updateMgr"=c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"MSPY2002"=c:\windows\system32\IME\PINTLGNT\ImScInst.exe /SYNC
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"PHIME2002A"=c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
"PHIME2002ASync"=c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"RTHDCPL"=RTHDCPL.EXE
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"Alcmtr"=ALCMTR.EXE
"nwiz"=nwiz.exe /install

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [15-Sep-09 11:42 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [15-Sep-09 11:42 AM 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [16-Nov-09 4:03 PM 135336]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [26-May-10 8:35 PM 26352]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [26-May-10 8:35 PM 493032]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [21-Jul-09 11:48 PM 133104]
S3 cmo_bus;Data Modem @ CDMA Composite Device driver (WDM);c:\windows\system32\drivers\cmo_bus.sys [09-Feb-09 3:51 PM 58352]
S3 cmo_mdfl;Data Modem @ CDMA Filter;c:\windows\system32\drivers\cmo_mdfl.sys [09-Feb-09 3:51 PM 8304]
S3 cmo_mdm;Data Modem @ CDMA Drivers;c:\windows\system32\drivers\cmo_mdm.sys [09-Feb-09 3:51 PM 93904]
S3 cmo_serd;Data Modem @ CDMA Second DS Port (WDM);c:\windows\system32\drivers\cmo_serd.sys [09-Feb-09 3:51 PM 73696]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [04-Aug-04 7:00 PM 14336]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [15-Sep-09 11:42 AM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
vvdsvc REG_MULTI_SZ vvdsvc
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2011-01-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-21 16:48]

2011-01-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-21 16:48]

2011-01-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-507921405-725345543-1003Core.job
- c:\documents and settings\Buzzzzz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-26 11:05]

2011-01-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-507921405-725345543-1003UA.job
- c:\documents and settings\Buzzzzz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-26 11:05]

2010-10-26 c:\windows\Tasks\switchShakeIcon.job
- c:\program files\NCH Swift Sound\Switch\switch.exe [2010-08-23 14:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {5EA7F988-C77D-4E9F-BD95-4DFB4D060C32} = 203.113.7.130 8.8.8.8
FF - ProfilePath - c:\documents and settings\Buzzzzz\Application Data\Mozilla\Firefox\Profiles\jjg4pz97.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://start.bramjnet.com/vb/
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: ZoneAlarm Security Engine: {FFB96CC1-7EB3-449D-B827-DB661701C6BB} - c:\program files\CheckPoint\ZAForceField\TrustChecker
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Aero Fox XL: {5c8bfb7c-9a54-11dc-8314-0800200c9a66} - %profile%\extensions\{5c8bfb7c-9a54-11dc-8314-0800200c9a66}
FF - Ext: AvantGarde Skylight: {d62e0de0-401b-11dd-ae16-0800200c9a66} - %profile%\extensions\{d62e0de0-401b-11dd-ae16-0800200c9a66}
FF - Ext: Office Black: Office2007Black@JBBS - %profile%\extensions\Office2007Black@JBBS
FF - Ext: Chromifox Basic: chromifox@altmusictv.com - %profile%\extensions\chromifox@altmusictv.com
FF - Ext: AvantGarde Nightlife: {3fb63340-652a-11dd-ad8b-0800200c9a66} - %profile%\extensions\{3fb63340-652a-11dd-ad8b-0800200c9a66}
FF - Ext: FoxTab: {ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a} - %profile%\extensions\{ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a}
FF - Ext: Personas: personas@christopher.beard - %profile%\extensions\personas@christopher.beard
FF - Ext: Chromifox Companion: cfxHelper@Triton - %profile%\extensions\cfxHelper@Triton
FF - Ext: Chromifox Extreme: cfxe@Triton - %profile%\extensions\cfxe@Triton
FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Virtus Search Opt-in: extension@virtusdesigns.com - %profile%\extensions\extension@virtusdesigns.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-29 18:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1324)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

- - - - - - - > 'lsass.exe'(1380)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
Completion time: 2011-01-29 18:57:51
ComboFix-quarantined-files.txt 2011-01-29 11:57
ComboFix2.txt 2011-01-28 20:01

Pre-Run: 170,160,922,624 bytes free
Post-Run: 170,131,447,808 bytes free

Current=3 Default=3 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - EDFFE386F47F98DBB9ECC1E2075C6386
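Added example (not part of Buzz's log, and not ComboFix's own code): a small Python triage of the service, svchost-group and scheduled-task lines in a ComboFix log, run over a constructed excerpt of the lines posted above. It parses the `R1/S3 name;display;image [date size]` service lines, the `REG_MULTI_SZ` svchost group entries and the `.job` task pairs, then flags binaries that run from a user profile, svchost-hosted services with no matching group, and group members that do not appear in the service list. The trusted-root lists and the classification rules are assumptions for illustration. Because the excerpt starts mid-list, a member flagged as "not in the service list" (vvdsvc here) means "find it in the full log", not "malware".

```python
import re

# ComboFix service line: "<R1|S3...> <name>;<display name>;<image path> [date time size]"
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.+?)\s+\[(?P<meta>[^\]]*)\]\s*$"
)
# svchost group entry under ...\CurrentVersion\svchost: "<group> REG_MULTI_SZ <member> [<member> ...]"
SVCHOST_RE = re.compile(r"^(?P<group>\S+)\s+REG_MULTI_SZ\s+(?P<members>.+?)\s*$")
# Scheduled-task pair: a dated ".job" line followed by "- <target image> [date time]"
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+(?P<job>\S+\.job)\s*$")
TASK_TARGET_RE = re.compile(r"^-\s+(?P<image>.+?)\s+\[(?P<meta>[^\]]*)\]\s*$")
# Binary path without trailing arguments such as "-k <group>"
IMAGE_PATH_RE = re.compile(r"^(?P<path>.+?\.(?:exe|sys|dll))", re.IGNORECASE)

# Assumed classification roots for an XP machine (illustration only).
SYSTEM_ROOTS = (r"c:\windows\system32", r"c:\program files")
PROFILE_ROOTS = (r"c:\documents and settings",)

# Constructed excerpt, copied from the log lines in the thread above.
SAMPLE_LOG = r"""
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [15-Sep-09 11:42 AM 9968]
S3 cmo_bus;Data Modem @ CDMA Composite Device driver (WDM);c:\windows\system32\drivers\cmo_bus.sys [09-Feb-09 3:51 PM 58352]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [04-Aug-04 7:00 PM 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
vvdsvc REG_MULTI_SZ vvdsvc
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2011-01-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-21 16:48]

2011-01-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-507921405-725345543-1003Core.job
- c:\documents and settings\Buzzzzz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-26 11:05]
"""


def image_path(image):
    """Lower-cased binary path with any trailing arguments stripped."""
    m = IMAGE_PATH_RE.match(image.strip())
    return (m["path"] if m else image).lower()


def parse_log(text):
    """Return (services, svchost_groups, tasks) parsed from ComboFix log text."""
    services, groups, tasks = {}, {}, []
    pending_job = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            services[m["name"].lower()] = {"start": m["start"], "display": m["display"], "image": m["image"]}
            continue
        m = SVCHOST_RE.match(line)
        if m:
            groups[m["group"].lower()] = m["members"].split()
            continue
        m = TASK_RE.match(line)
        if m:
            pending_job = m["job"]
            continue
        m = TASK_TARGET_RE.match(line)
        if m and pending_job:
            tasks.append({"job": pending_job, "image": m["image"]})
            pending_job = None
    return services, groups, tasks


def triage(services, groups, tasks):
    """Return (entry, reason) pairs that deserve a second look; an empty list means nothing flagged."""
    findings = []
    for name, svc in services.items():
        path = image_path(svc["image"])
        if path.startswith(PROFILE_ROOTS):
            findings.append((name, "service image lives under a user profile: verify publisher and signature"))
        elif not path.startswith(SYSTEM_ROOTS):
            findings.append((name, "service image outside the usual system roots: review the file"))
        if path.endswith("svchost.exe"):
            g = re.search(r"-k\s+(\S+)", svc["image"])
            if g is None or g.group(1).lower() not in groups:
                findings.append((name, "svchost-hosted service with no matching svchost group entry"))
    for group, members in groups.items():
        for member in members:
            if member.lower() not in services:
                findings.append((member, f"listed in svchost group '{group}' but not in the service list: locate it in the full log"))
    for task in tasks:
        if image_path(task["image"]).startswith(PROFILE_ROOTS):
            findings.append((task["job"], "scheduled task runs a binary from a user profile: verify publisher"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(*parse_log(SAMPLE_LOG)):
        print(f"{entry}: {reason}")
```

On the excerpt this flags two things: the per-user Google Update task (legitimate here, but any binary under a user profile is worth confirming) and vvdsvc, which is only "missing" because the excerpt begins partway through the service list.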
 
Open Firefox> Tools> Add-ons> Choose Extensions at the top of the page> uninstall the following:

FF - Ext: Chromifox Companion: cfxHelper@Triton - %profile%\extensions\cfxHelper@Triton
FF - Ext: Chromifox Extreme: cfxe@Triton - %profile%\extensions\cfxe@Triton
FF - Ext: Virtus Search Opt-in: extension@virtusdesigns.com - %profile%\extensions\extension@virtusdesigns.com
Virtus Search & Chromifox extensions > If you didn't put them on, then they were bundled as mentioned.
Close, then reopen Firefox.
===========================================
As for File Sharing: "I know it can be dangerous, but any protection advice muchly appreciated)" File sharing is one of the main sources of malware. You can have good protection and still get infected:
P2P or 'file sharing' Warning:
Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall any file sharing programs for the following reasons:
  • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
  • Malware writers use these programs to include malicious content.
  • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
  • The 'sharing' also includes malware that the shared system has on it.
  • Files that are illegal can be spread through file sharing.
    Please read the information on P2P Warning to help you better understand these dangers.
    ==================================
    Please update the Adobe Reader: Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
 
Hi Bobbye ...

FF - Ext: Chromifox Companion: Uninstalled
FF - Ext: Chromifox Extreme: could not see it when I opened extensions?
FF - Ext: Virtus Search Opt-in: Uninstalled
........................................................................................

Adobe reader updated to 9.4.1

I might delete it off my PC altogether as you recommended, and just use Foxit reader - I can use it on my laptop to download this once-a-month Thai phone account statement.

.............................................................................................

File sharing program - uTorrent - I understand what you say - looks like I will have to delete it. Actually, last night I used it to start downloading a game from acrossthetasman.com (BEFORE getting your last reply about it) - that is the ONLY site I download from - but, download speed was too slow - so only downloaded about 5 % and gave up. I noticed this morning, when starting up my PC it was a little slow loading. Now after reading your advice, would like to run a scan (MWAM or Super Anti-Spy) just in case - I await your further instruction. (when I re-started PC for the Adobe update - no probs, normal start-up time)

many thanks again,
Buzz

PS: My little 'Min-Pin' still has the fracture in smaller bone - another 3 weeks in the cast !
 
Sorry to see that little pup in a cast! Almost as big as he is!

There were just a couple of entries in Combofix I wanted to remove- you don't need to leave another log:
Custom CFScript

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open Notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
Code:
File::
Folder::
c:\documents and settings\All Users\Application Data\AVG Security Toolbar
Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"updateMgr"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"=-
Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . No need to leave.
====================
Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    [image: CF_Uninstall-1.jpg]
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
  • Choose Disk Cleanup
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Empty the Recycle Bin
Let me know if you have any more questions.
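Added example, not from the thread and not ComboFix's own parser: a dry-run reader for a CFScript like the one above, so you can see exactly what the script asks ComboFix to remove before dragging it onto ComboFix.exe. It understands only the three directives used here (`File::`, `Folder::`, `Registry::`). Under `Registry::` it reads .reg-file syntax, where `[KEY]` selects a key, `[-KEY]` deletes it and `"name"=-` deletes a value. The sample script is the one posted above, with the AVG toolbar path placed under a `Folder::` directive (the directive ComboFix uses for folder removal); the plan dictionary layout and the error messages are my own.

```python
import re

DIRECTIVE_RE = re.compile(r"^(?P<name>[A-Za-z]+)::\s*$")
# .reg-style key header, optionally "[-KEY]" for key deletion
REG_KEY_RE = re.compile(r"^\[(?P<delete>-)?(?P<key>HKEY_[^\]]+)\]$")
# .reg-style value line: "name"=-  (delete) or "name"=<data>  (set)
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<value>.*)$')

SUPPORTED = ("file", "folder", "registry")

# Constructed sample: the script from the post above with a Folder:: directive.
SAMPLE_SCRIPT = r'''File::
Folder::
c:\documents and settings\All Users\Application Data\AVG Security Toolbar
Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"updateMgr"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"=-
'''


def parse_cfscript(text):
    """Return a dry-run plan of what the script asks for, plus any lines it could not place."""
    plan = {
        "files": [], "folders": [],
        "reg_delete_keys": [], "reg_delete_values": [], "reg_set_values": [],
        "errors": [],
    }
    section, current_key = None, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            section = m["name"].lower()
            current_key = None
            if section not in SUPPORTED:
                plan["errors"].append(f"line {lineno}: directive not handled by this reader: {line}")
            continue
        if section == "file":
            plan["files"].append(line)
        elif section == "folder":
            plan["folders"].append(line)
        elif section == "registry":
            km = REG_KEY_RE.match(line)
            if km:
                current_key = km["key"]
                if km["delete"]:
                    plan["reg_delete_keys"].append(current_key)
                continue
            vm = REG_VALUE_RE.match(line)
            if vm is None:
                plan["errors"].append(f"line {lineno}: not a .reg-style entry: {line}")
            elif current_key is None:
                plan["errors"].append(f"line {lineno}: value line before any [KEY] header: {line}")
            elif vm["value"] == "-":
                plan["reg_delete_values"].append((current_key, vm["name"]))
            else:
                plan["reg_set_values"].append((current_key, vm["name"], vm["value"]))
        else:
            plan["errors"].append(f"line {lineno}: line under a missing or unhandled directive: {line}")
    return plan


def describe(plan):
    """Human-readable summary lines of the plan, for checking before running the script."""
    out = [f"delete file: {p}" for p in plan["files"]]
    out += [f"delete folder: {p}" for p in plan["folders"]]
    out += [f"delete key: {k}" for k in plan["reg_delete_keys"]]
    out += [f"delete value: [{k}] {n}" for k, n in plan["reg_delete_values"]]
    out += [f"set value: [{k}] {n}={v}" for k, n, v in plan["reg_set_values"]]
    out += [f"ERROR {e}" for e in plan["errors"]]
    return out


if __name__ == "__main__":
    for entry in describe(parse_cfscript(SAMPLE_SCRIPT)):
        print(entry)
```

The useful check is the `errors` list: a `"name"=-` line that ends up under `File::` or `Folder::` (or before any `[KEY]` header) is reported rather than silently treated as a path, which is exactly the mistake a missing `::` on a directive line produces.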
 
All done Bobbye ... no further problems or questions that I can think of right now.

thanks heaps for all yr time & assistance,
Buzz & 'Roi'
 
You're welcome! Here are some tips to help you stay clean and safe!

Tips for added security and safer browsing:
  1. Browser Security Settings: Custom is fine if the user did the settings. Mine are Custom. Default is okay too, but sometimes too restrictive.
    This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features: Make Internet Explorer safer.
  2. Have layered Security:
    • Antivirus Software (only one): Both of the following programs are free and known to be good:
      [o]Avira Free
      [o]Avast Home
    • Firewall (only one): Use a bi-directional firewall. Both of the following programs are free and known to be good:
      [o]Comodo
      [o]Zone Alarm
    • Antispyware: I recommend all of the following:
      [o]Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
      [o]ZonedOut: Download ZonedOut and save to your desktop. This replaces IE/Spyad and manages the Zones in Internet Explorer. It places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc.) from the sites listed, although you will still be able to connect to the sites.
      For IE7 and IE8, Windows 2000 through Vista. No Windows 7 yet.
      IE/Spyad is no longer being supported. If you have this on your system, you should replace it with the following program. Make sure your IE8 is up to date before adding sites to your Restricted zone.
      Known issue: If you have "immunized" your computer with Spybot Search and Destroy and use ZonedOut to "Remove All" restricted sites, ZonedOut will remove your Trusted sites as well. Note that if you remove Spybot Search and Destroy's Immunization, the problem goes away.
      [o]Replace the HOSTS file:
      MVPS Hosts file. This replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
      [o]Google Toolbar: Get the free Google toolbar to help stop pop-up windows.
  3. Stay current on updates:
    [o] Visit the Microsoft Download Site frequently. You should get all updates marked Critical and the current SP updates.
    [o] Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
    [o] Check this site: Java Updates. Stay current, as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
  4. Reset Cookies to prevent Tracking Cookies:
    [o]For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
    [o]For Firefox: Tools> Options> Privacy> Cookies> check ‘accept Cookies from Sites’> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
    I suggest using the following two add-ons for Firefox. They will prevent the tracking Cookies that come from ads, banners and other sources:
    AdBlock Plus
    Easy List
  5. Do regular Maintenance
    Remove Temporary Internet Files regularly:
    [o]ATF Cleaner by Atribune
    OR
    [o]TFC
    Disable and Enable System Restore:
    [o]See System Restore Guide This will help you understand what this is, why you need to clean and set restore points and what information is in them.
  6. Practice Safe Email Handling
    [o] Don't open email from anyone you don't know.
    [o] Don't open attachments in the email. Save them to your desktop and scan for viruses using a right click.
    [o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
Use a Site Advisor:
The Web of Trust (WOT) add-on is a safe surfing tool for your browser. Traffic-light rating symbols show how users rate the site for Trustworthiness, Vendor Reliability, Privacy and Child Safety. Your online email account (Google Mail, Yahoo! Mail and Hotmail) is also protected.

Every time you do a search and the screen comes up with the sites, they will have the rating light: Green (2 shades), Amber/Yellow = caution, Red = not advised. A few sites haven't been rated and show as a blue flashlight.

If you want to link from the page you're on to another site, WOT will give you an alert if the site is known for fraudulent entries, unreliability or other problems, and the site won't load. Don't worry: those alerts don't happen if you stick to the green rating.

Give it a try- http://www.mywot.com/en/download

Pats to Roi!
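Added example, not from the thread and not from MVPS: a small hosts-file checker that shows what the replacement HOSTS file recommended above does, and where it stops. The sample lines are constructed in the MVPS style; the domains are documentation names and 203.0.113.10 is a documentation address, used here as an assumed hijack entry. Two points it demonstrates: an entry mapped to 127.0.0.1 (or 0.0.0.0, the other common black-hole address) blocks exactly that hostname, so a subdomain that is not listed still resolves normally because hosts entries are not wildcards; and any entry that maps a real site to a routable address rather than the local machine is the kind of hijack malware adds, so listing those after an infection is a worthwhile check.

```python
import ipaddress

# Addresses a blocking hosts file points unwanted names at. 127.0.0.1 is the
# style described in the post; 0.0.0.0 is the other common choice.
BLACKHOLE = {"127.0.0.1", "0.0.0.0"}

# Constructed sample in MVPS style (not the real MVPS file). The last entry is an
# assumed hijack of a real host; 203.0.113.10 is a documentation address.
SAMPLE_HOSTS = """
# the localhost entry every hosts file keeps
127.0.0.1       localhost

# [ad and tracking hosts, constructed]
127.0.0.1  ads.example.net
0.0.0.0    tracker.example.org   # inline comment, must be ignored
127.0.0.1  banners.example.com www.banners.example.com

# assumed hijack: an update host pointed at an attacker-controlled address
203.0.113.10  update.av.example.com
"""


def parse_hosts(text):
    """Return {hostname: address} from hosts-file text, ignoring comments and malformed lines."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            addr = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # first token is not an address: skip the line rather than guess
        for name in parts[1:]:
            table[name.lower().rstrip(".")] = addr
    return table


def lookup(table, hostname):
    """Exact-name lookup, the way the resolver uses the hosts file: no wildcards, no suffix matching."""
    return table.get(hostname.lower().rstrip("."))


def is_blocked(table, hostname):
    """True when the name is pinned to a black-hole address (localhost itself does not count)."""
    name = hostname.lower().rstrip(".")
    return name != "localhost" and lookup(table, name) in BLACKHOLE


def non_blackhole_entries(table):
    """Entries that send a name somewhere other than the local machine: review every one of them."""
    return sorted(
        (name, addr) for name, addr in table.items()
        if addr not in BLACKHOLE and not ipaddress.ip_address(addr).is_loopback
    )


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for name in ("ads.example.net", "cdn.ads.example.net", "www.banners.example.com"):
        print(f"{name}: {'blocked' if is_blocked(table, name) else 'not in hosts file'}")
    print("entries pointing off-box:", non_blackhole_entries(table))
```

On a real machine, read `%SystemRoot%\system32\drivers\etc\hosts` and pass its contents to `parse_hosts`; a clean MVPS-style file should give an empty list from `non_blackhole_entries`.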
 