
Multiple problems from an infection that has popups, warnings across top of webpage with too many viruses, and not loading certain profiles.


This topic is locked. 7 replies to this topic.

#1 bri2k

Members, 36 posts

Posted 07 January 2009 - 10:40 PM

Hello,

I am having multiple problems from what I believe is some sort of virus. I am getting random advertisement popups, warnings across the top of webpages saying viruses were found and I need to scan, as well as the inability to load profiles, including the administrator.

I have gone through all the steps prior to posting here and nothing has seemed to work. I was not able to turn on the firewall because when I tried to load the admin profile in safe mode, I just got the black screen with safe mode in the corners. Below is my txt document.


DDS (Ver_09-01-07.01) - NTFSx86
Run by Brian at 22:25:43.14 on Wed 01/07/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2039.1528 [GMT -5:00]

AV: avast! antivirus 4.8.1296 [VPS 090107-0] *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Brian\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aol.com/
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: {f704c48c-c6f6-575a-4f94-b764fe462cff}: {ffc264ef-467b-49f4-a575-6f6cc84c407f} - c:\windows\system32\kptdil.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [WinampAgent] c:\program files\winamp\winampa.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [DIGStream] c:\program files\digstream\digstream.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [DIGServices] c:\program files\espnruntime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: c:\docume~1\admini~1\locals~1\temp\ntdll64.dll
Notify: igfxcui - igfxsrvc.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
AppInit_DLLs: kptdil.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\brian\applic~1\mozilla\firefox\profiles\ip3s6ic5.default\
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: XUL Cache: {055EA3B0-FD57-49CA-9447-7C16CF051533} - c:\windows\system32\config\systemprofile\local settings\application data\{055ea3b0-fd57-49ca-9447-7c16cf051533}\

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-1-6 111184]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-1-6 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-1-6 352920]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-1-6 20560]
R4 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-1-6 155160]
R4 LeapFrog Connect Device Service;LeapFrog Connect Device Service;c:\program files\leapfrog\leapfrog connect\CommandService.exe [2008-11-25 991232]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2007-6-19 18560]

=============== Created Last 30 ================

2009-01-07 11:42 73,216 a------- c:\windows\system32\ffkuz.dll
2009-01-07 07:38 <DIR> --d----- c:\program files\Cobian Backup 8
2009-01-06 21:29 <DIR> --d----- c:\program files\SpywareBlaster
2009-01-05 20:18 502 a------- c:\windows\system32\win32hlp.cnf
2009-01-05 20:18 111,616 a------- c:\windows\system32\dllcache\userinit.exe
2009-01-05 20:17 1 a------- c:\windows\system32\uniq.tll
2009-01-05 20:17 1 a------- c:\windows\system32\test.ttt
2009-01-05 20:17 24,576 a------- c:\windows\system32\pcload.exe
2009-01-05 07:44 1,306,326 ---sh--- c:\windows\system32\ymcjqghr.ini
2009-01-05 07:44 133,632 a------- c:\windows\system32\kptdil.dll
2009-01-05 07:44 133,632 a------- c:\windows\system32\byaoehdg.dll
2009-01-05 07:42 50,176 a------- c:\windows\system32\efcDSLdc.dll
2008-12-30 21:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\vsosdk
2008-12-30 07:51 87,608 a------- c:\docume~1\brian\applic~1\inst.exe
2008-12-30 07:51 217,127 a------- c:\windows\system32\drv43260.dll
2008-12-30 07:51 208,935 a------- c:\windows\system32\drv33260.dll
2008-12-30 07:51 176,165 a------- c:\windows\system32\drv23260.dll
2008-12-30 07:51 102,439 a------- c:\windows\system32\sipr3260.dll
2008-12-30 07:51 65,602 a------- c:\windows\system32\cook3260.dll
2008-12-30 07:51 1,184,984 a------- c:\windows\system32\wvc1dmod.dll
2008-12-30 07:51 626,688 a------- c:\windows\system32\vp7vfw.dll
2008-12-29 12:04 110 a------- c:\windows\{CF055C57-A988-42E6-BDAF-E3D94C6973A8}_WiseFW.ini
2008-12-29 12:04 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-12-29 12:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Leapfrog
2008-12-29 12:01 <DIR> --d----- c:\program files\LeapFrog
2008-12-28 13:56 <DIR> --d----- C:\P90X
2008-12-28 13:52 <DIR> --d----- c:\program files\DVD Shrink
2008-12-14 13:56 <DIR> --d----- c:\program files\BatchPhoto

==================== Find3M ====================

2009-01-05 20:18 111,616 a------- c:\windows\system32\userinit.exe
2008-12-30 07:51 47,360 a------- c:\windows\system32\drivers\pcouffin.sys
2008-12-30 07:51 47,360 a------- c:\docume~1\brian\applic~1\pcouffin.sys
2008-12-13 01:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-07 13:12 80,597,918 a------- C:\SYM_REGISTRY_BACKUP.reg
2008-12-03 19:52 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-03 19:52 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-10-28 17:36 823,296 a------- c:\windows\system32\divx_xx0c.dll
2008-10-28 17:36 823,296 a------- c:\windows\system32\divx_xx07.dll
2008-10-28 17:35 815,104 a------- c:\windows\system32\divx_xx0a.dll
2008-10-28 17:35 802,816 a------- c:\windows\system32\divx_xx11.dll
2008-10-28 17:35 684,032 a------- c:\windows\system32\DivX.dll
2008-10-24 06:10 453,632 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 08:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-10-23 08:01 283,648 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 08:11 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 08:11 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 11:57 332,800 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 02:06 633,632 -------- c:\windows\system32\dllcache\iexplore.exe
2008-10-15 02:04 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2007-03-22 19:01 81,920 a------- c:\docume~1\brian\applic~1\ezpinst.exe

============= FINISH: 22:26:35.90 ===============


Thank you for any help,
Brian


#2 Thunder

Members, 3,294 posts, Belgium

Posted 09 January 2009 - 06:15 PM

Hello Brian and welcome to Bleeping Computer,

1. Please download GooredFix and save it to your Desktop.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

2. Download LSPFix and extract it to your desktop.
Don't use it yet.
A tutorial on the use of this tool can be found here: http://www.bleepingcomputer.com/tutorials/using-lsp-fix-to-remove-spyware/

3. Please download ComboFix from one of the locations below, and save it to your Desktop.

Link
Link
Link

Double click the ComboFix icon to run it.
If ComboFix asks you to install the Recovery Console, please do so.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply.

If you have any questions along the way, STOP and ask them before proceeding!

4. Run LSPFix.
Close all windows on your computer.
Double click on Lspfix to run it.
Put a checkmark in the 'I know what I'm doing' checkbox.
Now move any instances of "ntdll64.dll" into the remove box using the >> button.
Press the Finish button.

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
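Editor's note, added to this page and not part of either poster's message: the entries Thunder singles out above are the classic XP persistence points, and they can be picked out of a DDS log mechanically before anyone reads it line by line. The script below is example code written for this page, not DDS, GooredFix or ComboFix. The sample lines are copied from Brian's DDS log; the severity scale and the rules are this example's own heuristics. It flags a non-empty AppInit_DLLs value (that DLL is loaded into every process that maps user32.dll), a Winsock LSP living in a Temp folder rather than system32, a BHO whose display name is itself a GUID, orphaned toolbar entries, and a Firefox extension registered under the SYSTEM account's profile, which is the HKLM extensions entry GooredFix backs up and deletes.

```python
"""Triage of DDS "Pseudo HJT Report" autostart lines.

Added example for this thread; not DDS, GooredFix or ComboFix code.
The sample lines are copied from the DDS log posted above; the scoring
rules are this example's own heuristics and the severities are assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Copied verbatim from the posted DDS log (Pseudo HJT Report / FIREFOX sections).
SAMPLE_LOG = r"""
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: {f704c48c-c6f6-575a-4f94-b764fe462cff}: {ffc264ef-467b-49f4-a575-6f6cc84c407f} - c:\windows\system32\kptdil.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
LSP: c:\docume~1\admini~1\locals~1\temp\ntdll64.dll
AppInit_DLLs: kptdil.dll
FF - HiddenExtension: XUL Cache: {055EA3B0-FD57-49CA-9447-7C16CF051533} - c:\windows\system32\config\systemprofile\local settings\application data\{055ea3b0-fd57-49ca-9447-7c16cf051533}\
"""


@dataclass
class Finding:
    severity: str      # "high", "medium" or "low" (assumed scale)
    reason: str
    line: str


_GUID = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)

# Directories that a Winsock LSP, browser add-on or autorun binary should not
# be loading from on a healthy XP box: per-user temp and profile data folders.
_UNTRUSTED_DIRS = ("\\temp\\", "\\locals~1\\", "\\local settings\\",
                   "\\applic~1\\", "\\application data\\")


def _untrusted(path: str) -> bool:
    p = path.lower()
    return any(d in p for d in _UNTRUSTED_DIRS)


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one DDS line, or None if it looks benign."""
    s = line.strip()
    kind, sep, rest = s.partition(":")
    if not sep:
        return None
    kind, rest = kind.strip(), rest.strip()

    if kind == "AppInit_DLLs":
        # Injected into every process that maps user32.dll; empty on a clean system.
        return Finding("high", "AppInit_DLLs injects %r system-wide" % rest, s) if rest else None

    if kind == "LSP":
        # A layered service provider sits in the Winsock chain of every
        # networking process; legitimate ones live under system32.
        if _untrusted(rest) or "\\system32\\" not in rest.lower():
            return Finding("high", "Winsock LSP loaded from outside system32", s)
        return None

    if kind in ("BHO", "TB", "EB"):
        if rest.endswith("No File"):
            return Finding("low", "orphaned %s entry pointing at a missing file" % kind, s)
        name = rest.split(":", 1)[0].strip()
        path = rest.rsplit(" - ", 1)[-1]
        if _GUID.match(name):
            # Malware BHOs commonly register a random GUID as the display name.
            return Finding("medium", "%s registered with a GUID as its name" % kind, s)
        if _untrusted(path):
            return Finding("medium", "%s loaded from a user-writable location" % kind, s)
        return None

    if kind in ("uRun", "mRun", "dRun"):
        # "[label] <command>": flag commands launched from temp or profile folders.
        return Finding("medium", "autorun launches from a user-writable location", s) \
            if _untrusted(rest) else None

    if kind.endswith("HiddenExtension"):
        # Registered via HKLM\Software\Mozilla\Firefox\extensions instead of the
        # user's profile; Goored-style hijackers drop it under the SYSTEM profile.
        if "\\systemprofile\\" in rest.lower():
            return Finding("high", "Firefox extension registered from the SYSTEM profile", s)
        return Finding("low", "Firefox extension registered outside the user profile", s)

    return None


def triage(log_text: str) -> List[Finding]:
    return [f for f in map(triage_line, log_text.splitlines()) if f]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-6s %s\n       %s" % (f.severity.upper(), f.reason, f.line))
```

Run on the sample it reports three high findings (the LSP, AppInit_DLLs and the SYSTEM-profile Firefox extension), one medium (the GUID-named BHO) and one low (the orphaned toolbar), while the avast! and UserFaultCheck autoruns pass untouched. The rules are deliberately narrow: they cannot tell a signed vendor DLL from a random one in system32, which is why kptdil.dll only scores through AppInit_DLLs and the GUID name rather than its path.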

#3 bri2k (Topic Starter)

Members, 36 posts

Posted 10 January 2009 - 09:40 AM

Hello and thank you for your help. Here are the logs from GooredFix and ComboFix:

GooredFix log:
GooredFix v1.8 by jpshortstuff
Log created at 08:57 on 10/01/2009 running Option #2 (Brian)
Firefox version 3.0.5 (en-US)

=====Goored Deletions=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{055EA3B0-FD57-49CA-9447-7C16CF051533}"="C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\{055EA3B0-FD57-49CA-9447-7C16CF051533}\"
->Backing up value... Done.
->Deleting value... Done.

C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\{055EA3B0-FD57-49CA-9447-7C16CF051533}\
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Failed.
->Delete on reboot... Set.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

=====Reboot=====


ComboFix log:
ComboFix 09-01-09.03 - Brian 2009-01-10 9:21:01.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2039.1520 [GMT -5:00]
Running from: c:\documents and settings\Brian\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1296 [VPS 090109-0] *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Brian\Application Data\Google\T-Scan
c:\documents and settings\Brian\Application Data\Google\T-Scan\n.gif
c:\documents and settings\Brian\Application Data\Google\T-Scan\t.gif
c:\documents and settings\Brian\Application Data\Google\T-Scan\y.gif
c:\documents and settings\Brian\Application Data\inst.exe
c:\windows\system32\byaoehdg.dll
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\drivers\senekancxbdano.sys
c:\windows\system32\efcDSLdc.dll
c:\windows\system32\kptdil.dll
c:\windows\system32\seneka.dat
c:\windows\system32\senekadf.dat
c:\windows\system32\senekafjeepqtr.dll
c:\windows\system32\senekalog.dat
c:\windows\system32\senekalyhmywkx.dll
c:\windows\system32\senekatqqgnvfg.dll
c:\windows\system32\test.ttt
c:\windows\system32\uniq.tll
c:\windows\system32\win32hlp.cnf
c:\windows\system32\ymcjqghr.ini

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\i386\userinit.exe


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_seneka


((((((((((((((((((((((((( Files Created from 2008-12-10 to 2009-01-10 )))))))))))))))))))))))))))))))
.

2009-01-07 22:14 . 2005-04-17 23:52 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Sonic
2009-01-07 22:14 . 2005-04-17 23:42 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Jasc Software Inc
2009-01-07 22:14 . 2005-04-17 23:31 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Intel
2009-01-07 22:14 . 2009-01-07 22:16 <DIR> d-------- c:\documents and settings\Administrator
2009-01-07 14:33 . 2009-01-07 15:32 <DIR> d-------- c:\documents and settings\TEMP
2009-01-07 11:42 . 2009-01-07 11:42 73,216 --a------ c:\windows\system32\ffkuz.dll
2009-01-07 07:38 . 2009-01-07 07:38 <DIR> d-------- c:\program files\Cobian Backup 8
2009-01-06 21:29 . 2009-01-06 21:29 <DIR> d-------- c:\program files\SpywareBlaster
2009-01-06 21:29 . 2009-01-06 21:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP
2009-01-06 08:47 . 2009-01-06 08:47 <DIR> d-------- c:\program files\Alwil Software
2009-01-06 07:24 . 2009-01-06 07:24 <DIR> d-------- c:\program files\ERUNT
2009-01-05 20:28 . 2009-01-05 20:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-05 20:17 . 2009-01-05 20:17 24,576 --a------ c:\windows\system32\pcload.exe
2008-12-30 21:06 . 2008-12-30 21:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\vsosdk
2008-12-30 07:51 . 2006-05-20 16:16 1,184,984 --a------ c:\windows\system32\wvc1dmod.dll
2008-12-30 07:51 . 2006-05-11 19:21 626,688 --a------ c:\windows\system32\vp7vfw.dll
2008-12-30 07:51 . 2006-09-29 12:24 217,127 --a------ c:\windows\system32\drv43260.dll
2008-12-30 07:51 . 2006-09-29 12:25 208,935 --a------ c:\windows\system32\drv33260.dll
2008-12-30 07:51 . 2006-09-29 12:26 176,165 --a------ c:\windows\system32\drv23260.dll
2008-12-30 07:51 . 2002-12-10 02:20 102,439 --a------ c:\windows\system32\sipr3260.dll
2008-12-30 07:51 . 2007-03-18 20:37 65,602 --a------ c:\windows\system32\cook3260.dll
2008-12-29 12:05 . 2008-12-29 12:05 <DIR> d-------- c:\program files\DIFX
2008-12-29 12:04 . 2009-01-05 20:26 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-29 12:04 . 2008-12-29 12:05 110 --a------ c:\windows\{CF055C57-A988-42E6-BDAF-E3D94C6973A8}_WiseFW.ini
2008-12-29 12:02 . 2008-12-29 12:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\Leapfrog
2008-12-29 12:01 . 2008-12-29 16:47 <DIR> d-------- c:\program files\LeapFrog
2008-12-28 13:56 . 2008-12-28 13:56 <DIR> d-------- C:\P90X
2008-12-28 13:52 . 2008-12-28 13:52 <DIR> d-------- c:\program files\DVD Shrink
2008-12-28 13:52 . 2008-12-28 13:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\DVD Shrink
2008-12-14 13:56 . 2008-12-14 13:57 <DIR> d-------- c:\program files\BatchPhoto

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-10 14:28 --------- d-----w c:\documents and settings\All Users\Application Data\DIGStream
2009-01-06 12:55 --------- d-----w c:\documents and settings\All Users\Application Data\Dell
2009-01-06 12:44 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-06 01:47 --------- d-----w c:\program files\Lavasoft
2009-01-04 13:40 --------- d-----w c:\documents and settings\Brian\Application Data\Vso
2008-12-30 13:15 --------- d-----w c:\documents and settings\Brian\Application Data\Azureus
2008-12-30 12:51 47,360 ----a-w c:\windows\system32\drivers\pcouffin.sys
2008-12-30 12:51 47,360 ----a-w c:\documents and settings\Brian\Application Data\pcouffin.sys
2008-12-30 12:50 --------- d-----w c:\program files\vso
2008-12-28 18:39 --------- d-----w c:\program files\DVDlab
2008-12-07 18:50 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-12-07 18:50 --------- d-----w c:\documents and settings\Brian\Application Data\Malwarebytes
2008-12-07 18:50 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-07 18:27 --------- d-----w c:\program files\Trend Micro
2008-12-07 18:12 80,597,918 ----a-w C:\SYM_REGISTRY_BACKUP.reg
2008-12-04 00:52 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 00:52 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2007-03-23 00:01 81,920 ----a-w c:\documents and settings\Brian\Application Data\ezpinst.exe
.

((((((((((((((((((((((((((((( snapshot_2009-01-06_22.36.54.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2009-01-07 02:56:44 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-01-10 14:00:11 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-01-07 02:56:44 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-10 14:00:11 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-01-06 01:18:33 111,616 ----a-w c:\windows\system32\dllcache\userinit.exe
+ 2004-08-04 10:00:00 24,576 ----a-w c:\windows\system32\dllcache\userinit.exe
- 2009-01-06 01:18:00 111,616 ----a-w c:\windows\system32\userinit.exe
+ 2004-08-04 10:00:00 24,576 ----a-w c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2004-12-20 33792]
"DIGStream"="c:\program files\DIGStream\digstream.exe" [2005-05-18 282624]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2008-11-25 356352]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-11 290816]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"DIGServices"="c:\program files\ESPNRunTime\DIGServices.exe" [2005-05-19 101888]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 202544]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 16:08 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=kptdil.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
backup=c:\windows\pss\Microsoft Find Fast.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Office Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk
backup=c:\windows\pss\Office Startup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 05:00 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2007-03-15 10:09 460784 c:\program files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
--a------ 2007-11-15 09:23 202544 c:\program files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2004-12-06 01:05 127035 c:\windows\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2004-10-12 16:54 57344 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-01-23 09:31 126976 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-01-23 09:36 155648 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2005-03-15 07:58 53248 c:\program files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2005-03-15 07:58 135168 c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 11:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OurPictures]
--a------ 2006-06-19 17:30 4796416 c:\program files\RitzPix E-Z Print & Share\OurPictures.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 22:37 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2005-04-17 23:47 26112 c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\DC++\\DCPlusPlus.exe"=
"c:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre1.5.0_09\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre1.5.0_11\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-01-06 111184]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-01-06 20560]
R4 LeapFrog Connect Device Service;LeapFrog Connect Device Service;c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe [2008-11-25 991232]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2007-06-19 18560]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{43fd922b-6f90-11dc-af94-00038a000015}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-11-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2009-01-10 c:\windows\Tasks\begpehcr.job
- c:\windows\system32\rundll32.exe [2004-08-04 05:00]
.
- - - - ORPHANS REMOVED - - - -

BHO-{ffc264ef-467b-49f4-a575-6f6cc84c407f} - c:\windows\system32\kptdil.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
IE: {{d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
LSP: c:\docume~1\ADMINI~1\LOCALS~1\Temp\ntdll64.dll
FF - ProfilePath - c:\documents and settings\Brian\Application Data\Mozilla\Firefox\Profiles\ip3s6ic5.default\
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-10 09:28:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1080)
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe
c:\windows\system32\brss01a.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-10 9:32:48 - machine was rebooted [Brian]
ComboFix-quarantined-files.txt 2009-01-10 14:32:34
ComboFix2.txt 2009-01-07 03:37:29
ComboFix3.txt 2008-12-07 18:42:31

Pre-Run: 11,305,824,256 bytes free
Post-Run: 11,367,452,672 bytes free

263 --- E O F --- 2008-12-21 14:22:21


Thank you again for your help and if there is anything else I need to do, please advise.
Best,
Brian

#4 Thunder

Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:11:30 AM

Posted 10 January 2009 - 10:46 AM

Hello Brian,

1. Download LSPFix and extract it to your desktop.
DO NOT run it yet !!
A tutorial on this procedure can be found here: http://www.bleepingcomputer.com/tutorials/using-lsp-fix-to-remove-spyware/

2. Let's clean up some more:

Open Notepad - don't use any other text editor than Notepad or the script will fail!
Copy/paste the bold, blue text below into an empty Notepad window:
File::
c:\windows\system32\ffkuz.dll
c:\windows\system32\pcload.exe
c:\windows\Tasks\begpehcr.job
c:\docume~1\ADMINI~1\LOCALS~1\Temp\ntdll64.dll
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: dragging CFScript onto ComboFix.exe]

This will start ComboFix again. Upon reboot, (in case it asks to reboot), post the contents of the Combofix log in your next reply, as well as a fresh DDS log.

3. Close all windows on your computer.
Double click on Lspfix to run it.
Put a checkmark in the 'I know what I'm doing' checkbox.
Now move any instances of "ntdll64.dll" into the remove box using the >> button.
Press the Finish button.

Still having problems?

Greetings,
Thunder

Edited by Thunder, 10 January 2009 - 10:46 AM.

Whatever happens, make believe it was intended to ...

#5 bri2k

bri2k
  • Topic Starter

  • Members
  • 36 posts
  • Local time:05:30 AM

Posted 10 January 2009 - 03:18 PM

Thank you again for your help. I haven't had any of the problems after the first fix, and here is the info from the second fix. The only thing is when I ran combo fix again, I dropped the .txt file that you asked me to create in and when combofix loaded, it said there was a new version, did I want to get it. I clicked yes and then it ran its thing. I wasn't sure the .txt file was then still loaded or not. Additionally, while on Combofix, it completed stage 50 and then said something along the lines of "'C:\Windows\System32 not a batch file or executable file" or something along those lines. It was there for a long time. I hit enter and then it went to the reboot portion. Did I do something wrong?

Here is the combofix log:
ComboFix 09-01-10.01 - Brian 2009-01-10 14:45:47.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2039.1565 [GMT -5:00]
Running from: c:\documents and settings\Brian\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Brian\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1296 [VPS 090110-0] *On-access scanning disabled* (Updated)

FILE ::
c:\docume~1\ADMINI~1\LOCALS~1\Temp\ntdll64.dll
c:\windows\system32\ffkuz.dll
c:\windows\system32\pcload.exe
c:\windows\Tasks\begpehcr.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\ADMINI~1\LOCALS~1\Temp\ntdll64.dll
c:\windows\system32\ffkuz.dll
c:\windows\system32\java2.sys
c:\windows\system32\snjava.dll
c:\windows\system32\mfcans32.DLL
c:\windows\system32\mfcuia32.dll
c:\windows\system32\msexcl35.dll
c:\windows\system32\msrdo20.dll
c:\windows\system32\mstext35.dll
c:\windows\system32\msxbse35.dll
c:\windows\system32\pcload.exe
c:\windows\system32\rdocurs.dll
c:\windows\system32\win32hlp.cnf
c:\windows\Tasks\begpehcr.job

.
((((((((((((((((((((((((( Files Created from 2008-12-10 to 2009-01-10 )))))))))))))))))))))))))))))))
.

2009-01-07 22:14 . 2005-04-17 23:52 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Sonic
2009-01-07 22:14 . 2005-04-17 23:42 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Jasc Software Inc
2009-01-07 22:14 . 2005-04-17 23:31 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Intel
2009-01-07 22:14 . 2009-01-07 22:16 <DIR> d-------- c:\documents and settings\Administrator
2009-01-07 14:33 . 2009-01-07 15:32 <DIR> d-------- c:\documents and settings\TEMP
2009-01-07 07:38 . 2009-01-07 07:38 <DIR> d-------- c:\program files\Cobian Backup 8
2009-01-06 21:29 . 2009-01-06 21:29 <DIR> d-------- c:\program files\SpywareBlaster
2009-01-06 21:29 . 2009-01-06 21:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP
2009-01-06 08:47 . 2009-01-06 08:47 <DIR> d-------- c:\program files\Alwil Software
2009-01-06 07:24 . 2009-01-06 07:24 <DIR> d-------- c:\program files\ERUNT
2009-01-05 20:28 . 2009-01-05 20:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-30 21:06 . 2008-12-30 21:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\vsosdk
2008-12-30 07:51 . 2006-05-20 16:16 1,184,984 --a------ c:\windows\system32\wvc1dmod.dll
2008-12-30 07:51 . 2006-05-11 19:21 626,688 --a------ c:\windows\system32\vp7vfw.dll
2008-12-30 07:51 . 2006-09-29 12:24 217,127 --a------ c:\windows\system32\drv43260.dll
2008-12-30 07:51 . 2006-09-29 12:25 208,935 --a------ c:\windows\system32\drv33260.dll
2008-12-30 07:51 . 2006-09-29 12:26 176,165 --a------ c:\windows\system32\drv23260.dll
2008-12-30 07:51 . 2002-12-10 02:20 102,439 --a------ c:\windows\system32\sipr3260.dll
2008-12-30 07:51 . 2007-03-18 20:37 65,602 --a------ c:\windows\system32\cook3260.dll
2008-12-29 12:05 . 2008-12-29 12:05 <DIR> d-------- c:\program files\DIFX
2008-12-29 12:04 . 2009-01-05 20:26 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-29 12:04 . 2008-12-29 12:05 110 --a------ c:\windows\{CF055C57-A988-42E6-BDAF-E3D94C6973A8}_WiseFW.ini
2008-12-29 12:02 . 2008-12-29 12:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\Leapfrog
2008-12-29 12:01 . 2008-12-29 16:47 <DIR> d-------- c:\program files\LeapFrog
2008-12-28 13:56 . 2008-12-28 13:56 <DIR> d-------- C:\P90X
2008-12-28 13:52 . 2008-12-28 13:52 <DIR> d-------- c:\program files\DVD Shrink
2008-12-28 13:52 . 2008-12-28 13:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\DVD Shrink
2008-12-14 13:56 . 2008-12-14 13:57 <DIR> d-------- c:\program files\BatchPhoto

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-10 20:03 --------- d-----w c:\documents and settings\All Users\Application Data\DIGStream
2009-01-06 12:55 --------- d-----w c:\documents and settings\All Users\Application Data\Dell
2009-01-06 12:44 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-06 01:47 --------- d-----w c:\program files\Lavasoft
2009-01-04 13:40 --------- d-----w c:\documents and settings\Brian\Application Data\Vso
2008-12-30 13:15 --------- d-----w c:\documents and settings\Brian\Application Data\Azureus
2008-12-30 12:51 47,360 ----a-w c:\windows\system32\drivers\pcouffin.sys
2008-12-30 12:51 47,360 ----a-w c:\documents and settings\Brian\Application Data\pcouffin.sys
2008-12-30 12:50 --------- d-----w c:\program files\vso
2008-12-28 18:39 --------- d-----w c:\program files\DVDlab
2008-12-07 18:50 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-12-07 18:50 --------- d-----w c:\documents and settings\Brian\Application Data\Malwarebytes
2008-12-07 18:50 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-07 18:27 --------- d-----w c:\program files\Trend Micro
2008-12-07 18:12 80,597,918 ----a-w C:\SYM_REGISTRY_BACKUP.reg
2008-12-04 00:52 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 00:52 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2007-03-23 00:01 81,920 ----a-w c:\documents and settings\Brian\Application Data\ezpinst.exe
.

((((((((((((((((((((((((((((( snapshot_2009-01-06_22.36.54.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2009-01-07 02:56:44 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-01-10 14:00:11 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-01-07 02:56:44 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-10 14:00:11 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-01-06 01:18:33 111,616 ----a-w c:\windows\system32\dllcache\userinit.exe
+ 2004-08-04 10:00:00 24,576 ----a-w c:\windows\system32\dllcache\userinit.exe
- 2009-01-06 01:18:00 111,616 ----a-w c:\windows\system32\userinit.exe
+ 2004-08-04 10:00:00 24,576 ----a-w c:\windows\system32\userinit.exe
+ 2009-01-10 20:03:26 16,384 ----atw c:\windows\temp\Perflib_Perfdata_80.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2004-12-20 33792]
"DIGStream"="c:\program files\DIGStream\digstream.exe" [2005-05-18 282624]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2008-11-25 356352]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-11 290816]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"DIGServices"="c:\program files\ESPNRunTime\DIGServices.exe" [2005-05-19 101888]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 202544]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 16:08 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
backup=c:\windows\pss\Microsoft Find Fast.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Office Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk
backup=c:\windows\pss\Office Startup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 05:00 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2007-03-15 10:09 460784 c:\program files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
--a------ 2007-11-15 09:23 202544 c:\program files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2004-12-06 01:05 127035 c:\windows\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2004-10-12 16:54 57344 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-01-23 09:31 126976 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-01-23 09:36 155648 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2005-03-15 07:58 53248 c:\program files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2005-03-15 07:58 135168 c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 11:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OurPictures]
--a------ 2006-06-19 17:30 4796416 c:\program files\RitzPix E-Z Print & Share\OurPictures.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 22:37 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2005-04-17 23:47 26112 c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\DC++\\DCPlusPlus.exe"=
"c:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre1.5.0_09\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre1.5.0_11\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-01-06 111184]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-01-06 20560]
R4 LeapFrog Connect Device Service;LeapFrog Connect Device Service;c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe [2008-11-25 991232]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2007-06-19 18560]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{43fd922b-6f90-11dc-af94-00038a000015}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-11-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
IE: {{d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
FF - ProfilePath - c:\documents and settings\Brian\Application Data\Mozilla\Firefox\Profiles\ip3s6ic5.default\
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-10 15:04:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1080)
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe
c:\windows\system32\brss01a.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-10 15:08:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-10 20:08:14
ComboFix2.txt 2009-01-10 14:32:50
ComboFix3.txt 2009-01-07 03:37:29
ComboFix4.txt 2008-12-07 18:42:31

Pre-Run: 11,127,644,160 bytes free
Post-Run: 11,292,172,288 bytes free

250 --- E O F --- 2008-12-21 14:22:21


Here is the DDS log:
DDS (Ver_09-01-07.01) - NTFSx86
Run by Brian at 15:10:40.57 on Sat 01/10/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2039.1530 [GMT -5:00]

AV: avast! antivirus 4.8.1296 [VPS 090110-0] *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Brian\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aol.com/
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [WinampAgent] c:\program files\winamp\winampa.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [DIGStream] c:\program files\digstream\digstream.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [DIGServices] c:\program files\espnruntime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Notify: igfxcui - igfxsrvc.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\brian\applic~1\mozilla\firefox\profiles\ip3s6ic5.default\
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-1-6 111184]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-1-6 20560]
R4 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-1-6 155160]
R4 LeapFrog Connect Device Service;LeapFrog Connect Device Service;c:\program files\leapfrog\leapfrog connect\CommandService.exe [2008-11-25 991232]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-1-6 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-1-6 352920]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2007-6-19 18560]

=============== Created Last 30 ================

2009-01-10 09:07 161,792 a------- c:\windows\SWREG.exe
2009-01-10 09:07 98,816 a------- c:\windows\sed.exe
2009-01-07 07:38 <DIR> --d----- c:\program files\Cobian Backup 8
2009-01-06 21:29 <DIR> --d----- c:\program files\SpywareBlaster
2008-12-30 21:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\vsosdk
2008-12-30 07:51 217,127 a------- c:\windows\system32\drv43260.dll
2008-12-30 07:51 208,935 a------- c:\windows\system32\drv33260.dll
2008-12-30 07:51 176,165 a------- c:\windows\system32\drv23260.dll
2008-12-30 07:51 102,439 a------- c:\windows\system32\sipr3260.dll
2008-12-30 07:51 65,602 a------- c:\windows\system32\cook3260.dll
2008-12-30 07:51 1,184,984 a------- c:\windows\system32\wvc1dmod.dll
2008-12-30 07:51 626,688 a------- c:\windows\system32\vp7vfw.dll
2008-12-29 12:04 110 a------- c:\windows\{CF055C57-A988-42E6-BDAF-E3D94C6973A8}_WiseFW.ini
2008-12-29 12:04 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-12-29 12:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Leapfrog
2008-12-29 12:01 <DIR> --d----- c:\program files\LeapFrog
2008-12-28 13:56 <DIR> --d----- C:\P90X
2008-12-28 13:52 <DIR> --d----- c:\program files\DVD Shrink
2008-12-14 13:56 <DIR> --d----- c:\program files\BatchPhoto

==================== Find3M ====================

2008-12-30 07:51 47,360 a------- c:\windows\system32\drivers\pcouffin.sys
2008-12-30 07:51 47,360 a------- c:\docume~1\brian\applic~1\pcouffin.sys
2008-12-13 01:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-07 13:12 80,597,918 a------- C:\SYM_REGISTRY_BACKUP.reg
2008-12-03 19:52 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-03 19:52 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-10-28 17:36 823,296 a------- c:\windows\system32\divx_xx0c.dll
2008-10-28 17:36 823,296 a------- c:\windows\system32\divx_xx07.dll
2008-10-28 17:35 815,104 a------- c:\windows\system32\divx_xx0a.dll
2008-10-28 17:35 802,816 a------- c:\windows\system32\divx_xx11.dll
2008-10-28 17:35 684,032 a------- c:\windows\system32\DivX.dll
2008-10-24 06:10 453,632 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 08:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-10-23 08:01 283,648 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 08:11 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 08:11 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 11:57 332,800 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 02:06 633,632 -------- c:\windows\system32\dllcache\iexplore.exe
2008-10-15 02:04 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2007-03-22 19:01 81,920 a------- c:\docume~1\brian\applic~1\ezpinst.exe

============= FINISH: 15:10:54.07 ===============


Please advise if anything else needs to be done. And thank you again.
Brian



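As an added example (not code from this thread, ComboFix or BleepingComputer), a small Python checker that reads the LSP line and the REGEDIT4-style "Reg Loading Points" section of a ComboFix log like the ones posted above and flags the tampering indicators a helper looks for: a Winsock LSP loaded from a Temp or user-profile folder, a non-empty AppInit_DLLs value, Security Center override values, the XP firewall switched off, and an AutoRun command registered for a removable volume. The sample log is constructed from entries of the kind in the thread; the AppInit_DLLs path in it is a placeholder.

```python
"""Flag persistence and tampering indicators in a ComboFix-style log.

Added example, not ComboFix or BleepingComputer code.  It parses the
'LSP:' line and the REGEDIT4-style 'Reg Loading Points' section and
reports the items a malware-removal helper acts on.
"""
import re
from typing import List, Optional, Tuple

Finding = Tuple[str, str]  # (category, human-readable detail)

# Constructed sample, assembled from the kinds of entries seen in the
# thread's logs.  The AppInit_DLLs path is a PLACEHOLDER: the thread's fix
# script blanks that value, but the log excerpt showing its original
# content is not part of the posted section.
SAMPLE_LOG = r"""
LSP: c:\docume~1\ADMINI~1\LOCALS~1\Temp\ntdll64.dll
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"="c:\windows\system32\PLACEHOLDER_hook.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{43fd922b-6f90-11dc-af94-00038a000015}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')
_LSP_RE = re.compile(r"^LSP:\s*(.+)$", re.IGNORECASE)
_AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s*-\s*(.+)$", re.IGNORECASE)

# XP Security Center "Override"/"DisableNotify" values set to 1 silence the
# warnings about a missing or disabled antivirus/firewall.
SECURITY_CENTER_FLAGS = {"antivirusoverride", "antivirusdisablenotify",
                         "firewalloverride", "firewalldisablenotify"}
# Directories a legitimate Winsock LSP should never be loaded from.
UNTRUSTED_LSP_DIRS = ("\\temp\\", "\\docume~1\\", "\\documents and settings\\")


def _reg_int(raw: str) -> Optional[int]:
    """Parse 'dword:00000001' or '1 (0x1)' style values; None if not numeric."""
    raw = raw.strip().lower()
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"^(\d+)", raw)
    return int(m.group(1)) if m else None


def scan_log(text: str) -> List[Finding]:
    """Return the suspicious entries of a ComboFix log, in the order found."""
    findings: List[Finding] = []
    key = ""  # registry key currently being parsed, lower-cased
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _LSP_RE.match(line)
        if m:
            path = m.group(1)
            if any(d in path.lower() for d in UNTRUSTED_LSP_DIRS):
                findings.append(("lsp", f"Winsock LSP loaded from a user/temp directory: {path}"))
            continue
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = _AUTORUN_RE.match(line)
        if m and "\\mountpoints2\\" in key:
            findings.append(("autorun", f"AutoRun command registered for a volume: {m.group(1)}"))
            continue
        m = _VALUE_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1).lower(), m.group(2)
        if key.endswith("\\windows nt\\currentversion\\windows") and name == "appinit_dlls":
            dll = raw.strip().strip('"')
            if dll:  # an empty value is the normal state
                findings.append(("appinit", f"AppInit_DLLs injects into every GUI process: {dll}"))
        elif key.endswith("\\security center") and name in SECURITY_CENTER_FLAGS:
            if _reg_int(raw) == 1:
                findings.append(("security_center", f"Security Center tampering: {m.group(1)}=1"))
        elif key.endswith("\\firewallpolicy\\standardprofile") and name == "enablefirewall":
            if _reg_int(raw) == 0:
                findings.append(("firewall", "Windows Firewall disabled for the standard profile"))
    return findings


if __name__ == "__main__":
    for category, detail in scan_log(SAMPLE_LOG):
        print(f"[{category}] {detail}")
```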

#6 Thunder

Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:11:30 AM

Posted 10 January 2009 - 06:51 PM

Hello Brian,

You did fine. :thumbsup:

You can remove all used tools and folders created in the process.
To remove ComboFix:
Go to Start > Run, and copy and paste the next command in the field:
ComboFix /u
Make sure there's a space between Combofix and /u
Then press Enter.
This will uninstall Combofix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

I see you have Viewpoint installed...
Viewpoint Manager is considered foistware instead of malware since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
Are you still having problems?

Greetings,
Thunder

#7 bri2k

bri2k
  • Topic Starter

  • Members
  • 36 posts
  • Local time:05:30 AM

Posted 10 January 2009 - 08:48 PM

Hi Thunder,

I have not had any problems since your fix. You all are amazing.

The only thing I do have problems with, but I don't think from anything malicious, is that my wife's profile will no longer load. It says there is a corrupt file and loads a generic profile. How would that happen? If that isn't within the realm of help from this place, no worries. I will google search it.

Best,
Brian

#8 Thunder

Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:11:30 AM

Posted 11 January 2009 - 06:32 AM

Glad we could help, Brian :thumbsup:

Since this is a malware forum, issues like corrupt user profiles are meant to be posted in the appropriate forum,
but in your case, I'd use this technique : http://support.microsoft.com/?scid=kb%3Ben...p;x=14&y=11 :)

Please read this Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks.
To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
and/or Grinler's tutorial on how malware is hidden and installed.

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
