
Started with Antispyware Soft virus fake scanner


  • This topic is locked
25 replies to this topic

#1 grg.clny

grg.clny

  • Members
  • 90 posts
  • OFFLINE
  • Local time:12:22 PM

Posted 09 May 2010 - 10:53 AM

Referred from here: http://www.bleepingcomputer.com/forums/t/315005/antispyware-soft-scanner-fake/ ~ OB

Avira detected the Soft virus. Everything seemed OK and then I had this.
I tried to update Adobe to 9.3 but when I did the install and I got this message:
ERROR 1402 Could not open Key HKEY_LOCAL_MACHINE_\Software\Micorsoft\Window ws\...\MFS- Verify you have sufficient access to that key.

Later Firefox locked up and Avira found: TR/FakeAV.KYW Trojan
I ran the quick scan for Malwarebytes and SAS and found nothing.
Then Avira picked up something with the detection description: Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus

I tried to run GMER but my computer locked up.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Ryan Mcspadden at 9:20:44.26 on Sun 05/09/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.214 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\MediaMall\MediaMallServer.exe
C:\WINDOWS\system32\HPZipm12.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 15\minimavis.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CCleaner\CCleaner.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Jarte\Jarte.exe
C:\Documents and Settings\Ryan Mcspadden\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
uInternet Settings,ProxyOverride =
uInternet Settings,ProxyServer = http=127.0.0.1:5555
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: ZoneAlarm Toolbar Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10b.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [ISW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\person~1.lnk - c:\program files\broderbund\mavis beacon teaches typing 15\minimavis.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140380567780
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ryanmc~1\applic~1\mozilla\firefox\profiles\2vsrkcq7.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\documents and settings\ryan mcspadden\application data\mozilla\firefox\profiles\2vsrkcq7.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - component: c:\program files\checkpoint\zaforcefield\trustchecker\components\TrustCheckerMozillaPlugin.dll
FF - plugin: c:\documents and settings\ryan mcspadden\application data\mozilla\firefox\profiles\2vsrkcq7.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\documents and settings\ryan mcspadden\application data\mozilla\firefox\profiles\2vsrkcq7.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\canon\zoombrowser ex\program\NPCIG.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdrmv2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-4-26 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-9-15 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-9-15 68168]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-4-25 486280]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-4-26 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-4-26 267432]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-4-26 60936]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2009-10-14 25208]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2009-10-14 476528]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 MediaMall Server;MediaMall Server;c:\program files\mediamall\MediaMallServer.exe [2010-4-18 3352944]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-8-21 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-8-21 8320]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-9-15 12872]

=============== Created Last 30 ================

2010-05-09 13:55:32 0 d-----w- c:\docume~1\alluse~1\applic~1\Gosu
2010-04-28 21:24:45 0 d-----w- c:\program files\iPod
2010-04-28 21:24:27 0 d-----w- c:\program files\iTunes
2010-04-28 17:59:31 0 d-----w- c:\program files\Bonjour
2010-04-26 20:07:24 0 d-----w- c:\windows\system32\NtmsData
2010-04-26 19:48:31 0 d-----w- c:\docume~1\ryanmc~1\applic~1\Avira
2010-04-26 19:42:23 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-04-26 19:42:22 0 d-----w- c:\program files\Avira
2010-04-26 19:42:22 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-04-26 00:59:02 0 d-----w- c:\docume~1\ryanmc~1\applic~1\CheckPoint
2010-04-26 00:58:32 0 d-----w- c:\program files\CheckPoint
2010-04-26 00:58:19 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-04-26 00:57:21 1238408 ----a-w- c:\windows\system32\zpeng25.dll
2010-04-26 00:57:21 0 d-----w- c:\windows\system32\ZoneLabs
2010-04-26 00:57:19 422437 ----a-w- c:\windows\system32\vsconfig.xml
2010-04-26 00:57:16 0 d-----w- c:\program files\Zone Labs
2010-04-26 00:56:10 0 d-----w- c:\windows\Internet Logs
2010-04-26 00:27:59 0 d-s---w- C:\Uninstall
2010-04-25 18:34:03 23920 ----a-w- c:\windows\system32\drivers\povrtdev.sys
2010-04-25 18:33:30 0 d-----w- c:\program files\common files\ffdshowEx
2010-04-25 18:33:29 0 d-----w- c:\program files\MediaMall
2010-04-25 18:33:29 0 d-----w- c:\program files\common files\TV-Websites
2010-04-25 18:33:05 0 d-----w- c:\docume~1\alluse~1\applic~1\MediaMall
2010-04-25 03:49:50 0 d-sha-r- C:\cmdcons
2010-04-24 22:22:17 19456 ----a-w- c:\windows\system32\dllcache\agt040d.dll
2010-04-24 22:22:17 19456 ----a-w- c:\windows\system32\dllcache\agt0401.dll
2010-04-20 12:51:03 0 d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-19 21:57:43 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-19 21:57:43 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-19 18:40:10 0 ----a-w- c:\documents and settings\ryan mcspadden\defogger_reenable
2010-04-19 00:46:48 0 d-----w- c:\docume~1\ryanmc~1\applic~1\QuickScan
2010-04-15 00:06:47 0 d-----w- c:\program files\Windows Installer Clean Up
2010-04-15 00:04:59 0 d-----w- c:\program files\MSECACHE

==================== Find3M ====================

2010-04-29 20:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-08 18:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 18:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll
2010-03-09 09:28:20 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-25 16:54:36 11070976 ----a-w- c:\windows\system32\dllcache\ieframe.dll
2010-02-24 13:11:07 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-24 09:54:25 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2010-02-17 14:10:28 2189952 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 14:08:49 2146304 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-16 13:25:04 2066816 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-16 13:25:04 2024448 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-12 04:33:11 100864 ------w- c:\windows\system32\dllcache\6to4svc.dll
2010-02-11 12:02:15 226880 ------w- c:\windows\system32\dllcache\tcpip6.sys
2005-11-13 14:42:03 251 ----a-w- c:\program files\wt3d.ini
2006-05-19 02:45:29 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 9:25:44.82 ===============


Edited by Orange Blossom, 09 May 2010 - 04:03 PM.
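Two entries in the Pseudo HJT section of the DDS report above are the ones a log reviewer looks at first: `uInternet Settings,ProxyServer = http=127.0.0.1:5555`, which routes every Internet Explorer request through a process listening on the machine itself (a setting that would explain redirected searches), and `Hosts: 127.0.0.1 www.spywareinfo.com`, which silently blocks a security-help site. The following is an added example, not part of this thread and not code from the DDS tool: a small Python triage that scans DDS Pseudo HJT lines for a loopback proxy, Hosts-file overrides and orphaned BHO/toolbar entries. The sample lines are copied from the report above plus one constructed benign corporate-proxy line for contrast; the keyword list of security-site names is an assumption to be extended for your own environment.

```python
import re
from typing import Dict, List

# Addresses that mean "a process on this same machine". A ProxyServer that
# points here hands every browser request to local code before it leaves.
LOOPBACK = re.compile(r"^(127\.\d{1,3}\.\d{1,3}\.\d{1,3}|localhost|0\.0\.0\.0|::1)$", re.I)

# Assumed keyword list (not from the page): fragments of hostnames of security
# and help sites that a Hosts-file override is most likely to be targeting.
SECURITY_HOST_KEYWORDS = (
    "spyware", "antivir", "avira", "malwarebytes", "bleepingcomputer",
    "virus", "mcafee", "symantec", "kaspersky", "windowsupdate",
)

# DDS line shapes: user (u) or machine (m) proxy setting, Hosts entries,
# and BHO/toolbar registrations whose file no longer exists.
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(?P<value>.+)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")
NOFILE_RE = re.compile(r"^(?P<kind>BHO|TB):.*-\s*No File\s*$")

# Lines copied from the DDS Pseudo HJT report above, plus one constructed
# benign proxy line (proxy.corp.example) so the output shows the contrast.
SAMPLE_DDS_LINES = [
    r"uStart Page = hxxp://www.google.com/",
    r"uInternet Settings,ProxyOverride = <local>",
    r"uInternet Settings,ProxyServer = http=127.0.0.1:5555",
    r"mInternet Settings,ProxyServer = proxy.corp.example:8080",  # constructed
    r"BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File",
    r"BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll",
    r"TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File",
    r"Hosts: 127.0.0.1 www.spywareinfo.com",
]


def proxy_targets(value: str) -> List[str]:
    """Split a WinINet ProxyServer value into its host parts.

    Accepts both the per-protocol form 'http=host:port;https=host:port'
    and the single form 'host:port'.
    """
    hosts = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:                      # 'http=host:port' -> 'host:port'
            part = part.split("=", 1)[1]
        host = part.rsplit(":", 1)[0] if ":" in part else part
        hosts.append(host.strip("[]"))       # tolerate '[::1]:port'
    return hosts


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per suspicious line, in the order the lines appear."""
    findings: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.strip()
        m = PROXY_RE.match(line)
        if m:
            # Any proxy is worth noting; a loopback proxy is the real alarm.
            if any(LOOPBACK.match(h) for h in proxy_targets(m.group("value"))):
                findings.append({"kind": "loopback_proxy", "severity": "high", "line": line})
            else:
                findings.append({"kind": "proxy_set", "severity": "info", "line": line})
            continue
        m = HOSTS_RE.match(line)
        if m:
            # DDS only prints non-default Hosts entries, so every one gets a look;
            # an override of a security site is the classic self-protection trick.
            host = m.group("host").lower()
            sev = "high" if any(k in host for k in SECURITY_HOST_KEYWORDS) else "medium"
            findings.append({"kind": "hosts_override", "severity": sev, "line": line})
            continue
        m = NOFILE_RE.match(line)
        if m:
            # Registry reference to a missing file: usually leftovers of a
            # removal or uninstall, low severity but worth cleaning up.
            findings.append({"kind": "orphaned_" + m.group("kind").lower(),
                             "severity": "low", "line": line})
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per severity so a reviewer sees the headline first."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_DDS_LINES)
    for f in results:
        print(f"[{f['severity']:6}] {f['kind']:16} {f['line']}")
    print(summarize(results))
```

Run against the sample lines, the script reports the loopback proxy and the spywareinfo.com Hosts override as high, the constructed corporate proxy as informational, and the two "No File" entries as low. The parser is deliberately line-oriented, matching how DDS prints its report, so it can be pointed at a whole saved DDS log without pre-processing.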


#2 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • ONLINE
  • Gender:Male
  • Location:God's Country
  • Local time:01:22 PM

Posted 11 May 2010 - 07:36 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log

PW

#3 grg.clny

grg.clny
  • Topic Starter

  • Members
  • 90 posts
  • OFFLINE
  • Local time:12:22 PM

Posted 11 May 2010 - 12:27 PM

I ran DDS and I am posting new logs. I shut down Avira, disconnected from the Internet and disabled CD simulator. I tried to run GMER a couple of times and it locked up my computer. The only thing that has changed is IE searches are being misdirected along with Firefox Google searches.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Ryan Mcspadden at 11:35:49.37 on Tue 05/11/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.360 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\MediaMall\MediaMallServer.exe
C:\WINDOWS\system32\HPZipm12.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 15\minimavis.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CleanUp!\Cleanup.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Ryan Mcspadden\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: ZoneAlarm Toolbar Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [ISW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\person~1.lnk - c:\program files\broderbund\mavis beacon teaches typing 15\minimavis.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140380567780
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ryanmc~1\applic~1\mozilla\firefox\profiles\2vsrkcq7.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\documents and settings\ryan mcspadden\application data\mozilla\firefox\profiles\2vsrkcq7.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - component: c:\program files\checkpoint\zaforcefield\trustchecker\components\TrustCheckerMozillaPlugin.dll
FF - plugin: c:\documents and settings\ryan mcspadden\application data\mozilla\firefox\profiles\2vsrkcq7.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\documents and settings\ryan mcspadden\application data\mozilla\firefox\profiles\2vsrkcq7.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\canon\zoombrowser ex\program\NPCIG.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdrmv2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-4-26 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-9-15 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-9-15 68168]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-4-25 486280]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-4-26 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-4-26 267432]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-4-26 60936]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2009-10-14 25208]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2009-10-14 476528]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 MediaMall Server;MediaMall Server;c:\program files\mediamall\MediaMallServer.exe [2010-4-18 3352944]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-8-21 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-8-21 8320]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-9-15 12872]

=============== Created Last 30 ================

2010-05-10 16:53:07 0 d-----w- c:\docume~1\alluse~1\applic~1\Gosu
2010-04-28 21:24:45 0 d-----w- c:\program files\iPod
2010-04-28 21:24:27 0 d-----w- c:\program files\iTunes
2010-04-28 17:59:31 0 d-----w- c:\program files\Bonjour
2010-04-26 20:07:24 0 d-----w- c:\windows\system32\NtmsData
2010-04-26 19:48:31 0 d-----w- c:\docume~1\ryanmc~1\applic~1\Avira
2010-04-26 19:42:23 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-04-26 19:42:22 0 d-----w- c:\program files\Avira
2010-04-26 19:42:22 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-04-26 00:59:02 0 d-----w- c:\docume~1\ryanmc~1\applic~1\CheckPoint
2010-04-26 00:58:32 0 d-----w- c:\program files\CheckPoint
2010-04-26 00:58:19 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-04-26 00:57:21 1238408 ----a-w- c:\windows\system32\zpeng25.dll
2010-04-26 00:57:21 0 d-----w- c:\windows\system32\ZoneLabs
2010-04-26 00:57:19 422437 ----a-w- c:\windows\system32\vsconfig.xml
2010-04-26 00:57:16 0 d-----w- c:\program files\Zone Labs
2010-04-26 00:56:10 0 d-----w- c:\windows\Internet Logs
2010-04-26 00:27:59 0 d-s---w- C:\Uninstall
2010-04-25 18:34:03 23920 ----a-w- c:\windows\system32\drivers\povrtdev.sys
2010-04-25 18:33:30 0 d-----w- c:\program files\common files\ffdshowEx
2010-04-25 18:33:29 0 d-----w- c:\program files\MediaMall
2010-04-25 18:33:29 0 d-----w- c:\program files\common files\TV-Websites
2010-04-25 18:33:05 0 d-----w- c:\docume~1\alluse~1\applic~1\MediaMall
2010-04-25 03:49:50 0 d-sha-r- C:\cmdcons
2010-04-24 22:22:17 19456 ----a-w- c:\windows\system32\dllcache\agt040d.dll
2010-04-24 22:22:17 19456 ----a-w- c:\windows\system32\dllcache\agt0401.dll
2010-04-20 12:51:03 0 d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-19 21:57:43 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-19 21:57:43 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-19 18:40:10 0 ----a-w- c:\documents and settings\ryan mcspadden\defogger_reenable
2010-04-19 00:46:48 0 d-----w- c:\docume~1\ryanmc~1\applic~1\QuickScan
2010-04-15 00:06:47 0 d-----w- c:\program files\Windows Installer Clean Up
2010-04-15 00:04:59 0 d-----w- c:\program files\MSECACHE

==================== Find3M ====================

2010-04-29 20:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-08 18:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 18:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll
2010-03-09 09:28:20 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-25 16:54:36 11070976 ----a-w- c:\windows\system32\dllcache\ieframe.dll
2010-02-24 13:11:07 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-24 09:54:25 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2010-02-17 14:10:28 2189952 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 14:08:49 2146304 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-16 13:25:04 2066816 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-16 13:25:04 2024448 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-12 04:33:11 100864 ------w- c:\windows\system32\dllcache\6to4svc.dll
2010-02-11 12:02:15 226880 ------w- c:\windows\system32\dllcache\tcpip6.sys
2005-11-13 14:42:03 251 ----a-w- c:\program files\wt3d.ini
2006-05-19 02:45:29 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 11:40:12.81 ===============




#4 pwgib

  • Malware Response Team
  • 2,956 posts
  • Gender:Male
  • Location:God's Country

Posted 12 May 2010 - 07:42 AM

Hello grg.clny

I will be handling your log to help you get cleaned up. I apologize for the delay but the forum is very busy.

As you can see, the logs we ask for are very extensive and take a lot of time to investigate. In addition, since I am still in training, all of my responses have to be reviewed by our excellent expert staff, so there may be a delay in response time. The advantage is that your log will be evaluated by two sets of eyes and two brains.

If you haven't already, you can keep the link to this topic in your Favorites. Alternatively, you can click the Options button at the top bar of this topic and Track this Topic, where you can choose email notifications.

Please make sure Word Wrap in Notepad is turned off. When copying and pasting logs, paste them directly into the reply box; only attach logs if asked to. Do not wrap logs in codebox or code tags. It makes it very difficult to read and analyze them. Please paste them directly into the reply box.
Please do not make any changes to your system until we are through. Fixes are based upon information that is current from your system, so any changes can affect our strategy. Please refrain from running any tools we may use without specific instructions.

If your operating system is Windows Vista or Windows 7, it may be necessary to right-click any programs we use and choose Run as Administrator.

Before we begin, please check and follow the instructions on How to Show Hidden Files and Folders in Windows Vista and Windows XP and How to show hidden files in Windows 7.

Because the e-mail notification system is not completely reliable, please check your topic once a day for responses.

Again, keep in mind that it may take a couple of days or more before I can reply but once we get started the process should speed up.

Thank you for your patience!!
PW

#5 grg.clny

  • Topic Starter
  • Members
  • 90 posts

Posted 12 May 2010 - 01:06 PM

I have gone through the "How to see hidden files in Windows" for XP. I now have some transparent icons on my desktop. I know the Bleeping Computer site is really busy. Thanks for the help.

The latest item in the Avira quarantine has this description:

Type: File
Source: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\K2ACM28Y\2[1].php
Status: Infected
Quarantine object: 4e9d4e0c.qua
Restored: NO
Uploaded to Avira: NO
Operating System: Windows 2000/XP/VISTA Workstation
Search engine: 8.02.01.236
Virus definition file: 7.10.07.89
Detection: Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus

Edited by grg.clny, 12 May 2010 - 01:54 PM.


#6 pwgib

  • Malware Response Team
  • 2,956 posts
  • Gender:Male
  • Location:God's Country

Posted 16 May 2010 - 08:33 AM

Hello grg.clny,

I apologize for the delay. I missed a notification.

Step 1

We need to disable Spybot S&D's "TeaTimer".
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half-finished fix, we need to disable TeaTimer. We can re-enable it when we're done if you like.
  1. Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  2. If prompted with a legal dialog, accept the warning.
  3. Click and then on "Advanced Mode"
  4. You may be presented with a warning dialog. If so, press
  5. Click on
  6. Click on
  7. Uncheck this checkbox:
  8. Close/Exit Spybot Search and Destroy
Step 2

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. <----Important
    Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

In your next reply please answer my question about the directory and include the following:

ComboFix.txt


Thanks!!
PW

#7 grg.clny

  • Topic Starter
  • Members
  • 90 posts

Posted 16 May 2010 - 05:57 PM

I disabled "TeaTimer" and I already had the Windows Recovery Console installed.
What was the directory question? (Update: Avira picked up something after the ComboFix scan. I am adding the description as an attachment.)
I downloaded ComboFix and ran it. Here are the results:

ComboFix 10-05-16.01 - Ryan Mcspadden 05/16/2010 17:05:42.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.514 [GMT -5:00]
Running from: c:\documents and settings\Ryan Mcspadden\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\dmio.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-04-16 to 2010-05-16 )))))))))))))))))))))))))))))))
.

2010-05-16 21:38 . 2008-04-13 18:44 153344 ----a-w- c:\windows\system32\drivers\dmio.sys
2010-05-16 21:38 . 2008-04-13 18:44 153344 ----a-w- c:\windows\system32\dllcache\dmio.sys
2010-05-13 11:58 . 2010-05-13 13:56 -------- d-----w- c:\windows\system32\MpEngineStore
2010-05-08 17:00 . 2010-05-08 22:00 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-05-07 15:53 . 2010-05-07 15:53 -------- d-----w- c:\program files\NOS
2010-05-04 02:11 . 2010-05-04 14:11 -------- d-----w- c:\documents and settings\Ryan Mcspadden\Local Settings\Application Data\lkmkrbnrd
2010-04-28 21:24 . 2010-04-28 21:24 -------- d-----w- c:\program files\iPod
2010-04-28 21:24 . 2010-04-28 21:25 -------- d-----w- c:\program files\iTunes
2010-04-28 17:59 . 2010-04-28 17:59 -------- d-----w- c:\program files\Bonjour
2010-04-26 21:21 . 2010-04-26 21:21 -------- d-----w- c:\documents and settings\LocalService\Application Data\Avira
2010-04-26 20:07 . 2010-05-08 14:36 -------- d-----w- c:\windows\system32\NtmsData
2010-04-26 19:48 . 2010-04-26 19:48 -------- d-----w- c:\documents and settings\Ryan Mcspadden\Application Data\Avira
2010-04-26 19:42 . 2010-03-01 15:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-04-26 19:42 . 2010-02-16 19:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-04-26 19:42 . 2009-05-11 17:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-04-26 19:42 . 2009-05-11 17:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-04-26 19:42 . 2010-04-26 19:42 -------- d-----w- c:\program files\Avira
2010-04-26 19:42 . 2010-04-26 19:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-04-26 00:59 . 2010-04-26 00:59 -------- d-----w- c:\documents and settings\Ryan Mcspadden\Application Data\CheckPoint
2010-04-26 00:58 . 2010-04-26 00:58 -------- d-----w- c:\program files\CheckPoint
2010-04-26 00:58 . 2010-04-26 00:58 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-04-26 00:58 . 2009-11-22 20:42 69000 ----a-w- c:\windows\system32\zlcomm.dll
2010-04-26 00:58 . 2009-11-22 20:42 103816 ----a-w- c:\windows\system32\zlcommdb.dll
2010-04-26 00:57 . 2010-04-26 00:58 -------- d-----w- c:\windows\system32\ZoneLabs
2010-04-26 00:57 . 2009-11-22 20:42 1238408 ----a-w- c:\windows\system32\zpeng25.dll
2010-04-26 00:57 . 2010-04-26 00:57 -------- d-----w- c:\program files\Zone Labs
2010-04-26 00:56 . 2010-05-16 22:16 -------- d-----w- c:\windows\Internet Logs
2010-04-26 00:27 . 2010-04-26 00:28 -------- d-----w- C:\Uninstall
2010-04-25 18:34 . 2010-02-24 19:11 23920 ----a-w- c:\windows\system32\drivers\povrtdev.sys
2010-04-25 18:33 . 2010-04-25 18:33 -------- d-----w- c:\program files\Common Files\ffdshowEx
2010-04-25 18:33 . 2010-04-25 18:33 -------- d-----w- c:\program files\MediaMall
2010-04-25 18:33 . 2010-04-25 18:33 -------- d-----w- c:\program files\Common Files\TV-Websites
2010-04-25 18:33 . 2010-05-04 17:21 -------- d-----w- c:\documents and settings\All Users\Application Data\MediaMall
2010-04-24 22:22 . 2004-08-10 11:00 19456 ----a-w- c:\windows\system32\dllcache\agt040d.dll
2010-04-24 22:22 . 2004-08-10 11:00 19456 ----a-w- c:\windows\system32\dllcache\agt0401.dll
2010-04-20 12:51 . 2010-04-20 12:52 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-19 21:57 . 2010-04-25 03:40 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-19 21:57 . 2010-04-19 21:57 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-19 21:57 . 2010-04-20 12:51 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-19 02:48 . 2010-04-19 02:48 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-04-19 02:46 . 2010-05-07 16:04 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-04-19 00:46 . 2010-04-27 23:55 -------- d-----w- c:\documents and settings\Ryan Mcspadden\Application Data\QuickScan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-16 22:17 . 2010-05-16 22:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Gosu
2010-05-16 22:14 . 2005-11-07 17:29 384 ----a-w- c:\windows\system32\DVCStateBkp-{00000005-00000000-00000004-00001102-00000004-20061102}.dat
2010-05-16 22:14 . 2005-11-07 17:29 384 ----a-w- c:\windows\system32\DVCState-{00000005-00000000-00000004-00001102-00000004-20061102}.dat
2010-05-16 21:30 . 2009-10-06 19:32 -------- d-----w- c:\documents and settings\Ryan Mcspadden\Application Data\Jarte
2010-05-16 21:16 . 2010-04-26 10:59 1776975 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-05-15 15:14 . 2008-05-18 13:24 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-15 15:14 . 2006-05-23 22:27 -------- d-----w- c:\program files\SpywareBlaster
2010-05-15 15:08 . 2006-05-21 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-15 15:08 . 2010-04-30 11:53 63488 ----a-w- c:\documents and settings\Ryan Mcspadden\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-15 15:08 . 2009-09-19 17:48 117760 ----a-w- c:\documents and settings\Ryan Mcspadden\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-11 17:07 . 2010-05-11 17:15 1717760 ----a-w- c:\windows\Internet Logs\xDB2.tmp
2010-05-11 16:40 . 2010-05-11 17:15 119808 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2010-05-10 00:01 . 2007-04-10 17:37 -------- d-----w- c:\documents and settings\Ryan Mcspadden\Application Data\U3
2010-05-08 14:47 . 2009-09-19 17:47 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-08 14:33 . 2010-05-08 14:33 16 ----a-w- c:\windows\system32\config\systemprofile\Application Data\woxcdv.dat
2010-05-08 03:28 . 2010-05-08 09:34 76800 ----a-w- c:\windows\Internet Logs\xDB10.tmp
2010-05-07 16:00 . 2005-11-13 02:06 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-07 15:54 . 2010-05-07 15:54 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-05-07 02:14 . 2010-05-07 02:52 222208 ----a-w- c:\windows\Internet Logs\xDBF.tmp
2010-04-30 14:23 . 2009-09-22 13:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-29 20:39 . 2009-09-22 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39 . 2009-09-22 13:54 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-29 10:54 . 2010-04-29 11:47 517632 ----a-w- c:\windows\Internet Logs\xDB12.tmp
2010-04-28 21:24 . 2007-06-30 04:36 -------- d-----w- c:\program files\Common Files\Apple
2010-04-28 21:14 . 2010-04-28 21:14 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.11\SetupAdmin.exe
2010-04-27 18:09 . 2008-05-20 03:00 -------- d-----w- c:\program files\CCleaner
2010-04-26 00:33 . 2006-08-07 23:01 41696 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-26 00:33 . 2005-11-12 01:12 41696 ----a-w- c:\documents and settings\Ryan Mcspadden\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-25 17:05 . 2006-05-21 22:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-25 16:57 . 2006-09-30 09:26 -------- d-----w- c:\program files\QuickTime
2010-04-20 23:42 . 2006-08-13 23:15 -------- d-----w- c:\program files\Jarte
2010-04-20 21:38 . 2006-01-22 02:21 -------- d-----w- c:\documents and settings\Ryan Mcspadden\Application Data\Apple Computer
2010-04-20 12:45 . 2006-09-24 12:44 -------- d-----w- c:\program files\Apple Software Update
2010-04-18 00:35 . 2009-12-14 00:01 -------- d-----w- c:\documents and settings\Ryan Mcspadden\Application Data\CameraWindowDC
2010-04-18 00:35 . 2009-12-05 17:11 -------- d-----w- c:\documents and settings\Ryan Mcspadden\Application Data\ZoomBrowser EX
2010-04-15 03:10 . 2008-08-23 13:18 -------- d-----w- c:\program files\CleanUp!
2010-04-15 00:06 . 2010-04-15 00:06 3584 ----a-r- c:\documents and settings\Ryan Mcspadden\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2010-04-15 00:06 . 2010-04-15 00:06 -------- d-----w- c:\program files\Windows Installer Clean Up
2010-04-15 00:06 . 2010-04-15 00:04 -------- d-----w- c:\program files\MSECACHE
2010-04-14 23:21 . 2006-02-18 03:01 -------- d-----w- c:\program files\Yahoo!
2010-04-13 20:58 . 2010-04-19 00:46 670696 ----a-w- c:\documents and settings\Ryan Mcspadden\Application Data\Mozilla\Firefox\Profiles\2vsrkcq7.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
2010-04-13 20:58 . 2010-04-19 00:46 833960 ----a-w- c:\documents and settings\Ryan Mcspadden\Application Data\Mozilla\Firefox\Profiles\2vsrkcq7.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2010-04-11 02:38 . 2005-11-07 17:28 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-08 18:20 . 2010-04-08 18:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 18:20 . 2010-04-08 18:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-04-06 02:23 . 2010-03-20 22:19 -------- d-----w- c:\program files\Understanding Medical Coding - A Comprehensive Guide
2010-04-02 16:44 . 2010-03-23 21:45 -------- d-----w- c:\program files\StudyWare to accompany Correct Coding for Medicare Compliance and Reimbursement
2010-03-10 06:15 . 2005-08-16 10:18 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 05:41 . 2010-03-10 05:41 296008 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-03-09 09:28 . 2008-12-12 22:51 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-25 06:24 . 2005-08-16 10:18 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2005-11-07 17:05 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2005-08-16 10:18 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-04 04:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2005-11-13 14:42 . 2005-11-13 14:42 251 ----a-w- c:\program files\wt3d.ini
2004-08-10 11:00 . 2006-06-11 15:45 28672 ----a-w- c:\program files\mozilla firefox\plugins\custsat.dll
2006-05-10 03:26 . 2006-06-11 15:45 345088 ----a-w- c:\program files\mozilla firefox\plugins\mpvis.dll
2005-04-20 17:32 . 2006-06-11 15:45 47616 ----a-w- c:\program files\mozilla firefox\plugins\msoobci.dll
2008-04-25 19:32 . 2008-04-25 19:32 5817064 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
2006-05-10 03:26 . 2006-06-11 15:45 87040 ----a-w- c:\program files\mozilla firefox\plugins\wmpband.dll
2006-05-10 02:02 . 2006-06-11 15:45 146432 ----a-w- c:\program files\mozilla firefox\plugins\wmpnssci.dll
2006-05-19 02:45 . 2005-11-18 04:53 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-11-22 1037192]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2009-10-14 730480]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-24 142120]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-11-7 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-9-24 282624]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]
Personal Coach.lnk - c:\program files\Broderbund\Mavis Beacon Teaches Typing 15\minimavis.exe [2007-9-20 2392064]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MediaMall\\MediaMallServer.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [9/15/2009 11:42 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/15/2009 11:42 AM 68168]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/26/2010 2:42 PM 135336]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [10/14/2009 8:30 AM 25208]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [10/14/2009 8:30 AM 476528]
R2 MediaMall Server;MediaMall Server;c:\program files\MediaMall\MediaMallServer.exe [4/18/2010 3:36 PM 3352944]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/21/2008 11:49 PM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/21/2008 11:49 PM 8320]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/15/2009 11:42 AM 12872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-05-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
FF - ProfilePath - c:\documents and settings\Ryan Mcspadden\Application Data\Mozilla\Firefox\Profiles\2vsrkcq7.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\documents and settings\Ryan Mcspadden\Application Data\Mozilla\Firefox\Profiles\2vsrkcq7.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\TrustCheckerMozillaPlugin.dll
FF - plugin: c:\documents and settings\Ryan Mcspadden\Application Data\Mozilla\Firefox\Profiles\2vsrkcq7.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\documents and settings\Ryan Mcspadden\Application Data\Mozilla\Firefox\Profiles\2vsrkcq7.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\Canon\ZoomBrowser EX\Program\NPCIG.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdrmv2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
AddRemove-Audacity_is1 - c:\documents and settings\Ryan Mcspadden\Desktop\Audacity\unins000.exe
AddRemove-Video mp3 Extractor_is1 - c:\documents and settings\Ryan Mcspadden\Desktop\Video mp3 Extractor\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-16 17:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(752)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

- - - - - - - > 'lsass.exe'(808)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

- - - - - - - > 'explorer.exe'(1084)
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\program files\Broderbund\Mavis Beacon Teaches Typing 15\KeyHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.EXE
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\iaantmon.exe
c:\windows\system32\HPZipm12.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\dllhost.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2010-05-16 17:23:59 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-16 22:23

Pre-Run: 41,086,910,464 bytes free
Post-Run: 41,024,921,600 bytes free

- - End Of File - - 566F816A9A163CBD0880D31232013B0F

Edited by grg.clny, 16 May 2010 - 06:48 PM.


#8 grg.clny (Topic Starter)

Posted 18 May 2010 - 09:49 PM

The Google searches seem to be fixed and going to the right website. Avira has picked up a second item since the ComboFix scan. I am going to copy and paste the description here. I will not be able to respond to this thread again until Sunday.
I was not running an Avira scan when it detected this threat, but I did have Firefox open?

Type: File
Source: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP22\A0011525.sys
Status: Infected
Quarantine object: 4e06417f.qua
Restored: NO
Uploaded to Avira: NO
Operating System: Windows 2000/XP/VISTA Workstation
Search engine: 8.02.01.242
Virus definition file: 7.10.07.116
Detection: Is the TR/Patched.Gen Trojan
Date/Time: 5/17/2010, 19:31

#9 pwgib (Malware Response Team)

Posted 19 May 2010 - 03:30 AM

Hello grg.clny,

CODE
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\dmio.sys.vir_
This is in the ComboFix quarantine folder and is harmless unless restored. We will clear it out later.

Do you know what this folder is?

c:\documents and settings\All Users\Application Data\Gosu

Step 1.

We need to run a Combofix Script

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. <<----Important
3. Open notepad and copy/paste the text in the codebox below into it:

CODE
http://www.bleepingcomputer.com/forums/t/315717/started-with-antispyware-soft-virus-fake-scanner/?p=1760491

Collect::
c:\windows\system32\DVCStateBkp-{00000005-00000000-00000004-00001102-00000004-20061102}.dat
c:\windows\system32\DVCState-{00000005-00000000-00000004-00001102-00000004-20061102}.dat

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5555

Folder::
c:\documents and settings\Ryan Mcspadden\Local Settings\Application Data\lkmkrbnrd

DirLook::
c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=-


Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

If Combofix prompts you to update the program please allow it to do so.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Note: When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
Ensure you are connected to the internet and click OK on the message box.

Step 2.

Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

Link 1
Link 2
Link 3
Link 4
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • Please post the resulting log in your next reply.
Step 3.

I need you to run MBAM.
    Open MBAM
  • Click on the Update tab before performing a scan. Click on the Check for Updates button. If an update is found, the program will automatically update itself. After the update press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform full scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Whether or not you are prompted to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

In your next reply please advise about the Gosu folder and include the following:

ComboFix.txt
MBAM log

How is your computer running?


Thanks!!
PW
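An added example, not from this thread and not ComboFix's own code, showing how a responder could pull out of a ComboFix log the four things pwgib's script above acted on: the user proxy pointed at 127.0.0.1:5555 in the post #7 log (a local process sitting between Firefox and the network, which fits the Google redirects reported earlier), the Windows Firewall standard profile switched off, the Security Center DisableMonitoring value, and the folder under Local Settings\Application Data with the throwaway name lkmkrbnrd. The regular expressions and the vowel-count heuristic for generated folder names are my own assumptions. The first sample is assembled from lines quoted in the post #7 log and the helper's CFScript, the second from the same regions of the post #10 log, so the scanner also shows the indicators gone after the script ran. One caveat a practitioner should keep: a third-party firewall such as ZoneAlarm can legitimately write DisableMonitoring under its own Security Center key, so that finding is something to confirm against the installed products, not proof of infection on its own.

```python
"""Flag, in a ComboFix-style log, the indicators a malware-removal helper
acts on: a browser proxy pointed at loopback, a disabled Windows Firewall
profile, Security Center monitoring switched off, and generated-looking
folder names under Local Settings\\Application Data.

Added example for this thread; not ComboFix code. Log excerpts below are
constructed from lines quoted in the thread.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: post #7 log lines plus the folder named in the CFScript.
BEFORE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
c:\documents and settings\Ryan Mcspadden\Local Settings\Application Data\lkmkrbnrd
c:\documents and settings\Ryan Mcspadden\Local Settings\Application Data\Microsoft
"""

# Constructed sample: the same regions of the post #10 log, after the script ran.
AFTER_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

uInternet Settings,ProxyOverride = <local>
"""


@dataclass(frozen=True)
class Finding:
    kind: str     # short indicator name
    line: str     # the log line that triggered it
    detail: str   # what it means for the responder


LOOPBACK = {"127.0.0.1", "localhost"}
# Patterns are assumptions about how ComboFix prints these values.
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?:\w+=)?(?P<host>[\w.\-]+):(?P<port>\d+)", re.I)
FIREWALL_RE = re.compile(r'"EnableFirewall"\s*=\s*0\b')
MONITORING_RE = re.compile(r'"DisableMonitoring"\s*=\s*dword:0*1\b', re.I)
APPDATA_DIR_RE = re.compile(r"\\local settings\\application data\\(?P<name>[A-Za-z]{7,12})\s*$", re.I)


def looks_generated(name: str) -> bool:
    """Heuristic (assumption) for throwaway dropper folder names: all
    lowercase letters with almost no vowels; vendor names have both."""
    vowels = sum(c in "aeiou" for c in name)
    return name.isalpha() and name.islower() and vowels <= len(name) // 4


def scan_log(text: str) -> list[Finding]:
    """Walk the log once, remembering the registry key a value sits under."""
    findings: list[Finding] = []
    section = "(no key)"
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line  # registry key the following values belong to
            continue
        m = PROXY_RE.search(line)
        if m and m.group("host") in LOOPBACK:
            findings.append(Finding("loopback_proxy", line,
                f"browser proxy is {m.group('host')}:{m.group('port')}; "
                "a local process sits in the path of all HTTP traffic"))
        if FIREWALL_RE.search(line):
            findings.append(Finding("firewall_disabled", line,
                f"Windows Firewall off in {section}"))
        if MONITORING_RE.search(line):
            findings.append(Finding("security_center_monitoring_off", line,
                f"Security Center told to ignore the product under {section}; "
                "confirm whether that product set it itself"))
        m = APPDATA_DIR_RE.search(line)
        if m and looks_generated(m.group("name")):
            findings.append(Finding("generated_appdata_dir", line,
                f"folder name {m.group('name')!r} looks machine-generated"))
    return findings


if __name__ == "__main__":
    for label, log in (("before script", BEFORE_LOG), ("after script", AFTER_LOG)):
        print(f"== {label}: {len(scan_log(log))} finding(s)")
        for f in scan_log(log):
            print(f"{f.kind:32} {f.detail}")
```

Run as-is it reports the four indicators from the first excerpt and none from the second. The section tracking matters for the DisableMonitoring check: the key name tells you which product the value belongs to, which is what you need to decide whether the product or the malware wrote it.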

#10 grg.clny (Topic Starter)

Posted 25 May 2010 - 05:12 PM

Hey pwgib,

The Gosu folder is for PlayOn software that allows the Nintendo Wii to play videos from Hulu and Comedy Central on my TV. I am past my 13-day free trial and I may delete it. My Google searches are not being misdirected and everything seems to be working. Avira has not picked up anything since I last posted. Here are my logs:

ComboFix 10-05-24.07 - Ryan Mcspadden 05/25/2010 14:40:35.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.467 [GMT -5:00]
Running from: c:\documents and settings\Ryan Mcspadden\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ryan Mcspadden\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

file zipped: c:\windows\system32\DVCState-{00000005-00000000-00000004-00001102-00000004-20061102}.dat
file zipped: c:\windows\system32\DVCStateBkp-{00000005-00000000-00000004-00001102-00000004-20061102}.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Ryan Mcspadden\Local Settings\Application Data\lkmkrbnrd
c:\windows\system32\AbaleZip.dll
c:\windows\system32\DVCState-{00000005-00000000-00000004-00001102-00000004-20061102}.dat
c:\windows\system32\DVCStateBkp-{00000005-00000000-00000004-00001102-00000004-20061102}.dat

.
((((((((((((((((((((((((( Files Created from 2010-04-25 to 2010-05-25 )))))))))))))))))))))))))))))))
.

2010-05-25 19:34 . 2010-05-25 19:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Gosu
2010-05-16 21:38 . 2008-04-13 18:44 153344 ----a-w- c:\windows\system32\drivers\dmio.sys
2010-05-16 21:38 . 2008-04-13 18:44 153344 ----a-w- c:\windows\system32\dllcache\dmio.sys
2010-05-13 11:58 . 2010-05-13 13:56 -------- d-----w- c:\windows\system32\MpEngineStore
2010-05-08 17:00 . 2010-05-08 22:00 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-05-07 15:56 . 2010-02-01 01:45 38784 ----a-w- c:\documents and settings\Ryan Mcspadden\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-05-07 15:54 . 2010-05-07 15:54 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-05-07 15:53 . 2010-05-07 15:53 -------- d-----w- c:\program files\NOS
2010-04-30 11:53 . 2010-05-18 20:55 63488 ----a-w- c:\documents and settings\Ryan Mcspadden\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-04-28 21:24 . 2010-04-28 21:24 -------- d-----w- c:\program files\iPod
2010-04-28 21:24 . 2010-04-28 21:25 -------- d-----w- c:\program files\iTunes
2010-04-28 21:14 . 2010-04-28 21:14 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.11\SetupAdmin.exe
2010-04-28 17:59 . 2010-04-28 17:59 -------- d-----w- c:\program files\Bonjour
2010-04-26 21:21 . 2010-04-26 21:21 -------- d-----w- c:\documents and settings\LocalService\Application Data\Avira
2010-04-26 20:07 . 2010-05-08 14:36 -------- d-----w- c:\windows\system32\NtmsData
2010-04-26 19:48 . 2010-04-26 19:48 -------- d-----w- c:\documents and settings\Ryan Mcspadden\Application Data\Avira
2010-04-26 19:42 . 2010-03-01 15:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-04-26 19:42 . 2010-02-16 19:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-04-26 19:42 . 2009-05-11 17:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-04-26 19:42 . 2009-05-11 17:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-04-26 19:42 . 2010-04-26 19:42 -------- d-----w- c:\program files\Avira
2010-04-26 19:42 . 2010-04-26 19:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-04-26 00:59 . 2010-04-26 00:59 -------- d-----w- c:\documents and settings\Ryan Mcspadden\Application Data\CheckPoint
2010-04-26 00:58 . 2010-04-26 00:58 -------- d-----w- c:\program files\CheckPoint
2010-04-26 00:58 . 2010-04-26 00:58 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-04-26 00:58 . 2009-11-22 20:42 69000 ----a-w- c:\windows\system32\zlcomm.dll
2010-04-26 00:58 . 2009-11-22 20:42 103816 ----a-w- c:\windows\system32\zlcommdb.dll
2010-04-26 00:57 . 2010-04-26 00:58 -------- d-----w- c:\windows\system32\ZoneLabs
2010-04-26 00:57 . 2009-11-22 20:42 1238408 ----a-w- c:\windows\system32\zpeng25.dll
2010-04-26 00:57 . 2010-04-26 00:57 -------- d-----w- c:\program files\Zone Labs
2010-04-26 00:56 . 2010-05-25 19:35 -------- d-----w- c:\windows\Internet Logs
2010-04-26 00:27 . 2010-04-26 00:28 -------- d-----w- C:\Uninstall

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-25 19:14 . 2009-10-06 19:32 -------- d-----w- c:\documents and settings\Ryan Mcspadden\Application Data\Jarte
2010-05-25 19:06 . 2010-04-26 10:59 1055738 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-05-23 21:45 . 2006-05-21 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-23 21:38 . 2008-05-18 13:24 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-23 21:38 . 2006-05-23 22:27 -------- d-----w- c:\program files\SpywareBlaster
2010-05-18 20:55 . 2009-09-19 17:48 117760 ----a-w- c:\documents and settings\Ryan Mcspadden\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-11 17:07 . 2010-05-11 17:15 1717760 ----a-w- c:\windows\Internet Logs\xDB2.tmp
2010-05-11 16:40 . 2010-05-11 17:15 119808 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2010-05-10 00:01 . 2007-04-10 17:37 -------- d-----w- c:\documents and settings\Ryan Mcspadden\Application Data\U3
2010-05-08 14:47 . 2009-09-19 17:47 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-08 14:33 . 2010-05-08 14:33 16 ----a-w- c:\windows\system32\config\systemprofile\Application Data\woxcdv.dat
2010-05-08 03:28 . 2010-05-08 09:34 76800 ----a-w- c:\windows\Internet Logs\xDB10.tmp
2010-05-07 16:04 . 2010-04-19 02:46 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-05-07 16:00 . 2005-11-13 02:06 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-07 02:14 . 2010-05-07 02:52 222208 ----a-w- c:\windows\Internet Logs\xDBF.tmp
2010-05-04 17:21 . 2010-04-25 18:33 -------- d-----w- c:\documents and settings\All Users\Application Data\MediaMall
2010-04-30 14:23 . 2009-09-22 13:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-29 20:39 . 2009-09-22 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39 . 2009-09-22 13:54 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-29 10:54 . 2010-04-29 11:47 517632 ----a-w- c:\windows\Internet Logs\xDB12.tmp
2010-04-28 21:24 . 2007-06-30 04:36 -------- d-----w- c:\program files\Common Files\Apple
2010-04-27 23:55 . 2010-04-19 00:46 -------- d-----w- c:\documents and settings\Ryan Mcspadden\Application Data\QuickScan
2010-04-27 18:09 . 2008-05-20 03:00 -------- d-----w- c:\program files\CCleaner
2010-04-26 00:33 . 2006-08-07 23:01 41696 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-26 00:33 . 2005-11-12 01:12 41696 ----a-w- c:\documents and settings\Ryan Mcspadden\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-25 18:33 . 2010-04-25 18:33 -------- d-----w- c:\program files\Common Files\ffdshowEx
2010-04-25 18:33 . 2010-04-25 18:33 -------- d-----w- c:\program files\MediaMall
2010-04-25 18:33 . 2010-04-25 18:33 -------- d-----w- c:\program files\Common Files\TV-Websites
2010-04-25 17:05 . 2006-05-21 22:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-25 16:57 . 2006-09-30 09:26 -------- d-----w- c:\program files\QuickTime
2010-04-25 03:40 . 2010-04-19 21:57 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-20 23:42 . 2006-08-13 23:15 -------- d-----w- c:\program files\Jarte
2010-04-20 21:38 . 2006-01-22 02:21 -------- d-----w- c:\documents and settings\Ryan Mcspadden\Application Data\Apple Computer
2010-04-20 12:52 . 2010-04-20 12:51 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-20 12:45 . 2006-09-24 12:44 -------- d-----w- c:\program files\Apple Software Update
2010-04-19 21:57 . 2010-04-19 21:57 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-19 02:48 . 2010-04-19 02:48 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-04-18 00:35 . 2009-12-14 00:01 -------- d-----w- c:\documents and settings\Ryan Mcspadden\Application Data\CameraWindowDC
2010-04-18 00:35 . 2009-12-05 17:11 -------- d-----w- c:\documents and settings\Ryan Mcspadden\Application Data\ZoomBrowser EX
2010-04-15 03:10 . 2008-08-23 13:18 -------- d-----w- c:\program files\CleanUp!
2010-04-15 00:06 . 2010-04-15 00:06 3584 ----a-r- c:\documents and settings\Ryan Mcspadden\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2010-04-15 00:06 . 2010-04-15 00:06 -------- d-----w- c:\program files\Windows Installer Clean Up
2010-04-15 00:06 . 2010-04-15 00:04 -------- d-----w- c:\program files\MSECACHE
2010-04-14 23:21 . 2006-02-18 03:01 -------- d-----w- c:\program files\Yahoo!
2010-04-13 20:58 . 2010-04-19 00:46 670696 ----a-w- c:\documents and settings\Ryan Mcspadden\Application Data\Mozilla\Firefox\Profiles\2vsrkcq7.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
2010-04-13 20:58 . 2010-04-19 00:46 833960 ----a-w- c:\documents and settings\Ryan Mcspadden\Application Data\Mozilla\Firefox\Profiles\2vsrkcq7.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2010-04-11 02:38 . 2005-11-07 17:28 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-08 18:20 . 2010-04-08 18:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 18:20 . 2010-04-08 18:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-04-06 02:23 . 2010-03-20 22:19 -------- d-----w- c:\program files\Understanding Medical Coding - A Comprehensive Guide
2010-04-02 16:44 . 2010-03-23 21:45 -------- d-----w- c:\program files\StudyWare to accompany Correct Coding for Medicare Compliance and Reimbursement
2010-03-10 06:15 . 2005-08-16 10:18 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 05:41 . 2010-03-10 05:41 296008 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-03-09 09:28 . 2008-12-12 22:51 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-25 06:24 . 2005-08-16 10:18 916480 ----a-w- c:\windows\system32\wininet.dll
2005-11-13 14:42 . 2005-11-13 14:42 251 ----a-w- c:\program files\wt3d.ini
2004-08-10 11:00 . 2006-06-11 15:45 28672 ----a-w- c:\program files\mozilla firefox\plugins\custsat.dll
2006-05-10 03:26 . 2006-06-11 15:45 345088 ----a-w- c:\program files\mozilla firefox\plugins\mpvis.dll
2005-04-20 17:32 . 2006-06-11 15:45 47616 ----a-w- c:\program files\mozilla firefox\plugins\msoobci.dll
2008-04-25 19:32 . 2008-04-25 19:32 5817064 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
2006-05-10 03:26 . 2006-06-11 15:45 87040 ----a-w- c:\program files\mozilla firefox\plugins\wmpband.dll
2006-05-10 02:02 . 2006-06-11 15:45 146432 ----a-w- c:\program files\mozilla firefox\plugins\wmpnssci.dll
2006-05-19 02:45 . 2005-11-18 04:53 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521} ----

2010-04-20 12:52 . 2010-04-28 21:25 2094 ----a-w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}\x86\DIFxInstallLog.txt
2009-06-03 14:32 . 2009-06-03 14:32 7994 ----a-w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}\x86\gearaspiwdmx86.cat
2009-05-18 18:48 . 2009-05-18 18:48 2763 ----a-w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}\x86\GEARAspiWDM.inf
2009-05-18 18:17 . 2009-05-18 18:17 26600 ----a-w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}\x86\x86\GEARAspiWDM.sys
2009-02-04 18:56 . 2009-02-04 18:56 75112 ----a-w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}\x86\DifXInstall32.exe
2008-04-17 17:12 . 2008-04-17 17:12 107368 ----a-w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}\x86\x86\GEARAspi.dll
2006-11-02 11:21 . 2006-11-02 11:21 319456 ----a-w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}\x86\DIFxAPI.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-11-22 1037192]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2009-10-14 730480]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-24 142120]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-11-7 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-9-24 282624]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]
Personal Coach.lnk - c:\program files\Broderbund\Mavis Beacon Teaches Typing 15\minimavis.exe [2007-9-20 2392064]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MediaMall\\MediaMallServer.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [9/15/2009 11:42 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/15/2009 11:42 AM 68168]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/26/2010 2:42 PM 135336]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [10/14/2009 8:30 AM 25208]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [10/14/2009 8:30 AM 476528]
R2 MediaMall Server;MediaMall Server;c:\program files\MediaMall\MediaMallServer.exe [4/18/2010 3:36 PM 3352944]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/21/2008 11:49 PM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/21/2008 11:49 PM 8320]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/15/2009 11:42 AM 12872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-05-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
uInternet Settings,ProxyOverride = <local>
FF - ProfilePath - c:\documents and settings\Ryan Mcspadden\Application Data\Mozilla\Firefox\Profiles\2vsrkcq7.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\documents and settings\Ryan Mcspadden\Application Data\Mozilla\Firefox\Profiles\2vsrkcq7.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\TrustCheckerMozillaPlugin.dll
FF - plugin: c:\documents and settings\Ryan Mcspadden\Application Data\Mozilla\Firefox\Profiles\2vsrkcq7.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\documents and settings\Ryan Mcspadden\Application Data\Mozilla\Firefox\Profiles\2vsrkcq7.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\Canon\ZoomBrowser EX\Program\NPCIG.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdrmv2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-25 14:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(756)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

- - - - - - - > 'lsass.exe'(812)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
Completion time: 2010-05-25 14:51:54
ComboFix-quarantined-files.txt 2010-05-25 19:51
ComboFix2.txt 2010-05-16 22:24

Pre-Run: 40,265,871,360 bytes free
Post-Run: 40,217,288,704 bytes free

- - End Of File - - 6A6397695560F21A0C4FE3D5D63A1A2C
Upload was successful
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Ryan Mcspadden on 05/25/2010 at 15:06:59.


Processes terminated by Rkill or while it was running:


C:\Documents and Settings\Ryan Mcspadden\Desktop\rkill.com


Rkill completed on 05/25/2010 at 15:07:03.
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4143

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/25/2010 4:37:44 PM
mbam-log-2010-05-25 (16-37-44).txt

Scan type: Full scan (C:\|)
Objects scanned: 205662
Time elapsed: 1 hour(s), 23 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Edited by grg.clny, 25 May 2010 - 05:14 PM.
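Editor's added example, not part of the thread and not output of any of the tools above: the ComboFix log lists three keys under "LOCKED REGISTRY KEYS" (...\Run\OptionalComponents\IMAIL, MAPI and MSFS), and the poster separately reports MSI Error 1402 ("Could not open Key ...") when installing Adobe Reader. Error 1402 is exactly what an installer gets when the DACL on a key it needs denies it access, so a practitioner's first check is to read the security descriptor of the listed keys and see who actually holds rights on them. The script below does that with Get-Acl; the key list is taken from the log, everything else (the FullControl check, the warning text) is the editor's. It must be run from an Administrator PowerShell session; on a possibly compromised machine, read it as triage, not as proof of tampering, since these three OptionalComponents keys show up in the locked-key section of a great many ComboFix logs.

```powershell
# Added example (editor's, not from the thread): inspect the DACL on the keys
# ComboFix reported as locked. Get-Acl needs READ_CONTROL on each key; when
# the DACL grants the caller nothing, it fails here for the same reason an
# MSI install fails with Error 1402.
$keys = @(
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS'
)

$fullControl = [System.Security.AccessControl.RegistryRights]::FullControl

foreach ($k in $keys) {
    Write-Host "== $k"
    try {
        $acl = Get-Acl -Path ("Registry::" + $k) -ErrorAction Stop
    } catch {
        # Missing key or access denied: report the exact exception and move on.
        Write-Host ("  cannot read security descriptor: " + $_.Exception.Message)
        continue
    }

    Write-Host ("  owner: " + $acl.Owner)
    if ($acl.Access.Count -eq 0) {
        # An empty DACL denies everyone; this is the classic Error 1402 state.
        Write-Host "  DACL has no entries: all access denied"
    }
    foreach ($ace in $acl.Access) {
        $inh = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
        Write-Host ("  {0,-6} {1,-40} {2} ({3})" -f $ace.AccessControlType,
            $ace.IdentityReference.Value, $ace.RegistryRights, $inh)
    }

    # Flag keys where the local Administrators group lacks an Allow/FullControl
    # entry; an installer running as an administrator cannot open such a key
    # for write, which matches the error text quoted in the thread.
    $adminFull = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'BUILTIN\Administrators' -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.RegistryRights -band $fullControl) -eq $fullControl)
    }
    if (-not $adminFull) {
        Write-Host "  WARNING: BUILTIN\Administrators does not hold FullControl on this key"
    }
}
```

The script only reads; it changes nothing. If a key turns out to be unreadable or to lack an Administrators entry, resetting its permissions (take ownership, then grant Administrators and SYSTEM full control) is the usual repair for Error 1402, but that is a deliberate change to make after the malware-removal steps in this thread are finished, not during them.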


#11 pwgib

  • Malware Response Team
  • 2,956 posts
  • Gender:Male
  • Location:God's Country

Posted 29 May 2010 - 08:20 AM

Hi grg.clny,

Let's get a couple of final looks at your system.

Step 1.

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

Step 2.
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

In your next reply please include the following:

Eset scan results <<(Note: If nothing is found there will not be a report)
DDS logs <<(copy and paste the DDS.txt and attach the attach.txt log)



Thanks!!
PW

#12 grg.clny
  • Topic Starter

  • Members
  • 90 posts

Posted 29 May 2010 - 01:12 PM

Hi pwgib,

I tried to run ESET online scan but it would get to about 33% and stop. I waited over a half hour at one point and the scan would not continue. I was able to run the DDS scan and I will post the results. Another problem I had forgotten about is when I try to update Adobe Reader 9.3 I get this error and I can't complete it:

ERROR 1402 Could not open Key HKEY_LOCAL_MACHINE_\Software\Micorsoft\Window ws\...\MFS- Verify you have sufficient access to that key.


Not sure why I can't update it. Thank you for your help.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Ryan Mcspadden at 12:57:50.33 on Sat 05/29/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.551 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\MediaMall\MediaMallServer.exe
C:\WINDOWS\system32\HPZipm12.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 15\minimavis.exe
C:\Program Files\MediaMall\MediaMallServer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CleanUp!\Cleanup.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Ryan Mcspadden\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
uInternet Settings,ProxyOverride = <local>
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: ZoneAlarm Toolbar Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [ISW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\person~1.lnk - c:\program files\broderbund\mavis beacon teaches typing 15\minimavis.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140380567780
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ryanmc~1\applic~1\mozilla\firefox\profiles\2vsrkcq7.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\documents and settings\ryan mcspadden\application data\mozilla\firefox\profiles\2vsrkcq7.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - component: c:\program files\checkpoint\zaforcefield\trustchecker\components\TrustCheckerMozillaPlugin.dll
FF - plugin: c:\documents and settings\ryan mcspadden\application data\mozilla\firefox\profiles\2vsrkcq7.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\documents and settings\ryan mcspadden\application data\mozilla\firefox\profiles\2vsrkcq7.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\canon\zoombrowser ex\program\NPCIG.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdrmv2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-4-26 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-9-15 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-9-15 67656]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-4-25 486280]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-4-26 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-4-26 267432]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-4-26 60936]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2009-10-14 25208]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2009-10-14 476528]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 MediaMall Server;MediaMall Server;c:\program files\mediamall\MediaMallServer.exe [2010-4-18 3352944]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-8-21 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-8-21 8320]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-9-15 12872]

=============== Created Last 30 ================

2010-05-29 15:08:47 0 d-----w- c:\program files\ESET
2010-05-29 11:27:09 0 d-----w- c:\docume~1\alluse~1\applic~1\Gosu
2010-05-28 16:36:15 0 d-sh--w- c:\docume~1\ryanmc~1\applic~1\.#
2010-05-25 21:52:55 384 ----a-w- c:\windows\system32\DVCStateBkp-{00000005-00000000-00000004-00001102-00000004-20061102}.dat
2010-05-25 21:52:55 384 ----a-w- c:\windows\system32\DVCState-{00000005-00000000-00000004-00001102-00000004-20061102}.dat
2010-05-16 21:38:32 153344 ----a-w- c:\windows\system32\drivers\dmio.sys
2010-05-16 21:38:32 153344 ----a-w- c:\windows\system32\dllcache\dmio.sys
2010-05-16 21:33:30 98816 ----a-w- c:\windows\sed.exe
2010-05-16 21:33:30 77312 ----a-w- c:\windows\MBR.exe
2010-05-16 21:33:30 256512 ----a-w- c:\windows\PEV.exe
2010-05-16 21:33:30 161792 ----a-w- c:\windows\SWREG.exe
2010-05-13 11:58:21 0 d-----w- c:\windows\system32\MpEngineStore
2010-05-13 02:45:57 171 ----a-w- c:\windows\system32\MRT.INI

==================== Find3M ====================

2010-04-29 20:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-26 00:58:19 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-04-08 18:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 18:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll
2010-03-09 09:28:20 411368 ----a-w- c:\windows\system32\deploytk.dll
2005-11-13 14:42:03 251 ----a-w- c:\program files\wt3d.ini
2006-05-19 02:45:29 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 13:00:50.27 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 11/11/2005 7:11:22 PM
System Uptime: 5/29/2010 6:25:00 AM (7 hours ago)

Motherboard: Dell Inc. | | 0YC523
Processor: Intel® Pentium® D CPU 2.80GHz | Microprocessor | 2793/800mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 144 GiB total, 36.939 GiB free.
D: is CDROM ()
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP14: 5/7/2010 11:09:36 AM - New Restore Point Kubrick
RP15: 5/8/2010 12:19:35 PM - System Checkpoint
RP16: 5/8/2010 9:54:16 PM - Removed Adobe Reader 8.1.2
RP17: 5/8/2010 9:54:33 PM - Installed Adobe Reader 9.3.
RP18: 5/10/2010 6:32:57 AM - System Checkpoint
RP19: 5/11/2010 8:23:23 AM - System Checkpoint
RP20: 5/12/2010 2:18:06 PM - System Checkpoint
RP21: 5/12/2010 9:41:16 PM - Software Distribution Service 3.0
RP22: 5/16/2010 4:33:57 PM - ComboFix created restore point
RP23: 5/17/2010 6:17:20 PM - System Checkpoint
RP24: 5/18/2010 7:19:18 PM - System Checkpoint
RP25: 5/23/2010 9:20:33 PM - System Checkpoint
RP26: 5/24/2010 9:37:43 PM - System Checkpoint
RP27: 5/25/2010 2:29:11 PM - Software Distribution Service 3.0
RP28: 5/26/2010 8:32:03 PM - Removed Adobe Reader 8.1.2
RP29: 5/26/2010 8:34:02 PM - Installed Adobe Reader 9.3.
RP30: 5/26/2010 8:46:01 PM - Removed Adobe Reader 8.1.2
RP31: 5/26/2010 8:46:10 PM - Installed Adobe Reader 9.3.
RP32: 5/28/2010 8:08:36 AM - System Checkpoint
RP33: 5/29/2010 8:21:24 AM - System Checkpoint
RP34: 5/29/2010 12:52:28 PM - Removed Adobe Reader 8.1.2
RP35: 5/29/2010 12:52:48 PM - Installed Adobe Reader 9.3.

==== Installed Programs ======================

321 Code It
Acrobat.com
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe AIR
Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Adobe Shockwave Player 11.5
Amazon MP3 Downloader 1.0.5
AOLIcon
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ATI Control Panel
ATI Display Driver
Avira AntiVir Personal - Free Antivirus
Bonjour
Brain Fitness Program
BufferChm
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Digital Camera Solution Disk 40-46 Software Starter Guide
Canon G.726 WMP-Decoder
CANON iMAGE GATEWAY Task for ZoomBrowser EX
Canon Internet Library for ZoomBrowser EX
Canon MOV Decoder
Canon MOV Encoder
Canon MovieEdit Task for ZoomBrowser EX
Canon Personal Printing Guide
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
Canon Utilities EOS Utility
Canon Utilities MyCamera
Canon Utilities MyCamera DC
Canon Utilities PhotoStitch
Canon Utilities RemoteCapture Task for ZoomBrowser EX
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
CCleaner
CleanUp!
Conexant D850 56K V.9x DFVc Modem
CP_AtenaShokunin1Config
CP_CalendarTemplates1
cp_OnlineProjectsConfig
CP_Package_Basic1
CP_Panorama1Config
cp_PosterPrintConfig
Critical Update for Windows Media Player 11 (KB959772)
CueTour
CustomerResearchQFolder
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Game Console
Dell Support 3.1
Dell System Restore
Destinations
DeviceFunctionQFolder
DeviceManagementQFolder
Digital Content Portal
Digital Line Detect
dj_taplugin
dj6940
EarthLink setup files
EducateU
ESET Online Scanner v3
eSupportQFolder
FLV Player 1.3.3
FullDPAppQFolder
High Definition Audio Driver Package - KB835221
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB888795)
Hotfix for Windows XP (KB891593)
Hotfix for Windows XP (KB895961)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB899337)
Hotfix for Windows XP (KB899510)
Hotfix for Windows XP (KB902841)
Hotfix for Windows XP (KB912024)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Deskjet 6900 series
HP Extended Capabilities 6.0
HP Imaging Device Functions 6.0
HP Photosmart Premier Software 6.0
HP Product Assistant
HP Solution Center and Imaging Support Tools 6.0
HP Update
hpf_ProductContext
HPProductAssistant
InstantShareDevices
Intel Matrix Storage Manager
Intel® PRO Network Connections Drivers
Intel® PROSet for Wired Connections
InterActual Player
Internet Explorer Default Page
IrfanView (remove only)
iTunes
Jarte 4.1
LP6940_Help
LP6940Trb
Macromedia Flash Player
Malwarebytes' Anti-Malware
MarketResearch
Mavis Beacon Teaches Typing 15
Medical Office Simulation Software (MOSS)
Medical Terminology for Health Professions
Microsoft .NET Framework 1.0 Hotfix (KB887998)
Microsoft .NET Framework 1.0 Hotfix (KB930494)
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Access 2000 Runtime
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Modem Helper
Mozilla Firefox (3.6.3)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NetWaiting
NetZeroInstallers
PhotoGallery
PlayOn
PowerDVD 5.5
QuickTime
RandMap
Readme
Riva FLV Encoder 2.0
screensaver2004
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
Sibelius Scorch (Firefox, Opera, Netscape only)
SkinsHP1
SolutionCenter
Sonic DLA
Sonic Encoders
Sonic MyDVD LE
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Sonic_PrimoSDK
Sound Blaster Audigy 2 ZS
Spelling Dictionaries Support For Adobe Reader 8
Spybot - Search & Destroy
SpywareBlaster 4.3
Status
StudyWare to accompany Correct Coding for Medicare, Compliance
SUPERAntiSpyware Free Edition
TrayApp
Understanding Medical Coding - A Comprehensive Guide
Understanding Medical Coding - A Comprehensive Guide V2.2.0
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB971180)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
VideoLAN VLC media player 0.8.6a
Viewpoint Media Player
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Installer Clean Up
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Connect
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB888310
Windows XP Hotfix - KB889673
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890927
Windows XP Hotfix - KB891781
Windows XP Media Center Edition 2005 KB925766
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
ZoneAlarm
ZoneAlarm Toolbar

==== Event Viewer Messages From Past Week ========

5/25/2010 8:34:21 PM, error: Service Control Manager [7000] - The SASDIFSV service failed to start due to the following error: Cannot create a file when that file already exists.
5/25/2010 8:08:35 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the TrueVector Internet Monitor service to connect.
5/25/2010 8:08:35 AM, error: Service Control Manager [7000] - The TrueVector Internet Monitor service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/25/2010 8:08:35 AM, error: Service Control Manager [7000] - The Canon Camera Access Library 8 service failed to start due to the following error: The system cannot find the file specified.
5/25/2010 2:21:05 PM, error: Service Control Manager [7031] - The Windows Media Player Network Sharing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.

==== End Of File ===========================


#13 pwgib


  • Malware Response Team
  • 2,956 posts
  • ONLINE
  • Gender:Male
  • Location:God's Country
  • Local time:01:22 PM

Posted 31 May 2010 - 04:19 PM

Hello grg.clny,

Do you know what this folder is?

c:\documents and settings\Ryan Mcspadden\Application Data\.#

Step 1.
  • Click "start" on the taskbar and then click on the "Control Panel" icon.
  • Please double-click the "Add or Remove Programs" icon.
  • A list of programs installed will be "populated"; this may take a bit of time.
  • If they exist, uninstall the following by clicking on the following entries and selecting "remove":
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1


Step 2.

The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous, so we will make a backup of the registry first.
Modification of the registry can be EXTREMELY dangerous if you do not know exactly what you are doing, so follow the steps that are listed below EXACTLY. If you cannot perform some of these steps or if you have ANY questions, please ask BEFORE proceeding.

Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

For Windows Vista you will need to turn off User Account Control
http://www.howtogeek.com/howto/windows-vis...-windows-vista/

Step 3.

We need to repair some of Windows' internal registration settings.
  1. Please download Dial-A-Fix from one of the following mirrors:
  2. Extract the zip file to your desktop.
  3. Double click Dial-a-Fix.exe to start the program.
  4. Press the green double checkmark box (Looks like this: )
  5. UNcheck "Empty Temp Folders", as well as "Adjust Time/Date" in the prep section. The prep section should then look like this:
  6. Press the Hammer Icon in the bottom right of the window.
  7. At the next window scroll down and highlight Repair permissions.
  8. Push the GO button.
  9. When it has finished running, close the window.
  10. You should now be back to the main screen.
  11. When the window looks like this, press the GO button in the bottom of the window.
  12. Exit/Close Dial-A-Fix
Now try to install Adobe Reader 9.3

Step 4.

We need to run a Combofix Script

1. Close any open browsers.

2. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix. <<----Important
3. Open notepad and copy/paste the text in the codebox below into it:

CODE
DDS::
TB: {BA52B914-B692-46c4-B683-905236F6F655}
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88}

DirLook::
c:\documents and settings\Ryan Mcspadden\Application Data\.#


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

If Combofix prompts you to update the program please allow it to do so.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

In your next reply let me know about the folder, if you were successful in installing Adobe Reader 9.3 and please post ComboFix.txt

Thanks!!
PW
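
The helper's question about the `.#` folder comes down to reading ComboFix's attribute column (the `d-sh--w-` in the log posted further down marks it as a hidden, system directory sitting in a user's Application Data). As an added example that is not part of this thread, of ComboFix or of any tool the helper names, here is a small Python triage script that parses those "Files Created" / "Find3M" lines and flags hidden or system entries inside a user profile and names with no letters or digits. The field layout and the attribute-letter positions are inferred from the lines on this page rather than taken from any ComboFix documentation, and `LINE_RE`, `Entry`, `triage`, `triage_log` and `SAMPLE_LOG` are names I chose; the sample lines are copied from the log in this thread.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical helper, not part of ComboFix or this thread. It reads the
# "Files Created" / "Find3M" lines of a ComboFix log. Field layout inferred
# from the lines on this page (assumption):
#     <created> . <last-modified> <size|--------> <attrs> <path>
# The 8-character attribute column is read as: 'd' at position 0 = directory,
# 's' at 2 = system, 'h' at 3 = hidden, 'a' at 4 = archive, 'w'/'r' at 6 =
# writable / read-only. Other positions are left uninterpreted.
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>\S{8}) (?P<path>.+)$"
)

USER_PROFILES = "c:\\documents and settings\\"
# Profiles that are not a real user's: a hidden entry there is not unusual.
SHARED_PROFILES = ("all users\\", "default user\\", "localservice\\", "networkservice\\")


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]  # None for directories ("--------" in the log)
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def is_system(self) -> bool:
        return self.attrs[2] == "s"

    @property
    def is_hidden(self) -> bool:
        return self.attrs[3] == "h"

    @property
    def name(self) -> str:
        return self.path.rstrip("\\").rsplit("\\", 1)[-1]


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a file-listing line, or None for headers/blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    size = None if m["size"].startswith("-") else int(m["size"])
    return Entry(m["created"], m["modified"], size, m["attrs"], m["path"])


def in_user_profile(path: str) -> bool:
    """True for a path under a real user's profile (not All Users / service accounts)."""
    low = path.lower()
    if not low.startswith(USER_PROFILES):
        return False
    rest = low[len(USER_PROFILES):]
    return not rest.startswith(SHARED_PROFILES)


def triage(entry: Entry) -> List[str]:
    """Reasons an entry deserves a look; an empty list means nothing stood out."""
    reasons = []
    if (entry.is_hidden or entry.is_system) and in_user_profile(entry.path):
        reasons.append("hidden/system attribute inside a user profile")
    if not any(c.isalnum() for c in entry.name):
        reasons.append("name contains no letters or digits")
    return reasons


def triage_log(text: str) -> Dict[str, List[str]]:
    """Map each flagged path to its reasons, skipping lines that are not file entries."""
    flagged: Dict[str, List[str]] = {}
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = triage(entry)
        if reasons:
            flagged[entry.path] = reasons
    return flagged


# Sample input copied from the ComboFix log in this thread, including its
# section header and the lone "." separator, which the parser must skip.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2010-05-03 to 2010-06-03 )))))))))))))))))))))))))))))))
.
2010-06-03 02:13 . 2010-06-03 02:13 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-05-28 16:36 . 2010-05-31 18:27 -------- d-sh--w- c:\documents and settings\Ryan Mcspadden\Application Data\.#
2010-05-08 17:00 . 2010-05-08 22:00 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-04-26 00:58 . 2010-04-26 00:58 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-04-11 02:38 . 2005-11-07 17:28 -------- d--h--w- c:\program files\InstallShield Installation Information
2006-05-19 02:45 . 2005-11-18 04:53 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
"""

if __name__ == "__main__":
    for path, reasons in triage_log(SAMPLE_LOG).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

Run on the sample, only the `.#` directory is reported, for both reasons; the hidden and system entries under `c:\windows` and `c:\program files` are deliberately left alone, because the location rule is what separates "a hidden folder where a user-mode program dropped it" from the many legitimately hidden items Windows keeps. The output is a list of things to look at, which is exactly what the helper then does with ComboFix's `DirLook::` directive, not a verdict.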

#14 grg.clny

  • Topic Starter

  • Members
  • 90 posts
  • OFFLINE
  • Local time:12:22 PM

Posted 03 June 2010 - 08:17 AM

I removed Adobe and then backed up the registry. When I ran Dial-a-fix it got to "stopping Crypsvc" but it did not finish. I even waited over an hour one time and it did not complete.

I looked at c:\documents and settings\Ryan Mcspadden\Application Data\.#
The folder came up as hidden. When I opened it, it was empty?
I am running the Combofix script now.

Here are the results:
ComboFix 10-05-24.07 - Ryan Mcspadden 06/03/2010 8:36.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.655 [GMT -5:00]
Running from: c:\documents and settings\Ryan Mcspadden\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ryan Mcspadden\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((( Files Created from 2010-05-03 to 2010-06-03 )))))))))))))))))))))))))))))))
.

2010-06-03 02:13 . 2010-06-03 02:13 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-05-31 18:30 . 2010-05-31 18:32 -------- d-----w- c:\program files\Understanding Medical Coding - A Comprehensive Guide
2010-05-31 18:24 . 2010-05-31 18:26 -------- d-----w- c:\program files\StudyWare to accompany Correct Coding for Medicare Compliance and Reimbursement
2010-05-29 15:08 . 2010-05-29 15:08 -------- d-----w- c:\program files\ESET
2010-05-28 16:36 . 2010-05-31 18:27 -------- d-sh--w- c:\documents and settings\Ryan Mcspadden\Application Data\.#
2010-05-27 01:35 . 2010-05-27 01:35 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-05-25 21:52 . 2010-06-03 02:49 384 ----a-w- c:\windows\system32\DVCStateBkp-{00000005-00000000-00000004-00001102-00000004-20061102}.dat
2010-05-25 21:52 . 2010-06-03 02:49 384 ----a-w- c:\windows\system32\DVCState-{00000005-00000000-00000004-00001102-00000004-20061102}.dat
2010-05-16 21:38 . 2008-04-13 18:44 153344 ----a-w- c:\windows\system32\drivers\dmio.sys
2010-05-16 21:38 . 2008-04-13 18:44 153344 ----a-w- c:\windows\system32\dllcache\dmio.sys
2010-05-13 11:58 . 2010-05-13 13:56 -------- d-----w- c:\windows\system32\MpEngineStore
2010-05-08 17:00 . 2010-05-08 22:00 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-05-07 15:53 . 2010-05-07 15:53 -------- d-----w- c:\program files\NOS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-03 13:24 . 2005-11-13 02:06 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-03 11:07 . 2006-05-21 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-03 11:04 . 2008-05-18 13:24 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-06-03 11:04 . 2006-05-23 22:27 -------- d-----w- c:\program files\SpywareBlaster
2010-06-03 11:00 . 2010-04-26 10:59 1949181 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-06-02 02:34 . 2009-10-06 19:32 -------- d-----w- c:\documents and settings\Ryan Mcspadden\Application Data\Jarte
2010-06-01 17:22 . 2005-11-12 01:12 41696 ----a-w- c:\documents and settings\Ryan Mcspadden\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-31 12:55 . 2010-04-25 18:33 -------- d-----w- c:\documents and settings\All Users\Application Data\MediaMall
2010-05-28 20:19 . 2008-05-20 03:00 -------- d-----w- c:\program files\CCleaner
2010-05-27 01:24 . 2010-04-19 02:46 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-05-26 01:37 . 2010-04-30 11:53 63488 ----a-w- c:\documents and settings\Ryan Mcspadden\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-26 01:36 . 2009-09-19 17:48 117760 ----a-w- c:\documents and settings\Ryan Mcspadden\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-26 01:34 . 2009-09-19 17:47 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-11 17:07 . 2010-05-11 17:15 1717760 ----a-w- c:\windows\Internet Logs\xDB2.tmp
2010-05-11 16:40 . 2010-05-11 17:15 119808 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2010-05-10 00:01 . 2007-04-10 17:37 -------- d-----w- c:\documents and settings\Ryan Mcspadden\Application Data\U3
2010-05-08 14:33 . 2010-05-08 14:33 16 ----a-w- c:\windows\system32\config\systemprofile\Application Data\woxcdv.dat
2010-05-08 03:28 . 2010-05-08 09:34 76800 ----a-w- c:\windows\Internet Logs\xDB10.tmp
2010-05-07 02:14 . 2010-05-07 02:52 222208 ----a-w- c:\windows\Internet Logs\xDBF.tmp
2010-04-30 14:23 . 2009-09-22 13:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-29 20:39 . 2009-09-22 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39 . 2009-09-22 13:54 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-29 10:54 . 2010-04-29 11:47 517632 ----a-w- c:\windows\Internet Logs\xDB12.tmp
2010-04-28 21:25 . 2010-04-28 21:24 -------- d-----w- c:\program files\iTunes
2010-04-28 21:24 . 2010-04-28 21:24 -------- d-----w- c:\program files\iPod
2010-04-28 21:24 . 2007-06-30 04:36 -------- d-----w- c:\program files\Common Files\Apple
2010-04-28 21:14 . 2010-04-28 21:14 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.11\SetupAdmin.exe
2010-04-28 17:59 . 2010-04-28 17:59 -------- d-----w- c:\program files\Bonjour
2010-04-27 23:55 . 2010-04-19 00:46 -------- d-----w- c:\documents and settings\Ryan Mcspadden\Application Data\QuickScan
2010-04-26 21:21 . 2010-04-26 21:21 -------- d-----w- c:\documents and settings\LocalService\Application Data\Avira
2010-04-26 19:48 . 2010-04-26 19:48 -------- d-----w- c:\documents and settings\Ryan Mcspadden\Application Data\Avira
2010-04-26 19:42 . 2010-04-26 19:42 -------- d-----w- c:\program files\Avira
2010-04-26 19:42 . 2010-04-26 19:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-04-26 00:59 . 2010-04-26 00:59 -------- d-----w- c:\documents and settings\Ryan Mcspadden\Application Data\CheckPoint
2010-04-26 00:58 . 2010-04-26 00:58 -------- d-----w- c:\program files\CheckPoint
2010-04-26 00:58 . 2010-04-26 00:58 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-04-26 00:57 . 2010-04-26 00:57 -------- d-----w- c:\program files\Zone Labs
2010-04-26 00:33 . 2006-08-07 23:01 41696 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-25 17:05 . 2006-05-21 22:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-25 16:57 . 2006-09-30 09:26 -------- d-----w- c:\program files\QuickTime
2010-04-25 03:40 . 2010-04-19 21:57 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-20 23:42 . 2006-08-13 23:15 -------- d-----w- c:\program files\Jarte
2010-04-20 21:38 . 2006-01-22 02:21 -------- d-----w- c:\documents and settings\Ryan Mcspadden\Application Data\Apple Computer
2010-04-20 12:52 . 2010-04-20 12:51 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-20 12:45 . 2006-09-24 12:44 -------- d-----w- c:\program files\Apple Software Update
2010-04-19 21:57 . 2010-04-19 21:57 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-18 00:35 . 2009-12-14 00:01 -------- d-----w- c:\documents and settings\Ryan Mcspadden\Application Data\CameraWindowDC
2010-04-18 00:35 . 2009-12-05 17:11 -------- d-----w- c:\documents and settings\Ryan Mcspadden\Application Data\ZoomBrowser EX
2010-04-15 03:10 . 2008-08-23 13:18 -------- d-----w- c:\program files\CleanUp!
2010-04-15 00:06 . 2010-04-15 00:06 3584 ----a-r- c:\documents and settings\Ryan Mcspadden\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2010-04-15 00:06 . 2010-04-15 00:06 -------- d-----w- c:\program files\Windows Installer Clean Up
2010-04-15 00:06 . 2010-04-15 00:04 -------- d-----w- c:\program files\MSECACHE
2010-04-14 23:21 . 2006-02-18 03:01 -------- d-----w- c:\program files\Yahoo!
2010-04-13 20:58 . 2010-04-19 00:46 670696 ----a-w- c:\documents and settings\Ryan Mcspadden\Application Data\Mozilla\Firefox\Profiles\2vsrkcq7.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
2010-04-13 20:58 . 2010-04-19 00:46 833960 ----a-w- c:\documents and settings\Ryan Mcspadden\Application Data\Mozilla\Firefox\Profiles\2vsrkcq7.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2010-04-11 02:38 . 2005-11-07 17:28 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-08 18:20 . 2010-04-08 18:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 18:20 . 2010-04-08 18:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-03-10 06:15 . 2005-08-16 10:18 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 05:41 . 2010-03-10 05:41 296008 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-03-09 09:28 . 2008-12-12 22:51 411368 ----a-w- c:\windows\system32\deploytk.dll
2005-11-13 14:42 . 2005-11-13 14:42 251 ----a-w- c:\program files\wt3d.ini
2004-08-10 11:00 . 2006-06-11 15:45 28672 ----a-w- c:\program files\mozilla firefox\plugins\custsat.dll
2006-05-10 03:26 . 2006-06-11 15:45 345088 ----a-w- c:\program files\mozilla firefox\plugins\mpvis.dll
2005-04-20 17:32 . 2006-06-11 15:45 47616 ----a-w- c:\program files\mozilla firefox\plugins\msoobci.dll
2008-04-25 19:32 . 2008-04-25 19:32 5817064 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
2006-05-10 03:26 . 2006-06-11 15:45 87040 ----a-w- c:\program files\mozilla firefox\plugins\wmpband.dll
2006-05-10 02:02 . 2006-06-11 15:45 146432 ----a-w- c:\program files\mozilla firefox\plugins\wmpnssci.dll
2006-05-19 02:45 . 2005-11-18 04:53 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\Ryan Mcspadden\Application Data\.# ----



((((((((((((((((((((((((((((( SnapShot@2010-05-25_19.48.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-04 02:39 . 2010-05-27 01:23 87702 c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
- 2009-07-21 08:02 . 2009-07-21 08:02 94208 c:\windows\system32\Adobe\Shockwave 11\SwMenu.dll
+ 2010-05-05 14:05 . 2010-05-05 14:05 94208 c:\windows\system32\Adobe\Shockwave 11\SwMenu.dll
- 2009-07-21 06:59 . 2009-07-21 06:59 79488 c:\windows\system32\Adobe\Shockwave 11\gtapi.dll
+ 2010-04-29 10:11 . 2010-04-29 10:11 79488 c:\windows\system32\Adobe\Shockwave 11\gtapi.dll
+ 2010-05-05 14:38 . 2010-05-05 14:38 65816 c:\windows\system32\Adobe\Director\SWDNLD.EXE
- 2009-07-21 08:04 . 2009-07-21 08:04 9216 c:\windows\system32\Adobe\Shockwave 11\DynaPlayer.dll
+ 2010-05-05 14:07 . 2010-05-05 14:07 9216 c:\windows\system32\Adobe\Shockwave 11\DynaPlayer.dll
- 2005-08-16 10:27 . 2010-04-26 00:32 159544 c:\windows\system32\FNTCACHE.DAT
+ 2005-08-16 10:27 . 2010-06-01 22:31 159544 c:\windows\system32\FNTCACHE.DAT
+ 2010-04-29 10:11 . 2010-04-29 10:11 136568 c:\windows\system32\Adobe\Shockwave 11\SYMCCHECKER.DLL
+ 2010-05-05 14:05 . 2010-05-05 14:05 114688 c:\windows\system32\Adobe\Shockwave 11\SwInit.exe
- 2009-07-21 08:07 . 2009-07-21 08:07 114688 c:\windows\system32\Adobe\Shockwave 11\SwInit.exe
+ 2010-05-05 14:36 . 2010-05-05 14:36 467224 c:\windows\system32\Adobe\Shockwave 11\SwHelper_1157609.exe
- 2009-07-21 08:07 . 2009-07-21 08:07 446464 c:\windows\system32\Adobe\Shockwave 11\Proj.dll
+ 2010-05-05 14:08 . 2010-05-05 14:08 446464 c:\windows\system32\Adobe\Shockwave 11\Proj.dll
+ 2010-05-05 14:06 . 2010-05-05 14:06 372736 c:\windows\system32\Adobe\Shockwave 11\Plugin.dll
- 2009-07-21 08:02 . 2009-07-21 08:02 372736 c:\windows\system32\Adobe\Shockwave 11\Plugin.dll
+ 2010-04-29 10:11 . 2010-04-29 10:11 753152 c:\windows\system32\Adobe\Shockwave 11\gi.dll
+ 2010-05-05 14:05 . 2010-05-05 14:05 503808 c:\windows\system32\Adobe\Shockwave 11\Control.dll
+ 2010-05-05 14:37 . 2010-05-05 14:37 213272 c:\windows\system32\Adobe\Director\SwDir.dll
+ 2010-05-05 14:07 . 2010-05-05 14:07 131072 c:\windows\system32\Adobe\Director\np32dsw.dll
- 2009-07-21 08:03 . 2009-07-21 08:03 131072 c:\windows\system32\Adobe\Director\np32dsw.dll
+ 2010-06-01 01:06 . 2005-10-20 17:02 163328 c:\windows\ERDNT\5-31-2010\ERDNT.EXE
+ 2010-05-05 13:40 . 2010-05-05 13:40 1011712 c:\windows\system32\Adobe\Shockwave 11\iml32.dll
- 2009-07-21 07:07 . 2009-07-21 07:07 1011712 c:\windows\system32\Adobe\Shockwave 11\iml32.dll
+ 2010-04-29 10:11 . 2010-04-29 10:11 1975408 c:\windows\system32\Adobe\Shockwave 11\gt.exe
- 2009-07-21 07:12 . 2009-07-21 07:12 1798144 c:\windows\system32\Adobe\Shockwave 11\dirapi.dll
+ 2010-05-05 13:44 . 2010-05-05 13:44 1798144 c:\windows\system32\Adobe\Shockwave 11\dirapi.dll
+ 2010-06-01 01:06 . 2010-06-01 01:06 3633152 c:\windows\ERDNT\5-31-2010\Users\00000002\UsrClass.dat
+ 2010-06-01 01:06 . 2010-06-01 01:06 11501568 c:\windows\ERDNT\5-31-2010\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-11-22 1037192]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2009-10-14 730480]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-24 142120]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-11-7 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-9-24 282624]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]
Personal Coach.lnk - c:\program files\Broderbund\Mavis Beacon Teaches Typing 15\minimavis.exe [2007-9-20 2392064]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [9/15/2009 11:42 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/15/2009 11:42 AM 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/26/2010 2:42 PM 135336]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [10/14/2009 8:30 AM 25208]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [10/14/2009 8:30 AM 476528]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/21/2008 11:49 PM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/21/2008 11:49 PM 8320]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/15/2009 11:42 AM 12872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{149124ee-e57e-11dc-9e38-00123f799cd6}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2010-05-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
uInternet Settings,ProxyOverride = <local>
FF - ProfilePath - c:\documents and settings\Ryan Mcspadden\Application Data\Mozilla\Firefox\Profiles\2vsrkcq7.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\documents and settings\Ryan Mcspadden\Application Data\Mozilla\Firefox\Profiles\2vsrkcq7.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\TrustCheckerMozillaPlugin.dll
FF - plugin: c:\documents and settings\Ryan Mcspadden\Application Data\Mozilla\Firefox\Profiles\2vsrkcq7.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\documents and settings\Ryan Mcspadden\Application Data\Mozilla\Firefox\Profiles\2vsrkcq7.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\Canon\ZoomBrowser EX\Program\NPCIG.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdrmv2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-03 08:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(764)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

- - - - - - - > 'lsass.exe'(820)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

- - - - - - - > 'explorer.exe'(2480)
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\ieframe.dll
c:\program files\Broderbund\Mavis Beacon Teaches Typing 15\KeyHook.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-06-03 08:43:37
ComboFix-quarantined-files.txt 2010-06-03 13:43
ComboFix2.txt 2010-05-25 19:56
ComboFix3.txt 2010-05-16 22:24

Pre-Run: 38,603,313,152 bytes free
Post-Run: 38,562,930,688 bytes free

- - End Of File - - EEEA0B5F653F253F77ED5A37E3693E01

Edited by grg.clny, 03 June 2010 - 08:49 AM.


#15 pwgib

  • Malware Response Team
  • 2,956 posts

Posted 04 June 2010 - 05:54 PM

Hello grg.clny,

QUOTE
When I ran Dial a fix it got "stopping Crypsvc" but it did not finish.

This is not unusual when Zone Alarm is installed. The reason for running Dial-A-Fix was to reset some settings to get the latest Adobe Reader installed. Were you able to uninstall Adobe Reader 8.1.2 and Adobe Reader 8.1.2 Security Update 1? Please go here and try updating again.
Note: Uncheck McAfee Security Scan Plus

Next, please right click and delete the copy of Combofix from your desktop. <<<Important

Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

We need to run a Combofix Script

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. <<----Important
3. Open notepad and copy/paste the text in the codebox below into it:

CODE
Folder::
c:\documents and settings\Ryan Mcspadden\Application Data\.#


Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

If Combofix prompts you to update the program please allow it to do so.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Please let me know about Adobe Reader and post C:\ComboFix.txt

Thanks!!
PW



