Hi Reid,
Thanks for the reply, I am so grateful!
I ran ComboFix (after installing the recovery console). The only hiccup was that the first time ComboFix ran, it rebooted my computer but did not pick up where it left off after the reboot. So I ran it again, and I noticed it said it was deleting a particular .dll and again rebooted my machine, but the second time it did pick up where it left off. I'll post the log file below.
But first I just wanted to quickly say that, on first impressions, at the very least the symptom is gone: no more strange Windows dialog boxes when I boot up, which is very encouraging. If you could take a look at the log file to make sure the system looks good from where you're sitting, I'd be forever grateful!
Sincere thanks!
RY
ComboFix 08-08-14.02 - Ryan 2008-08-14 21:22:09.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.668 [GMT -7:00]
Running from: C:\Documents and Settings\Ryan\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\dllcache\npptools.dll
C:\WINDOWS\system32\npptools.dll
.
---- Previous Run -------
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Ryan\Application Data\Adobe\crc.dat
C:\Documents and Settings\Ryan\Cookies\ryan@a.macworld[2].txt
C:\Documents and Settings\Ryan\Cookies\ryan@a.tomshardware[2].txt
C:\Documents and Settings\Ryan\Cookies\ryan@ads.pointroll[2].txt
C:\Documents and Settings\Ryan\Cookies\ryan@ads.revsci[1].txt
C:\Documents and Settings\Ryan\Cookies\ryan@clicktorrent[1].txt
C:\Documents and Settings\Ryan\Cookies\ryan@ehg-oreilly.hitbox[2].txt
C:\Documents and Settings\Ryan\Cookies\ryan@hb.pcworld[2].txt
C:\Documents and Settings\Ryan\Cookies\ryan@insightexpressai[1].txt
C:\Documents and Settings\Ryan\Cookies\ryan@machinima[1].txt
C:\Documents and Settings\Ryan\Cookies\ryan@popcap[3].txt
C:\Documents and Settings\Ryan\Cookies\ryan@track.bestbuy[1].txt
C:\Documents and Settings\Ryan\Cookies\ryan@www.pandasecurity[1].txt
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\npptools.dll
.
((((((((((((((((((((((((( Files Created from 2008-07-15 to 2008-08-15 )))))))))))))))))))))))))))))))
.
2008-08-10 17:17 . 2008-08-10 17:17 <DIR> d-------- C:\Program Files\Audacity
2008-08-10 16:32 . 2008-08-10 10:53 <DIR> d-------- C:\Program Files\McAfee
2008-08-10 15:43 . 2008-08-10 15:43 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-10 15:42 . 2008-08-10 15:42 <DIR> d-------- C:\Deckard
2008-08-10 14:17 . 2008-08-10 14:17 <DIR> d-------- C:\ie-spyad_zo
2008-08-10 14:14 . 2008-08-10 14:31 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-08-10 14:00 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-08-10 13:59 . 2008-08-10 13:59 <DIR> d-------- C:\Program Files\Panda Security
2008-08-10 13:06 . 2008-08-14 03:56 <DIR> d--h----- C:\$AVG8.VAULT$
2008-08-10 13:04 . 2008-08-10 13:04 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-08-10 13:03 . 2008-08-14 21:20 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-08-10 13:03 . 2008-08-10 13:03 <DIR> d-------- C:\Program Files\AVG
2008-08-10 13:03 . 2008-08-10 13:29 <DIR> d-------- C:\Documents and Settings\Ryan\Application Data\AVGTOOLBAR
2008-08-10 13:03 . 2008-08-10 13:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-08-10 13:03 . 2008-08-10 13:03 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-10 12:25 . 2008-08-10 12:25 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-10 12:25 . 2008-08-10 12:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-10 11:57 . 2008-08-10 11:57 <DIR> d-------- C:\ConverterOutput
2008-08-10 11:56 . 2008-08-10 11:56 <DIR> d-------- C:\Program Files\Cucusoft
2008-08-10 11:56 . 2004-10-12 14:40 2,255,360 --a------ C:\WINDOWS\system32\libavcodec.dll
2008-08-10 11:56 . 2004-10-12 14:46 1,761,280 --a------ C:\WINDOWS\system32\ffdshow.ax
2008-08-10 11:56 . 2004-10-05 16:16 395,776 --a------ C:\WINDOWS\system32\libmplayer.dll
2008-08-10 11:56 . 2004-10-12 14:42 262,144 --a------ C:\WINDOWS\system32\TomsMoComp_ff.dll
2008-08-10 11:56 . 2003-04-03 00:17 172,032 --a------ C:\WINDOWS\system32\ac3filter.ax
2008-08-10 11:56 . 2004-10-04 01:50 112,640 --a------ C:\WINDOWS\system32\libmpeg2_ff.dll
2008-08-10 11:27 . 2008-08-10 11:27 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-08-10 11:27 . 2008-07-03 23:34 860,160 --a------ C:\WINDOWS\system32\lameACM.acm
2008-08-10 11:27 . 2008-01-10 05:15 755,027 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-08-10 11:27 . 2004-01-25 09:18 217,088 --a------ C:\WINDOWS\system32\yv12vfw.dll
2008-08-10 11:27 . 2007-09-04 09:56 164,352 --a------ C:\WINDOWS\system32\unrar.dll
2008-08-10 11:27 . 2008-01-10 05:16 159,839 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-08-10 11:27 . 2007-09-20 17:52 118,784 --a------ C:\WINDOWS\system32\ac3acm.acm
2008-08-10 11:27 . 2008-06-12 11:36 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2008-08-10 11:27 . 2007-07-10 09:10 547 --a------ C:\WINDOWS\system32\ff_vfw.dll.manifest
2008-08-10 11:27 . 2007-10-03 08:03 414 --a------ C:\WINDOWS\system32\lame_acm.xml
2008-08-10 11:27 . 2008-07-30 12:09 38 --a------ C:\WINDOWS\avisplitter.ini
2008-08-10 11:11 . 2008-08-10 11:11 <DIR> d-------- C:\Program Files\ffvfw
2008-08-10 10:49 . 2008-08-10 10:49 <DIR> d-------- C:\Documents and Settings\Ryan\Application Data\Media Player Classic
2008-08-10 10:48 . 2008-08-10 10:48 <DIR> d-------- C:\Program Files\QuickTime Alternative
2008-08-10 10:48 . 2008-08-10 10:48 <DIR> d-------- C:\Program Files\Media Player Classic
2008-08-10 10:48 . 2007-04-27 09:42 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-08-10 10:48 . 2007-04-27 09:42 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-08-10 10:19 . 2008-08-10 10:19 <DIR> d-------- C:\Program Files\DirectShow Dump
2008-08-10 10:17 . 2008-08-10 10:17 <DIR> d-------- C:\WINDOWS\system32\URTTEMP
2008-08-10 10:02 . 2008-08-10 10:02 <DIR> d-------- C:\Documents and Settings\Ryan\Application Data\MPEG Streamclip
2008-08-10 09:58 . 2008-08-10 09:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-08-10 09:38 . 2008-08-10 09:38 <DIR> d-------- C:\Program Files\TiVo
2008-08-10 09:38 . 2008-08-10 09:38 <DIR> d-------- C:\Program Files\Common Files\TiVo Shared
2008-08-10 09:38 . 2008-08-10 09:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TiVo
2008-08-10 09:34 . 2008-08-10 09:34 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-08-10 09:34 . 2008-08-10 09:34 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SACore
2008-08-04 09:26 . 2008-08-04 09:26 <DIR> d-------- C:\Documents and Settings\Ryan\Application Data\dvdcss
2008-08-04 09:15 . 2008-08-04 09:15 <DIR> d-------- C:\Program Files\Handbrake
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-15 04:21 --------- d-----w C:\Documents and Settings\Ryan\Application Data\OpenOffice.org2
2008-08-14 08:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-08-14 08:18 --------- d-----w C:\Documents and Settings\Ryan\Application Data\StumbleUpon
2008-08-10 19:25 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-10 18:26 --------- d-----w C:\Program Files\DivX
2008-08-10 17:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-08-10 17:48 --------- d-----w C:\Documents and Settings\Ryan\Application Data\Apple Computer
2008-08-10 17:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-08-10 17:44 --------- d-----w C:\Program Files\QuickTime
2008-08-10 16:58 --------- d-----w C:\Program Files\Apple Software Update
2008-08-04 16:13 --------- d-----w C:\Program Files\Audible
2008-07-11 06:04 --------- d-----w C:\Program Files\OpenOffice.org 2.4
2008-07-11 06:04 --------- d-----w C:\Program Files\Java
2008-07-11 01:56 --------- d-----w C:\Program Files\Keybreeze
2008-07-11 01:56 --------- d-----w C:\Program Files\Citrix
2008-07-11 01:55 --------- d-----w C:\Program Files\GRETECH
2008-07-11 01:54 --------- d-----w C:\Program Files\Freeciv-2.1.1-gtk2
2008-07-11 01:51 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-11 01:46 --------- d-----w C:\Program Files\SuperTux
2008-07-11 01:46 --------- d-----w C:\Program Files\RocketDock
2008-07-11 01:41 --------- d-----w C:\Program Files\VisualTaskTips
2008-07-11 01:35 --------- d-----w C:\Program Files\Cities of Earth
2008-07-11 01:34 --------- d-----w C:\Program Files\MP3Gain
2008-07-11 01:32 --------- d-----w C:\Program Files\CursorXP
2008-07-11 01:32 --------- d-----w C:\Program Files\AoA Audio Extractor
2008-06-23 23:00 --------- d-----w C:\Program Files\Parallels
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2007-12-10 21:16 56,912 ----a-w C:\Documents and Settings\Ryan\g2mdlhlpx.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 17:12 15360]
"Iconoid"="C:\Program Files\Iconoid\iconoid.exe" [2005-12-03 16:03 180736]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-07-17 11:03 868352]
"TivoTransfer"="C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" [2008-07-09 15:13 1189376]
"TivoNotify"="C:\Program Files\TiVo\Desktop\TiVoNotify.exe" [2008-07-09 15:14 394240]
"TivoServer"="C:\Program Files\TiVo\Desktop\TiVoServer.exe" [2008-07-09 15:15 1931264]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"DigidesignMMERefresh"="C:\Program Files\Digidesign\Drivers\MMERefresh.exe" [2006-02-15 01:31 61440]
"CTCheck"="C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe" [2007-11-06 11:08 397312]
"Parallels Tools"="C:\Program Files\Parallels\Parallels Tools\ParallelsToolsCenter.exe" [2007-12-19 15:03 2506864]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-10 13:03 1232152]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 17:12 110592 C:\WINDOWS\system32\bthprops.cpl]
C:\Documents and Settings\Ryan\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 16:41:28 393216]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MIDI2"= diomidi.dll
"wave2"= Digi32.dll
"vidc.fvfw"= ffvfw.dll
"msacm.avis"= ffvfw.dll
"VIDC.YV12"= yv12vfw.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Ryan^Start Menu^Programs^Startup^Banshee Screamer Alarm.lnk]
path=C:\Documents and Settings\Ryan\Start Menu\Programs\Startup\Banshee Screamer Alarm.lnk
backup=C:\WINDOWS\pss\Banshee Screamer Alarm.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Ryan^Start Menu^Programs^Startup^ePrompter.lnk]
path=C:\Documents and Settings\Ryan\Start Menu\Programs\Startup\ePrompter.lnk
backup=C:\WINDOWS\pss\ePrompter.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Ryan^Start Menu^Programs^Startup^OpenOffice.org 2.1.lnk]
path=C:\Documents and Settings\Ryan\Start Menu\Programs\Startup\OpenOffice.org 2.1.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 2.1.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Ryan^Start Menu^Programs^Startup^TrayIt!.lnk]
path=C:\Documents and Settings\Ryan\Start Menu\Programs\Startup\TrayIt!.lnk
backup=C:\WINDOWS\pss\TrayIt!.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-04-12 16:45 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-10 13:03]
R1 PrlNP;PrlNP;C:\WINDOWS\system32\DRIVERS\prlfs.sys [2007-12-19 14:07]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-10 13:03]
R2 cohrence;Parallels Coherence Service;C:\Program Files\Parallels\Parallels Tools\cohrence.exe [2007-12-19 15:04]
R2 KeyAgent;KeyAgent;C:\WINDOWS\system32\drivers\KeyAgent.sys [2006-10-24 18:38]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;C:\Program Files\McAfee\SiteAdvisor\McSACore.exe [2008-07-23 18:52]
R2 PrlTime;Parallels Time Synchronization Driver;C:\WINDOWS\system32\drivers\PrlTime.sys [2007-12-19 15:04]
R2 TivoBeacon2;TiVo Beacon;C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe [2008-07-09 15:13]
R3 PCITG;PCITG;C:\WINDOWS\system32\drivers\pcitg.sys [2007-12-19 14:07]
R3 prleth;Parallels Network Adapter;C:\WINDOWS\system32\DRIVERS\prleth.sys [2007-12-19 15:04]
R3 PrlMouse;Parallels Mouse Synchronization Tool;C:\WINDOWS\system32\DRIVERS\PrlMouse.sys [2007-12-19 15:04]
R3 PrlVideo;PrlVideo;C:\WINDOWS\system32\DRIVERS\PrlVideo.sys [2007-12-19 15:04]
S2 keymagic;USB Keyboard HID Filter;C:\WINDOWS\system32\DRIVERS\KeyMagic.sys [2006-10-24 18:38]
S3 aapltctp;Apple Trackpad filter;C:\WINDOWS\system32\DRIVERS\aapltctp.sys [2006-10-19 12:15]
S3 aapltp;Apple Trackpad Driver;C:\WINDOWS\system32\DRIVERS\aapltp.sys [2006-10-19 12:15]
S3 BLUETOOTH_KICKER;Apple Bluetooth Kicker Driver;C:\WINDOWS\system32\Drivers\BthKicker.sys [2006-08-25 00:45]
S3 iSightUpdate;iSight Update Driver;C:\WINDOWS\system32\DRIVERS\iSightUP.sys [2006-09-05 15:08]
S3 StartupDiskDriver;StartupDiskDriver;C:\WINDOWS\system32\DRIVERS\StartupDiskDriver.sys [2006-09-26 18:20]
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
MSConfigStartUp-Keybreeze - C:\Program Files\Keybreeze\Keybreeze.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\k3ctpazw.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.ca/
FF -: plugin - C:\Program Files\Google\Google Updater\2.2.940.34809\npCIDetect11.dll
FF -: plugin - c:\Program Files\Microsoft Silverlight\2.0.30523.6\npctrl.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npdjvu.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPTURNMED.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npyaxmpb.dll
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-08-14 21:28:14
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\McAfee\SiteAdvisor\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\AvidSDMService.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\snmp.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-08-14 21:33:05 - machine was rebooted [Ryan]
ComboFix-quarantined-files.txt 2008-08-15 04:32:56
Pre-Run: 10,395,586,560 bytes free
Post-Run: 10,311,380,992 bytes free
242 --- E O F --- 2008-08-10 20:39:48