At startup, xp states cannot find 'Data\Adobe\Manager.exe'. Certain it's virus/trojan

[rsyewell]

Hi all,

Just recently I've been getting the below message dialogue boxes upon startup after the login window. For a very brief time I also noticed I was getting dialogue boxes telling me windows had detected virus and prompted me to goto websites, which I know windows wouldn't do. That hasn't come up recently, so I can't give more info, but I'm certain it's all some kind of virus/trojan. Please help if you can. Thanks. I'm also attaching the "extra" file for the DSS scan and the panda activescan log as instructed in the 5 steps before posting.

Here are the messages I get at startup.

Windows cannot find "C:\Documents'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.

Could not load or run "C:\Documents' specified in the registry. Make sure the file exists on your computer or remove the reference in the registry.

Windows cannot find 'and'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.

Could not load or run 'and' specified in the registry. Make sure the file exists on your computer or remove the reference in the registry.

Windows cannot find 'Settings\Ryan\Application'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.

Could not load or run 'Settings\Ryan\Application' specified in the registry. Make sure the file exists on your computer or remove the reference in the registry.

Windows cannot find 'Data\Adobe\Manager.exe". Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.

Could not load or run 'Data\Adobe\Manager.exe" specified in the registry. Make sure the file exists on your computer or remove the reference in the registry.

Here's the Hijack This/DSS Log

Deckard's System Scanner v20071014.68
Run by Ryan on 2008-08-10 15:42:22
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
18: 2008-08-10 22:42:31 UTC - RP223 - Deckard's System Scanner Restore Point
17: 2008-08-10 21:36:23 UTC - RP222 - Restore Operation
16: 2008-08-10 21:29:28 UTC - RP221 - Restore Operation
15: 2008-08-10 20:37:44 UTC - RP220 - Software Distribution Service 3.0
14: 2008-08-10 20:03:36 UTC - RP219 - Installed AVG Free 8.0


-- First Restore Point --
1: 2008-07-11 06:03:09 UTC - RP206 - Installed Java(TM) 6 Update 4


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Ryan.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:43:59 PM, on 8/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\AvidSDMService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Iconoid\iconoid.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
C:\Program Files\TiVo\Desktop\TiVoNotify.exe
C:\Program Files\TiVo\Desktop\TiVoServer.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Documents and Settings\Ryan\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Ryan.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F3 - REG:win.ini: run="C:\Documents and Settings\Ryan\Application Data\Adobe\Manager.exe"
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Gold.Manager - {67956585-9B5C-4E2B-ABE1-A01BF3046EE1} - C:\WINDOWS\system32\gldman.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [CTCheck] C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
O4 - HKLM\..\Run: [Parallels Tools] C:\Program Files\Parallels\Parallels Tools\ParallelsToolsCenter.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Iconoid] "C:\Program Files\Iconoid\iconoid.exe"
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer
O4 - HKCU\..\Run: [TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry /auto:TivoServer
O4 - Startup: AutorunsDisabled
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/softwareupda...31/CTSUEng.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1173731787133
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupda...5035/CTPID.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL,avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Avid SDM Service (AvidSDMService) - Avid Technology, Inc. - C:\WINDOWS\system32\AvidSDMService.exe
O23 - Service: Avid Startup (AvidStartup) - Unknown owner - C:\WINDOWS\system32\AvidStartup.exe
O23 - Service: Parallels Coherence Service (cohrence) - Parallels Software International, Inc. - C:\Program Files\Parallels\Parallels Tools\cohrence.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe

--
End of file - 9584 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 TPkd - c:\windows\system32\drivers\tpkd.sys <Not Verified; PACE Anti-Piracy, Inc.; InterLok(R)>
R2 KeyAgent - c:\windows\system32\drivers\keyagent.sys <Not Verified; Apple Computer, Inc.; Key Magic>
R2 keymagic (USB Keyboard HID Filter) - c:\windows\system32\drivers\keymagic.sys <Not Verified; Apple Computer, Inc.; Key Magic>
R2 PrlTime (Parallels Time Synchronization Driver) - c:\windows\system32\drivers\prltime.sys
R3 aapltctp (Apple Trackpad filter) - c:\windows\system32\drivers\aapltctp.sys <Not Verified; Apple Computer, Inc.; Apple Bootcamp for Windows>
R3 aapltp (Apple Trackpad Driver) - c:\windows\system32\drivers\aapltp.sys <Not Verified; Apple Computer, Inc.; Apple Bootcamp for Windows>

S1 PrlNP - c:\windows\system32\drivers\prlfs.sys <Not Verified; Parallels Software International, Inc.; Parallels Tools>
S3 PCITG - c:\windows\system32\drivers\pcitg.sys <Not Verified; Parallels Software International, Inc.; Parallels Tools>
S3 prleth (Parallels Network Adapter) - c:\windows\system32\drivers\prleth.sys <Not Verified; Parallels Software International, Inc.; Parallels Workstation 2.5>
S3 PrlMouse (Parallels Mouse Synchronization Tool) - c:\windows\system32\drivers\prlmouse.sys <Not Verified; Parallels Software International, Inc.; Parallels Tools>
S3 PrlVideo - c:\windows\system32\drivers\prlvideo.sys <Not Verified; Parallels Software International, Inc.; Parallels Tools>
S3 StartupDiskDriver - c:\windows\system32\drivers\startupdiskdriver.sys <Not Verified; Apple Computer, Inc.; Startup Disk Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AvidSDMService (Avid SDM Service) - system32\avidsdmservice.exe <Not Verified; Avid Technology, Inc.; Avid Technology, Inc. AvidSDMService>
R2 DigiRefresh (Digidesign MME Refresh Service) - c:\program files\digidesign\drivers\mmerefresh.exe -s <Not Verified; Digidesign, A Division of Avid Technology, Inc.; Digidesign MME Binder>
R2 STacSV (SigmaTel Audio Service) - c:\windows\system32\stacsv.exe <Not Verified; SigmaTel, Inc.; C-Major Audio>

S2 AvidStartup (Avid Startup) - system32\avidstartup.exe <Not Verified; ; AvidStartup>
S2 cohrence (Parallels Coherence Service) - "c:\program files\parallels\parallels tools\cohrence.exe" <Not Verified; Parallels Software International, Inc.; Parallels Workstation 2.5>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: ACPI\APP0002\A
Manufacturer:
Name:
PNP Device ID: ACPI\APP0002\A
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Device
Device ID: PCI\VEN_8086&DEV_27A3&SUBSYS_00000000&REV_03\3&B1BFB68&0&38
Manufacturer:
Name: PCI Device
PNP Device ID: PCI\VEN_8086&DEV_27A3&SUBSYS_00000000&REV_03\3&B1BFB68&0&38
Service:

Class GUID: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA}
Description: USB Human Interface Device
Device ID: USB\VID_05AC&PID_8240\5&11730951&0&2
Manufacturer: (Standard system devices)
Name: USB Human Interface Device
PNP Device ID: USB\VID_05AC&PID_8240\5&11730951&0&2
Service: HidUsb

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: ACPI\APP0001\4&38462492&0
Manufacturer:
Name:
PNP Device ID: ACPI\APP0001\4&38462492&0
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: ACPI\IFX0101\1
Manufacturer:
Name:
PNP Device ID: ACPI\IFX0101\1
Service:


-- Files created between 2008-07-10 and 2008-08-10 -----------------------------

2008-08-10 16:32:41 0 d-------- C:\Program Files\McAfee
2008-08-10 15:43:49 0 d-------- C:\Program Files\Trend Micro
2008-08-10 14:17:35 0 d-------- C:\ie-spyad_zo
2008-08-10 14:14:46 0 d-------- C:\Program Files\SpywareBlaster
2008-08-10 13:59:53 0 d-------- C:\Program Files\Panda Security
2008-08-10 1341 0 d--h----- C:\$AVG8.VAULT$
2008-08-10 13:03:52 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-08-10 13:03:52 0 d-------- C:\Documents and Settings\Ryan\Application Data\AVGTOOLBAR
2008-08-10 13:03:36 0 d-------- C:\Program Files\AVG
2008-08-10 13:03:36 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-08-10 12:25:39 0 d-------- C:\Program Files\Lavasoft
2008-08-10 12:25:39 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-10 11:57:07 0 d-------- C:\ConverterOutput
2008-08-10 11:56:59 262144 --a------ C:\WINDOWS\system32\TomsMoComp_ff.dll
2008-08-10 11:56:59 395776 --a------ C:\WINDOWS\system32\libmplayer.dll
2008-08-10 11:56:59 112640 --a------ C:\WINDOWS\system32\libmpeg2_ff.dll
2008-08-10 11:56:59 2255360 --a------ C:\WINDOWS\system32\libavcodec.dll
2008-08-10 11:56:57 0 d-------- C:\Program Files\Cucusoft
2008-08-10 11:27:56 164352 --a------ C:\WINDOWS\system32\unrar.dll
2008-08-10 11:27:54 217088 --a------ C:\WINDOWS\system32\yv12vfw.dll <Not Verified; www.helixcommunity.org; Helix YV12 YUV Codec>
2008-08-10 11:27:54 755027 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-08-10 11:27:53 159839 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-08-10 11:27:53 7680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2008-08-10 11:27:51 0 d-------- C:\Program Files\K-Lite Codec Pack
2008-08-10 11:11:09 0 d-------- C:\Program Files\ffvfw
2008-08-10 10:49:20 0 d-------- C:\Documents and Settings\Ryan\Application Data\Media Player Classic
2008-08-10 10:48:20 0 d-------- C:\Program Files\QuickTime Alternative
2008-08-10 10:48:20 0 d-------- C:\Program Files\Media Player Classic
2008-08-10 10:19:06 0 d-------- C:\Program Files\DirectShow Dump
2008-08-10 10:17:29 0 d-------- C:\WINDOWS\system32\URTTEMP
2008-08-10 10:02:42 0 d-------- C:\Documents and Settings\Ryan\Application Data\MPEG Streamclip
2008-08-10 09:58:12 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-08-10 09:38:16 0 d-------- C:\Program Files\TiVo
2008-08-10 09:38:16 0 d-------- C:\Program Files\Common Files\TiVo Shared
2008-08-10 09:38:16 0 d-------- C:\Documents and Settings\All Users\Application Data\TiVo
2008-08-10 09:34:32 0 d-------- C:\Documents and Settings\LocalService\Application Data\SACore
2008-08-10 09:34:01 0 d-------- C:\Program Files\Common Files\McAfee
2008-08-04 09:26:54 0 d-------- C:\Documents and Settings\Ryan\Application Data\dvdcss
2008-08-04 09:15:08 0 d-------- C:\Program Files\Handbrake
2008-07-10 23:04:27 0 d-------- C:\Program Files\OpenOffice.org 2.4
2008-07-10 22:50:48 0 d--h----- C:\WINDOWS\PIF
2008-07-10 18:32:14 0 d-------- C:\Themes


-- Find3M Report ---------------------------------------------------------------

2008-08-10 16:33:25 0 d-------- C:\Documents and Settings\Ryan\Application Data\StumbleUpon
2008-08-10 14:42:24 0 d-------- C:\Documents and Settings\Ryan\Application Data\OpenOffice.org2
2008-08-10 12:25:08 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-10 12:18:28 0 d-------- C:\Documents and Settings\Ryan\Application Data\Adobe
2008-08-10 11:26:53 0 d-------- C:\Program Files\DivX
2008-08-10 10:48:20 0 d-------- C:\Documents and Settings\Ryan\Application Data\Apple Computer
2008-08-10 10:44:10 0 d-------- C:\Program Files\QuickTime
2008-08-10 09:58:14 0 d-------- C:\Program Files\Apple Software Update
2008-08-10 09:38:16 0 d-------- C:\Program Files\Common Files
2008-08-04 09:13:31 0 d-------- C:\Program Files\Audible
2008-07-10 23:04:08 0 d-------- C:\Program Files\Java
2008-07-10 18:56:46 0 d-------- C:\Program Files\Keybreeze
2008-07-10 18:56:14 0 d-------- C:\Program Files\Citrix
2008-07-10 18:55:33 0 d-------- C:\Program Files\GRETECH
2008-07-10 18:54:43 0 d-------- C:\Program Files\Freeciv-2.1.1-gtk2
2008-07-10 18:51:27 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-10 18:46:41 0 d-------- C:\Program Files\SuperTux
2008-07-10 18:46:25 0 d-------- C:\Program Files\RocketDock
2008-07-10 18:41:47 0 d-------- C:\Program Files\VisualTaskTips
2008-07-10 18:35:14 0 d-------- C:\Program Files\Cities of Earth
2008-07-10 18:34:47 0 d-------- C:\Program Files\MP3Gain
2008-07-10 18:32:58 0 d-------- C:\Program Files\AoA Audio Extractor
2008-07-10 18:32:16 0 d-------- C:\Program Files\CursorXP
2008-06-24 09:21:43 0 d-------- C:\Documents and Settings\Ryan\Application Data\Mozilla
2008-06-24 00:35:58 0 d-------- C:\Program Files\Messenger
2008-06-24 00:34:45 0 d-------- C:\Program Files\Movie Maker
2008-06-24 00:31:29 0 d-------- C:\Program Files\Windows NT
2008-06-23 16:00:27 0 d-------- C:\Program Files\Parallels


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{67956585-9B5C-4E2B-ABE1-A01BF3046EE1}]
C:\WINDOWS\system32\gldman.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
08/10/2008 01:03 PM 2055960 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}]
07/23/2008 12:21 PM 120608 --a------ c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [08/10/2008 01:03 PM 2055960]

[-HKEY_CLASSES_ROOT\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"DigidesignMMERefresh"="C:\Program Files\Digidesign\Drivers\MMERefresh.exe" [02/15/2006 01:31 AM]
"CTCheck"="C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe" [11/06/2007 11:08 AM]
"Parallels Tools"="C:\Program Files\Parallels\Parallels Tools\ParallelsToolsCenter.exe" [12/19/2007 03:03 PM]
"BluetoothAuthenticationAgent"="bthprops.cpl" [04/13/2008 05:12 PM C:\WINDOWS\system32\bthprops.cpl]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [08/10/2008 01:03 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/13/2008 05:12 PM]
"Iconoid"="C:\Program Files\Iconoid\iconoid.exe" [12/03/2005 04:03 PM]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [07/17/2007 11:03 AM]
"TivoTransfer"="C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" [07/09/2008 03:13 PM]
"TivoNotify"="C:\Program Files\TiVo\Desktop\TiVoNotify.exe" [07/09/2008 03:14 PM]
"TivoServer"="C:\Program Files\TiVo\Desktop\TiVoServer.exe" [07/09/2008 03:15 PM]

C:\Documents and Settings\Ryan\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [1/21/2008 4:41:28 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL,avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli scecli

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Ryan^Start Menu^Programs^Startup^Banshee Screamer Alarm.lnk]
path=C:\Documents and Settings\Ryan\Start Menu\Programs\Startup\Banshee Screamer Alarm.lnk
backup=C:\WINDOWS\pss\Banshee Screamer Alarm.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Ryan^Start Menu^Programs^Startup^ePrompter.lnk]
path=C:\Documents and Settings\Ryan\Start Menu\Programs\Startup\ePrompter.lnk
backup=C:\WINDOWS\pss\ePrompter.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Ryan^Start Menu^Programs^Startup^OpenOffice.org 2.1.lnk]
path=C:\Documents and Settings\Ryan\Start Menu\Programs\Startup\OpenOffice.org 2.1.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 2.1.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Ryan^Start Menu^Programs^Startup^TrayIt!.lnk]
path=C:\Documents and Settings\Ryan\Start Menu\Programs\Startup\TrayIt!.lnk
backup=C:\WINDOWS\pss\TrayIt!.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Keybreeze]
C:\Program Files\Keybreeze\Keybreeze.exe /a

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc




-- Hosts -----------------------------------------------------------------------

127.0.0.1 .psf


-- End of Deckard's System Scanner: finished at 2008-08-10 15:44:30 ------------

[rsyewell]

bump, please

I use my computer for many necessities, email, online banking, etc. I'm afraid to use it until this is solved. Any help in getting whatever rid of whatever is on my PC would be greatly appreciated. Thanks so much!
RY

[Ried]

Hello rsyewell and welcome,

This will require more than one round to properly eradicate. Please stay with me until given the 'all clear' even if symptoms seemingly abate.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
   
2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

[rsyewell]

Hi Reid,

Thanks for the reply, I am so grateful!

I ran Combofix (after installing the recovery console), the only hiccup was that the first time combofix ran, it rebooted my computer, but did not pick up where it left off after the reboot. So I ran it again, and I noticed it said it was deleting a particular .dll, and again rebooted my machine, but the second time, it did pick up where it left off. I'll post the log file below.

But first I just wanted to quickly say, upon first impressions, at the very least the symptom is gone, no more strange windows dialogue boxes when I boot up, which is very encouraging. If you could take a look at the log file to make sure the system looks good from where you're sitting I'd be forever grateful!

Sincere thanks!
RY

ComboFix 08-08-14.02 - Ryan 2008-08-14 21:22:09.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.668 [GMT -7:00]
Running from: C:\Documents and Settings\Ryan\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\dllcache\npptools.dll
C:\WINDOWS\system32\npptools.dll
.
---- Previous Run -------
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Ryan\Application Data\Adobe\crc.dat
C:\Documents and Settings\Ryan\Cookies\ryan@a.macworld[2].txt
C:\Documents and Settings\Ryan\Cookies\ryan@a.tomshardware[2].txt
C:\Documents and Settings\Ryan\Cookies\ryan@ads.pointroll[2].txt
C:\Documents and Settings\Ryan\Cookies\ryan@ads.revsci[1].txt
C:\Documents and Settings\Ryan\Cookies\ryan@clicktorrent[1].txt
C:\Documents and Settings\Ryan\Cookies\ryan@ehg-oreilly.hitbox[2].txt
C:\Documents and Settings\Ryan\Cookies\ryan@hb.pcworld[2].txt
C:\Documents and Settings\Ryan\Cookies\ryan@insightexpressai[1].txt
C:\Documents and Settings\Ryan\Cookies\ryan@machinima[1].txt
C:\Documents and Settings\Ryan\Cookies\ryan@popcap[3].txt
C:\Documents and Settings\Ryan\Cookies\ryan@track.bestbuy[1].txt
C:\Documents and Settings\Ryan\Cookies\ryan@www.pandasecurity[1].txt
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\npptools.dll

.
((((((((((((((((((((((((( Files Created from 2008-07-15 to 2008-08-15 )))))))))))))))))))))))))))))))
.

2008-08-10 17:17 . 2008-08-10 17:17 <DIR> d-------- C:\Program Files\Audacity
2008-08-10 16:32 . 2008-08-10 10:53 <DIR> d-------- C:\Program Files\McAfee
2008-08-10 15:43 . 2008-08-10 15:43 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-10 15:42 . 2008-08-10 15:42 <DIR> d-------- C:\Deckard
2008-08-10 14:17 . 2008-08-10 14:17 <DIR> d-------- C:\ie-spyad_zo
2008-08-10 14:14 . 2008-08-10 14:31 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-08-10 14:00 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-08-10 13:59 . 2008-08-10 13:59 <DIR> d-------- C:\Program Files\Panda Security
2008-08-10 13:06 . 2008-08-14 03:56 <DIR> d--h----- C:\$AVG8.VAULT$
2008-08-10 13:04 . 2008-08-10 13:04 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-08-10 13:03 . 2008-08-14 21:20 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-08-10 13:03 . 2008-08-10 13:03 <DIR> d-------- C:\Program Files\AVG
2008-08-10 13:03 . 2008-08-10 13:29 <DIR> d-------- C:\Documents and Settings\Ryan\Application Data\AVGTOOLBAR
2008-08-10 13:03 . 2008-08-10 13:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-08-10 13:03 . 2008-08-10 13:03 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-10 12:25 . 2008-08-10 12:25 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-10 12:25 . 2008-08-10 12:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-10 11:57 . 2008-08-10 11:57 <DIR> d-------- C:\ConverterOutput
2008-08-10 11:56 . 2008-08-10 11:56 <DIR> d-------- C:\Program Files\Cucusoft
2008-08-10 11:56 . 2004-10-12 14:40 2,255,360 --a------ C:\WINDOWS\system32\libavcodec.dll
2008-08-10 11:56 . 2004-10-12 14:46 1,761,280 --a------ C:\WINDOWS\system32\ffdshow.ax
2008-08-10 11:56 . 2004-10-05 16:16 395,776 --a------ C:\WINDOWS\system32\libmplayer.dll
2008-08-10 11:56 . 2004-10-12 14:42 262,144 --a------ C:\WINDOWS\system32\TomsMoComp_ff.dll
2008-08-10 11:56 . 2003-04-03 00:17 172,032 --a------ C:\WINDOWS\system32\ac3filter.ax
2008-08-10 11:56 . 2004-10-04 01:50 112,640 --a------ C:\WINDOWS\system32\libmpeg2_ff.dll
2008-08-10 11:27 . 2008-08-10 11:27 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-08-10 11:27 . 2008-07-03 23:34 860,160 --a------ C:\WINDOWS\system32\lameACM.acm
2008-08-10 11:27 . 2008-01-10 05:15 755,027 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-08-10 11:27 . 2004-01-25 09:18 217,088 --a------ C:\WINDOWS\system32\yv12vfw.dll
2008-08-10 11:27 . 2007-09-04 09:56 164,352 --a------ C:\WINDOWS\system32\unrar.dll
2008-08-10 11:27 . 2008-01-10 05:16 159,839 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-08-10 11:27 . 2007-09-20 17:52 118,784 --a------ C:\WINDOWS\system32\ac3acm.acm
2008-08-10 11:27 . 2008-06-12 11:36 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2008-08-10 11:27 . 2007-07-10 09:10 547 --a------ C:\WINDOWS\system32\ff_vfw.dll.manifest
2008-08-10 11:27 . 2007-10-03 08:03 414 --a------ C:\WINDOWS\system32\lame_acm.xml
2008-08-10 11:27 . 2008-07-30 12:09 38 --a------ C:\WINDOWS\avisplitter.ini
2008-08-10 11:11 . 2008-08-10 11:11 <DIR> d-------- C:\Program Files\ffvfw
2008-08-10 10:49 . 2008-08-10 10:49 <DIR> d-------- C:\Documents and Settings\Ryan\Application Data\Media Player Classic
2008-08-10 10:48 . 2008-08-10 10:48 <DIR> d-------- C:\Program Files\QuickTime Alternative
2008-08-10 10:48 . 2008-08-10 10:48 <DIR> d-------- C:\Program Files\Media Player Classic
2008-08-10 10:48 . 2007-04-27 09:42 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-08-10 10:48 . 2007-04-27 09:42 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-08-10 10:19 . 2008-08-10 10:19 <DIR> d-------- C:\Program Files\DirectShow Dump
2008-08-10 10:17 . 2008-08-10 10:17 <DIR> d-------- C:\WINDOWS\system32\URTTEMP
2008-08-10 10:02 . 2008-08-10 10:02 <DIR> d-------- C:\Documents and Settings\Ryan\Application Data\MPEG Streamclip
2008-08-10 09:58 . 2008-08-10 09:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-08-10 09:38 . 2008-08-10 09:38 <DIR> d-------- C:\Program Files\TiVo
2008-08-10 09:38 . 2008-08-10 09:38 <DIR> d-------- C:\Program Files\Common Files\TiVo Shared
2008-08-10 09:38 . 2008-08-10 09:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TiVo
2008-08-10 09:34 . 2008-08-10 09:34 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-08-10 09:34 . 2008-08-10 09:34 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SACore
2008-08-04 09:26 . 2008-08-04 09:26 <DIR> d-------- C:\Documents and Settings\Ryan\Application Data\dvdcss
2008-08-04 09:15 . 2008-08-04 09:15 <DIR> d-------- C:\Program Files\Handbrake

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-15 04:21 --------- d-----w C:\Documents and Settings\Ryan\Application Data\OpenOffice.org2
2008-08-14 08:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-08-14 08:18 --------- d-----w C:\Documents and Settings\Ryan\Application Data\StumbleUpon
2008-08-10 19:25 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-10 18:26 --------- d-----w C:\Program Files\DivX
2008-08-10 17:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-08-10 17:48 --------- d-----w C:\Documents and Settings\Ryan\Application Data\Apple Computer
2008-08-10 17:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-08-10 17:44 --------- d-----w C:\Program Files\QuickTime
2008-08-10 16:58 --------- d-----w C:\Program Files\Apple Software Update
2008-08-04 16:13 --------- d-----w C:\Program Files\Audible
2008-07-11 06:04 --------- d-----w C:\Program Files\OpenOffice.org 2.4
2008-07-11 06:04 --------- d-----w C:\Program Files\Java
2008-07-11 01:56 --------- d-----w C:\Program Files\Keybreeze
2008-07-11 01:56 --------- d-----w C:\Program Files\Citrix
2008-07-11 01:55 --------- d-----w C:\Program Files\GRETECH
2008-07-11 01:54 --------- d-----w C:\Program Files\Freeciv-2.1.1-gtk2
2008-07-11 01:51 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-11 01:46 --------- d-----w C:\Program Files\SuperTux
2008-07-11 01:46 --------- d-----w C:\Program Files\RocketDock
2008-07-11 01:41 --------- d-----w C:\Program Files\VisualTaskTips
2008-07-11 01:35 --------- d-----w C:\Program Files\Cities of Earth
2008-07-11 01:34 --------- d-----w C:\Program Files\MP3Gain
2008-07-11 01:32 --------- d-----w C:\Program Files\CursorXP
2008-07-11 01:32 --------- d-----w C:\Program Files\AoA Audio Extractor
2008-06-23 23:00 --------- d-----w C:\Program Files\Parallels
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2007-12-10 21:16 56,912 ----a-w C:\Documents and Settings\Ryan\g2mdlhlpx.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 17:12 15360]
"Iconoid"="C:\Program Files\Iconoid\iconoid.exe" [2005-12-03 16:03 180736]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-07-17 11:03 868352]
"TivoTransfer"="C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" [2008-07-09 15:13 1189376]
"TivoNotify"="C:\Program Files\TiVo\Desktop\TiVoNotify.exe" [2008-07-09 15:14 394240]
"TivoServer"="C:\Program Files\TiVo\Desktop\TiVoServer.exe" [2008-07-09 15:15 1931264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"DigidesignMMERefresh"="C:\Program Files\Digidesign\Drivers\MMERefresh.exe" [2006-02-15 01:31 61440]
"CTCheck"="C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe" [2007-11-06 11:08 397312]
"Parallels Tools"="C:\Program Files\Parallels\Parallels Tools\ParallelsToolsCenter.exe" [2007-12-19 15:03 2506864]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-10 13:03 1232152]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 17:12 110592 C:\WINDOWS\system32\bthprops.cpl]

C:\Documents and Settings\Ryan\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 16:41:28 393216]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MIDI2"= diomidi.dll
"wave2"= Digi32.dll
"vidc.fvfw"= ffvfw.dll
"msacm.avis"= ffvfw.dll
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Ryan^Start Menu^Programs^Startup^Banshee Screamer Alarm.lnk]
path=C:\Documents and Settings\Ryan\Start Menu\Programs\Startup\Banshee Screamer Alarm.lnk
backup=C:\WINDOWS\pss\Banshee Screamer Alarm.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Ryan^Start Menu^Programs^Startup^ePrompter.lnk]
path=C:\Documents and Settings\Ryan\Start Menu\Programs\Startup\ePrompter.lnk
backup=C:\WINDOWS\pss\ePrompter.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Ryan^Start Menu^Programs^Startup^OpenOffice.org 2.1.lnk]
path=C:\Documents and Settings\Ryan\Start Menu\Programs\Startup\OpenOffice.org 2.1.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 2.1.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Ryan^Start Menu^Programs^Startup^TrayIt!.lnk]
path=C:\Documents and Settings\Ryan\Start Menu\Programs\Startup\TrayIt!.lnk
backup=C:\WINDOWS\pss\TrayIt!.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-04-12 16:45 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-10 13:03]
R1 PrlNP;PrlNP;C:\WINDOWS\system32\DRIVERS\prlfs.sys [2007-12-19 14:07]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-10 13:03]
R2 cohrence;Parallels Coherence Service;C:\Program Files\Parallels\Parallels Tools\cohrence.exe [2007-12-19 15:04]
R2 KeyAgent;KeyAgent;C:\WINDOWS\system32\drivers\KeyAgent.sys [2006-10-24 18:38]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;C:\Program Files\McAfee\SiteAdvisor\McSACore.exe [2008-07-23 18:52]
R2 PrlTime;Parallels Time Synchronization Driver;C:\WINDOWS\system32\drivers\PrlTime.sys [2007-12-19 15:04]
R2 TivoBeacon2;TiVo Beacon;C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe [2008-07-09 15:13]
R3 PCITG;PCITG;C:\WINDOWS\system32\drivers\pcitg.sys [2007-12-19 14:07]
R3 prleth;Parallels Network Adapter;C:\WINDOWS\system32\DRIVERS\prleth.sys [2007-12-19 15:04]
R3 PrlMouse;Parallels Mouse Synchronization Tool;C:\WINDOWS\system32\DRIVERS\PrlMouse.sys [2007-12-19 15:04]
R3 PrlVideo;PrlVideo;C:\WINDOWS\system32\DRIVERS\PrlVideo.sys [2007-12-19 15:04]
S2 keymagic;USB Keyboard HID Filter;C:\WINDOWS\system32\DRIVERS\KeyMagic.sys [2006-10-24 18:38]
S3 aapltctp;Apple Trackpad filter;C:\WINDOWS\system32\DRIVERS\aapltctp.sys [2006-10-19 12:15]
S3 aapltp;Apple Trackpad Driver;C:\WINDOWS\system32\DRIVERS\aapltp.sys [2006-10-19 12:15]
S3 BLUETOOTH_KICKER;Apple Bluetooth Kicker Driver;C:\WINDOWS\system32\Drivers\BthKicker.sys [2006-08-25 00:45]
S3 iSightUpdate;iSight Update Driver;C:\WINDOWS\system32\DRIVERS\iSightUP.sys [2006-09-05 15:08]
S3 StartupDiskDriver;StartupDiskDriver;C:\WINDOWS\system32\DRIVERS\StartupDiskDriver.sys [2006-09-26 18:20]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
MSConfigStartUp-Keybreeze - C:\Program Files\Keybreeze\Keybreeze.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\k3ctpazw.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.ca/
FF -: plugin - C:\Program Files\Google\Google Updater\2.2.940.34809\npCIDetect11.dll
FF -: plugin - c:\Program Files\Microsoft Silverlight\2.0.30523.6\npctrl.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npdjvu.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPTURNMED.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npyaxmpb.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-14 21:28:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\McAfee\SiteAdvisor\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\AvidSDMService.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\snmp.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-08-14 21:33:05 - machine was rebooted [Ryan]
ComboFix-quarantined-files.txt 2008-08-15 04:32:56

Pre-Run: 10,395,586,560 bytes free
Post-Run: 10,311,380,992 bytes free

242 --- E O F --- 2008-08-10 20:39:48

[Ried]

I am pleased to hear the system is behaving better for you.

I realize these online scans are time consuming, but I'd like you to run one more scan, this time at Kaspersky. It can take some time, so please be patient and allow it to run it's full course:

Using Internet Explorer, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

Click Accept, when prompted to download and install the program files and database of malware definitions.

• Click Run at the Security prompt.
• The program will then begin downloading and installing and will also update the database.
• Please be patient as this can take several minutes.
• Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
• Click View scan report at the bottom.
  
  
  
  
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

**Note**

To optimize scanning time and produce a more sensible report for review:

• Close any open programs
  
• Turn off the real time scanner of any existing antivirus program while performing the online scan

[rsyewell]

Hi Reid,

Thanks for all your help!

Here's the results of the Kaspersky scan.

Hopefully that means all clear! :)

RY

[Ried]

Hi RY,

Yes, you're logs are clean, but we need to fix something first. A couple of legit files were removed and we need to put them back.

Open Notepad and copy/paste the text in the quote box below into it:

Quote:

SkipFix::
FCopy::
C:\Qoobox\Quarantine\C\WINDOWS\system32\dllcache\npptools.dll.vir | C:\WINDOWS\system32\dllcache\npptools.dll
C:\Qoobox\Quarantine\C:\WINDOWS\system32\npptools.dll | C:\WINDOWS\system32\npptools.dll.vir

Save this as CFScript.txt, in the same location as ComboFix.exe





Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt . Please return with the C:\ComboFix.txt so I may verify that the files have been properly replaced.

[rsyewell]

Hi Reid,

It's funny, I feel like I'm a blind man behind the wheel and you're in the passenger seat saying "turn here", "speed up", "stop there" :)

Thanks for all your help!
Here's the combofix.txt file.

How does it look?
Cheers,
RY

[Ried]

That's actually quite a good analogy, RY

I did have an error in my syntax for the one file--my apologies. We need to do this one more time.

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

---------------------------------------------------------------------

Open notepad and copy/paste the text in the code box below into it:

Code:

SkipFix::
FCopy::
C:\Qoobox\Quarantine\C\WINDOWS\system32\npptools.dll.vir | C:\WINDOWS\system32\npptools.dll

Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe





Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt


--------------------------------------------------------------------

While I am confident the move will have taken place properly, please post the C:\Combofix.txt again for review. After this, I'll have some final instructions for you.

[rsyewell]

Kewl,

Here's the second attempt... Computers/programming is finicky, you could have just one misstype among thousands of lines of instruction and just that one thing will mess it all up. Thanks for taking a closer look!

RY

[Ried]

That's better, everything is now as it should be. I appreciate your patience.

Your logs are clean. If there aren't any more problems, please continue with these final instructions and helpful links:

The following procedure will clear out the backups and quarantines created by the fix. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.

Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

--------------------------------------------------------------------


To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.

SpywareBlaster 4.0 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.

• It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.

IESpyAD Zoned Out to block access to malicious websites so you cannot be redirected to them from an infected site or email. This severely impairs attempts to infect your system as it basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.


Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.


In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

PC Safety and Security--What Do I Need?
Think Prevention


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

-----------------------------------------------------

Follow the list above and the potential for infection will reduce dramatically.

**Kindly respond one more time and let me know if we may consider this thread resolved.

[rsyewell]

Hi Reid,

Thanks so much, yes, this thread is resolved for sure.

Just a quick question, I write a monthly article in a smallish distribution Australian PC Magazine called "PC Update". I write about free files, basically free software and tips for PC's. I was wondering if it would be OK to write about techsupportforum. A few years back, my IE got infected and wouldn't go online, and helpful people like yourself got me back up and running. I've had 2 very positive experiences, and would like to recommend this site to the readers of the magazine. If there's someone I should contact about this, please feel free to pass along my contact info, it's ryanyewell[at]elecplay[dot]c0m.

Below is a link to one of my articles in the magazine. I'm by no means any kind of expert, so all I would be writing about is my personal experience of having my butt saved twice by you all, which I am very grateful for!

Thanks,
RY

http://www.melbpc.org.au/pcupdate/28...8article12.htm

[Ried]

You're most welcome, RY.


In regard to referring TSF in an article, I would suggest you send a Personal Message to the owner of TSF, Jason and speak with him about it.


Your article is quite good, by the way.

Take care, my friend.