Old 10-29-2008, 05:14 PM   #1 (permalink)
Registered User
 
Join Date: Mar 2007
Posts: 66
OS: winxp


Kaspersky Reports Trojan (Zbot); Word, Other Progs Won't Run

Hope I have done this right. I posted last week, waited three days, bumped, waited three more days, but didn't get any response. I know this is run by volunteers, and I hope they can help me.

My computer got suddenly very slow about ten days ago. Then programs stopped working. Clicking on the Word shortcut does not start the program. Other programs, when started, become "not responding" in Task Manager. Now, the Canon ZoomBrowser won't work. I suspect malware, but don't know what my next steps should be.

As instructed, I ran gmer.exe and rsit.exe. Rsit.exe did _not_ produce a minimized info.txt file. Here's the log:

Logfile of random's system information tool 1.04 (written by random/random)
Run by Phil & Cindy at 2008-10-29 20:00:50
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 51 GB (66%) free of 78 GB
Total RAM: 1151 MB (51% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:01:58 PM, on 29/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\LVComsX.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\Phil & Cindy\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Phil & Cindy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/webhp?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe" /d=60
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SkinClock] C:\Program Files\Atomic Alarm Clock\AtomicAlarmClock.exe
O4 - HKCU\..\Run: [NBJ] "C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.runescape.com
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/31.37/uploader2.cab
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} -
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/Driver...aSmartScan.cab
O16 - DPF: {76716694-EADA-4810-8C3B-4826328A317F} (SmartCouponPrinter Control) - http://content.dll1.com/Connectus/Sm...er20080612.cab
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius.com/download/sof...iveXPlugin.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7980 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-23 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2008-09-15 1562960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2007-09-20 328752]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{327C2873-E90D-4c37-AA9D-10AC9BABA46C}

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2006-10-22 7700480]
"a-squared"=C:\Program Files\a-squared Anti-Malware\a2guard.exe [2008-10-19 2782352]
"nwiz"=nwiz.exe /install []
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2006-10-22 86016]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-05-27 413696]
"nmctxth"=C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe [2008-05-16 648504]
"nmapp"=C:\Program Files\Pure Networks\Network Magic\nmapp.exe [2008-05-21 451896]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Skype"=C:\Program Files\Skype\Phone\Skype.exe [2008-02-01 21898024]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"SkinClock"=C:\Program Files\Atomic Alarm Clock\AtomicAlarmClock.exe [2008-09-11 1739264]
"NBJ"=C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe [2005-06-02 1957888]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
[]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\KEM.exe

C:\Documents and Settings\Phil & Cindy\Start Menu\Programs\Startup
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoResolveSearch"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Monte Cristo\Silverfall Demo\Silverfall.exe"="C:\Program Files\Monte Cristo\Silverfall Demo\Silverfall.exe:*:Enabled:Silverfall"
"C:\Program Files\Internet Explorer\iexplore.exe"="C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer"
"C:\Program Files\NewSoft\Presto! PageManager 6\NetGroup.exe"="C:\Program Files\NewSoft\Presto! PageManager 6\NetGroup.exe:*:Disabled:NewSoft Network Group"
"C:\Program Files\Microsoft Games\Age of Empires II\age2_x1\age2_x1.icd"="C:\Program Files\Microsoft Games\Age of Empires II\age2_x1\age2_x1.icd:*:Enabled:Age of Empires II Expansion"
"C:\Program Files\Microsoft Games\Age of Empires II\EMPIRES2.ICD"="C:\Program Files\Microsoft Games\Age of Empires II\EMPIRES2.ICD:*:Enabled:Age of Empires II"
"C:\Program Files\LEGO Media\Games\LEGO Chess\Lego Chess.exe"="C:\Program Files\LEGO Media\Games\LEGO Chess\Lego Chess.exe:*:Enabled:Lego Chess"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Microsoft Games\Age of Empires III\age3.exe"="C:\Program Files\Microsoft Games\Age of Empires III\age3.exe:*:Enabled:Age of Empires III"
"C:\Program Files\Microsoft Games\Halo\halo.exe"="C:\Program Files\Microsoft Games\Halo\halo.exe:*:Enabled:Halo"
"C:\Program Files\Electronic Arts\EADM\Core.exe"="C:\Program Files\Electronic Arts\EADM\Core.exe:*:Enabled:EA Download Manager"
"C:\Program Files\Microsoft Games\Age of Empires III\age3x.exe"="C:\Program Files\Microsoft Games\Age of Empires III\age3x.exe:*:Enabled:Age of Empires III - The WarChiefs"
"C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe"="C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe:LocalSubNet:Enabled:Pure Networks Platform Service"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype. The whole world can talk for free."

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======File associations======

.js - open - NOTEPAD.EXE %1
.vbs - open - NOTEPAD.EXE %1

======List of files/folders created in the last 1 months======

2008-10-28 23:24:50 ----D---- C:\Documents and Settings\Phil & Cindy\Application Data\Malwarebytes
2008-10-28 23:24:42 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-28 23:24:42 ----D---- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-10-28 23:24:15 ----D---- C:\Documents and Settings\Phil & Cindy\Application Data\TrojanHunter
2008-10-28 20:51:47 ----R---- C:\WINDOWS\system32\streamhlp.dll
2008-10-28 20:51:46 ----D---- C:\Program Files\TrojanHunter 5.0
2008-10-26 19:34:29 ----D---- C:\rsit
2008-10-24 17:08:56 ----D---- C:\Program Files\MagicScore Music Software
2008-10-24 1048 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2008-10-23 22:48:41 ----D---- C:\Program Files\Trend Micro
2008-10-23 22:41:39 ----D---- C:\Program Files\SpywareBlaster
2008-10-23 20:16:51 ----D---- C:\Program Files\Panda Security
2008-10-22 21:50:22 ----SHD---- C:\Config.Msi
2008-10-21 21:38:51 ----D---- C:\WINDOWS\system32\IOSUBSYS
2008-10-21 20:13:41 ----D---- C:\Program Files\Machinist2DLL
2008-10-21 19:57:30 ----D---- C:\Program Files\Common Files\DVDnextCOPY2
2008-10-21 19:57:30 ----D---- C:\Program Files\Common Files\DistributeShield
2008-10-21 19:57:30 ----D---- C:\DVDneXtCopy
2008-10-21 19:57:26 ----D---- C:\Program Files\DVDneXtCOPY2
2008-10-16 03:11:19 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2008-10-16 03:11:04 ----HDC---- C:\WINDOWS\$NtUninstallKB956391$
2008-10-16 03:10:51 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$
2008-10-16 03:08:58 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
2008-10-16 03:08:37 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
2008-10-16 03:03:41 ----HDC---- C:\WINDOWS\$NtUninstallKB953155$
2008-10-06 19:45:20 ----D---- C:\Documents and Settings\Phil & Cindy\Application Data\SlySoft

======List of files/folders modified in the last 1 months======

2008-10-29 20:01:17 ----AD---- C:\WINDOWS\Temp
2008-10-29 19:46:56 ----A---- C:\WINDOWS\gmer.ini
2008-10-29 19:46:23 ----A---- C:\Documents and Settings\Phil & Cindy\Application Data\AtomicAlarmClock.ini
2008-10-29 19:45:33 ----D---- C:\Documents and Settings\Phil & Cindy\Application Data\Skype
2008-10-29 19:32:57 ----D---- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-10-29 19:32:56 ----D---- C:\WINDOWS
2008-10-29 19:31:56 ----D---- C:\WINDOWS\system32\CatRoot2
2008-10-29 19:17:08 ----D---- C:\WINDOWS\system32
2008-10-29 18:54:30 ----D---- C:\WINDOWS\Prefetch
2008-10-29 18:47:23 ----A---- C:\WINDOWS\NeroDigital.ini
2008-10-29 18:36:36 ----HD---- C:\WINDOWS\inf
2008-10-29 18:36:36 ----D---- C:\WINDOWS\system32\drivers
2008-10-29 16:04:10 ----D---- C:\Documents and Settings\Phil & Cindy\Application Data\skypePM
2008-10-29 14:00:01 ----D---- C:\Program Files\a-squared Anti-Malware
2008-10-29 08:11:26 ----A---- C:\WINDOWS\win.ini
2008-10-29 08:05:35 ----AH---- C:\WINDOWS\system32\FFASTLOG.TXT
2008-10-29 07:14:33 ----N---- C:\WINDOWS\SchedLgU.Txt
2008-10-28 23:24:42 ----AD---- C:\Program Files
2008-10-26 15:47:30 ----A---- C:\WINDOWS\ODBCINST.INI
2008-10-26 15:47:28 ----D---- C:\Program Files\Common Files\Microsoft Shared
2008-10-26 15:47:13 ----D---- C:\WINDOWS\system
2008-10-26 15:46:53 ----RSD---- C:\WINDOWS\Fonts
2008-10-26 15:28:21 ----D---- C:\WINDOWS\Help
2008-10-25 21:46:32 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-10-25 21:38:18 ----AD---- C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-10-25 20:52:54 ----A---- C:\WINDOWS\gmer.dll
2008-10-24 1050 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-10-24 1037 ----HD---- C:\WINDOWS\$hf_mig$
2008-10-23 20:16:10 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-10-23 19:09:42 ----D---- C:\Program Files\Canon
2008-10-23 18:55:35 ----D---- C:\Documents and Settings\Phil & Cindy\Application Data\Canon
2008-10-23 07:13:28 ----D---- C:\Program Files\Common Files\Blizzard Entertainment
2008-10-23 07:00:58 ----D---- C:\Program Files\Troll
2008-10-22 23:02:34 ----D---- C:\Program Files\Theseus and the Minotaur
2008-10-22 21:58:56 ----D---- C:\Program Files\Super Cubes
2008-10-22 21:58:27 ----D---- C:\Program Files\IObit
2008-10-22 21:58:19 ----SHD---- C:\WINDOWS\Installer
2008-10-22 21:57:42 ----HD---- C:\Program Files\InstallShield Installation Information
2008-10-22 21:57:28 ----D---- C:\Program Files\Rock Legend
2008-10-22 21:56:55 ----D---- C:\Program Files\Realore
2008-10-22 21:54:53 ----D---- C:\Program Files\Jets'n'Guns GOLD
2008-10-22 21:50:58 ----D---- C:\Program Files\Astro Avenger 2
2008-10-22 21:50:46 ----D---- C:\Program Files\Around the World in 80 Days
2008-10-22 21:50:22 ----SD---- C:\WINDOWS\Tasks
2008-10-22 21:49:51 ----DC---- C:\WINDOWS\system32\DRVSTORE
2008-10-22 21:49:48 ----D---- C:\Program Files\Common Files
2008-10-22 20:32:09 ----D---- C:\WINDOWS\Debug
2008-10-21 22:03:34 ----D---- C:\Program Files\Microsoft Silverlight
2008-10-21 21:38:34 ----D---- C:\Program Files\Google
2008-10-20 12:55:40 ----A---- C:\WINDOWS\CSTBox.INI
2008-10-19 08:35:36 ----A---- C:\AILog.txt
2008-10-17 22:18:33 ----D---- C:\Program Files\Mozilla Firefox
2008-10-16 03:10:27 ----D---- C:\Program Files\Internet Explorer
2008-10-15 13:34:24 ----A---- C:\WINDOWS\system32\netapi32.dll
2008-10-07 16:19:40 ----A---- C:\WINDOWS\system32\MRT.exe
2008-10-06 20:22:27 ----D---- C:\Program Files\SlySoft
2008-10-03 19:27:16 ----D---- C:\WINDOWS\.jagex_cache_32
2008-10-03 14:41:15 ----A---- C:\WINDOWS\system32\ieframe.dll

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK7;AMD K7 Processor Driver; C:\WINDOWS\system32\DRIVERS\amdk7.sys [2008-04-13 37760]
R1 Cdr4_xp;Cdr4_xp; C:\WINDOWS\system32\drivers\Cdr4_xp.sys [2006-08-25 2432]
R1 Cdralw2k;Cdralw2k; C:\WINDOWS\system32\drivers\Cdralw2k.sys [2006-08-25 2560]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-04 12032]
R2 atksgt;atksgt; C:\WINDOWS\system32\DRIVERS\atksgt.sys [2007-09-21 271360]
R2 CINEMSUP;Software Cinemaster NT4.0 Driver; C:\WINDOWS\SYSTEM32\DRIVERS\CINEMSUP.SYS [2001-10-01 6144]
R2 lirsgt;lirsgt; C:\WINDOWS\system32\DRIVERS\lirsgt.sys [2007-09-21 18048]
R2 pnarp;Pure Networks Device Discovery Driver; C:\WINDOWS\system32\DRIVERS\pnarp.sys [2008-05-16 23992]
R2 purendis;Pure Networks Wireless Driver; C:\WINDOWS\system32\DRIVERS\purendis.sys [2008-05-16 25272]
R3 GEARAspiWDM;GEARAspiWDM; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-01-29 16168]
R3 gmer;gmer; C:\WINDOWS\System32\DRIVERS\gmer.sys [2008-10-25 85969]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 L8042Kbd;Logitech SetPoint Keyboard Driver; C:\WINDOWS\system32\DRIVERS\L8042Kbd.sys [2004-10-21 13107]
R3 L8042mou;Logitech SetPoint PS/2 Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\L8042mou.Sys [2004-10-21 54851]
R3 LMouKE;Logitech SetPoint Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\LMouKE.Sys [2004-10-21 71535]
R3 LVUSBSta;Logitech USB Monitor Filter; C:\WINDOWS\system32\DRIVERS\LVUSBSta.sys [2005-01-19 22016]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2006-10-22 3994624]
R3 nvax;Service for NVIDIA(R) nForce(TM) Audio Enumerator; C:\WINDOWS\system32\drivers\nvax.sys [2004-10-22 53376]
R3 NVENET;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENET.sys [2004-01-29 93764]
R3 nvnforce;Service for NVIDIA(R) nForce(TM) Audio; C:\WINDOWS\system32\drivers\nvapu.sys [2004-10-22 413824]
R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2003-12-05 10368]
R3 PID_0928;Labtec WebCam(PID_0928); C:\WINDOWS\system32\DRIVERS\LV561AV.SYS [2005-01-19 211712]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\System32\DRIVERS\kbdhid.sys [2008-04-13 14592]
S3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2004-08-03 701440]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 itchfltr;iTouch Keyboard Filter; C:\WINDOWS\system32\DRIVERS\itchfltr.sys [2004-03-10 12953]
S3 KProcWatch;KProcWatch; \??\C:\WINDOWS\system32\drivers\KProcWatch.sys []
S3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2004-08-04 12160]
S3 MREMPR5;MREMPR5 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS []
S3 MRENDIS5;MRENDIS5 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS []
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 PalmUSBD;PalmUSBD; C:\WINDOWS\system32\drivers\PalmUSBD.sys []
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 a2AntiMalware;a-squared Anti-Malware Service; C:\Program Files\a-squared Anti-Malware\a2service.exe [2008-10-19 418936]
R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-07-26 611664]
R2 nmservice;Pure Networks Platform Service; C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe [2008-05-16 648504]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2006-10-22 159810]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
R2 UPHClean;User Profile Hive Cleanup; C:\Program Files\UPHClean\uphclean.exe [2005-04-27 241725]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-22 138168]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-07-30 532264]
S3 nmraapache;Pure Networks Net2Go Service; C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe [2008-05-21 12800]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]

-----------------EOF-----------------

The Gmer.txt is attached.

Thanks for any assistance you can offer.

Phil
Attached Files
File Type: txt gmer.txt (13.3 KB, 2 views)
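A small triage parser for the HijackThis section of the log above, added here as an example (it is not code from the forum, from HijackThis or from RSIT). The sample lines are copied from the posted log; the flag names and the heuristics behind them (orphaned CLSID, DPF entry with no source URL, blanked IE setting, autorun that is a bare filename) are my own choices.

```python
"""Triage parser for HijackThis-style log lines (R0/R1, O2, O3, O4, O16, O23 ...)."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Every HijackThis line is "<section code> - <entry body>", e.g. "O4 - HKLM\..\Run: [...]".
LINE_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# O4 body layout: "<hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^(?P<hive>.+?): \[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")

# Constructed sample: lines copied from the HijackThis section of the log posted above.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} -
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


@dataclass
class HjtEntry:
    code: str                      # section code, e.g. "O4"
    body: str                      # text after "O4 - "
    clsid: Optional[str] = None    # CLSID for O2/O3/O9/O16/O18 entries, if present
    flags: List[str] = field(default_factory=list)   # triage findings (names are mine)


def executable_of(cmd: str) -> str:
    """Return the program an O4 command line launches (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        exe = cmd[1:end] if end > 0 else cmd[1:]
    else:
        exe = cmd.split()[0] if cmd else ""
    # For rundll32 entries the interesting module is the first argument, up to the comma.
    if exe.lower() == "rundll32.exe":
        rest = cmd[len(exe):].strip()
        exe = rest.split(",")[0].strip().strip('"') or exe
    return exe


def triage(code: str, body: str) -> List[str]:
    """Heuristic flags a reviewer would apply to a single entry."""
    flags: List[str] = []
    text = body.rstrip()
    if "(no file)" in text:
        flags.append("orphaned-clsid")        # registered COM object whose file is gone
    if code == "O16" and text.endswith("-"):
        flags.append("dpf-no-source-url")     # downloaded ActiveX control with no recorded source
    if code in ("R0", "R1") and text.endswith("="):
        flags.append("empty-value")           # IE start/search/local page setting blanked
    if code == "O4":
        m = O4_RE.match(text)
        if m:
            exe = executable_of(m.group("cmd"))
            if exe and "\\" not in exe and "%" not in exe:
                flags.append("autorun-bare-filename")  # resolved through PATH search, not a fixed path
    return flags


def parse_hjt(log_text: str) -> List[HjtEntry]:
    """Parse every HijackThis entry line; non-matching lines (headers, process list) are skipped."""
    entries: List[HjtEntry] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.group(1), m.group(2)
        clsid_m = CLSID_RE.search(body)
        entries.append(HjtEntry(code, body, clsid_m.group(0) if clsid_m else None, triage(code, body)))
    return entries


def count_by_code(entries: List[HjtEntry]) -> Dict[str, int]:
    """How many entries each section code contributed (useful to compare two logs)."""
    return dict(Counter(e.code for e in entries))


def flagged(entries: List[HjtEntry]) -> List[HjtEntry]:
    """Only the entries that carry at least one triage flag."""
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in flagged(parse_hjt(SAMPLE_LOG)):
        print(f"{e.code:4} {', '.join(e.flags):24} {e.body}")
```

Flags are review prompts, not verdicts: the "(no file)" toolbar and the URL-less DPF entries in the posted log are exactly the kind of leftovers the helper later calls harmless.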
Old 11-02-2008, 10:19 AM   #2 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,355
OS: N/A


Re: Kaspersky Reports Trojan (Zbot); Word, Other Progs Won't Run

Show me MBAM's logs
Old 11-02-2008, 01:15 PM   #3 (permalink)
Registered User
 
Join Date: Mar 2007
Posts: 66
OS: winxp


Re: Kaspersky Reports Trojan (Zbot); Word, Other Progs Won't Run

MBAM log:

Malwarebytes' Anti-Malware 1.30
Database version: 1334
Windows 5.1.2600 Service Pack 3

29/10/2008 12:28:08 AM
mbam-log-2008-10-29 (00-28-08).txt

Scan type: Quick Scan
Objects scanned: 57684
Time elapsed: 4 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\ (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Old 11-02-2008, 03:25 PM   #4 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,355
OS: N/A


Re: Kaspersky Reports Trojan (Zbot); Word, Other Progs Won't Run

Hmm, those are harmless leftovers that MBAM removed. Nothing that should affect your machine in the way you described. Let's try a different scanner to see if we can uncover anything.


Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

Post the log from ComboFix when you've accomplished that.
Old 11-02-2008, 04:36 PM   #5 (permalink)
Registered User
 
Join Date: Mar 2007
Posts: 66
OS: winxp


Re: Kaspersky Reports Trojan (Zbot); Word, Other Progs Won't Run

Okay, that was fun. It didn't go exactly as described when I tried to load the Windows Recovery Console from my CD, but then I followed the directions for getting it from the MS web site, and it seemed to work. Here's the ComboFix log and btw, I was also happy to make a PayPal contribution:

ComboFix 08-11-02.03 - Phil & Cindy 2008-11-02 19:21:31.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.619 [GMT -4:00]
Running from: C:\Documents and Settings\Phil & Cindy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Phil & Cindy\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.
Error: Cfolders.dat

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Downloaded Program Files\setup.inf

.
((((((((((((((((((((((((( Files Created from 2008-10-02 to 2008-11-02 )))))))))))))))))))))))))))))))
.

2008-11-02 16:07 . 2008-11-02 16:07 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-11-02 16:07 . 2008-10-22 16:10 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-11-02 16:07 . 2008-10-22 16:10 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-11-01 13:10 . 2008-11-01 13:10 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-11-01 13:09 . 2008-11-01 13:09 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-11-01 13:09 . 2008-11-01 15:03 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-11-01 12:58 . 2008-11-01 12:58 <DIR> d-------- C:\Games
2008-11-01 12:33 . 2008-11-01 12:33 <DIR> d-------- C:\Program Files\iTunes
2008-11-01 12:33 . 2008-11-01 12:33 <DIR> d-------- C:\Program Files\iPod
2008-11-01 12:33 . 2008-11-01 12:33 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-01 12:32 . 2008-11-01 12:32 <DIR> d-------- C:\Program Files\Bonjour
2008-11-01 12:30 . 2008-11-01 12:31 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-11-01 12:30 . 2008-11-01 12:30 <DIR> d-------- C:\Program Files\Apple Software Update
2008-10-30 18:40 . 2008-11-02 15:57 141 --a------ C:\WINDOWS\system32\09wutili.sys
2008-10-30 18:39 . 2008-10-30 18:50 <DIR> d-------- C:\Program Files\WinUtilities
2008-10-29 19:59 . 2008-10-29 20:04 <DIR> d-------- C:\Documents and Settings\Phil & Cindy\Application Data\PowerHouse
2008-10-28 22:24 . 2008-10-28 22:24 <DIR> d-------- C:\Documents and Settings\Phil & Cindy\Application Data\TrojanHunter
2008-10-28 22:24 . 2008-10-28 22:24 <DIR> d-------- C:\Documents and Settings\Phil & Cindy\Application Data\Malwarebytes
2008-10-28 22:24 . 2008-10-28 22:24 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-10-28 22:11 . 2008-10-28 22:11 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\TrojanHunter
2008-10-28 19:51 . 2008-10-29 18:36 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2008-10-27 14:58 . 2008-10-27 14:58 7,630 --a------ C:\WINDOWS\extend.dat
2008-10-26 18:34 . 2008-10-26 18:35 <DIR> d-------- C:\rsit
2008-10-24 16:08 . 2008-10-24 16:08 <DIR> d-------- C:\Program Files\MagicScore Music Software
2008-10-24 07:57 . 2008-10-15 12:34 337,408 -----c--- C:\WINDOWS\system32\dllcache\netapi32.dll
2008-10-23 21:48 . 2008-10-23 21:48 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-23 21:41 . 2008-10-25 20:38 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-10-23 20:18 . 2008-10-23 20:18 2,302,017 --a------ C:\WINDOWS\system32\GPhotos.scr
2008-10-23 19:16 . 2008-10-29 19:21 <DIR> d-------- C:\Program Files\Panda Security
2008-10-21 20:38 . 2008-10-21 20:38 <DIR> d-------- C:\WINDOWS\system32\IOSUBSYS
2008-10-21 19:13 . 2008-10-21 19:13 <DIR> d-------- C:\Program Files\Machinist2DLL
2008-10-21 18:57 . 2008-10-21 19:43 <DIR> d-------- C:\Program Files\DVDneXtCOPY2
2008-10-21 18:57 . 2008-10-21 18:57 <DIR> d-------- C:\Program Files\Common Files\DVDnextCOPY2
2008-10-21 18:57 . 2008-10-21 18:57 <DIR> d-------- C:\Program Files\Common Files\DistributeShield
2008-10-21 18:57 . 2008-10-21 18:57 <DIR> d-------- C:\DVDneXtCopy
2008-10-15 06:53 . 2008-09-08 06:41 333,824 -----c--- C:\WINDOWS\system32\dllcache\srv.sys
2008-10-15 06:52 . 2008-08-14 06:11 2,189,184 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-15 06:52 . 2008-08-14 06:09 2,145,280 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-15 06:52 . 2008-08-14 05:33 2,066,048 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-15 06:52 . 2008-08-14 05:33 2,023,936 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-15 06:52 . 2008-09-15 08:12 1,846,400 -----c--- C:\WINDOWS\system32\dllcache\win32k.sys
2008-10-06 18:45 . 2008-10-06 18:45 <DIR> d-------- C:\Documents and Settings\Phil & Cindy\Application Data\SlySoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-02 20:06 --------- d-----w C:\Documents and Settings\Phil & Cindy\Application Data\skypePM
2008-11-02 20:06 --------- d-----w C:\Documents and Settings\Phil & Cindy\Application Data\Skype
2008-11-01 16:31 --------- d-----w C:\Program Files\QuickTime
2008-10-29 22:32 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-10-29 17:00 --------- d-----w C:\Program Files\a-squared Anti-Malware
2008-10-26 00:46 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-10-26 00:38 --------- d---a-w C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-10-23 22:09 --------- d-----w C:\Program Files\Canon
2008-10-23 21:55 --------- d-----w C:\Documents and Settings\Phil & Cindy\Application Data\Canon
2008-10-23 10:13 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2008-10-23 10:00 --------- d-----w C:\Program Files\Troll
2008-10-23 02:02 --------- d-----w C:\Program Files\Theseus and the Minotaur
2008-10-23 00:58 --------- d-----w C:\Program Files\Super Cubes
2008-10-23 00:58 --------- d-----w C:\Program Files\IObit
2008-10-23 00:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-10-23 00:57 --------- d-----w C:\Program Files\Rock Legend
2008-10-23 00:56 --------- d-----w C:\Program Files\Realore
2008-10-23 00:54 --------- d-----w C:\Program Files\Jets'n'Guns GOLD
2008-10-23 00:50 --------- d-----w C:\Program Files\Astro Avenger 2
2008-10-23 00:50 --------- d-----w C:\Program Files\Around the World in 80 Days
2008-10-22 01:03 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-10-22 00:38 --------- d-----w C:\Program Files\Google
2008-10-17 22:51 30 ----a-w C:\Documents and Settings\Phil & Cindy\jagex_runescape_preferences.dat
2008-10-06 23:22 --------- d-----w C:\Program Files\SlySoft
2008-09-28 15:45 --------- d-----w C:\Program Files\Common Files\Pure Networks Shared
2008-09-23 23:04 --------- d-----w C:\Program Files\Atomic Alarm Clock
2008-09-21 17:08 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-09-21 17:08 --------- d--h--r C:\Documents and Settings\Phil & Cindy\Application Data\SecuROM
2008-09-18 09:43 --------- d-----w C:\Program Files\Marble Arena
2008-09-15 12:12 1,846,400 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-14 23:26 --------- d-----w C:\Program Files\InterActual
2008-09-08 23:31 --------- d-----w C:\Program Files\AutoHotkey
2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-08-29 13:18 87,336 ----a-w C:\WINDOWS\system32\dns-sd.exe
2008-08-29 12:53 61,440 ----a-w C:\WINDOWS\system32\dnssd.dll
2008-08-28 07:46 74,752 ----a-w C:\WINDOWS\system32\msw3prt.dll
2008-08-28 07:46 104,960 ----a-w C:\WINDOWS\system32\win32spl.dll
2008-08-26 07:24 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-08-14 10:11 2,189,184 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 09:33 2,066,048 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-05-25 13:31 0 ----a-w C:\Program Files\temp01
2008-03-27 22:13 32 ----a-w C:\Documents and Settings\All Users.WINDOWS\Application Data\ezsid.dat
2006-08-15 20:14 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2007-04-26 21:58 80 --sh--r C:\WINDOWS\system32\FF802AC291.dll
2007-02-11 19:43 624,725 --sha-w C:\WINDOWS\system32\rsetup.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-01 21898024]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"SkinClock"="C:\Program Files\Atomic Alarm Clock\AtomicAlarmClock.exe" [2008-09-11 1739264]
"NBJ"="C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe" [2005-06-02 1957888]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 7700480]
"a-squared"="C:\Program Files\a-squared Anti-Malware\a2guard.exe" [2008-10-19 2782352]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 86016]
"nmctxth"="C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-05-16 648504]
"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" [2008-05-21 451896]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"nwiz"="nwiz.exe" [2006-10-22 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2008-04-13 15360]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

C:\Documents and Settings\Phil & Cindy\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1996-11-16 111376]
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1996-11-16 51984]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\KEM.exe [2006-05-22 581632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@=""
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\PandaAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\PandaFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.icd"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R2 CINEMSUP;Software Cinemaster NT4.0 Driver;C:\WINDOWS\system32\DRIVERS\CINEMSUP.SYS [2001-10-01 6144]
S3 KProcWatch;KProcWatch;C:\WINDOWS\system32\drivers\KProcWatch.sys [ ]
.
Contents of the 'Scheduled Tasks' folder

2008-11-01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Phil & Cindy\Application Data\Mozilla\Firefox\Profiles\rjz2yl4p.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-02 19:22:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-02 19:25:17
ComboFix-quarantined-files.txt 2008-11-02 23:24:58
ComboFix2.txt 2007-05-16 21:21:15

Pre-Run: 53,934,850,048 bytes free
Post-Run: 54,182,699,008 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /noexecute=optin

200 --- E O F --- 2008-11-01 19:04:12
ppayzant is offline  
Old 11-02-2008, 04:38 PM   #6 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,355
OS: N/A


Re: Kaspersky Reports Trojan (Zbot); Word, Other Progs Won't Run

Quote:
Error: Cfolders.dat
This indicates an error with one of the routines. Give me a few minutes as I check it out.
sUBs is offline  
Old 11-02-2008, 05:12 PM   #7 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,355
OS: N/A


Re: Kaspersky Reports Trojan (Zbot); Word, Other Progs Won't Run

Found it. It was catching the ampersand '&' from your username.
Please delete your existing copy of ComboFix & download a fresh copy from here:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Give it a run & then post the resultant log. I don't really expect it to find much different but let's not leave any stones uncovered.
sUBs is offline  
Old 11-02-2008, 05:15 PM   #8 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,355
OS: N/A


Re: Kaspersky Reports Trojan (Zbot); Word, Other Progs Won't Run

This next question is just to satisfy my own personal curiosity. Does your machine do this to you? The ampersand got ripped off the logon name for me.

sUBs is offline  
Old 11-02-2008, 05:47 PM   #9 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,355
OS: N/A


Re: Kaspersky Reports Trojan (Zbot); Word, Other Progs Won't Run

Quote:
Kaspersky Reports Trojan (Zbot)
Also tell me where you get this message. I see no signs of Zbot in your logs.
sUBs is offline  
Old 11-02-2008, 05:58 PM   #10 (permalink)
Registered User
 
Join Date: Mar 2007
Posts: 66
OS: winxp


Re: Kaspersky Reports Trojan (Zbot); Word, Other Progs Won't Run

1) New ComboFix log:

ComboFix 08-11-02.04 - Phil & Cindy 2008-11-02 20:41:18.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.574 [GMT -4:00]
Running from: C:\Documents and Settings\Phil & Cindy\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-10-03 to 2008-11-03 )))))))))))))))))))))))))))))))
.

2008-11-02 16:07 . 2008-11-02 16:07 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-11-02 16:07 . 2008-10-22 16:10 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-11-02 16:07 . 2008-10-22 16:10 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-11-01 13:10 . 2008-11-01 13:10 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-11-01 13:09 . 2008-11-01 13:09 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-11-01 13:09 . 2008-11-01 15:03 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-11-01 12:58 . 2008-11-01 12:58 <DIR> d-------- C:\Games
2008-11-01 12:33 . 2008-11-01 12:33 <DIR> d-------- C:\Program Files\iTunes
2008-11-01 12:33 . 2008-11-01 12:33 <DIR> d-------- C:\Program Files\iPod
2008-11-01 12:33 . 2008-11-01 12:33 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-01 12:32 . 2008-11-01 12:32 <DIR> d-------- C:\Program Files\Bonjour
2008-11-01 12:30 . 2008-11-01 12:31 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-11-01 12:30 . 2008-11-01 12:30 <DIR> d-------- C:\Program Files\Apple Software Update
2008-10-30 18:40 . 2008-11-02 15:57 141 --a------ C:\WINDOWS\system32\09wutili.sys
2008-10-30 18:39 . 2008-10-30 18:50 <DIR> d-------- C:\Program Files\WinUtilities
2008-10-29 19:59 . 2008-10-29 20:04 <DIR> d-------- C:\Documents and Settings\Phil & Cindy\Application Data\PowerHouse
2008-10-28 22:24 . 2008-10-28 22:24 <DIR> d-------- C:\Documents and Settings\Phil & Cindy\Application Data\TrojanHunter
2008-10-28 22:24 . 2008-10-28 22:24 <DIR> d-------- C:\Documents and Settings\Phil & Cindy\Application Data\Malwarebytes
2008-10-28 22:24 . 2008-10-28 22:24 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-10-28 22:11 . 2008-10-28 22:11 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\TrojanHunter
2008-10-28 19:51 . 2008-10-29 18:36 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2008-10-27 14:58 . 2008-10-27 14:58 7,630 --a------ C:\WINDOWS\extend.dat
2008-10-26 18:34 . 2008-10-26 18:35 <DIR> d-------- C:\rsit
2008-10-24 16:08 . 2008-10-24 16:08 <DIR> d-------- C:\Program Files\MagicScore Music Software
2008-10-24 07:57 . 2008-10-15 12:34 337,408 -----c--- C:\WINDOWS\system32\dllcache\netapi32.dll
2008-10-23 21:48 . 2008-10-23 21:48 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-23 21:41 . 2008-10-25 20:38 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-10-23 20:18 . 2008-10-23 20:18 2,302,017 --a------ C:\WINDOWS\system32\GPhotos.scr
2008-10-23 19:16 . 2008-10-29 19:21 <DIR> d-------- C:\Program Files\Panda Security
2008-10-21 20:38 . 2008-10-21 20:38 <DIR> d-------- C:\WINDOWS\system32\IOSUBSYS
2008-10-21 19:13 . 2008-10-21 19:13 <DIR> d-------- C:\Program Files\Machinist2DLL
2008-10-21 18:57 . 2008-10-21 19:43 <DIR> d-------- C:\Program Files\DVDneXtCOPY2
2008-10-21 18:57 . 2008-10-21 18:57 <DIR> d-------- C:\Program Files\Common Files\DVDnextCOPY2
2008-10-21 18:57 . 2008-10-21 18:57 <DIR> d-------- C:\Program Files\Common Files\DistributeShield
2008-10-21 18:57 . 2008-10-21 18:57 <DIR> d-------- C:\DVDneXtCopy
2008-10-15 06:53 . 2008-09-08 06:41 333,824 -----c--- C:\WINDOWS\system32\dllcache\srv.sys
2008-10-15 06:52 . 2008-08-14 06:11 2,189,184 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-15 06:52 . 2008-08-14 06:09 2,145,280 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-15 06:52 . 2008-08-14 05:33 2,066,048 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-15 06:52 . 2008-08-14 05:33 2,023,936 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-15 06:52 . 2008-09-15 08:12 1,846,400 -----c--- C:\WINDOWS\system32\dllcache\win32k.sys
2008-10-06 18:45 . 2008-10-06 18:45 <DIR> d-------- C:\Documents and Settings\Phil & Cindy\Application Data\SlySoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-03 00:34 --------- d-----w C:\Documents and Settings\Phil & Cindy\Application Data\Skype
2008-11-03 00:33 --------- d-----w C:\Documents and Settings\Phil & Cindy\Application Data\skypePM
2008-11-01 16:31 --------- d-----w C:\Program Files\QuickTime
2008-10-29 22:32 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-10-29 17:00 --------- d-----w C:\Program Files\a-squared Anti-Malware
2008-10-26 00:46 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-10-26 00:38 --------- d---a-w C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-10-23 22:09 --------- d-----w C:\Program Files\Canon
2008-10-23 21:55 --------- d-----w C:\Documents and Settings\Phil & Cindy\Application Data\Canon
2008-10-23 10:13 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2008-10-23 10:00 --------- d-----w C:\Program Files\Troll
2008-10-23 02:02 --------- d-----w C:\Program Files\Theseus and the Minotaur
2008-10-23 00:58 --------- d-----w C:\Program Files\Super Cubes
2008-10-23 00:58 --------- d-----w C:\Program Files\IObit
2008-10-23 00:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-10-23 00:57 --------- d-----w C:\Program Files\Rock Legend
2008-10-23 00:56 --------- d-----w C:\Program Files\Realore
2008-10-23 00:54 --------- d-----w C:\Program Files\Jets'n'Guns GOLD
2008-10-23 00:50 --------- d-----w C:\Program Files\Astro Avenger 2
2008-10-23 00:50 --------- d-----w C:\Program Files\Around the World in 80 Days
2008-10-22 01:03 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-10-22 00:38 --------- d-----w C:\Program Files\Google
2008-10-17 22:51 30 ----a-w C:\Documents and Settings\Phil & Cindy\jagex_runescape_preferences.dat
2008-10-06 23:22 --------- d-----w C:\Program Files\SlySoft
2008-09-28 15:45 --------- d-----w C:\Program Files\Common Files\Pure Networks Shared
2008-09-23 23:04 --------- d-----w C:\Program Files\Atomic Alarm Clock
2008-09-21 17:08 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-09-21 17:08 --------- d--h--r C:\Documents and Settings\Phil & Cindy\Application Data\SecuROM
2008-09-18 09:43 --------- d-----w C:\Program Files\Marble Arena
2008-09-15 12:12 1,846,400 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-14 23:26 --------- d-----w C:\Program Files\InterActual
2008-09-08 23:31 --------- d-----w C:\Program Files\AutoHotkey
2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-08-29 13:18 87,336 ----a-w C:\WINDOWS\system32\dns-sd.exe
2008-08-29 12:53 61,440 ----a-w C:\WINDOWS\system32\dnssd.dll
2008-08-28 07:46 74,752 ----a-w C:\WINDOWS\system32\msw3prt.dll
2008-08-28 07:46 104,960 ----a-w C:\WINDOWS\system32\win32spl.dll
2008-08-26 07:24 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-08-14 10:11 2,189,184 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 09:33 2,066,048 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-05-25 13:31 0 ----a-w C:\Program Files\temp01
2008-03-27 22:13 32 ----a-w C:\Documents and Settings\All Users.WINDOWS\Application Data\ezsid.dat
2006-08-15 20:14 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2007-04-26 21:58 80 --sh--r C:\WINDOWS\system32\FF802AC291.dll
2007-02-11 19:43 624,725 --sha-w C:\WINDOWS\system32\rsetup.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-01 21898024]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"SkinClock"="C:\Program Files\Atomic Alarm Clock\AtomicAlarmClock.exe" [2008-09-11 1739264]
"NBJ"="C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe" [2005-06-02 1957888]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 7700480]
"a-squared"="C:\Program Files\a-squared Anti-Malware\a2guard.exe" [2008-10-19 2782352]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 86016]
"nmctxth"="C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-05-16 648504]
"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" [2008-05-21 451896]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"nwiz"="nwiz.exe" [2006-10-22 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2008-04-13 15360]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

C:\Documents and Settings\Phil & Cindy\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1996-11-16 111376]
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1996-11-16 51984]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\KEM.exe [2006-05-22 581632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@=""
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\PandaAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\PandaFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.icd"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R2 CINEMSUP;Software Cinemaster NT4.0 Driver;C:\WINDOWS\system32\DRIVERS\CINEMSUP.SYS [2001-10-01 6144]
S3 KProcWatch;KProcWatch;C:\WINDOWS\system32\drivers\KProcWatch.sys [ ]
.
Contents of the 'Scheduled Tasks' folder

2008-11-01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Phil & Cindy\Application Data\Mozilla\Firefox\Profiles\rjz2yl4p.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-02 20:44:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-02 20:47:01
ComboFix-quarantined-files.txt 2008-11-03 00:46:01
ComboFix2.txt 2008-11-02 23:25:18
ComboFix3.txt 2007-05-16 21:21:15

Pre-Run: 54,173,163,520 bytes free
Post-Run: 54,163,218,432 bytes free

188 --- E O F --- 2008-11-01 19:04:12


2) I'm running XP Home, so I don't see the same screen when I click on Start, but if I click "Log Off", then "Switch User" it shows "Phil & Cindy" as the only choice.

3) I was running the Kaspersky online scanner . . . I don't have the Kaspersky program.
ppayzant is offline  
Old 11-02-2008, 06:19 PM   #11 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,355
OS: N/A


Re: Kaspersky Reports Trojan (Zbot); Word, Other Progs Won't Run

Do you still have the log from Kaspersky? Did it mention names like these:

* ntos.exe
* oembios.exe
* twext.exe

If so, something else must have taken it out. If they were present, ComboFix should find them.


-----------


There are a few files that I'd like a closer look at.

* C:\WINDOWS\system32\FF802AC291.dll
* C:\WINDOWS\system32\rsetup.exe

Please do this ....

Open notepad and copy/paste the text in the quotebox below into it:
Code:
@ECHO OFF
CD /D "%~DP0"
FOR %%G IN (
C:\WINDOWS\SYSTEM32\FF802AC291.DLL
C:\WINDOWS\SYSTEM32\RSETUP.EXE
) DO ZIP UPLOADTHIS %%G
DEL C:\PROGRA~1\temp01
DEL %0
Save this as Submit.bat. Choose to "Save type as - All Files".
It should look like this:
Double click on Submit.bat & allow it to run
This will generate an archive on your desktop, UploadThis.zip.
Kindly upload the file to this website > http://www.bleepingcomputer.com/subm....php?channel=4


------------


Quote:
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
Are these your doing? They will cause script files to default to opening with Notepad.
sUBs is offline  
Old 11-02-2008, 06:29 PM   #12 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,355
OS: N/A


Re: Kaspersky Reports Trojan (Zbot); Word, Other Progs Won't Run

Quote:
C:\Program Files\WinUtilities
Is this related to WinUtilities Registry Cleaner ?

Please be advised that ALL Registry Cleaners are prone to causing massive damage/corruption to the Registry. The Registry is the single most important component in your Operating System. Once corrupted, the best recourse is to perform a wipe of the machine.

Unfortunately, the corruption is seldom evident immediately. They manifest themselves as inexplicable issues further down the road. If the tool has an undo function, exercise it now.
sUBs is offline  
Old 11-02-2008, 06:49 PM   #13 (permalink)
Registered User
 
Join Date: Mar 2007
Posts: 66
OS: winxp


Re: Kaspersky Reports Trojan (Zbot); Word, Other Progs Won't Run

1) sorry, don't have the Kaspersky log . . . but I don't recall seeing those names
2) UploadThis.zip uploaded
3) "Are these your doing?" Nope, at least not on purpose
4) WinUtilities uninstalled. I never ran the registry cleaner component of the program, for the reasons you cite. I am prepared to wipe my machine, but hope it doesn't come to that!
ppayzant is offline  
Old 11-02-2008, 07:09 PM   #14 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,355
OS: N/A


Re: Kaspersky Reports Trojan (Zbot); Word, Other Progs Won't Run

Quote:
4) WinUtilities uninstalled. I never ran the registry cleaner component of the program, for the reasons you cite.
I don't really have anything against WinUtilities but Registry Cleaners do cause a lot of damage.

Quote:
1) sorry, don't have the Kaspersky log . . . but I don't recall seeing those names
Could I trouble you to re-do the Kaspersky Scan?

Quote:
3) "Are these your doing?" Nope, at least not on purpose
This shall reset them to default values.

Open NOTEPAD.exe and copy/paste the text in the codebox below:
(don't forget to copy and paste REGEDIT4)

Code:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\JSEFile\Shell\Open\Command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,57,00,53,00,\
  63,00,72,00,69,00,70,00,74,00,2e,00,65,00,78,00,65,00,20,00,22,00,25,00,31,\
  00,22,00,20,00,25,00,2a,00,00,00

[HKEY_CLASSES_ROOT\VBEFile\Shell\Open\Command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,57,00,53,00,\
  63,00,72,00,69,00,70,00,74,00,2e,00,65,00,78,00,65,00,20,00,22,00,25,00,31,\
  00,22,00,20,00,25,00,2a,00,00,00

[HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,57,00,53,00,\
  63,00,72,00,69,00,70,00,74,00,2e,00,65,00,78,00,65,00,20,00,22,00,25,00,31,\
  00,22,00,20,00,25,00,2a,00,00,00
Save this as fix.reg. Choose to "Save type as - All Files".
It should look like this:
Double click on fix.reg & allow it to merge into the registry

Quote:
2) UploadThis.zip uploaded
Just finished looking at them.

rsetup.exe is the installer for ASCIIDoom. It's a game.
FF802AC291.dll appears to be a data file masquerading as a DLL. Best delete it.


-------------


We'll see what Kaspersky brings back. While we wait, please tell me more of the machine's symptoms.
sUBs is offline  
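The fix.reg in the post above stores each handler as a hex(2) value, which is a REG_EXPAND_SZ written out as comma-separated bytes of a NUL-terminated UTF-16LE string. That form is unreadable by eye, so before merging a .reg file from a forum it is worth decoding it and confirming it sets exactly what was claimed. The script below is an added example, not part of the post: it embeds a copy of the three keys from the fix as its only input, decodes every hex(2) value, and checks that each Shell\Open\Command resolves to the stock XP handler `%SystemRoot%\System32\WScript.exe "%1" %*`. The function names and the EXPECTED_SCRIPT_HANDLER constant are this example's own.

```python
"""Decode the hex(2) (REG_EXPAND_SZ) values in a .reg fix before merging it.

Added example, not part of the forum post. REG_TEXT is a copy of the fix
from the post above, embedded so the script runs offline. A .reg file read
from disk works the same way (open it with encoding='utf-16' if Regedit
exported it, or 'utf-8' if it was typed into Notepad).
"""
import re

REG_TEXT = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\JSEFile\Shell\Open\Command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,57,00,53,00,\
  63,00,72,00,69,00,70,00,74,00,2e,00,65,00,78,00,65,00,20,00,22,00,25,00,31,\
  00,22,00,20,00,25,00,2a,00,00,00

[HKEY_CLASSES_ROOT\VBEFile\Shell\Open\Command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,57,00,53,00,\
  63,00,72,00,69,00,70,00,74,00,2e,00,65,00,78,00,65,00,20,00,22,00,25,00,31,\
  00,22,00,20,00,25,00,2a,00,00,00

[HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,57,00,53,00,\
  63,00,72,00,69,00,70,00,74,00,2e,00,65,00,78,00,65,00,20,00,22,00,25,00,31,\
  00,22,00,20,00,25,00,2a,00,00,00
"""

# What a clean XP install has for the .jse/.vbe/.vbs open handlers (example's own constant).
EXPECTED_SCRIPT_HANDLER = r'%SystemRoot%\System32\WScript.exe "%1" %*'


def _join_continuations(text):
    """Merge lines that end in a backslash, Regedit's line-continuation marker."""
    joined, buf = [], ""
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("\\"):
            buf += line[:-1]
        else:
            joined.append(buf + line)
            buf = ""
    if buf:
        joined.append(buf)
    return joined


def decode_hex2(payload):
    """hex(2) is REG_EXPAND_SZ: comma-separated bytes of a NUL-terminated UTF-16LE string."""
    raw = bytes(int(b, 16) for b in payload.replace(" ", "").split(",") if b)
    return raw.decode("utf-16-le").rstrip("\x00")


def parse_reg(text):
    """Return {key_path: {value_name: decoded_value}} for a .reg file body.

    Handles the forms that matter here: the '@' default value, quoted strings
    and hex(2) values. Any other value type is kept as its raw right-hand side.
    """
    result, key = {}, None
    for line in _join_continuations(text):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            result[key] = {}
        elif key is not None and "=" in line:
            name, _, value = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if value.startswith("hex(2):"):
                result[key][name] = decode_hex2(value[len("hex(2):"):])
            elif len(value) >= 2 and value[0] == value[-1] == '"':
                # Quoted REG_SZ: unescape \\ and \" inside the quotes.
                result[key][name] = re.sub(r"\\(.)", r"\1", value[1:-1])
            else:
                result[key][name] = value
    return result


def check_script_handlers(parsed):
    """Map each ...\\Shell\\Open\\Command key to whether its default restores the stock handler."""
    return {
        key: values.get("(Default)") == EXPECTED_SCRIPT_HANDLER
        for key, values in parsed.items()
        if key.lower().endswith(r"\shell\open\command")
    }


if __name__ == "__main__":
    parsed = parse_reg(REG_TEXT)
    for key, values in parsed.items():
        print(key)
        for name, value in values.items():
            print(f"    {name} = {value}")
    print("all handlers stock:", all(check_script_handlers(parsed).values()))
```

Run it against any .reg file someone asks you to merge; a handler that decodes to anything other than WScript.exe under %SystemRoot%, or to a path under a profile or Temp directory, is the thing to look at before double-clicking.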
Old 11-04-2008, 05:09 AM   #15 (permalink)
Registered User
 
Join Date: Mar 2007
Posts: 66
OS: winxp


Re: Kaspersky Reports Trojan (Zbot); Word, Other Progs Won't Run

Sorry for the delayed reply - I didn't get an email notification of thread activity. Then yesterday, Outlook Express and IE7 both stopped working - no response when I double-clicked the shortcut icons, and no response when I went right to the .exe program files and double-clicked them. I did a system restore to when ComboFix was run (it sets a restore point, of course) and now both programs are working again. No earlier restore point would work. Still can't get Word to work, even after a re-install.

The new Kaspersky Online Scan log:

KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, November 4, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, November 04, 2008 01:03:25
Records in database: 1369257


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
A:\
C:\
D:\
E:\

Scan statistics
Files scanned 85774
Threat name 1
Infected objects 1
Suspicious objects 0
Duration of the scan 01:42:07

File name Threat name Threats count
C:\Documents and Settings\Phil & Cindy\Local Settings\Application Data\Identities\{64B9BD37-69EF-4BA3-A78D-C9041FAB378E}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Trojan-Spy.Win32.Zbot.etp 1

The selected area was scanned.
-----------------------------------------------------------------------

I did the registry fix, but I don't know what you mean by "(don't forget to copy and paste REGEDIT4)"

I deleted FF802AC291.dll. Then I went to delete it from the Recycle Bin, and it wasn't there. That seemed odd.

Phil
ppayzant is offline  
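Post #14 above judges FF802AC291.dll to be "a data file masquerading as a DLL", and the post here deletes it on that basis. The check behind that judgement is mechanical and worth having to hand: a real DLL starts with a DOS stub whose first two bytes are `MZ`, the 32-bit field at offset 0x3C (e_lfanew) points at the `PE\0\0` signature, and the COFF header that follows names the target machine. The script below is an added example, not from the thread; the two byte strings it tests are constructed samples, not the file the poster deleted, and the function names are this example's own.

```python
"""Tell a real PE image from a data file that merely uses the .dll extension.

Added example, not from the forum thread. Checks the MZ signature, follows
e_lfanew (offset 0x3C) to the PE signature, and reads the COFF Machine field.
The sample inputs at the bottom are constructed here, not taken from the thread.
"""
import struct

PE_SIGNATURE = b"PE\0\0"
MACHINE_NAMES = {0x14C: "i386", 0x8664: "x64"}   # common values; others reported as hex


def _e_lfanew(data):
    return struct.unpack_from("<I", data, 0x3C)[0]


def looks_like_pe(data):
    """True only if data has an MZ header whose e_lfanew lands on a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    offset = _e_lfanew(data)
    # The PE header must sit after the DOS header and inside the buffer.
    if offset < 0x40 or offset + len(PE_SIGNATURE) > len(data):
        return False
    return data[offset:offset + len(PE_SIGNATURE)] == PE_SIGNATURE


def pe_machine(data):
    """COFF Machine field (0x14C = i386, 0x8664 = x64), or None if data is not a PE image."""
    if not looks_like_pe(data):
        return None
    offset = _e_lfanew(data) + len(PE_SIGNATURE)
    if offset + 2 > len(data):
        return None
    return struct.unpack_from("<H", data, offset)[0]


def classify(data):
    """Coarse verdict for a file that claims to be a DLL."""
    if looks_like_pe(data):
        machine = pe_machine(data)
        return "pe-image/" + MACHINE_NAMES.get(machine, f"0x{machine:x}")
    if data[:2] == b"MZ":
        return "mz-stub-without-pe"     # DOS-only, truncated, or a deliberately broken header
    return "not-executable"


def classify_file(path):
    """Read the head of a file on disk and classify it; 64 KiB covers any sane e_lfanew."""
    with open(path, "rb") as f:
        return classify(f.read(0x10000))


def build_minimal_pe_header():
    """Constructed sample: the smallest byte string the checks above accept as a DLL."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: PE header right after DOS header
    # COFF header: Machine=i386, 1 section, no timestamp/symbols, optional header 0xE0,
    # Characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL.
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)
    return bytes(dos) + PE_SIGNATURE + coff


# Constructed sample: an opaque blob with no MZ header, the shape of a config/data file renamed .dll.
FAKE_DLL_DATA = b"\x00\x00\x00\x00config-blob;" + b"\x00" * 100


if __name__ == "__main__":
    print("minimal PE header :", classify(build_minimal_pe_header()))
    print("data blob as .dll :", classify(FAKE_DLL_DATA))
```

A file that classifies as not-executable cannot be loaded by LoadLibrary, so it is not a DLL whatever its name; that does not make it harmless, since some malware keeps encrypted configuration or a second stage in exactly this kind of file, which is why the advice in the thread is to delete it rather than ignore it.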
Old 11-04-2008, 06:11 AM   #16 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,355
OS: N/A


Re: Kaspersky Reports Trojan (Zbot); Word, Other Progs Won't Run

Quote:
Microsoft\Outlook Express\Deleted Items.dbx Infected: Trojan-Spy.Win32.Zbot.etp 1
Looks like ZBot never got to infect your machine. Should be some junk mail that you deleted. Please empty Outlook Express' Deleted Items folder.

Quote:
Then yesterday, Outlook Express and IE7 both stopped working - no response when I double-clicked the shortcut icons, and no response when I went right to the .exe program files and double-clicked them. I did a system restore to when ComboFix was run (it sets a restore point, of course) and now both programs are working again. No earlier restore point would work. Still can't get Word to work, even after a re-install.
I suspect that it may be related to IE7. A reinstall of IE7 should do the trick.
Please uninstall IE7 from Control Panel > Add/Remove
Reboot once & then reinstall IE7 by downloading this > http://download.microsoft.com/downlo...XP-x86-enu.exe
sUBs is offline  
Old 11-04-2008, 04:40 PM   #17 (permalink)
Registered User
 
Join Date: Mar 2007
Posts: 66
OS: winxp


Re: Kaspersky Reports Trojan (Zbot); Word, Other Progs Won't Run

Okay, IE7 reinstalled.
ppayzant is offline  
Old 11-04-2008, 08:21 PM   #18 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,355
OS: N/A


Re: Kaspersky Reports Trojan (Zbot); Word, Other Progs Won't Run

How is it now?
sUBs is offline  
Old 11-05-2008, 03:46 AM   #19 (permalink)
Registered User
 
Join Date: Mar 2007
Posts: 66
OS: winxp


Re: Kaspersky Reports Trojan (Zbot); Word, Other Progs Won't Run

Well, IE7 seems to be running fine. Should I go ahead and try to re-install the other programs that quit working? Word, Canon Zoombrowser, Canon Web Print, etc.

This morning's A-Squared scan log showed a "trace" - here's the log:
-----------------------------------------------------------------

a-squared Anti-Malware - Version 4.0
Last update: 2008-11-04 14:00:10

Scan settings:

Objects: Memory, Traces, Cookies, C:\
Scan archives: On
Heuristics: On
ADS Scan: On

Scan start: 2008-11-05 03:00:02

Key: HKEY_USERS\S-1-5-21-73586283-776561741-725345543-1004\software\kazaa detected: Trace.Registry.KaZaA!A2

Scanned

Files: 90468
Traces: 525708
Cookies: 49
Processes: 35

Found

Files: 0
Traces: 1
Cookies: 0
Processes: 0
Registry keys: 0

Scan end: 2008-11-05 04:04:23
Scan time: 1:04:21
-----------------------------------------------------------------------
ppayzant is offline  
Old 11-05-2008, 03:50 AM   #20 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,355
OS: N/A


Re: Kaspersky Reports Trojan (Zbot); Word, Other Progs Won't Run

Quote:
Should I go ahead and try to re-install the other programs that quit working? Word, Canon Zoombrowser, Canon Web Print, etc.
Yes, please do that. Let me know how it went.

Kazaa was a popular P2P program but it's bundled with sponsor programs which are adware. Have you ever installed it on this machine?

Last edited by sUBs; 11-05-2008 at 03:51 AM.
sUBs is offline  
Copyright 2001 - 2009, Tech Support Forum