Old 06-19-2009, 04:42 PM   #1 (permalink)
raj1439 (Registered User)
Join Date: May 2006
Location: Boston, MA
Posts: 56
OS: Win XP SP3

Suspected Malware

Hi:

I'm pretty sure I have some sort of malware on my system. While most things function normally, I cannot access the Microsoft Update site (although I have been getting automatic updates), the ZoneAlarm update page, and, more recently, updates from Spybot S&D.

Here's my DDS.txt info:

DDS (Ver_09-05-14.01) - NTFSx86
Run by Gaming at 14:10:41.93 on Fri 06/19/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1511 [GMT -4:00]

AV: avast! antivirus 4.8.1335 [VPS 090618-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\UStorSrv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Documents and Settings\Gaming\Desktop\CompFix 09\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://bfc.myway.com/search/de_srchlft.html
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: This BHO has been enabled by BHODemon. - No File
BHO: {4A368E80-174F-4872-96B5-0B27DDD11DB2} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll__BHODemonDisabled
BHO: This BHO has been disabled by BHODemon. - No File
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [Turbine Download Manager Tray Icon] "c:\program files\turbine\turbine download manager - preview\TurbineDownloadManagerIcon.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
IE: E&xport to Microsoft Excel
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - hxxp://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - hxxp://static.windupdates.com/cab/180solutions/ie/bridge-c46.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - hxxp://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - hxxp://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} - hxxp://zone.msn.com/bingame/rtlw/default/ReflexiveWebGameLoader.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by106fd.bay106.hotmail.msn.com/resources/MsnPUpld.cab
DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - hxxp://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120580575171
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {64D01C7F-810D-446E-A07E-16C764235644} - hxxp://zone.msn.com/bingame/amad/default/atomaders.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1220663692046
DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - hxxp://www3.ca.com/securityadvisor/virusinfo/webscan.cab
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://zone.msn.com/bingame/luxr/default/mjolauncher.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} - hxxp://zone.msn.com/bingame/zpagames/zpa_txhe.cab45837.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} - hxxp://www.linksysfix.com/netcheck/67/install/gtdownls.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - hxxp://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab41227.cab
DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45}
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4754/mcfscan.cab
TCP: {9ECAE540-BB66-4639-A8A5-F1ABAA718B5C} = 85.255.115.99 85.255.112.90
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\gaming\applic~1\mozilla\firefox\profiles\uc8qycsx.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: XUL Cache: {EB015E33-4E86-4798-AC9D-8B74588A6EAE} - c:\documents and settings\gaming\local settings\application data\{EB015E33-4E86-4798-AC9D-8B74588A6EAE}
FF - HiddenExtension: XUL Cache: {EFD28066-FE97-4E34-94C2-4A5E08B5FEE1} - c:\documents and settings\rich\local settings\application data\{efd28066-fe97-4e34-94c2-4a5e08b5fee1}\

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-4-1 114768]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2008-9-5 127768]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-4-26 394952]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-1 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2007-8-7 138680]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2007-8-7 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2007-8-7 352920]
S2 NAVAPEL;NAVAPEL;\??\c:\program files\symantec_client_security\symantec antivirus\navapel.sys --> c:\program files\symantec_client_security\symantec antivirus\NAVAPEL.SYS [?]
S2 Norton AntiVirus Server;Symantec AntiVirus Client;c:\progra~1\symant~1\symant~1\rtvscan.exe --> c:\progra~1\symant~1\symant~1\Rtvscan.exe [?]
S3 NAVAP;NAVAP;\??\c:\progra~1\symant~1\symant~1\navap.sys --> c:\progra~1\symant~1\symant~1\NAVAP.sys [?]

=============== Created Last 30 ================

2009-06-19 13:47 <DIR> --dsh--- c:\documents and settings\gaming\PrivacIE
2009-06-19 13:23 <DIR> --dsh--- c:\documents and settings\gaming\IETldCache
2009-06-19 13:17 <DIR> -cd-h--- c:\windows\ie8
2009-06-08 20:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-08 20:19 <DIR> --d----- c:\program files\Bonjour
2009-06-03 18:41 <DIR> --d----- C:\OutputFolder
2009-05-26 17:18 90,112 a------- c:\windows\system32\QuickTimeVR.qtx
2009-05-26 17:18 57,344 a------- c:\windows\system32\QuickTime.qts

==================== Find3M ====================

2009-06-19 14:10 53,248,032 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-06-19 13:22 624,692 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 11:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-29 00:55 133,120 a------- c:\windows\system32\dllcache\extmgr.dll
2009-04-28 05:05 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-17 08:26 1,847,168 -------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 10:51 585,216 -------- c:\windows\system32\dllcache\rpcrt4.dll
2008-09-05 16:42 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090520080906\index.dat

============= FINISH: 14:11:36.40 ===============

The zipped scan logs are attached.

Thanks in advance for your help.
Attached Files
File Type: zip Attach.zip (4.7 KB, 10 views)
__________________
i know just enough about computers to screw things up royally...
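The DDS report in this post lists, among other things, the DNS servers configured for each network interface (the TCP: line) and Firefox extensions registered through the registry rather than installed from within the browser (the FF - HiddenExtension lines); later in the thread GooredFix lists those same two extension entries as suspect. The Python script below is an added example, not part of the original post and not code from DDS or Tech Support Forum: it pulls those line types out of a pseudo-HJT report, classifies each configured resolver as private, loopback, link-local or public, and notes extension entries whose install directory is a GUID-named folder under Local Settings\Application Data. The sample lines are copied from the log above; the classification rules and the function names (triage_dds, classify_resolver, review_notes) are this example's own. A public resolver is not wrong by itself, since ISP resolvers are public, so the output only says which entries to verify against the ISP's or router's documented DNS servers.

```python
"""Triage of a DDS 'Pseudo HJT Report' section.

Added example, not DDS or Tech Support Forum code. It extracts the 'TCP:' lines
(DNS servers configured per network interface) and the 'FF - HiddenExtension'
lines (Firefox extensions registered via the registry) and says which of them a
helper should verify first. Classification rules are this example's own.
"""
import ipaddress
import re

# Constructed sample input: lines copied from the DDS log posted above.
SAMPLE_LOG = r"""
uSearch Bar = hxxp://bfc.myway.com/search/de_srchlft.html
TCP: {9ECAE540-BB66-4639-A8A5-F1ABAA718B5C} = 85.255.115.99 85.255.112.90
Notify: igfxcui - igfxdev.dll
FF - ProfilePath - c:\docume~1\gaming\applic~1\mozilla\firefox\profiles\uc8qycsx.default\
FF - HiddenExtension: XUL Cache: {EB015E33-4E86-4798-AC9D-8B74588A6EAE} - c:\documents and settings\gaming\local settings\application data\{EB015E33-4E86-4798-AC9D-8B74588A6EAE}
FF - HiddenExtension: XUL Cache: {EFD28066-FE97-4E34-94C2-4A5E08B5FEE1} - c:\documents and settings\rich\local settings\application data\{efd28066-fe97-4e34-94c2-4a5e08b5fee1}\
"""

# 'TCP: {interface GUID} = server [server ...]'
TCP_RE = re.compile(r"^TCP:\s*\{([0-9A-Fa-f-]+)\}\s*=\s*(.+?)\s*$")
# 'FF - HiddenExtension: <name>: {GUID} - <install path>'
HIDDEN_EXT_RE = re.compile(
    r"^FF - HiddenExtension:\s*(.+?):\s*\{([0-9A-Fa-f-]+)\}\s*-\s*(.+?)\s*$")
LOCAL_APPDATA = r"local settings\application data"


def classify_resolver(addr):
    """Return 'private', 'loopback', 'link-local', 'public' or 'invalid' for one resolver."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:
        return "private"
    return "public"


def triage_dds(text):
    """Collect resolver and hidden-extension entries from a pseudo-HJT report."""
    findings = {"dns_servers": [], "hidden_extensions": []}
    for line in text.splitlines():
        m = TCP_RE.match(line)
        if m:
            iface = m.group(1)
            for server in m.group(2).split():
                findings["dns_servers"].append(
                    {"interface": iface, "server": server, "scope": classify_resolver(server)})
            continue
        m = HIDDEN_EXT_RE.match(line)
        if m:
            name, guid, path = m.groups()
            path = path.rstrip("\\")
            last_component = path.rsplit("\\", 1)[-1].lower()
            findings["hidden_extensions"].append({
                "name": name,
                "guid": guid,
                "path": path,
                "in_local_appdata": LOCAL_APPDATA in path.lower(),
                "guid_named_dir": last_component == "{%s}" % guid.lower(),
            })
    return findings


def review_notes(findings):
    """One note per entry a helper would want to verify before trusting it."""
    notes = []
    for d in findings["dns_servers"]:
        if d["scope"] != "private":
            notes.append("DNS server %s on interface {%s} is %s: confirm it is the ISP's "
                         "or router's resolver" % (d["server"], d["interface"], d["scope"]))
    for e in findings["hidden_extensions"]:
        if e["in_local_appdata"] and e["guid_named_dir"]:
            notes.append("Registry-installed Firefox extension {%s} sits in a GUID-named "
                         "folder under the user profile (%s): identify what installed it"
                         % (e["guid"], e["path"]))
    return notes


if __name__ == "__main__":
    for note in review_notes(triage_dds(SAMPLE_LOG)):
        print("-", note)
```

On a home machine that gets its address from a router by DHCP, the resolver is usually the router's own private address, so a public pair that the user did not configure is the first thing to reconcile with the ISP's documentation.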

Old 06-23-2009, 08:17 AM   #2 (permalink)
raj1439 (Registered User)
Join Date: May 2006
Location: Boston, MA
Posts: 56
OS: Win XP SP3

Re: Suspected Malware

*bump*

Thanks!
__________________
i know just enough about computers to screw things up royally...
Old 06-23-2009, 08:41 AM   #3 (permalink)
amateur (Moderator, Analyst, Security Team; Rangemaster, TSF Academy)
Join Date: Jun 2006
Location: USA
Posts: 7,303
OS: XP SP3

Re: Suspected Malware

Hello and welcome to TSF.

Please note that most of the time the fixes require more than one round to properly eradicate. Stay with me until you're given the "all clear", even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions in the order they are presented, and please do no self-fixing or running of scanners unless requested by me or another helper at this forum.

You still have some remnants of Symantec. Please use the instructions on this page to completely uninstall your Norton Products.

(note: this removes ALL Norton 2004/2005/2006/2007 products from your computer, and also uninstalls Norton Ghost 10.0/9.0/2003)

=========================

Download ResetTeaTimer
  • and Save it to your Desktop.
  • Double-click ResetTeaTimer.zip
  • Double-click ResetTeaTimer.bat and click Run to remove all entries set by TeaTimer.
  • A DOS window will open and close again, this is normal.
------------------------------------------------------

While Spybot's TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent tools from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your logs are clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • If TeaTimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.

=============================

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

    You need to disable your AVAST Antivirus before running ComboFix, as it will prevent it from running.
    Right Click on the Avast icon in the system tray
    Click on Program Settings...
    Click on Troubleshooting
    Place a tick next to Disable avast! self-defense module
    Click OK
    At the prompt that appears, click Yes
    Right Click on the Avast icon in the system tray and click Stop On-Access protection
    At the prompt that appears, click Yes

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

# Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
-----------------------------------
Note: Please make sure that your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.

===========================

Next, please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Double-click GooredFix.exe to run it.
  • Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: Do not run Option #2 yet.

===========================

Please reply back with the Combofix.txt and the GooredLog.txt.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.
__________________
My services are free. However, you can donate to TSF to help keep it running.
Member of ASAP since 2005
Member of UNITE since 2006
Old 06-24-2009, 07:59 AM   #4 (permalink)
raj1439 (Registered User)
Join Date: May 2006
Location: Boston, MA
Posts: 56
OS: Win XP SP3

Re: Suspected Malware

Hi amateur:

Thanks much for your help!

Here are the logs you requested. I followed all instructions in your post accurately.

ComboFix log:

ComboFix 09-06-23.01 - Gaming 06/24/2009 9:34.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1598 [GMT -4:00]
Running from: c:\documents and settings\Gaming\Desktop\CompFix 09\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090623-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\BHO
c:\program files\BHO\BHODemon.exe
c:\program files\BHO\BHODemon.INI
c:\program files\BHO\BHODemon.LOG.XML
c:\program files\BHO\BHODemonHelp.html
c:\program files\BHO\bhodmon1.zip
c:\windows\system32\stera.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FOPN
-------\Legacy_OREANS32


((((((((((((((((((((((((( Files Created from 2009-05-24 to 2009-06-24 )))))))))))))))))))))))))))))))
.

2009-06-23 14:30 . 2009-06-23 15:40 -------- d-----w- c:\documents and settings\Gaming\Application Data\dvdcss
2009-06-23 14:30 . 2009-06-23 15:48 -------- d-----w- c:\documents and settings\Gaming\Application Data\vlc
2009-06-23 14:28 . 2009-06-23 14:28 -------- d-----w- c:\program files\VideoLAN
2009-06-21 20:09 . 2009-06-21 20:09 -------- d-sh--w- c:\documents and settings\Gaming\IECompatCache
2009-06-19 17:47 . 2009-06-19 17:47 -------- d-sh--w- c:\documents and settings\Gaming\PrivacIE
2009-06-19 17:24 . 2009-06-19 17:24 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-06-19 17:23 . 2009-06-19 17:23 -------- d-sh--w- c:\documents and settings\Gaming\IETldCache
2009-06-19 17:17 . 2009-06-19 17:20 -------- dc-h--w- c:\windows\ie8
2009-06-09 00:22 . 2009-06-09 00:23 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-09 00:19 . 2009-06-09 00:19 -------- d-----w- c:\program files\Bonjour
2009-06-09 00:14 . 2009-06-09 00:15 -------- d-----w- c:\program files\QuickTime
2009-06-09 00:07 . 2009-06-09 00:07 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-03 22:41 . 2009-06-03 22:42 -------- d-----w- C:\OutputFolder

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-24 13:42 . 2007-08-13 15:14 54218784 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-06-24 13:41 . 2007-08-15 01:41 213441869 ----a-w- c:\windows\Internet Logs\tvDebug.zip
2009-06-24 13:40 . 2007-08-13 15:14 636380 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-06-19 22:47 . 2006-06-16 05:00 -------- d-----w- c:\program files\Agent
2009-06-19 22:46 . 2005-04-27 03:14 -------- d-----w- c:\documents and settings\Rich\Application Data\Lavasoft
2009-06-19 18:07 . 2006-09-20 21:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-06-18 22:19 . 2005-04-27 09:28 -------- d-----w- c:\program files\FirstClass
2009-06-09 22:12 . 2006-12-22 20:14 132960 ----a-w- c:\documents and settings\Gaming\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-09 00:23 . 2006-09-17 01:09 -------- d-----w- c:\program files\iTunes
2009-06-09 00:22 . 2005-05-10 09:42 -------- d-----w- c:\program files\iPod
2009-06-09 00:22 . 2007-09-02 17:05 -------- d-----w- c:\program files\Common Files\Apple
2009-06-08 22:44 . 2008-02-13 22:47 -------- d-----w- c:\documents and settings\Gaming\Application Data\uTorrent
2009-05-07 15:32 . 2004-08-10 17:51 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-17 12:26 . 2004-08-10 17:51 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-10 17:51 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-09-12 196608]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-12 7630848]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0stera

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"Viewpoint Manager Service"=2 (0x2)
"ose"=3 (0x3)
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Turbine\\The Lord of the Rings Online\\lotroclient.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\avsys\\ScanningProcess.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/1/2008 5:53 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/1/2008 5:53 PM 20560]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Turbine Download Manager Tray Icon - c:\program files\Turbine\Turbine Download Manager - Preview\TurbineDownloadManagerIcon.exe


.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-24 09:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2392)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
c:\windows\system32\nvcpl.dll
c:\windows\system32\nvapi.dll
c:\windows\system32\igfxpph.dll
c:\windows\system32\hccutils.DLL
c:\windows\system32\igfxres.dll
c:\windows\system32\igfxress.dll
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\nvshell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ZoneLabs\vsmon.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\UStorSrv.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2009-06-24 9:51 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-24 13:51

Pre-Run: 16,173,293,568 bytes free
Post-Run: 16,572,518,400 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

181 --- E O F --- 2009-06-19 17:20

Goored Log:

GooredFix v1.92 by jpshortstuff
Log created at 09:55 on 24/06/2009 running Option #1 (Gaming)
Firefox version [Unable to determine]

=====Suspect Goored Entries=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{EFD28066-FE97-4E34-94C2-4A5E08B5FEE1}"="C:\Documents and Settings\Rich\Local Settings\Application Data\{EFD28066-FE97-4E34-94C2-4A5E08B5FEE1}\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{EB015E33-4E86-4798-AC9D-8B74588A6EAE}"="C:\Documents and Settings\Gaming\Local Settings\Application Data\{EB015E33-4E86-4798-AC9D-8B74588A6EAE}"

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{EFD28066-FE97-4E34-94C2-4A5E08B5FEE1}"="C:\Documents and Settings\Rich\Local Settings\Application Data\{EFD28066-FE97-4E34-94C2-4A5E08B5FEE1}\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{EB015E33-4E86-4798-AC9D-8B74588A6EAE}"="C:\Documents and Settings\Gaming\Local Settings\Application Data\{EB015E33-4E86-4798-AC9D-8B74588A6EAE}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"
__________________
i know just enough about computers to screw things up royally...
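Editor's note, added example (not GooredFix's own code): both entries the tool listed as suspect have the same shape, a value under HKLM\SOFTWARE\Mozilla\Firefox\extensions whose name is a bare GUID and whose path is a folder of that same GUID under one user's Local Settings\Application Data, while the named jqs@sun.com entry pointing into Program Files was dumped but not flagged. A machine-wide (HKLM) registration that points into a per-user data folder is not how legitimate installers place add-ons (they use Program Files or the profile's own extensions directory), which is why the combination is treated as suspect. The script below applies that rule to the registry dump quoted in the log; the rule is reconstructed from what the log shows, not from the tool's documentation, and the sample input is constructed from the quoted lines.

```python
"""
Check Firefox extension registrations of the kind GooredFix reported above.

Added example for this page, not the GooredFix tool's code. Rule (an assumption
reconstructed from the log): an HKLM ...\Mozilla\Firefox\extensions value whose
name is a bare GUID and whose path is a same-GUID folder under a user's
Local Settings\Application Data is suspect; a named entry such as jqs@sun.com
pointing into Program Files is not.
"""
import re

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"$')
# Per-user "Local Settings\Application Data" on Windows XP (case-insensitive).
PER_USER_DIR = re.compile(
    r"\\Documents and Settings\\[^\\]+\\Local Settings\\Application Data\\", re.I)

# Constructed from the registry dump quoted in the GooredFix log in this thread.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{EFD28066-FE97-4E34-94C2-4A5E08B5FEE1}"="C:\Documents and Settings\Rich\Local Settings\Application Data\{EFD28066-FE97-4E34-94C2-4A5E08B5FEE1}\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{EB015E33-4E86-4798-AC9D-8B74588A6EAE}"="C:\Documents and Settings\Gaming\Local Settings\Application Data\{EB015E33-4E86-4798-AC9D-8B74588A6EAE}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"
"""


def parse_dump(text):
    """Yield (key, value_name, path) triples from a .reg-style dump."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, m.group(1), m.group(2)


def is_suspect(name, path):
    """GUID-named extension whose install folder is that GUID under a per-user data dir."""
    if not re.fullmatch(GUID, name):
        return False
    if not PER_USER_DIR.search(path):
        return False
    last_component = path.rstrip("\\").rsplit("\\", 1)[-1]
    return last_component.lower() == name.lower()


def suspect_entries(text):
    """Return the (key, name, path) entries the rule flags, in dump order."""
    return [(k, n, p) for k, n, p in parse_dump(text) if is_suspect(n, p)]


if __name__ == "__main__":
    for key, name, path in suspect_entries(SAMPLE_DUMP):
        print(f"SUSPECT [{key}] {name} -> {path}")
```

The same two GUID entries come out, and the Java Quick Starter entry does not. Running the rule against a fresh export of the key after the fix (reg export "HKLM\SOFTWARE\Mozilla\Firefox\extensions" out.reg) is a quick way to confirm nothing re-registered itself.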
Old 06-24-2009, 08:44 AM   #5 (permalink)
amateur (Moderator, Analyst, Security Team; Rangemaster, TSF Academy)
Join Date: Jun 2006; Location: USA; Posts: 7,303; OS: XP SP3

Re: Suspected Malware

Hello again.

Please make sure that TeaTimer is disabled as per my previous instructions.

Please double-click GooredFix.exe on your Desktop to run it.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

=====================

Perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.
  • Click Accept when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

=====================

Please reply back with the GooredLog.txt and the Kaspersky report. Also, let me know how the computer is behaving now.
__________________
My services are free. However, you can donate to TSF to help keep it running.
Member of ASAP since 2005
Member of UNITE since 2006
Old 06-24-2009, 02:26 PM   #6 (permalink)
raj1439 (Registered User)
Join Date: May 2006; Location: Boston, MA; Posts: 56; OS: Win XP SP3

Re: Suspected Malware

Hi:

Here's my Goored log:

GooredFix v1.92 by jpshortstuff
Log created at 16:10 on 24/06/2009 running Option #2 (Gaming)
Firefox version [Unable to determine]

=====Goored Deletions=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{EFD28066-FE97-4E34-94C2-4A5E08B5FEE1}"="C:\Documents and Settings\Rich\Local Settings\Application Data\{EFD28066-FE97-4E34-94C2-4A5E08B5FEE1}\"
->Backing up value... Done.
->Deleting value... Done.

C:\Documents and Settings\Rich\Local Settings\Application Data\{EFD28066-FE97-4E34-94C2-4A5E08B5FEE1}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{EB015E33-4E86-4798-AC9D-8B74588A6EAE}"="C:\Documents and Settings\Gaming\Local Settings\Application Data\{EB015E33-4E86-4798-AC9D-8B74588A6EAE}"
->Backing up value... Done.
->Deleting value... Done.

C:\Documents and Settings\Gaming\Local Settings\Application Data\{EB015E33-4E86-4798-AC9D-8B74588A6EAE}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

I attempted to run the Kaspersky online scanner, but each time after I clicked the 'Accept' button, it does not download or update anything, and I get a dialogue box that says, "Starting Java Applet has failed! Please go online to use this program." I attempted to use the scanner by going to the Kaspersky home page then following links to the online scanner, with the same result.

I still get a '404 not found' error (with the Google logo) when I attempt to connect to the Microsoft update site via the Start menu.

I can get to the Microsoft website, but when I try to go to the Update site from the drop down menu under 'Security and Updates', it sends me to Google.

I am still unable to get an update for Zone Alarm, nor can I update SpyBot.

Thanks.
Last edited by raj1439; 06-24-2009 at 02:37 PM.
Old 06-24-2009, 04:10 PM   #7 (permalink)
amateur (Moderator, Analyst, Security Team; Rangemaster, TSF Academy)
Join Date: Jun 2006; Location: USA; Posts: 7,303; OS: XP SP3

Re: Suspected Malware

Hi,

I see you have µTorrent installed. This practice can make you vulnerable to data and identity theft. Please read this sticky:

Perils of P2P File Sharing

I would strongly urge you to remove it via Add or Remove Programs in Control Panel as suggested in our
NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help page.

Quote:
  • p2p programs like uTorrent, Bittorrent, LimeWire, Morpheus, etc., as they are a major conduit for malware and a likely source of your current issues. See this link
======================

Uninstall the following via the Add/Remove Panel (Start->Control Panel->Add or Remove Programs):

J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
J2SE Runtime Environment 5.0 Update 11
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1


These are all outdated, and they are security risks if left installed. Unfortunately, Java does not uninstall these older versions when you update, nor tell you that you should. Java(TM) 6 Update 11 can be updated from the Java control panel: Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update tab > Update Now. An update should begin; follow the prompts.

=======================

For the Kaspersky scan, try the following and see if that helps.

In IE, go to Tools > Internet Options > Advanced tab. Click Reset, then OK, and exit IE.

Re-open IE 7 and ensure the Java add-ons are enabled.



If you're still having problem, try one of the following online scans:

Panda ActiveScan

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Click on Scan Your PC Now
  • A "pop up" window will appear, or a new tab will open.
  • Click on Register
  • Choose the option you like most, but we recommend the Free Registration.
  • Click on Register
  • Enter your e-mail address, and create a password.
  • Select "I do not want to receive any type of information". (unless you want to receive such information)
  • Click on Send
  • Confirm registration, and continue by entering your user name and password, then click on Enter
  • Select Full Scan, then Click on Scan Now
  • Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser.
  • If it finds any malware it can disinfect, the Disinfect button will be enabled. Click on Disinfect
  • Please ignore the offer to buy the program. Click on Export To
  • Export the log and save it to your desktop.
  • Please attach the contents of that log in your next reply.

OR

Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.

======================

Please post back the online scan results, and fresh logs from DSS and GMER .
Old 06-25-2009, 04:22 PM   #8 (permalink)
raj1439 (Registered User)
Join Date: May 2006; Location: Boston, MA; Posts: 56; OS: Win XP SP3

Re: Suspected Malware

Quick update:

I deleted the Java updates (good to know about that, they were soaking up a lot of HD space!) and tried the Kaspersky scanner again. It would download the program but hang on updating the database. After a while I would get the same dialogue box as before.

I also removed Firefox and µTorrent from my system.

I'm currently running the Panda scan. It's taking a while, heh...but it has found some infected files.

I should be able to post the Panda scan logs along with new DSS and GMER logs tomorrow.
Old 06-26-2009, 08:50 AM   #9 (permalink)
amateur (Moderator, Analyst, Security Team; Rangemaster, TSF Academy)
Join Date: Jun 2006; Location: USA; Posts: 7,303; OS: XP SP3

Re: Suspected Malware

Hi,

Quote:
  I also removed Firefox and µTorrent from my system.
I am glad you removed uTorrent, but I don't understand why you removed FireFox. It's a good browser.

I am waiting for the Panda scan.
Old 06-26-2009, 01:43 PM   #10 (permalink)
raj1439 (Registered User)
Join Date: May 2006; Location: Boston, MA; Posts: 56; OS: Win XP SP3

Re: Suspected Malware

Okay, the scans are done. The Panda scan took about 8 hours...is that normal?

I attached the scan logs as a .zip file to this message, and here is the DDS.txt:


DDS (Ver_09-05-14.01) - NTFSx86
Run by Gaming at 13:02:22.70 on Fri 06/26/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1387 [GMT -4:00]

AV: avast! antivirus 4.8.1335 [VPS 090625-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\UStorSrv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Gaming\Desktop\CompFix 09\gmer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Gaming\Desktop\CompFix 09\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: This BHO has been enabled by BHODemon. - No File
BHO: {4A368E80-174F-4872-96B5-0B27DDD11DB2} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll__BHODemonDisabled
BHO: This BHO has been disabled by BHODemon. - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - hxxp://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6}
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - hxxp://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - hxxp://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} - hxxp://zone.msn.com/bingame/rtlw/default/ReflexiveWebGameLoader.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by106fd.bay106.hotmail.msn.com/resources/MsnPUpld.cab
DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - hxxp://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120580575171
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {64D01C7F-810D-446E-A07E-16C764235644} - hxxp://zone.msn.com/bingame/amad/default/atomaders.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1220663692046
DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - hxxp://www3.ca.com/securityadvisor/virusinfo/webscan.cab
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://zone.msn.com/bingame/luxr/default/mjolauncher.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} - hxxp://zone.msn.com/bingame/zpagames/zpa_txhe.cab45837.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} - hxxp://www.linksysfix.com/netcheck/67/install/gtdownls.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - hxxp://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab41227.cab
DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45}
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4754/mcfscan.cab
TCP: {9ECAE540-BB66-4639-A8A5-F1ABAA718B5C} = 85.255.115.99 85.255.112.90
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-4-1 114768]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2008-9-5 127768]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-4-26 394952]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-1 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2007-8-7 138680]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S2 NAVAPEL;NAVAPEL;\??\c:\program files\symantec_client_security\symantec antivirus\navapel.sys --> c:\program files\symantec_client_security\symantec antivirus\NAVAPEL.SYS [?]
S2 Norton AntiVirus Server;Symantec AntiVirus Client;c:\progra~1\symant~1\symant~1\rtvscan.exe --> c:\progra~1\symant~1\symant~1\Rtvscan.exe [?]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2007-8-7 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2007-8-7 352920]
S3 NAVAP;NAVAP;\??\c:\progra~1\symant~1\symant~1\navap.sys --> c:\progra~1\symant~1\symant~1\NAVAP.sys [?]

=============== Created Last 30 ================

2009-06-25 16:28 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-06-25 16:28 <DIR> --d----- c:\program files\Panda Security
2009-06-24 10:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-06-24 09:49 <DIR> --d----- c:\windows\system32\dllcache\cache
2009-06-24 09:30 <DIR> a-dshr-- C:\cmdcons
2009-06-24 09:28 161,792 a------- c:\windows\SWREG.exe
2009-06-24 09:28 155,136 a------- c:\windows\PEV.exe
2009-06-24 09:28 98,816 a------- c:\windows\sed.exe
2009-06-23 10:28 <DIR> --d----- c:\program files\VideoLAN
2009-06-21 16:09 <DIR> --dsh--- c:\documents and settings\gaming\IECompatCache
2009-06-19 13:47 <DIR> --dsh--- c:\documents and settings\gaming\PrivacIE
2009-06-19 13:23 <DIR> --dsh--- c:\documents and settings\gaming\IETldCache
2009-06-19 13:17 <DIR> -cd-h--- c:\windows\ie8
2009-06-08 20:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-08 20:19 <DIR> --d----- c:\program files\Bonjour
2009-06-03 18:41 <DIR> --d----- C:\OutputFolder

==================== Find3M ====================

2009-06-26 13:02 55,328,800 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-06-24 10:06 636,692 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 11:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-29 00:55 133,120 a------- c:\windows\system32\dllcache\extmgr.dll
2009-04-28 05:05 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-17 08:26 1,847,168 -------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 10:51 585,216 -------- c:\windows\system32\dllcache\rpcrt4.dll
2008-09-05 16:42 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090520080906\index.dat

============= FINISH: 13:04:52.50 ==============
Attached Files
File Type: zip ActiveScan.zip (7.2 KB, 2 views)
Old 06-26-2009, 02:44 PM   #11 (permalink)
amateur (Moderator, Analyst, Security Team; Rangemaster, TSF Academy)
Join Date: Jun 2006; Location: USA; Posts: 7,303; OS: XP SP3

Re: Suspected Malware

Hi,

Quote:
The Panda scan took about 8 hours...is that normal?
It's a long time, but I've seen scans taking even longer than that. It all depends on what's on your hdd and your internet speed.
What's important now is that we have the scan results.

Panda is reporting a file which is associated with Dell support, therefore a false positive; and some tracking cookies, which are small files that store information about what sites you visit online. Advertisers use these for statistical analysis and to target ads that you would be more likely to click on. They're not dangerous in and of themselves, per se, but are definitely a good idea to remove periodically.

They are not the normal, everyday cookies which are used for everything from saving form data to your login information for a particular site.

Here is some reference to cookies (it also tells you how to manage them):

http://www.microsoft.com/info/cookies.mspx

http://support.microsoft.com/default...b;en-us;260971

You can block the third party cookies if you'd like:

To block Third party cookies with IE:

1. Click on the Tools button on the Internet Explorer tool bar.
2. Highlight and click on Internet options at the bottom of the Tools menu.
3. Select the Privacy Tab of the Internet Options menu.
4. Select the Advanced button .
5. Select override automatic cookie handling button.
6. To block third party cookies select block under "Third-party cookies".
7. Select "always allow session cookies".
8. Click on the OK button at the bottom of the screen.

=======================================

I still see some remnants from Norton. Did you use the procedure I suggested in Post #3 to remove Norton products?
  • Open Notepad (Start > All Programs > Accessories > Notepad). It must be Notepad, not WordPad, or it won't work.
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
  • Click Format and ensure Wordwrap is unchecked.

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Code:
Registry::
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6}]

Folder::
C:\fixwareout
                         
DDS::
BHO: This BHO has been enabled by BHODemon. - No File
BHO: {4A368E80-174F-4872-96B5-0B27DDD11DB2} - No File
BHO: This BHO has been disabled by BHODemon. - No File
DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45}
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6}
TCP: {9ECAE540-BB66-4639-A8A5-F1ABAA718B5C} = 85.255.115.99 85.255.112.90

Driver::
NAVAPEL
Norton AntiVirus Server
NAVAP
Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


Let me know how things are now. Are you able to update?
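Editor's note, added example (not code from DDS, ComboFix or the thread's analyst): the CFScript above is a hand-picked reading of the DDS log in post #10, and four patterns account for every line in it: BHO registrations whose DLL is gone ("No File"), DPF (ActiveX download) entries with no recorded source URL, a per-interface TCP NameServer value pointing at two public addresses (85.255.115.99 and 85.255.112.90, not the user's router or ISP), and stopped Norton services whose image files DDS could not find ("[?]"). The TCP line deserves the most attention: a resolver set statically on the interface decides where every name the machine looks up goes, update.microsoft.com and the Kaspersky and ZoneAlarm update hosts included, which is the kind of change that produces the "update site sends me to a Google 404" symptom reported in post #6. The script below applies those four rules to lines constructed from the posted log and lays the result out in the same section syntax. It generalises in two places the lead-in should be explicit about: the Registry:: removal is emitted for every DPF GUID without a URL (the analyst wrote it for one), and the set of trusted resolvers is an assumption supplied by the caller, with private addresses (a home router) accepted by default.

```python
"""
Triage of a DDS "Pseudo HJT Report" / "SERVICES / DRIVERS" section.

Added example for this page, not code from DDS, ComboFix or the analyst.
Rules (reconstructed from the CFScript in post #11, not from any tool's docs):
  * BHO lines whose target is "No File"            -> dead registration
  * DPF lines with no " - <codebase URL>" recorded -> unknown ActiveX source
  * TCP lines whose NameServer IPs are public and not in the trusted list
  * "S" (stopped) services DDS could not locate ("[?]") -> orphaned driver
Sample input is constructed from lines quoted in this thread.
"""
import ipaddress
import re

SAMPLE_DDS = r"""
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: This BHO has been enabled by BHODemon. - No File
BHO: {4A368E80-174F-4872-96B5-0B27DDD11DB2} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll__BHODemonDisabled
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6}
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45}
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
TCP: {9ECAE540-BB66-4639-A8A5-F1ABAA718B5C} = 85.255.115.99 85.255.112.90
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-4-1 114768]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S2 NAVAPEL;NAVAPEL;\??\c:\program files\symantec_client_security\symantec antivirus\navapel.sys --> c:\program files\symantec_client_security\symantec antivirus\NAVAPEL.SYS [?]
S2 Norton AntiVirus Server;Symantec AntiVirus Client;c:\progra~1\symant~1\symant~1\rtvscan.exe --> c:\progra~1\symant~1\symant~1\Rtvscan.exe [?]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2007-8-7 254040]
S3 NAVAP;NAVAP;\??\c:\progra~1\symant~1\symant~1\navap.sys --> c:\progra~1\symant~1\symant~1\NAVAP.sys [?]
"""

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# "R1 name;display;image [date size]" or "S2 name;display;image --> image [?]"
SERVICE_RE = re.compile(r"^([RS])\d\s+([^;]+);")


def triage(text, trusted_resolvers=()):
    """Return {"BHO": [...], "DPF": [...], "TCP": [...], "Driver": [...]} of (item, reason)."""
    trusted = {ipaddress.ip_address(ip) for ip in trusted_resolvers}
    findings = {"BHO": [], "DPF": [], "TCP": [], "Driver": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("BHO: "):
            if line.endswith(" - No File"):
                findings["BHO"].append((line, "BHO still registered but its DLL is gone"))
        elif line.startswith("DPF: "):
            if " - " not in line:  # DDS prints "GUID - codebase" when it knows the source
                findings["DPF"].append((line, "ActiveX download entry with no recorded source URL"))
        elif line.startswith("TCP: "):
            servers = line.partition(" = ")[2].split()
            rogue = [ip for ip in servers
                     if ipaddress.ip_address(ip) not in trusted
                     and not ipaddress.ip_address(ip).is_private]
            if rogue:
                findings["TCP"].append(
                    (line, "interface NameServer set to public resolver(s) " + ", ".join(rogue)))
        else:
            m = SERVICE_RE.match(line)
            if m and m.group(1) == "S" and line.endswith("[?]"):
                findings["Driver"].append((m.group(2), "stopped service whose image file could not be located"))
    return findings


def render_cfscript(findings):
    """Lay the findings out in the Registry:: / DDS:: / Driver:: section syntax used above."""
    out = []
    guids = [GUID_RE.search(l).group(0) for l, _ in findings["DPF"] if GUID_RE.search(l)]
    if guids:  # DPF entries live under Code Store Database\Distribution Units
        out.append("Registry::")
        out += [r"[-HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\%s]" % g
                for g in guids]
        out.append("")
    dds_lines = [l for cat in ("BHO", "DPF", "TCP") for l, _ in findings[cat]]
    if dds_lines:
        out.append("DDS::")
        out += dds_lines
        out.append("")
    if findings["Driver"]:
        out.append("Driver::")
        out += [name for name, _ in findings["Driver"]]
    return "\n".join(out)


if __name__ == "__main__":
    print(render_cfscript(triage(SAMPLE_DDS)))
```

Treat the generated text as a starting point to read, not something to drag onto ComboFix unread. The TCP finding is the one to verify first on the machine itself: ipconfig /all should list the router (or the ISP's resolvers) as DNS servers, any other per-interface entry should go, and ipconfig /flushdns should follow before the update sites are re-tested. Since a Linksys agent is in the process list, the router's own DNS settings are worth the same check, because a resolver changed there survives any cleanup of the PC.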
Old 06-26-2009, 03:46 PM   #12 (permalink)
raj1439 (Registered User)
Join Date: May 2006; Location: Boston, MA; Posts: 56; OS: Win XP SP3

Re: Suspected Malware

Okay, I set IE to block third party cookies.

As far as Norton goes, I did follow the instructions in your earlier post, and everything seemed to work.

I followed your instructions and ran ComboFix. Here's the log info:

ComboFix 09-06-23.01 - Gaming 06/26/2009 17:18.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1465 [GMT -4:00]
Running from: c:\documents and settings\Gaming\Desktop\CompFix 09\ComboFix.exe
Command switches used :: c:\documents and settings\Gaming\Desktop\CompFix 09\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090626-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\fixwareout
c:\fixwareout\FindT\FindT.bat
c:\fixwareout\FindT\first.bat
c:\fixwareout\FindT\locate.com
c:\fixwareout\FindT\op.reg
c:\fixwareout\FindT\patterns.txt
c:\fixwareout\FindT\runs.txt
c:\fixwareout\FindT\runs.vbs
c:\fixwareout\FindT\swreg.exe
c:\fixwareout\FindT\WINREG.EXE
c:\fixwareout\FindT\XFIND.COM
c:\fixwareout\FixIt.BAT
c:\fixwareout\report.txt
c:\fixwareout\SUB\9Xreboot.bfu
c:\fixwareout\SUB\BFU.exe
c:\fixwareout\SUB\bfu.zip
c:\fixwareout\SUB\download.exe
c:\fixwareout\SUB\ipconfig.bat
c:\fixwareout\SUB\NTreboot.bfu
c:\fixwareout\SUB\unzip.exe
c:\fixwareout\SUB\win98me.bfu
c:\fixwareout\SUB\XP-2K2.bfu

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NAVAP
-------\Legacy_NAVAPEL
-------\Legacy_NORTON_ANTIVIRUS_SERVER
-------\Service_NAVAP
-------\Service_NAVAPEL
-------\Service_Norton AntiVirus Server


((((((((((((((((((((((((( Files Created from 2009-05-26 to 2009-06-26 )))))))))))))))))))))))))))))))
.

2009-06-25 20:28 . 2008-06-19 21:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-06-25 20:28 . 2009-06-25 20:28 -------- d-----w- c:\program files\Panda Security
2009-06-25 05:05 . 2009-06-25 05:05 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2009-06-25 05:03 . 2009-06-25 05:03 152576 ----a-w- c:\documents and settings\Gaming\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-06-24 14:02 . 2009-06-24 14:02 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-06-24 13:49 . 2009-06-24 13:49 -------- d-----w- c:\windows\system32\dllcache\cache
2009-06-23 14:30 . 2009-06-23 15:40 -------- d-----w- c:\documents and settings\Gaming\Application Data\dvdcss
2009-06-23 14:30 . 2009-06-23 15:48 -------- d-----w- c:\documents and settings\Gaming\Application Data\vlc
2009-06-23 14:28 . 2009-06-23 14:28 -------- d-----w- c:\program files\VideoLAN
2009-06-21 20:09 . 2009-06-21 20:09 -------- d-sh--w- c:\documents and settings\Gaming\IECompatCache
2009-06-19 17:47 . 2009-06-19 17:47 -------- d-sh--w- c:\documents and settings\Gaming\PrivacIE
2009-06-19 17:24 . 2009-06-19 17:24 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-06-19 17:23 . 2009-06-19 17:23 -------- d-sh--w- c:\documents and settings\Gaming\IETldCache
2009-06-19 17:17 . 2009-06-19 17:20 -------- dc-h--w- c:\windows\ie8
2009-06-09 00:22 . 2009-06-09 00:23 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-09 00:19 . 2009-06-09 00:19 -------- d-----w- c:\program files\Bonjour
2009-06-09 00:14 . 2009-06-09 00:15 -------- d-----w- c:\program files\QuickTime
2009-06-09 00:07 . 2009-06-09 00:07 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-03 22:41 . 2009-06-03 22:42 -------- d-----w- C:\OutputFolder

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-26 21:26 . 2007-08-13 15:14 55474208 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-06-26 21:23 . 2007-08-13 15:14 651068 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-06-26 21:16 . 2007-10-14 13:17 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-26 21:16 . 2006-05-13 19:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-26 21:13 . 2006-05-12 02:49 -------- d-----w- c:\program files\SpywareBlaster
2009-06-25 05:04 . 2005-04-21 23:06 -------- d-----w- c:\program files\Java
2009-06-25 04:58 . 2005-04-21 23:08 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-25 04:58 . 2005-05-10 09:42 -------- d-----w- c:\program files\iPod
2009-06-24 13:41 . 2007-08-15 01:41 213441869 ----a-w- c:\windows\Internet Logs\tvDebug.zip
2009-06-19 22:47 . 2006-06-16 05:00 -------- d-----w- c:\program files\Agent
2009-06-19 22:46 . 2005-04-27 03:14 -------- d-----w- c:\documents and settings\Rich\Application Data\Lavasoft
2009-06-19 18:07 . 2006-09-20 21:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-06-18 22:19 . 2005-04-27 09:28 -------- d-----w- c:\program files\FirstClass
2009-06-09 22:12 . 2006-12-22 20:14 132960 ----a-w- c:\documents and settings\Gaming\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-09 00:23 . 2006-09-17 01:09 -------- d-----w- c:\program files\iTunes
2009-06-09 00:22 . 2007-09-02 17:05 -------- d-----w- c:\program files\Common Files\Apple
2009-06-08 22:44 . 2008-02-13 22:47 -------- d-----w- c:\documents and settings\Gaming\Application Data\uTorrent
2009-05-07 15:32 . 2004-08-10 17:51 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-17 12:26 . 2004-08-10 17:51 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-10 17:51 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-06-24_13.43.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-26 21:24 . 2009-06-26 21:24 16384 c:\windows\Temp\Perflib_Perfdata_67c.dat
+ 2009-06-26 21:24 . 2009-06-26 21:24 16384 c:\windows\Temp\Perflib_Perfdata_2a4.dat
+ 2009-06-24 13:49 . 2008-10-16 19:09 51224 c:\windows\system32\dllcache\cache\wuauclt.exe
+ 2009-06-24 13:49 . 2008-04-14 00:12 82432 c:\windows\system32\dllcache\cache\ws2_32.dll
+ 2009-06-24 13:49 . 2008-04-14 00:12 26112 c:\windows\system32\dllcache\cache\userinit.exe
+ 2009-06-24 13:49 . 2008-04-14 00:12 14336 c:\windows\system32\dllcache\cache\svchost.exe
+ 2009-06-24 13:49 . 2008-04-14 00:12 57856 c:\windows\system32\dllcache\cache\spoolsv.exe
+ 2009-06-24 13:49 . 2008-04-14 00:12 17408 c:\windows\system32\dllcache\cache\powrprof.dll
+ 2009-06-24 13:49 . 2008-04-14 00:12 13312 c:\windows\system32\dllcache\cache\lsass.exe
+ 2009-06-24 13:49 . 2008-04-13 18:39 24576 c:\windows\system32\dllcache\cache\kbdclass.sys
+ 2009-06-24 13:49 . 2008-04-13 18:53 36608 c:\windows\system32\dllcache\cache\ip6fw.sys
+ 2009-06-24 13:49 . 2008-04-14 00:12 15360 c:\windows\system32\dllcache\cache\ctfmon.exe
- 2008-12-09 23:04 . 2008-12-09 23:03 148888 c:\windows\system32\javaws.exe
+ 2009-06-25 05:04 . 2009-03-09 09:19 148888 c:\windows\system32\javaws.exe
- 2008-12-09 23:04 . 2008-12-09 23:03 144792 c:\windows\system32\javaw.exe
+ 2009-06-25 05:04 . 2009-03-09 09:19 144792 c:\windows\system32\javaw.exe
+ 2009-06-25 05:04 . 2009-03-09 09:19 144792 c:\windows\system32\java.exe
- 2008-12-09 23:04 . 2008-12-09 23:03 144792 c:\windows\system32\java.exe
+ 2009-06-24 13:49 . 2008-04-14 00:12 507904 c:\windows\system32\dllcache\cache\winlogon.exe
+ 2009-06-24 13:49 . 2009-03-08 08:34 914944 c:\windows\system32\dllcache\cache\wininet.dll
+ 2009-06-24 13:49 . 2008-04-14 00:12 578560 c:\windows\system32\dllcache\cache\user32.dll
+ 2009-06-24 13:49 . 2008-04-14 00:12 295424 c:\windows\system32\dllcache\cache\termsrv.dll
+ 2009-06-24 13:49 . 2008-06-20 11:51 361600 c:\windows\system32\dllcache\cache\tcpip.sys
+ 2009-06-24 13:49 . 2009-02-06 11:11 110592 c:\windows\system32\dllcache\cache\services.exe
+ 2009-06-24 13:49 . 2008-04-13 19:20 182656 c:\windows\system32\dllcache\cache\ndis.sys
+ 2009-06-24 13:49 . 2009-03-21 14:06 989696 c:\windows\system32\dllcache\cache\kernel32.dll
+ 2009-06-24 13:49 . 2008-04-14 00:11 110080 c:\windows\system32\dllcache\cache\imm32.dll
+ 2008-12-09 23:04 . 2009-03-09 09:19 410984 c:\windows\system32\deploytk.dll
- 2008-12-09 23:04 . 2008-12-09 23:03 410984 c:\windows\system32\deploytk.dll
+ 2009-04-17 12:59 . 2009-04-17 12:59 128256 c:\windows\Downloaded Program Files\as2stubie.dll
+ 2009-06-24 13:49 . 2008-04-14 00:12 1614848 c:\windows\system32\dllcache\cache\sfcfiles.dll
+ 2009-06-24 13:49 . 2009-02-06 11:08 2189056 c:\windows\system32\dllcache\cache\ntoskrnl.exe
+ 2009-06-24 13:49 . 2009-02-07 23:02 2066048 c:\windows\system32\dllcache\cache\ntkrnlpa.exe
+ 2009-06-24 13:49 . 2008-04-14 00:12 1033728 c:\windows\system32\dllcache\cache\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-09-12 196608]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-12 7630848]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0stera

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"Viewpoint Manager Service"=2 (0x2)
"ose"=3 (0x3)
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Turbine\\The Lord of the Rings Online\\lotroclient.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\avsys\\ScanningProcess.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [6/25/2009 4:28 PM 28544]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/1/2008 5:53 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/1/2008 5:53 PM 20560]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PAVBOOT

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-26 17:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1352)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ZoneLabs\vsmon.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\UStorSrv.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2009-06-26 17:33 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-26 21:33
ComboFix2.txt 2009-06-24 13:51

Pre-Run: 17,745,645,568 bytes free
Post-Run: 17,706,463,232 bytes free

237 --- E O F --- 2009-06-19 17:20


Unfortunately, I still cannot connect to MS Update, the Spybot update server, or the ZA Update site.
__________________
i know just enough about computers to screw things up royally...
Old 06-26-2009, 04:16 PM   #13 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
Join Date: Jun 2006
Location: USA
Posts: 7,303
OS: XP SP3


Re: Suspected Malware

Hi,

Quote:
Unfortunately, I still cannot connect to MS Update, the Spybot update server, or the ZA Update site.
I can't say anything about the Spybot and ZA, but your log indicates that Windows did update soon after the first run of Combofix. Did you have the same problem with Firefox? Are you using the ZoneAlarm free version?

In IE, please go to Tools>Internet Options>Security tab, click on Restricted Sites and then click on Sites, make sure that under "Websites" the sites which you are unable to access are not listed.

Next, download the HostsXpert 4.2 - Hosts File Manager.
  • Unzip HostsXpert 4.2 - Hosts File Manager to a convenient folder such as C:\HostsXpert 4.2 - Hosts File Manager
  • Run HostsXpert 4.2 - Hosts File Manager from its new home
  • Click on "File Handling".
  • Click on "Restore MS Hosts File".
  • Click OK on the Confirmation box.
  • Click on "Make Read Only?"
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

Restart your computer and see if you can access those sites.
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006

Last edited by amateur; 06-26-2009 at 04:19 PM.
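Before restoring the stock hosts file, it is worth seeing what is actually in it: a hosts entry that maps an update or vendor domain to loopback, to 0.0.0.0, or to some unrelated address is exactly what blocks MS Update, Spybot and ZoneAlarm updates while everything else keeps working. The script below is an added illustration for this thread, not part of the original post and not HostsXpert's code. The domain watch-list and the sample hosts contents are constructed assumptions; point it at %SystemRoot%\system32\drivers\etc\hosts to run it against a real machine.

```python
"""Inspect a Windows hosts file for entries that hijack update sites.

Added example for this thread; not HostsXpert's code. The watch-list and the
sample hosts text are constructed for illustration.
"""
import ipaddress
import re
import sys

# Domains matching the sites this thread reports as unreachable (constructed
# watch-list; extend with whatever update hosts matter on the machine).
WATCHLIST = (
    "microsoft.com",
    "windowsupdate.com",
    "zonealarm.com",
    "safer-networking.org",
    "spybot.info",
)

# Body of the stock Windows XP hosts file: a single loopback line.
DEFAULT_HOSTS = "127.0.0.1       localhost\n"

# Constructed sample: one blackholed domain, one redirected domain, one
# legitimate custom entry that a cleanup must preserve.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       update.microsoft.com   # blackholed: Windows Update never resolves
10.0.0.1    zonealarm.com  www.zonealarm.com  # redirected to an unrelated host
192.168.1.50    fileserver.local    # legitimate custom entry, must survive cleanup
"""

_LINE = re.compile(r"^\s*(\S+)\s+(.+?)\s*$")


def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments and blank lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        m = _LINE.match(line)
        if not m:
            continue
        ip, names = m.group(1), m.group(2).split()
        for name in names:
            yield ip, name.lower()


def _watched(name, watchlist):
    return any(name == d or name.endswith("." + d) for d in watchlist)


def _blackhole(ip):
    """True for loopback (127/8, ::1) and the unspecified address 0.0.0.0."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def suspicious_entries(text, watchlist=WATCHLIST):
    """Return (hostname, ip, kind) for every watched domain found in the file.

    kind is "blackholed" when the entry points at loopback/0.0.0.0 (the site
    silently fails) and "redirected" when it points anywhere else (the browser
    lands on some other server's error page).
    """
    hits = []
    for ip, name in parse_hosts(text):
        if _watched(name, watchlist):
            kind = "blackholed" if _blackhole(ip) else "redirected"
            hits.append((name, ip, kind))
    return hits


def clean_hosts(text, watchlist=WATCHLIST):
    """Drop every line that maps a watched domain, keep comments and other custom
    entries, and make sure the stock localhost line is present."""
    kept, has_localhost = [], False
    for raw in text.splitlines():
        names = [n for _, n in parse_hosts(raw)]
        if any(_watched(n, watchlist) for n in names):
            continue
        if "localhost" in names:
            has_localhost = True
        kept.append(raw)
    if not has_localhost:
        kept.insert(0, DEFAULT_HOSTS.rstrip("\n"))
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    # Usage: python check_hosts.py [path-to-hosts-file]; defaults to the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            contents = fh.read()
    else:
        contents = SAMPLE_HOSTS
    for name, ip, kind in suspicious_entries(contents):
        print(f"{kind:11} {name:30} -> {ip}")
```

Unlike the "Restore MS Hosts File" button, clean_hosts keeps custom lines that do not touch a watched domain, so a home-network entry survives; the trade-off is that it only removes what the watch-list names, so a hijacked domain outside the list still needs the full restore. Either way the file is usually set read-only by the malware that wrote it, so clear that attribute before writing it back.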
Old 06-27-2009, 12:28 PM   #14 (permalink)
Registered User
 
Join Date: May 2006
Location: Boston, MA
Posts: 56
OS: Win XP SP3


Re: Suspected Malware

Okay, I tried both steps above and rebooted, no change. I'm assuming it's okay if Windows only updates via auto-update, but I'm concerned that I can't update ZA or Spybot. I even tried adding the ZA update URL to the list of Trusted Sites in the IE control panel, and it didn't make a difference. I am using the ZA free version (firewall only), but updating was never an issue until I started being unable to connect to the MS Update site via the Start menu.
Old 06-27-2009, 12:33 PM   #15 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
Join Date: Jun 2006
Location: USA
Posts: 7,303
OS: XP SP3


Re: Suspected Malware

Hi,

Is ZoneAlarm the free version?
Old 06-28-2009, 05:50 PM   #16 (permalink)
Registered User
 
Join Date: May 2006
Location: Boston, MA
Posts: 56
OS: Win XP SP3


Re: Suspected Malware

Quote:
Originally Posted by amateur View Post
Hi,

Is ZoneAlarm the free version?
Yes, it is.
Old 06-28-2009, 06:28 PM   #17 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
Join Date: Jun 2006
Location: USA
Posts: 7,303
OS: XP SP3


Re: Suspected Malware

Hi,

Are those the only sites that you have trouble with?

Quote:
Spybot - Search & Destroy 1.5.2.20
Your Spybot Search and Destroy is outdated. You might like to uninstall that and install the latest version 1.6.2

I am just wondering if it's a ZoneAlarm issue. Please remove it via Add or Remove Programs in Control Panel (Start>Control Panel>Add or Remove Programs), reboot, and see if that helps. You can re-install it later. I would recommend that you un-check anything else they offer to install. Just install the firewall: http://www.zonealarm.com/security/en...load-znalm.htm

Last edited by amateur; 06-28-2009 at 06:31 PM.
Old 06-29-2009, 07:01 AM   #18 (permalink)
Registered User
 
Join Date: May 2006
Location: Boston, MA
Posts: 56
OS: Win XP SP3


Re: Suspected Malware

Quote:
Originally Posted by amateur View Post
Hi,

Are those the only sites that you have trouble with?



Your Spybot Search and Destroy is outdated. You might like to uninstall that and install the latest version 1.6.2

I am just wondering if it's a ZoneAlarm issue. Please remove it via Add or Remove Programs in Control Panel (Start>Control Panel>Add or Remove Programs), reboot, and see if that helps. You can re-install it later. I would recommend that you un-check anything else they offer to install. Just install the firewall: http://www.zonealarm.com/security/en...load-znalm.htm
I uninstalled ZoneAlarm, and nothing changed. I still get the same "Google Error - The requested URL is not available on this server" page when I try MS Update, Spybot won't connect to the update server, and I can't even connect to the ZA firewall download page you linked in your post. I was able to download ZoneAlarm via the download.cnet site.

EDIT: Update: after I re-installed ZoneAlarm I was able to connect to both the ZA update page and the Microsoft Update page. I'm going to try reinstalling Spybot after the updates are finished.

Last edited by raj1439; 06-29-2009 at 07:17 AM.
Old 06-29-2009, 08:25 AM   #19 (permalink)
Registered User
 
Join Date: May 2006
Location: Boston, MA
Posts: 56
OS: Win XP SP3


Re: Suspected Malware

New update: back to square one. After rebooting my computer, I can once again no longer access the MS Update site, the ZA update site or the Spybot servers. I keep getting the Google error page when I attempt to connect to MS Update, and the "Cannot Connect to This Website" error when I attempt to connect to ZA.
Old 06-29-2009, 08:42 AM   #20 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
Join Date: Jun 2006
Location: USA
Posts: 7,303
OS: XP SP3


Re: Suspected Malware

How are you connected to the internet? Are you using a router?
 


Copyright 2001 - 2009, Tech Support Forum