[Resolved] Malwarebytes not working Plus More


  • This topic is locked
152 replies to this topic

#61 topband (Authentic Member, 83 posts)

Posted 28 April 2009 - 10:46 PM

Hi OM ... here are the results. The online scan file did not work; I just kept getting an error message, and I tried it many times. I'll send over computer function data as I use it. Thanks, OM

jh

ComboFix 09-04-28.02 - John Hancock 04/28/2009 21:11.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.446.123 [GMT -7:00]
Running from: c:\documents and settings\John Hancock\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\John Hancock\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090428-0] *On-access scanning disabled* (Updated)
FW: NVIDIA Firewall *disabled*
FW: Online Armor Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-29 )))))))))))))))))))))))))))))))
.

2009-04-22 01:55 . 2009-04-22 01:55 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-04-17 07:04 . 2009-04-17 23:52 -------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-04-17 07:03 . 2009-04-17 07:03 -------- d-----w c:\documents and settings\John Hancock\Local Settings\Application Data\Apple
2009-04-17 07:03 . 2009-04-17 07:03 -------- d-----w c:\program files\Apple Software Update
2009-04-17 07:03 . 2009-04-17 07:03 -------- d-----w c:\documents and settings\All Users\Application Data\Apple
2009-04-17 06:58 . 2009-04-17 23:54 -------- dc----w c:\windows\system32\DRVSTORE
2009-04-17 06:53 . 2009-04-17 07:21 -------- d-----w c:\documents and settings\John Hancock\Local Settings\Application Data\Apple Computer
2009-04-12 02:41 . 2009-04-12 02:41 62984 ----a-w c:\documents and settings\John Hancock\Application Data\GDIPFONTCACHEV1.DAT
2009-04-10 20:32 . 2009-04-10 20:32 -------- d-sh--w c:\windows\ftpcache
2009-04-07 15:46 . 2009-04-07 15:46 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-04-07 02:52 . 2009-04-07 18:42 -------- d-----w c:\documents and settings\John Hancock\Application Data\DivX
2009-04-07 02:45 . 2009-04-07 02:45 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-04-07 02:42 . 2009-04-07 02:43 -------- d-----w c:\program files\Common Files\DivX Shared
2009-04-04 03:18 . 2009-04-04 03:18 -------- d-----w c:\documents and settings\John Hancock\Local Settings\Application Data\WMTools Downloaded Files
2009-04-04 02:31 . 2009-04-04 02:31 -------- d-----w c:\documents and settings\John Hancock\Local Settings\Application Data\Identities
2009-04-03 19:53 . 2009-04-03 19:53 -------- d-----w c:\program files\Trend Micro
2009-04-03 19:37 . 2009-04-03 19:37 -------- d-----w c:\program files\Common Files\Hewlett-Packard
2009-04-03 19:35 . 2004-09-29 19:08 61440 ----a-w c:\windows\system32\HPZinw12.exe
2009-04-03 19:35 . 2004-09-29 19:14 69632 ----a-w c:\windows\system32\HPZipm12.exe
2009-04-03 19:35 . 2004-09-29 19:09 57344 ----a-w c:\windows\system32\HPZisn12.dll
2009-04-03 19:35 . 2004-09-29 19:09 94208 ----a-w c:\windows\system32\HPZipt12.dll
2009-04-03 19:35 . 2004-09-29 19:15 204800 ----a-w c:\windows\system32\HPZipr12.dll
2009-04-03 19:35 . 2004-09-29 19:12 278584 ----a-w c:\windows\system32\HPZidr12.dll
2009-04-03 19:34 . 2009-04-03 19:35 -------- d-----w c:\program files\HP
2009-04-03 19:31 . 2009-04-03 19:38 68300 ----a-w c:\windows\hpoins05.dat
2009-04-03 19:31 . 2005-07-29 01:28 19696 ------w c:\windows\hpomdl05.dat
2009-04-03 19:30 . 2005-07-29 01:28 51120 ----a-w c:\windows\system32\drivers\HPZid412.sys
2009-04-03 19:30 . 2005-07-29 01:28 21744 ----a-w c:\windows\system32\drivers\HPZius12.sys
2009-04-03 19:30 . 2005-07-29 01:28 16496 ----a-w c:\windows\system32\drivers\HPZipr12.sys
2009-04-03 19:29 . 2005-07-29 01:28 708608 ----a-w c:\windows\system32\hpotiop.dll
2009-04-03 19:29 . 2005-07-29 01:28 278528 ----a-w c:\windows\system32\hpgwiamd.dll
2009-04-03 19:29 . 2005-07-29 01:28 274432 ----a-w c:\windows\system32\HPZc3212.dll
2009-04-03 19:29 . 2005-07-29 01:28 229376 ----a-w c:\windows\system32\hpovst08.dll
2009-04-03 19:29 . 2005-07-29 01:28 393216 ----a-w c:\windows\system32\hpzcon12.dll
2009-04-03 19:29 . 2005-07-29 01:28 196608 ----a-w c:\windows\system32\hpzcoi12.dll
2009-04-03 19:29 . 2005-07-29 01:28 139345 ----a-w c:\windows\system32\hpzlnt12.dll
2009-04-03 19:29 . 2009-04-18 00:03 -------- d-----w C:\Temp
2009-04-03 19:29 . 2009-04-03 19:30 -------- d-----w c:\temp\HP_WebRelease
2009-04-03 17:27 . 2009-04-03 17:27 0 ----a-w c:\windows\nsreg.dat
2009-04-03 17:27 . 2009-04-03 17:27 -------- d-----w c:\documents and settings\John Hancock\Application Data\Flock
2009-04-03 17:27 . 2009-04-03 17:27 -------- d-----w c:\documents and settings\John Hancock\Local Settings\Application Data\Flock
2009-04-03 17:26 . 2009-04-29 04:02 -------- d-----w c:\program files\Flock
2009-04-03 02:49 . 2008-06-13 13:10 272128 -c----w c:\windows\system32\dllcache\bthport.sys
2009-04-03 02:49 . 2008-06-13 13:10 272128 ------w c:\windows\system32\drivers\bthport.sys
2009-04-03 02:48 . 2009-04-29 04:09 -------- d-----w c:\documents and settings\John Hancock\Application Data\OnlineArmor
2009-04-03 02:48 . 2009-04-03 02:48 -------- d-----w c:\documents and settings\All Users\Application Data\OnlineArmor
2009-04-03 02:47 . 2008-12-13 09:26 30920 ----a-w c:\windows\system32\drivers\OAmon.sys
2009-04-03 02:47 . 2008-12-13 09:26 28872 ----a-w c:\windows\system32\drivers\OAnet.sys
2009-04-03 02:47 . 2008-12-13 09:26 178376 ----a-w c:\windows\system32\drivers\OADriver.sys
2009-04-03 02:47 . 2009-04-03 02:47 -------- d-----w c:\program files\Tall Emu
2009-04-03 02:44 . 2009-02-20 18:09 63488 -c----w c:\windows\system32\dllcache\icardie.dll
2009-04-03 02:40 . 2009-04-03 02:40 1172 ----a-w c:\windows\mozver.dat
2009-04-03 02:27 . 2001-08-17 20:48 12160 -c--a-w c:\windows\system32\dllcache\mouhid.sys
2009-04-03 02:27 . 2001-08-17 20:48 12160 ----a-w c:\windows\system32\drivers\mouhid.sys
2009-04-03 02:27 . 2001-08-17 21:02 9600 -c--a-w c:\windows\system32\dllcache\hidusb.sys
2009-04-03 02:27 . 2001-08-17 21:02 9600 ----a-w c:\windows\system32\drivers\hidusb.sys
2009-04-03 01:37 . 2009-04-03 01:37 -------- d-----w c:\documents and settings\John Hancock\Application Data\Malwarebytes
2009-04-03 01:37 . 2009-03-26 23:49 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-03 01:37 . 2009-03-26 23:49 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-03 01:37 . 2009-04-03 01:37 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-03 01:37 . 2009-04-03 01:37 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-03 01:34 . 2003-03-18 20:20 1060864 ----a-w c:\windows\system32\MFC71.dll
2009-04-03 01:34 . 2009-04-03 01:34 -------- d-----w c:\program files\Alwil Software
2009-04-03 01:30 . 2009-04-03 02:01 -------- d-----w c:\windows\system32\CatRoot_bak

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-29 04:15 . 2007-06-07 17:49 -------- d-----w c:\program files\Piolet
2009-04-17 23:54 . 2009-04-17 07:14 -------- d-----w c:\program files\iTunes
2009-04-17 23:53 . 2009-04-17 23:53 -------- d-----w c:\program files\iPod
2009-04-17 23:53 . 2009-04-17 23:51 -------- d-----w c:\program files\Common Files\Apple
2009-04-17 23:53 . 2009-04-17 23:53 -------- d-----w c:\program files\Bonjour
2009-04-17 23:53 . 2009-04-17 23:52 -------- d-----w c:\program files\QuickTime
2009-04-07 18:45 . 2007-03-09 21:33 -------- d-----w c:\program files\Party Expert File
2009-04-07 02:49 . 2007-06-05 03:49 -------- d-----w c:\program files\Google
2009-04-07 02:48 . 2007-09-15 19:06 -------- d-----w c:\program files\DivX
2009-03-19 23:32 . 2009-04-17 23:54 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-06 14:44 . 2004-08-04 12:00 283648 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-04 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-24 19:35 . 2009-04-07 02:46 9464 ------w c:\windows\system32\drivers\cdralw2k.sys
2009-02-24 19:35 . 2009-04-07 02:46 9336 ------w c:\windows\system32\drivers\cdr4_xp.sys
2009-02-24 19:35 . 2009-04-07 02:46 43528 ------w c:\windows\system32\drivers\PxHelp20.sys
2009-02-24 19:35 . 2009-04-07 02:46 129784 ------w c:\windows\system32\pxafs.dll
2009-02-24 19:35 . 2009-04-07 02:46 120056 ------w c:\windows\system32\pxcpyi64.exe
2009-02-24 19:35 . 2009-04-07 02:46 118520 ------w c:\windows\system32\pxinsi64.exe
2009-02-24 19:34 . 2009-02-24 19:34 90112 ----a-w c:\windows\system32\dpl100.dll
2009-02-24 19:34 . 2009-02-24 19:34 823296 ----a-w c:\windows\system32\divx_xx0c.dll
2009-02-24 19:34 . 2009-02-24 19:34 823296 ----a-w c:\windows\system32\divx_xx07.dll
2009-02-24 19:34 . 2009-02-24 19:34 815104 ----a-w c:\windows\system32\divx_xx0a.dll
2009-02-24 19:34 . 2009-02-24 19:34 802816 ----a-w c:\windows\system32\divx_xx11.dll
2009-02-24 19:34 . 2009-02-24 19:34 684032 ----a-w c:\windows\system32\DivX.dll
2009-02-20 18:09 . 2004-08-04 12:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 10:20 . 2004-08-04 12:00 723456 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:20 . 2004-08-04 12:00 399360 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:20 . 2004-08-04 12:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 10:20 . 2004-08-04 12:00 616960 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:19 . 2004-08-04 12:00 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-06 17:24 . 2004-08-04 12:00 2180480 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 17:14 . 2004-08-04 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 16:54 . 2004-08-04 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 16:49 . 2004-08-03 22:59 2057728 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 20:08 . 2004-08-04 12:00 55808 ----a-w c:\windows\system32\secur32.dll
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w c:\program files\mozilla firefox\plugins\ssldivx.dll
2009-04-03 17:13 . 2007-09-15 19:10 67688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2009-04-03 17:13 . 2007-09-15 19:10 54368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2009-04-03 17:13 . 2007-09-15 19:10 34944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2009-04-03 17:13 . 2007-09-15 19:10 46712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2009-04-03 17:13 . 2007-09-15 19:10 172136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-04-28_05.56.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-28 16:10 . 2009-04-28 16:10 16384 c:\windows\Temp\Perflib_Perfdata_16c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="c:\progra~1\Ahead\Ahead\data\Xtras\mssysmgr.exe" [2004-05-12 196608]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-07 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"nTrayFw"="c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe" [2005-07-30 270336]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-10-10 7286784]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-10-10 86016]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"F5D9050"="c:\program files\Belkin\F5D9050\Belkinwcui.exe" [2006-03-14 1585152]
"Piolet"="c:\program files\Piolet\Piolet.exe" [2007-04-13 5988352]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2008-12-13 6223048]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2005-09-22 90112]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2005-10-10 1519616]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-3-9 98304]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-3-9 98304]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"EnableProfileQuota"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2008-12-13 886984]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\Program Files\\Piolet\\Piolet.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 gupdate1c9b72abb9fd676;Google Update Service (gupdate1c9b72abb9fd676);c:\program files\Google\Update\GoogleUpdate.exe [2009-04-07 133104]
R3 FXDRV;FXDRV; [x]
R3 StreamSurge;StreamSurge Driver (miniport); [x]
S1 aswSP;avast! Self Protection; [x]
S1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2008-12-13 178376]
S1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2008-12-13 30920]
S1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2008-12-13 28872]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
S2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [2008-12-13 1402568]
S2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [2008-12-13 3321032]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-04 13592]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ab469fbb-260d-11de-85ba-0015582346bb}]
\Shell\AutoRun\command - .\Encryption Tool\MaxtorEncryption.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-04-28 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-07 02:42]

2009-04-28 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
FF - ProfilePath - c:\documents and settings\John Hancock\Application Data\Mozilla\Firefox\Profiles\n4xju13y.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-28 21:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1148)
c:\program files\Tall Emu\Online Armor\oawatch.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-04-29 21:19
ComboFix-quarantined-files.txt 2009-04-29 04:19
ComboFix2.txt 2009-04-28 05:59

Pre-Run: 4,140,990,464 bytes free
Post-Run: 4,143,996,928 bytes free

230 --- E O F --- 2009-04-27 15:43






Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:45:25 PM, on 4/28/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Tall Emu\Online Armor\oacat.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Tall Emu\Online Armor\oahlp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Flock\flock.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [F5D9050] C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
O4 - HKLM\..\Run: [Piolet] C:\Program Files\Piolet\Piolet.exe SILENT
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1181019296906
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset...lineScanner.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google Update Service (gupdate1c9b72abb9fd676) (gupdate1c9b72abb9fd676) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe

--
End of file - 8789 bytes


#62 oldman960 (Forum God, Retired Classroom Teacher, 14,770 posts)

Posted 28 April 2009 - 11:27 PM

Hi TopBand,

My fault, I forgot an extension in the fix. We'll run it again.

Please follow all previous instructions regarding security programs.

Open a new Notepad session
  • Click the Start button, click run
  • in the run box type notepad
  • click ok
  • In the notepad, Click "Format" and be certain that Word Wrap is not checked.
  • Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE

DEQUARANTINE::
C:\Qoobox\Quarantine\c\windows\system32\drivers\ss.sys.vir

Quit::

Registry::

In the notepad
  • Click File, Save as..., and set the Save in to your Desktop
  • In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
  • Click save
Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.

This will start ComboFix again. Close all browsers/windows first.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Posted Image



This should work this time.

We need some file information
  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path, into the "Suspicious files to scan" box on the top of the page:

    c:\windows\system32\drivers\ss.sys
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.

Post back with the ComboFix log and the VirScan results.



Thanks

Proud Graduate of the WTT Classroom
If you are happy with the help you received, please consider making a Donation
Curiosity didn't kill the cat. Ignorance did, curiosity was framed.
Learn how to protect Yourself

Microsoft MVP 2011-2015

Threads will be closed if no response after 5 days.

#63 topband (Authentic Member, 83 posts)

Posted 01 May 2009 - 01:01 PM

Hi OM, we are doing a move now, California from Vegas, so I will be up and running in about a week or less, so please keep our channel open. Thanks for everything, OM. Talk to you soon, jh

#64 oldman960 (Forum God, Retired Classroom Teacher, 14,770 posts)

Posted 01 May 2009 - 06:21 PM

Hi Topband, Thanks for letting me know.


#65 topband (Authentic Member, 83 posts)

Posted 17 May 2009 - 03:49 AM

Hi OM ... long time no talk, sir. We are now in San Pedro, CA, and I have Sprint internet ... pretty slow ... but we will change it soon. I am going to try now to get back to the last fix plan you had developed and will send you another email when it is accomplished. Thanks, John Hancock

#66 topband (Authentic Member, 83 posts)

Posted 17 May 2009 - 04:27 AM

OK OM ... I got the same results, if I remember right. I went to scan the line you suggested with the online virus scan and it gave an error that it could not upload the file ... tried several times.

I have here the ComboFix log ... followed by ... a HJT file ... thanks

jh

ComboFix 09-05-16.05 - John Hancock 05/17/2009 3:03.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.446.158 [GMT -7:00]
Running from: c:\documents and settings\John Hancock\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\John Hancock\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090516-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: NVIDIA Firewall *disabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}
FW: Online Armor Firewall *disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
* Created a new restore point
.
/wow section - STAGE 1
'PV' is not recognized as an internal or external command


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Participatory Culture Foundation\Miro\xulrunner\nssckbi.dll
k:\recycled\NPROTECT\00000019.DLL
k:\recycled\NPROTECT\00000020.DLL
k:\recycled\NPROTECT\00000021.dll
k:\recycled\NPROTECT\00000022.ver
k:\recycled\NPROTECT\00000023.inf
k:\recycled\NPROTECT\00000024.exe
k:\recycled\NPROTECT\00000025.DLL
k:\recycled\NPROTECT\00000026.dll
k:\recycled\NPROTECT\00000027.CDF
k:\recycled\NPROTECT\00000028.CAT
k:\recycled\NPROTECT\00000029.C0A
k:\recycled\NPROTECT\00000030.816
k:\recycled\NPROTECT\00000031.804
k:\recycled\NPROTECT\00000032.424
k:\recycled\NPROTECT\00000033.41F
k:\recycled\NPROTECT\00000034.41D
k:\recycled\NPROTECT\00000035.41B
k:\recycled\NPROTECT\00000036.419
k:\recycled\NPROTECT\00000037.416
k:\recycled\NPROTECT\00000038.415
k:\recycled\NPROTECT\00000039.414
k:\recycled\NPROTECT\00000040.413
k:\recycled\NPROTECT\00000041.412
k:\recycled\NPROTECT\00000042.411
k:\recycled\NPROTECT\00000043.410
k:\recycled\NPROTECT\00000044.40E
k:\recycled\NPROTECT\00000045.40D
k:\recycled\NPROTECT\00000046.40C
k:\recycled\NPROTECT\00000047.40B
k:\recycled\NPROTECT\00000048.409
k:\recycled\NPROTECT\00000049.408
k:\recycled\NPROTECT\00000050.407
k:\recycled\NPROTECT\00000051.406
k:\recycled\NPROTECT\00000052.405
k:\recycled\NPROTECT\00000053.404
k:\recycled\NPROTECT\00000054.401
k:\recycled\NPROTECT\00000055.sys
k:\recycled\NPROTECT\00000056.inf
k:\recycled\NPROTECT\00000057.inf
k:\recycled\NPROTECT\00000058.EXE
k:\recycled\NPROTECT\00000059.exe
k:\recycled\NPROTECT\00000060.exe
k:\recycled\NPROTECT\00000061.exe
k:\recycled\NPROTECT\00000062.exe
k:\recycled\NPROTECT\00000063.exe
k:\recycled\NPROTECT\00000064.exe
k:\recycled\NPROTECT\00000065.exe
k:\recycled\NPROTECT\00000066.dll
k:\recycled\NPROTECT\00000067.DLL
k:\recycled\NPROTECT\00000068.dll
k:\recycled\NPROTECT\00000069.dll
k:\recycled\NPROTECT\00000070.dll
k:\recycled\NPROTECT\00000071.dll
k:\recycled\NPROTECT\00000072.DLL
k:\recycled\NPROTECT\00000073.dll
k:\recycled\NPROTECT\00000074.dll
k:\recycled\NPROTECT\00000075.dll
k:\recycled\NPROTECT\00000076.dll
k:\recycled\NPROTECT\00000077.dll
k:\recycled\NPROTECT\00000078.dll
k:\recycled\NPROTECT\00000079.dll
k:\recycled\NPROTECT\00000080.dll
k:\recycled\NPROTECT\00000081.dll
k:\recycled\NPROTECT\00000082.dll
k:\recycled\NPROTECT\00000083.dll
k:\recycled\NPROTECT\00000084.dll
k:\recycled\NPROTECT\00000085.dll
k:\recycled\NPROTECT\00000086.dll
k:\recycled\NPROTECT\00000087.dll
k:\recycled\NPROTECT\00000088.dll
k:\recycled\NPROTECT\00000089.dll
k:\recycled\NPROTECT\00000090.dll
k:\recycled\NPROTECT\00000091.dll
k:\recycled\NPROTECT\00000092.dll
k:\recycled\NPROTECT\00000093.dll
k:\recycled\NPROTECT\00000094.dll
k:\recycled\NPROTECT\00000095.dll
k:\recycled\NPROTECT\00000096.dll
k:\recycled\NPROTECT\00000097.dll
k:\recycled\NPROTECT\00000098.dll
k:\recycled\NPROTECT\00000099.dll
k:\recycled\NPROTECT\00000100.dll
k:\recycled\NPROTECT\00000101.DLL
k:\recycled\NPROTECT\00000102.DLL
k:\recycled\NPROTECT\00000103.DLL
k:\recycled\NPROTECT\00000104.DLL
k:\recycled\NPROTECT\00000105.DLL
k:\recycled\NPROTECT\00000106.dll
k:\recycled\NPROTECT\00000107.dll
k:\recycled\NPROTECT\00000108.dll
k:\recycled\NPROTECT\00000109.dll
k:\recycled\NPROTECT\00000110.dll
k:\recycled\NPROTECT\00000111.dll
k:\recycled\NPROTECT\00000112.dll
k:\recycled\NPROTECT\00000113.dll
k:\recycled\NPROTECT\00000114.dll
k:\recycled\NPROTECT\00000115.dll
k:\recycled\NPROTECT\00000116.dll
k:\recycled\NPROTECT\00000117.dll
k:\recycled\NPROTECT\00000118.dll
k:\recycled\NPROTECT\00000119.dll
k:\recycled\NPROTECT\00000120.dll
k:\recycled\NPROTECT\00000121.dll
k:\recycled\NPROTECT\00000122.dll

.
((((((((((((((((((((((((( Files Created from 2009-04-17 to 2009-05-17 )))))))))))))))))))))))))))))))
.

2009-05-17 09:26 . 2009-05-17 09:26 -------- d-----w c:\program files\doubleTwist 2.0
2009-05-17 09:25 . 2009-05-17 09:25 -------- d-----w c:\documents and settings\John Hancock\Application Data\OpenCandy
2009-05-17 09:25 . 2009-05-17 09:25 -------- d-----w c:\documents and settings\John Hancock\Application Data\Participatory Culture Foundation
2009-05-17 09:24 . 2009-05-17 09:24 -------- d-----w c:\program files\Participatory Culture Foundation
2009-05-17 07:59 . 2009-05-17 07:59 -------- d-----w c:\documents and settings\John Hancock\Local Settings\Application Data\tjnet
2009-05-17 07:38 . 2009-05-17 09:41 -------- d-----w c:\documents and settings\John Hancock\Application Data\mjusbsp
2009-05-07 04:06 . 2009-05-07 04:06 -------- d-----w c:\documents and settings\John Hancock\Application Data\Sprint
2009-05-07 04:01 . 2007-10-13 00:04 27072 ----a-w c:\windows\system32\drivers\PCASp50.sys
2009-05-07 04:00 . 2005-03-15 19:11 17920 ----a-w c:\windows\system32\apintfnt.dll
2009-05-07 04:00 . 2007-01-18 18:24 26496 ----a-r c:\windows\system32\drivers\RimSerial.sys
2009-05-07 03:55 . 2009-05-07 03:55 -------- d-----w c:\program files\Common Files\Motorola Shared
2009-05-07 03:55 . 2009-05-07 03:55 -------- d-----w C:\Research in Motion
2009-05-07 03:55 . 2009-05-07 03:55 -------- d-----w c:\program files\Common Files\Research in Motion
2009-05-07 03:55 . 2009-05-07 04:00 -------- d-----w c:\program files\Sierra Wireless
2009-05-07 03:55 . 2009-05-07 03:55 -------- d-----w c:\program files\Novatel Wireless
2009-05-07 03:55 . 2009-05-07 03:55 -------- d-----w c:\documents and settings\All Users\Application Data\Sprint
2009-05-07 03:55 . 2009-05-07 03:55 -------- d-----w c:\program files\Sprint
2009-04-30 00:44 . 2009-04-30 00:44 -------- d-----w c:\documents and settings\John Hancock\Application Data\OnlineArmor
2009-04-30 00:44 . 2009-04-30 00:44 -------- d-----w c:\documents and settings\All Users\Application Data\OnlineArmor
2009-04-30 00:42 . 2009-04-16 12:49 31824 ----a-w c:\windows\system32\drivers\OAmon.sys
2009-04-30 00:42 . 2009-04-16 13:35 29776 ----a-w c:\windows\system32\drivers\OAnet.sys
2009-04-30 00:42 . 2009-04-16 12:49 196688 ----a-w c:\windows\system32\drivers\OADriver.sys
2009-04-30 00:42 . 2009-04-30 00:42 -------- d-----w c:\program files\Tall Emu
2009-04-29 22:16 . 2009-04-29 22:16 -------- d-----w c:\documents and settings\John Hancock\Application Data\InfraRecorder
2009-04-22 01:55 . 2009-04-22 01:55 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-04-17 23:54 . 2009-03-19 23:32 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-04-17 23:54 . 2008-04-17 19:12 107368 ----a-w c:\windows\system32\GEARAspi.dll
2009-04-17 23:53 . 2009-04-17 23:53 -------- d-----w c:\program files\iPod
2009-04-17 23:53 . 2009-04-17 23:53 -------- d-----w c:\program files\Bonjour
2009-04-17 23:52 . 2009-04-17 23:53 -------- d-----w c:\program files\QuickTime
2009-04-17 23:51 . 2009-04-17 23:53 -------- d-----w c:\program files\Common Files\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-17 09:52 . 2007-06-07 17:49 -------- d-----w c:\program files\Piolet
2009-05-17 04:28 . 2009-04-03 17:26 -------- d-----w c:\program files\Flock
2009-04-17 23:54 . 2009-04-17 07:14 -------- d-----w c:\program files\iTunes
2009-04-17 07:03 . 2009-04-17 07:03 -------- d-----w c:\program files\Apple Software Update
2009-04-12 02:41 . 2009-04-12 02:41 62984 ----a-w c:\documents and settings\John Hancock\Application Data\GDIPFONTCACHEV1.DAT
2009-04-07 18:45 . 2007-03-09 21:33 -------- d-----w c:\program files\Party Expert File
2009-04-07 02:49 . 2007-06-05 03:49 -------- d-----w c:\program files\Google
2009-04-07 02:48 . 2007-09-15 19:06 -------- d-----w c:\program files\DivX
2009-04-07 02:43 . 2009-04-07 02:42 -------- d-----w c:\program files\Common Files\DivX Shared
2009-04-03 19:53 . 2009-04-03 19:53 -------- d-----w c:\program files\Trend Micro
2009-04-03 19:38 . 2009-04-03 19:31 68300 ----a-w c:\windows\hpoins05.dat
2009-04-03 19:37 . 2009-04-03 19:37 -------- d-----w c:\program files\Common Files\Hewlett-Packard
2009-04-03 19:35 . 2009-04-03 19:34 -------- d-----w c:\program files\HP
2009-04-03 17:27 . 2009-04-03 17:27 0 ----a-w c:\windows\nsreg.dat
2009-04-03 02:40 . 2009-04-03 02:40 1172 ----a-w c:\windows\mozver.dat
2009-04-03 01:37 . 2009-04-03 01:37 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-03 01:34 . 2009-04-03 01:34 -------- d-----w c:\program files\Alwil Software
2009-03-28 14:15 . 2009-03-28 14:15 6656 ----a-w c:\windows\system32\drivers\iPodDrv.sys
2009-03-26 23:49 . 2009-04-03 01:37 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-26 23:49 . 2009-04-03 01:37 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-06 14:44 . 2004-08-04 12:00 283648 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-04 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-24 19:35 . 2009-04-07 02:46 9464 ------w c:\windows\system32\drivers\cdralw2k.sys
2009-02-24 19:35 . 2009-04-07 02:46 9336 ------w c:\windows\system32\drivers\cdr4_xp.sys
2009-02-24 19:35 . 2009-04-07 02:46 43528 ------w c:\windows\system32\drivers\PxHelp20.sys
2009-02-24 19:35 . 2009-04-07 02:46 129784 ------w c:\windows\system32\pxafs.dll
2009-02-24 19:35 . 2009-04-07 02:46 120056 ------w c:\windows\system32\pxcpyi64.exe
2009-02-24 19:35 . 2009-04-07 02:46 118520 ------w c:\windows\system32\pxinsi64.exe
2009-02-24 19:34 . 2009-02-24 19:34 90112 ----a-w c:\windows\system32\dpl100.dll
2009-02-24 19:34 . 2009-02-24 19:34 823296 ----a-w c:\windows\system32\divx_xx0c.dll
2009-02-24 19:34 . 2009-02-24 19:34 823296 ----a-w c:\windows\system32\divx_xx07.dll
2009-02-24 19:34 . 2009-02-24 19:34 815104 ----a-w c:\windows\system32\divx_xx0a.dll
2009-02-24 19:34 . 2009-02-24 19:34 802816 ----a-w c:\windows\system32\divx_xx11.dll
2009-02-24 19:34 . 2009-02-24 19:34 684032 ----a-w c:\windows\system32\DivX.dll
2009-02-20 18:09 . 2004-08-04 12:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-04-28_05.56.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-12-02 08:26 . 2006-12-02 08:26 57856 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80u.dll
+ 2006-12-02 08:25 . 2006-12-02 08:25 69632 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80.dll
+ 2009-05-14 16:56 . 2009-05-14 16:56 16384 c:\windows\Temp\Perflib_Perfdata_5f4.dat
+ 2009-05-07 04:00 . 2007-01-18 18:24 26496 c:\windows\system32\ReinstallBackups\0010\DriverFiles\RimSerial.sys
+ 2008-03-06 01:10 . 2008-03-06 01:10 61440 c:\windows\system32\pxfhwmcp.dll
+ 2004-08-04 12:00 . 2009-05-07 03:57 37760 c:\windows\system32\perfc009.dat
+ 2008-03-05 22:36 . 2008-03-05 22:36 32408 c:\windows\system32\PCTINDIS5.sys
+ 2007-10-13 00:04 . 2007-10-13 00:04 41280 c:\windows\system32\PCASp50a64.sys
+ 2007-10-13 00:04 . 2007-10-13 00:04 27072 c:\windows\system32\PCASp50.sys
+ 2007-06-05 03:49 . 2009-05-07 17:38 88590 c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2009-05-07 04:00 . 2007-02-13 08:12 21376 c:\windows\system32\DRVSTORE\motport_6E9907B557DFD0C57184C5FEFA8B6A4C11EE1D9F\motport.sys
+ 2009-05-07 04:00 . 2007-01-24 05:36 22016 c:\windows\system32\DRVSTORE\motousbnet_ABB6512ACA55A7A4E2FA3DE425ED10A6DA3518DB\Motousbnet.sys
+ 2009-05-07 04:00 . 2006-12-14 18:27 40832 c:\windows\system32\DRVSTORE\motodrv_3F1D1CA628D8539FB52560E1E07C735B3D1929D0\motodrv.sys
+ 2009-05-07 04:00 . 2007-02-13 08:12 21376 c:\windows\system32\DRVSTORE\motmodem_AE7DEB7AF0C9AC8D17C1D42149D2896F3DA98D76\motmodem.sys
+ 2009-05-07 04:00 . 2007-02-16 19:35 17536 c:\windows\system32\DRVSTORE\motccgp_426AB4577B75982B0A2CFB2F3F59DC7E2B59F95D\motccgp.sys
+ 2008-03-05 22:41 . 2008-03-05 22:41 24840 c:\windows\system32\drivers\swmsflt.sys
+ 2008-03-05 22:41 . 2008-03-05 22:41 38680 c:\windows\system32\drivers\pctnullport.sys
+ 2009-05-07 03:56 . 2009-05-07 03:56 25214 c:\windows\Installer\{FC516A10-B335-4FB5-8EA2-0DB8E57E044C}\MenuShortcut_056A96D4EB0549128ABDF97E3095D40D.exe
+ 2009-05-07 03:56 . 2009-05-07 03:56 40960 c:\windows\Installer\{FC516A10-B335-4FB5-8EA2-0DB8E57E044C}\HotspotLFShortcut1_056A96D4EB0549128ABDF97E3095D40D.exe
+ 2009-05-07 03:56 . 2009-05-07 03:56 25214 c:\windows\Installer\{FC516A10-B335-4FB5-8EA2-0DB8E57E044C}\DesktopShortcut_056A96D4EB0549128ABDF97E3095D40D.exe
+ 2009-05-07 03:56 . 2009-05-07 03:56 25214 c:\windows\Installer\{FC516A10-B335-4FB5-8EA2-0DB8E57E044C}\ARPPRODUCTICON.exe
- 2007-03-06 22:34 . 2009-04-17 10:08 90112 c:\windows\Installer\{913D0409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
+ 2007-03-06 22:34 . 2009-05-13 06:17 90112 c:\windows\Installer\{913D0409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
- 2007-03-06 22:34 . 2009-04-17 10:08 45056 c:\windows\Installer\{913D0409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
+ 2007-03-06 22:34 . 2009-05-13 06:17 45056 c:\windows\Installer\{913D0409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
+ 2007-03-06 22:34 . 2009-05-13 06:17 22528 c:\windows\Installer\{913D0409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
- 2007-03-06 22:34 . 2009-04-17 10:08 22528 c:\windows\Installer\{913D0409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
- 2007-03-06 22:34 . 2009-04-17 10:08 30720 c:\windows\Installer\{913D0409-6000-11D3-8CFE-0050048383C9}\pptico.exe
+ 2007-03-06 22:34 . 2009-05-13 06:17 30720 c:\windows\Installer\{913D0409-6000-11D3-8CFE-0050048383C9}\pptico.exe
- 2007-03-06 22:34 . 2009-04-17 10:08 16384 c:\windows\Installer\{913D0409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
+ 2007-03-06 22:34 . 2009-05-13 06:17 16384 c:\windows\Installer\{913D0409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
+ 2007-03-06 22:34 . 2009-05-13 06:17 34304 c:\windows\Installer\{913D0409-6000-11D3-8CFE-0050048383C9}\misc.exe
- 2007-03-06 22:34 . 2009-04-17 10:08 34304 c:\windows\Installer\{913D0409-6000-11D3-8CFE-0050048383C9}\misc.exe
+ 2006-07-28 16:10 . 2006-07-28 16:10 6144 c:\windows\system32\mot_ci.dll
+ 2009-05-07 04:00 . 2006-12-07 01:33 6400 c:\windows\system32\DRVSTORE\motousbnet_ABB6512ACA55A7A4E2FA3DE425ED10A6DA3518DB\motswch.sys
+ 2009-05-07 04:00 . 2007-01-24 05:36 6016 c:\windows\system32\DRVSTORE\motousbnet_ABB6512ACA55A7A4E2FA3DE425ED10A6DA3518DB\motfilt.sys
+ 2009-05-07 04:00 . 2006-07-28 16:10 6144 c:\windows\system32\DRVSTORE\motodrv_3F1D1CA628D8539FB52560E1E07C735B3D1929D0\mot_ci.dll
+ 2009-05-07 04:00 . 2006-12-07 01:33 6400 c:\windows\system32\DRVSTORE\motccgp_426AB4577B75982B0A2CFB2F3F59DC7E2B59F95D\motswch.sys
+ 2009-05-07 04:00 . 2007-01-24 03:03 7680 c:\windows\system32\DRVSTORE\motccgp_426AB4577B75982B0A2CFB2F3F59DC7E2B59F95D\motccgpfl.sys
- 2007-03-06 22:34 . 2009-04-17 10:08 3584 c:\windows\Installer\{913D0409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
+ 2007-03-06 22:34 . 2009-05-13 06:17 3584 c:\windows\Installer\{913D0409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
- 2007-03-06 22:34 . 2009-04-17 10:08 8192 c:\windows\Installer\{913D0409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
+ 2007-03-06 22:34 . 2009-05-13 06:17 8192 c:\windows\Installer\{913D0409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
- 2007-03-06 22:34 . 2009-04-17 10:08 2560 c:\windows\Installer\{913D0409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
+ 2007-03-06 22:34 . 2009-05-13 06:17 2560 c:\windows\Installer\{913D0409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
+ 2008-03-06 01:10 . 2008-03-06 01:10 245408 c:\windows\system32\unicows.dll
+ 2004-08-04 12:00 . 2009-05-07 03:57 305318 c:\windows\system32\perfh009.dat
+ 2008-03-06 01:10 . 2008-03-06 01:10 138016 c:\windows\system32\PCTIN50.dll
+ 2009-02-03 02:07 . 2009-02-03 02:07 240544 c:\windows\system32\Macromed\Flash\FlashUtil10b.exe
+ 2008-03-05 22:41 . 2008-03-05 22:41 164480 c:\windows\system32\drivers\SWNC5E00.sys
+ 2008-03-05 22:41 . 2008-03-05 22:41 149000 c:\windows\system32\drivers\swmx00.sys
+ 2007-09-06 23:30 . 2007-09-06 23:30 194048 c:\windows\system32\drivers\NWADIenum.sys
- 2007-03-06 22:34 . 2009-04-17 10:08 114688 c:\windows\Installer\{913D0409-6000-11D3-8CFE-0050048383C9}\outicon.exe
+ 2007-03-06 22:34 . 2009-05-13 06:17 114688 c:\windows\Installer\{913D0409-6000-11D3-8CFE-0050048383C9}\outicon.exe
+ 2006-12-02 08:25 . 2006-12-02 08:25 1093120 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80u.dll
+ 2006-12-02 08:25 . 2006-12-02 08:25 1101824 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80.dll
+ 2003-03-19 06:12 . 2003-03-19 06:12 1047552 c:\windows\system32\MFC71u.dll
+ 2009-05-07 04:00 . 2006-11-13 22:36 1419232 c:\windows\system32\DRVSTORE\motport_6E9907B557DFD0C57184C5FEFA8B6A4C11EE1D9F\wdfcoinstaller01005.dll
+ 2009-05-07 04:00 . 2006-11-13 22:36 1419232 c:\windows\system32\DRVSTORE\motousbnet_ABB6512ACA55A7A4E2FA3DE425ED10A6DA3518DB\wdfcoinstaller01005.dll
+ 2009-05-07 04:00 . 2006-11-13 22:36 1419232 c:\windows\system32\DRVSTORE\motmodem_AE7DEB7AF0C9AC8D17C1D42149D2896F3DA98D76\wdfcoinstaller01005.dll
+ 2009-05-07 04:00 . 2006-11-13 22:36 1419232 c:\windows\system32\DRVSTORE\motccgp_426AB4577B75982B0A2CFB2F3F59DC7E2B59F95D\wdfcoinstaller01005.dll
+ 2007-06-05 06:53 . 2009-05-07 07:16 24699336 c:\windows\system32\MRT.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="c:\progra~1\Ahead\Ahead\data\Xtras\mssysmgr.exe" [2004-05-12 196608]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-07 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"cdloader"="c:\documents and settings\John Hancock\Application Data\mjusbsp\cdloader2.exe" [2008-12-17 50520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"nTrayFw"="c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe" [2005-07-30 270336]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-10-10 7286784]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-10-10 86016]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"F5D9050"="c:\program files\Belkin\F5D9050\Belkinwcui.exe" [2006-03-14 1585152]
"Piolet"="c:\program files\Piolet\Piolet.exe" [2007-04-13 5988352]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2009-04-16 2044104]
"Sprint SmartView"="c:\program files\Sprint\Sprint SmartView\SprintSV.exe" [2008-03-10 17672]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2005-09-22 90112]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2005-10-10 1519616]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-3-9 98304]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-3-9 98304]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"EnableProfileQuota"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2009-04-16 335048]

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/2/2009 6:34 PM 114768]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [4/29/2009 5:42 PM 196688]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [4/29/2009 5:42 PM 31824]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [4/29/2009 5:42 PM 29776]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/2/2009 6:34 PM 20560]
R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [4/29/2009 5:42 PM 361160]
R2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [4/29/2009 5:42 PM 3049160]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S2 gupdate1c9b72abb9fd676;Google Update Service (gupdate1c9b72abb9fd676);c:\program files\Google\Update\GoogleUpdate.exe [4/6/2009 7:43 PM 133104]
S2 iPodDrv;iPodDrv;c:\windows\system32\drivers\iPodDrv.sys [3/28/2009 7:15 AM 6656]
S3 FXDRV;FXDRV;\??\e:\fxdrv.sys --> e:\Fxdrv.sys [?]
S3 StreamSurge;StreamSurge Driver (miniport);c:\windows\system32\DRIVERS\ss.sys --> c:\windows\system32\DRIVERS\ss.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
DHCP
ERSvc
FastUserSwitchingCompatibility
HidServ
LanmanServer
LanmanWorkstation
Messenger
Nla
NWCWorkstation
Schedule
Seclogon
SRService
Themes
TrkWks
W32Time
Wmi
WmdmPmSp
winmgmt
wscsvc
xmlprov
BITS
wuauserv
ShellHWDetection
helpsvc
.
Contents of the 'Scheduled Tasks' folder

2009-05-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-05-17 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-07 02:42]

2009-05-17 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
FF - ProfilePath - c:\documents and settings\John Hancock\Application Data\Mozilla\Firefox\Profiles\n4xju13y.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\program files\Google\Update\1.2.145.5\npGoogleOneClick8.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-17 03:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2009-05-17 3:12
ComboFix-quarantined-files.txt 2009-05-17 10:12
ComboFix2.txt 2009-04-29 04:19
ComboFix3.txt 2009-04-28 05:59

Pre-Run: 4,263,817,216 bytes free
Post-Run: 5,116,235,776 bytes free

378 --- E O F --- 2009-05-15 16:27
HIJACK THIS FILE


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:21:19 AM, on 5/17/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\OAcat.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Tall Emu\Online Armor\OAhlp.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Sprint\Sprint SmartView\SprintSV.exe
C:\Program Files\Sprint\Sprint SmartView\RcAppSvc.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [F5D9050] C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
O4 - HKLM\..\Run: [Piolet] C:\Program Files\Piolet\Piolet.exe SILENT
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKLM\..\Run: [Sprint SmartView] "C:\Program Files\Sprint\Sprint SmartView\SprintSV.exe" -a
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\John Hancock\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1181019296906
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset...lineScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{81EB6B36-A33C-4758-8AAA-143D93055C4F}: NameServer = 68.28.50.91 68.28.58.92
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google Update Service (gupdate1c9b72abb9fd676) (gupdate1c9b72abb9fd676) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\OAcat.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sprint RcAppSvc (SprintRcAppSvc) - PCTEL - C:\Program Files\Sprint\Sprint SmartView\RcAppSvc.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe

--
End of file - 8985 bytes

#67 oldman960

oldman960

    Forum God

  • Retired Classroom Teacher
  • 14,770 posts

Posted 17 May 2009 - 05:53 PM

Hi Topband,

Let's see if that file is even on your computer. Please post the contents of

C:\Qoobox\ComboFix-quarantined-files.txt


Next

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Do not copy the word CODE; note that the script starts with the :

    :regfind
    proquota.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Thanks

Proud Graduate of the WTT Classroom
If you are happy with the help you received, please consider making a Donation
Curiosity didn't kill the cat. Ignorance did, curiosity was framed.
Learn how to protect Yourself

Microsoft MVP 2011-2015

Threads will be closed if no response after 5 days.

#68 topband

topband

    Authentic Member

  • Authentic Member
  • PipPip
  • 83 posts

Posted 17 May 2009 - 10:51 PM

Hi OM ...here's the first thing you requested followed by SystemLook ....pretty short i guess ...was that done right? thnx JH

2009-04-28 05:54:54 . 2009-05-17 10:08:24 12,275 ----a-w C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-04-28 05:47:11 . 2009-05-17 10:01:31 341 ----a-w C:\Qoobox\Quarantine\catchme.log
2009-03-29 18:13:26 . 2009-03-29 18:13:26 299,008 ----a-w C:\Qoobox\Quarantine\C\Program Files\Participatory Culture Foundation\Miro\xulrunner\nssckbi.dll.vir
2007-06-05 02:14:03 . 2005-06-18 09:48:46 19,968 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ss.sys.vir

SystemLook v1.0 by jpshortstuff (24.04.09)
Log created at 21:47 on 17/05/2009 by John Hancock (Administrator - Elevation successful)

========== regfind ==========

Searching for "proquota.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\MUILanguages\RCV2\proquota.exe]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\proquota.exe]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\proquota.exe]

-=End Of File=-

#69 oldman960

oldman960

    Forum God

  • Retired Classroom Teacher
  • 14,770 posts

Posted 18 May 2009 - 01:28 AM

Hi Topband,

Thanks for the log. I need one more

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Do not copy the word CODE; note that the script starts with the :

    :filefind
    proquota.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Thanks


#70 topband

topband

    Authentic Member

  • Authentic Member
  • PipPip
  • 83 posts

Posted 18 May 2009 - 12:16 PM

Hi OM, here is the log requested. thnx jh

SystemLook v1.0 by jpshortstuff (18.05.09)
Log created at 11:12 on 18/05/2009 by John Hancock (Administrator - Elevation successful)

========== filefind ==========

Searching for "proquota.exe"
C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\proquota.exe --a--- 50176 bytes [00:12 14/04/2008] [00:12 14/04/2008] F6465A2EEF75468988A4FCF124148FA8

-=End Of File=-
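What the `:filefind` step above does, and why the helper asked for it, is easier to see in code: walk the disk for every copy of a filename, record size, timestamps and MD5, and then decide which copy (if any) matches a known-good hash before it is restored into system32. The following is an added example written for this thread, not SystemLook's or ComboFix's own code. It implements a small `filefind` of its own over a constructed temporary directory tree, and it parses the one-line-per-hit report format using a grammar inferred from the single `filefind` line posted in this thread; `KNOWN_GOOD_MD5` is simply the hash that line reports, used here as the comparison value.

```python
"""Locate every copy of a file by name, hash it, and parse a SystemLook-style
filefind report so a hit can be checked against a known-good MD5.

Added example for this thread; not SystemLook or ComboFix code. The report
grammar (HIT_RE) is inferred from the one filefind line posted in the thread.
"""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass
from datetime import datetime

# MD5 that the thread's filefind log reports for the SoftwareDistribution copy.
KNOWN_GOOD_MD5 = "F6465A2EEF75468988A4FCF124148FA8"

# One hit: path, six attribute flags, size, two [HH:MM DD/MM/YYYY] stamps, MD5.
HIT_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<mtime>[^\]]+)\]\s+\[(?P<ctime>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)


@dataclass
class Hit:
    path: str
    attrs: str
    size: int
    mtime: datetime
    ctime: datetime
    md5: str


def parse_filefind_report(text):
    """Return a Hit for every line of a filefind report that matches HIT_RE."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            hits.append(Hit(
                path=m["path"], attrs=m["attrs"], size=int(m["size"]),
                mtime=datetime.strptime(m["mtime"], "%H:%M %d/%m/%Y"),
                ctime=datetime.strptime(m["ctime"], "%H:%M %d/%m/%Y"),
                md5=m["md5"].upper()))
    return hits


def md5_of(path):
    """Upper-case hex MD5 of a file, read in chunks."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def filefind(root, name):
    """Walk root and return (path, size, md5) for each file named `name`,
    compared case-insensitively as Windows would."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() == name.lower():
                p = os.path.join(dirpath, fn)
                found.append((p, os.path.getsize(p), md5_of(p)))
    return found


def trusted_copies(hits, expected_md5):
    """Only hits whose MD5 equals the known-good value are safe to copy back."""
    return [h for h in hits if h.md5 == expected_md5.upper()]


def demo():
    """Constructed tree: one pristine copy and one altered copy of the file.
    Returns (number of copies found, number of distinct hashes)."""
    with tempfile.TemporaryDirectory() as root:
        good = os.path.join(root, "SoftwareDistribution", "Download", "abc")
        bad = os.path.join(root, "system32")
        os.makedirs(good)
        os.makedirs(bad)
        with open(os.path.join(good, "proquota.exe"), "wb") as f:
            f.write(b"MZ" + b"\x00" * 100)          # constructed content
        with open(os.path.join(bad, "PROQUOTA.EXE"), "wb") as f:
            f.write(b"MZ" + b"\x00" * 99 + b"\x01")  # one byte differs
        hits = filefind(root, "proquota.exe")
        return len(hits), len({h for _p, _s, h in hits})


if __name__ == "__main__":
    print(demo())
```

The point of `trusted_copies` is the check the helper was making by eye: a copy of a Windows binary is only a candidate for restoring into system32 if its hash matches one already known to be good, regardless of where on disk it turns up.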



#71 oldman960

oldman960

    Forum God

  • Retired Classroom Teacher
  • 14,770 posts

Posted 18 May 2009 - 12:40 PM

Hi Topband,

Let's try this again,

Please follow all previous instructions regarding security programs.

Open a new Notepad session
  • Click the Start button, click run
  • in the run box type notepad
  • click ok
  • In the notepad, Click "Format" and be certain that Word Wrap is not checked.
  • Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE

Fcopy::
C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\proquota.exe | C:\WINDOWS\system32\proquota.exe

DEQUARANTINE::
C:\Qoobox\Quarantine\c\windows\system32\drivers\ss.sys.vir

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"EnableProfileQuota"=-

In the notepad
  • Click File, Save as..., and set the Save in to your Desktop
  • In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
  • Click save
Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.

This will start ComboFix again. Close all browser/windows first.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**


Next

Try to submit that file again to VirScan

c\windows\system32\drivers\ss.sys


There should be 2 logs produced, please post both and the VirScan results.

Thanks


#72 topband

topband

    Authentic Member

  • Authentic Member
  • PipPip
  • 83 posts

Posted 20 May 2009 - 12:08 AM

Hi OM

Here are 3 logs ...ComboFix, plus another one that showed up with that DEQUARANTINE, and finally I think I got VirScan working this time, except there was no SAVE to LOG (Clipboard) function that I saw ...thnx

jh




1) COMBOFIX

ComboFix 09-05-19.08 - John Hancock 05/19/2009 22:39.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.446.162 [GMT -7:00]
Running from: c:\documents and settings\John Hancock\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\John Hancock\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090519-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: NVIDIA Firewall *disabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}
FW: Online Armor Firewall *disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Participatory Culture Foundation\Miro\xulrunner\nssckbi.dll
c:\windows\system32\drivers\ss.sys

.
--------------- FCopy ---------------

c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\proquota.exe --> c:\windows\system32\proquota.exe
.
((((((((((((((((((((((((( Files Created from 2009-04-20 to 2009-05-20 )))))))))))))))))))))))))))))))
.

2009-05-20 05:39 . 2008-04-14 00:12 50176 ----a-w c:\windows\system32\proquota.exe
2009-05-19 16:01 . 2009-05-19 16:01 -------- d-----w c:\program files\Microsoft Silverlight
2009-05-19 07:38 . 2009-05-19 07:38 -------- d-----w c:\documents and settings\John Hancock\Application Data\PCF-VLC
2009-05-18 06:27 . 2009-05-18 06:27 -------- d-----w c:\program files\Page Gorilla
2009-05-17 09:26 . 2009-05-17 09:26 -------- d-----w c:\program files\doubleTwist 2.0
2009-05-17 09:25 . 2009-05-17 09:25 -------- d-----w c:\documents and settings\John Hancock\Application Data\OpenCandy
2009-05-17 09:25 . 2009-05-17 09:25 -------- d-----w c:\documents and settings\John Hancock\Application Data\Participatory Culture Foundation
2009-05-17 09:24 . 2009-05-17 09:24 -------- d-----w c:\program files\Participatory Culture Foundation
2009-05-17 07:59 . 2009-05-17 07:59 -------- d-----w c:\documents and settings\John Hancock\Local Settings\Application Data\tjnet
2009-05-17 07:38 . 2009-05-19 21:44 -------- d-----w c:\documents and settings\John Hancock\Application Data\mjusbsp
2009-05-07 04:06 . 2009-05-07 04:06 -------- d-----w c:\documents and settings\John Hancock\Application Data\Sprint
2009-05-07 04:01 . 2007-10-13 00:04 27072 ----a-w c:\windows\system32\drivers\PCASp50.sys
2009-05-07 04:00 . 2005-03-15 19:11 17920 ----a-w c:\windows\system32\apintfnt.dll
2009-05-07 04:00 . 2007-01-18 18:24 26496 ----a-r c:\windows\system32\drivers\RimSerial.sys
2009-05-07 03:55 . 2009-05-07 03:55 -------- d-----w c:\program files\Common Files\Motorola Shared
2009-05-07 03:55 . 2009-05-07 03:55 -------- d-----w C:\Research in Motion
2009-05-07 03:55 . 2009-05-07 03:55 -------- d-----w c:\program files\Common Files\Research in Motion
2009-05-07 03:55 . 2009-05-07 04:00 -------- d-----w c:\program files\Sierra Wireless
2009-05-07 03:55 . 2009-05-07 03:55 -------- d-----w c:\program files\Novatel Wireless
2009-05-07 03:55 . 2009-05-07 03:55 -------- d-----w c:\documents and settings\All Users\Application Data\Sprint
2009-05-07 03:55 . 2009-05-07 03:55 -------- d-----w c:\program files\Sprint
2009-04-30 00:44 . 2009-04-30 00:44 -------- d-----w c:\documents and settings\John Hancock\Application Data\OnlineArmor
2009-04-30 00:44 . 2009-04-30 00:44 -------- d-----w c:\documents and settings\All Users\Application Data\OnlineArmor
2009-04-30 00:42 . 2009-04-16 12:49 31824 ----a-w c:\windows\system32\drivers\OAmon.sys
2009-04-30 00:42 . 2009-04-16 13:35 29776 ----a-w c:\windows\system32\drivers\OAnet.sys
2009-04-30 00:42 . 2009-04-16 12:49 196688 ----a-w c:\windows\system32\drivers\OADriver.sys
2009-04-30 00:42 . 2009-04-30 00:42 -------- d-----w c:\program files\Tall Emu
2009-04-29 22:16 . 2009-04-29 22:16 -------- d-----w c:\documents and settings\John Hancock\Application Data\InfraRecorder
2009-04-22 01:55 . 2009-04-22 01:55 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-20 05:24 . 2007-06-07 17:49 -------- d-----w c:\program files\Piolet
2009-05-17 04:28 . 2009-04-03 17:26 -------- d-----w c:\program files\Flock
2009-04-17 23:54 . 2009-04-17 07:14 -------- d-----w c:\program files\iTunes
2009-04-17 23:53 . 2009-04-17 23:53 -------- d-----w c:\program files\iPod
2009-04-17 23:53 . 2009-04-17 23:51 -------- d-----w c:\program files\Common Files\Apple
2009-04-17 23:53 . 2009-04-17 23:53 -------- d-----w c:\program files\Bonjour
2009-04-17 23:53 . 2009-04-17 23:52 -------- d-----w c:\program files\QuickTime
2009-04-17 07:03 . 2009-04-17 07:03 -------- d-----w c:\program files\Apple Software Update
2009-04-12 02:41 . 2009-04-12 02:41 62984 ----a-w c:\documents and settings\John Hancock\Application Data\GDIPFONTCACHEV1.DAT
2009-04-07 18:45 . 2007-03-09 21:33 -------- d-----w c:\program files\Party Expert File
2009-04-07 02:49 . 2007-06-05 03:49 -------- d-----w c:\program files\Google
2009-04-07 02:48 . 2007-09-15 19:06 -------- d-----w c:\program files\DivX
2009-04-07 02:43 . 2009-04-07 02:42 -------- d-----w c:\program files\Common Files\DivX Shared
2009-04-03 19:53 . 2009-04-03 19:53 -------- d-----w c:\program files\Trend Micro
2009-04-03 19:38 . 2009-04-03 19:31 68300 ----a-w c:\windows\hpoins05.dat
2009-04-03 19:37 . 2009-04-03 19:37 -------- d-----w c:\program files\Common Files\Hewlett-Packard
2009-04-03 19:35 . 2009-04-03 19:34 -------- d-----w c:\program files\HP
2009-04-03 17:27 . 2009-04-03 17:27 0 ----a-w c:\windows\nsreg.dat
2009-04-03 02:40 . 2009-04-03 02:40 1172 ----a-w c:\windows\mozver.dat
2009-04-03 01:37 . 2009-04-03 01:37 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-03 01:34 . 2009-04-03 01:34 -------- d-----w c:\program files\Alwil Software
2009-03-28 14:15 . 2009-03-28 14:15 6656 ----a-w c:\windows\system32\drivers\iPodDrv.sys
2009-03-26 23:49 . 2009-04-03 01:37 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-26 23:49 . 2009-04-03 01:37 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-19 23:32 . 2009-04-17 23:54 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-06 14:44 . 2004-08-04 12:00 283648 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-04 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-24 19:35 . 2009-04-07 02:46 9464 ------w c:\windows\system32\drivers\cdralw2k.sys
2009-02-24 19:35 . 2009-04-07 02:46 9336 ------w c:\windows\system32\drivers\cdr4_xp.sys
2009-02-24 19:35 . 2009-04-07 02:46 43528 ------w c:\windows\system32\drivers\PxHelp20.sys
2009-02-24 19:35 . 2009-04-07 02:46 129784 ------w c:\windows\system32\pxafs.dll
2009-02-24 19:35 . 2009-04-07 02:46 120056 ------w c:\windows\system32\pxcpyi64.exe
2009-02-24 19:35 . 2009-04-07 02:46 118520 ------w c:\windows\system32\pxinsi64.exe
2009-02-24 19:34 . 2009-02-24 19:34 90112 ----a-w c:\windows\system32\dpl100.dll
2009-02-24 19:34 . 2009-02-24 19:34 823296 ----a-w c:\windows\system32\divx_xx0c.dll
2009-02-24 19:34 . 2009-02-24 19:34 823296 ----a-w c:\windows\system32\divx_xx07.dll
2009-02-24 19:34 . 2009-02-24 19:34 815104 ----a-w c:\windows\system32\divx_xx0a.dll
2009-02-24 19:34 . 2009-02-24 19:34 802816 ----a-w c:\windows\system32\divx_xx11.dll
2009-02-24 19:34 . 2009-02-24 19:34 684032 ----a-w c:\windows\system32\DivX.dll
2009-02-20 18:09 . 2004-08-04 12:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot_2009-05-17_10.10.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-19 21:41 . 2009-05-19 21:41 16384 c:\windows\Temp\Perflib_Perfdata_5f0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="c:\progra~1\Ahead\Ahead\data\Xtras\mssysmgr.exe" [2004-05-12 196608]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-07 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"cdloader"="c:\documents and settings\John Hancock\Application Data\mjusbsp\cdloader2.exe" [2008-12-17 50520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"nTrayFw"="c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe" [2005-07-30 270336]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-10-10 7286784]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-10-10 86016]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"F5D9050"="c:\program files\Belkin\F5D9050\Belkinwcui.exe" [2006-03-14 1585152]
"Piolet"="c:\program files\Piolet\Piolet.exe" [2007-04-13 5988352]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2009-04-16 2044104]
"Sprint SmartView"="c:\program files\Sprint\Sprint SmartView\SprintSV.exe" [2008-03-10 17672]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2005-09-22 90112]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2005-10-10 1519616]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-3-9 98304]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-3-9 98304]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2009-04-16 335048]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\Program Files\\Piolet\\Piolet.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\John Hancock\\Application Data\\mjusbsp\\magicJack.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/2/2009 6:34 PM 114768]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [4/29/2009 5:42 PM 196688]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [4/29/2009 5:42 PM 31824]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [4/29/2009 5:42 PM 29776]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/2/2009 6:34 PM 20560]
R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [4/29/2009 5:42 PM 361160]
R2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [4/29/2009 5:42 PM 3049160]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S2 gupdate1c9b72abb9fd676;Google Update Service (gupdate1c9b72abb9fd676);c:\program files\Google\Update\GoogleUpdate.exe [4/6/2009 7:43 PM 133104]
S2 iPodDrv;iPodDrv;c:\windows\system32\drivers\iPodDrv.sys [3/28/2009 7:15 AM 6656]
S3 FXDRV;FXDRV;\??\e:\fxdrv.sys --> e:\Fxdrv.sys [?]
S3 StreamSurge;StreamSurge Driver (miniport);c:\windows\system32\DRIVERS\ss.sys --> c:\windows\system32\DRIVERS\ss.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-05-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-05-19 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-07 02:42]

2009-05-19 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
FF - ProfilePath - c:\documents and settings\John Hancock\Application Data\Mozilla\Firefox\Profiles\n4xju13y.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\program files\Google\Update\1.2.145.5\npGoogleOneClick8.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-19 22:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-05-20 22:46
ComboFix-quarantined-files.txt 2009-05-20 05:46
ComboFix2.txt 2009-05-17 10:12
ComboFix3.txt 2009-04-29 04:19
ComboFix4.txt 2009-04-28 05:59
C:\DeQuarantine.txt

Pre-Run: 4,010,840,064 bytes free
Post-Run: 4,193,435,648 bytes free

195 --- E O F --- 2009-05-18 17:15



THE SECOND LOG FROM COMBOFIX CALLED DEQUARANTINE

C:\Qoobox\Quarantine\c\windows\system32\drivers\ss.sys.vir -> c:\windows\system32\drivers\ss.sys ( 19968 bytes )



THE THIRD LOG FROM VIRSCAN (I AM NOT SURE I DID THIS RIGHT BUT I THINK SO)



瑞网络电视3.26.exe (798720 ) Found nothing
483992C3EB1F375180C962AFEC26C472.DLL (116704 ) Found Virus.Win32.Agent.MDR!IK virus (28%)
73828E23130F4CE87684D1A5D1A03A1C (114688 ) Found Trojan-Downloader.Win32.VB.a... virus (36%)
aion.rar (858838 ) Found Trojan.Win32.Agent!IK virus (44%)
%28Prestige%29%C2%91j%C3%87%C3%B3%C2%B2%C2%BB%C2%9... (101937 ) Found nothing
Se4524r.rar (313507 ) Found Backdoor.Win32.Hupigon!IK virus (97%)
反捆绑工具.rar (1057552 ) Found nothing
test.exe (12800 ) Found nothing
5613f9e362bec23fd78cf927985572fb_kilss.exe (372664 ) Found Win-Trojan/Hupigon.372664 virus (68%)
ayssssmh120e2.exe (126976 ) Found Worm/Win32.Otwycal.g virus (2%)

#73 oldman960

oldman960

    Forum God

  • Retired Classroom Teacher
  • 14,770 posts

Posted 20 May 2009 - 01:15 AM

Hi Topband,

That didn't go quite as planned. And that wasn't the right VirScan log. We'll do this again; with this script ComboFix won't target that file again.

Please follow all previous instructions regarding security programs.

Open a new Notepad session
  • Click the Start button, click run
  • in the run box type notepad
  • click ok
  • In the notepad, Click "Format" and be certain that Word Wrap is not checked.
  • Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE

DEQUARANTINE::
C:\Qoobox\Quarantine\c\windows\system32\drivers\ss.sys.vir

Quit::

In the notepad
  • Click File, Save as..., and set the Save in to your Desktop
  • In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
  • Click save
Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.

This will start ComboFix again. Close all browser/windows first.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**


There should only be a Dequarantine log this time.


For VirScan,

Here's the filename to copy and paste into the Suspicious files to scan box. Then click Upload. If it tells you that the file has already been scanned, click Rescan.

c:\windows\system32\drivers\ss.sys

After all 38 scanners have finished (it won't take more than 2-4 minutes), scroll down. Near the bottom you will see the big yellow clipboard button.


Post both logs.

Thanks

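The two CFScripts in this thread (post #71 with `Fcopy::`, `DEQUARANTINE::` and `Registry::`, and post #73 with `DEQUARANTINE::` and `Quit::`) are plain text that ComboFix interprets directive by directive. Because a typo in such a script acts on system32 and the registry, it is worth checking one before dropping it on ComboFix.exe. Below is an added parser and sanity checker written for this thread; it is not ComboFix's own code and handles only the four directives that appear on this page, with their meaning taken from how the thread uses them: `Fcopy` lines are `source | destination`, `DeQuarantine` lines are `.vir` paths under `C:\Qoobox\Quarantine`, `Registry` holds REGEDIT4-style text where `"name"=-` deletes a value, and `Quit` is a bare marker. The `SCRIPT_FROM_THREAD` constant is the post #71 script reproduced for the demonstration.

```python
"""Parse and sanity-check a ComboFix CFScript of the kind posted in this thread.

Added example; not ComboFix code. Only the directives seen on this page are
handled (Fcopy::, DeQuarantine::, Registry::, Quit::); their semantics are
assumed from the thread's usage.
"""
import re

QUARANTINE_ROOT = r"c:\qoobox\quarantine"
DIRECTIVE_RE = re.compile(r"^([A-Za-z]+)::\s*$")
REG_KEY_RE = re.compile(r"^\[([^\]]+)\]$")
REG_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
WIN_ABS_RE = re.compile(r"^[A-Za-z]:\\")


class CFScriptError(ValueError):
    """Raised for any line the checker will not vouch for."""


def split_sections(text):
    """Group non-blank lines under the most recent 'Name::' directive."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, [])
        elif current is None:
            raise CFScriptError(f"line before any directive: {line!r}")
        else:
            sections[current].append(line)
    return sections


def parse_fcopy(lines):
    """Each line must be exactly 'absolute source | absolute destination'."""
    pairs = []
    for line in lines:
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 2 or not all(WIN_ABS_RE.match(p) for p in parts):
            raise CFScriptError(f"Fcopy needs 'src | dst' absolute paths: {line!r}")
        pairs.append((parts[0], parts[1]))
    return pairs


def parse_dequarantine(lines):
    """Only .vir files inside the Qoobox quarantine may be restored."""
    for line in lines:
        low = line.lower()
        if not low.startswith(QUARANTINE_ROOT) or not low.endswith(".vir"):
            raise CFScriptError(f"DeQuarantine path must be a .vir under Qoobox: {line!r}")
    return list(lines)


def parse_registry(lines):
    """Return {key: {name: value}}; value None means the entry is deleted (=-)."""
    result, key = {}, None
    for line in lines:
        if line.upper() == "REGEDIT4":
            continue
        km = REG_KEY_RE.match(line)
        if km:
            key = km.group(1)
            result.setdefault(key, {})
            continue
        vm = REG_VALUE_RE.match(line)
        if not vm or key is None:
            raise CFScriptError(f"bad registry line: {line!r}")
        name, value = vm.groups()
        result[key][name] = None if value == "-" else value
    return result


def parse_cfscript(text):
    """Structured view of the script, or CFScriptError on anything unexpected."""
    sections = split_sections(text)
    unknown = set(sections) - {"fcopy", "dequarantine", "registry", "quit"}
    if unknown:
        raise CFScriptError(f"unhandled directive(s): {sorted(unknown)}")
    return {
        "fcopy": parse_fcopy(sections.get("fcopy", [])),
        "dequarantine": parse_dequarantine(sections.get("dequarantine", [])),
        "registry": parse_registry(sections.get("registry", [])),
        "quit": "quit" in sections,
    }


def is_valid(text):
    """True when the script parses cleanly under the rules above."""
    try:
        parse_cfscript(text)
        return True
    except CFScriptError:
        return False


# The script from post #71, reproduced from the thread for the demonstration.
SCRIPT_FROM_THREAD = r"""
Fcopy::
C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\proquota.exe | C:\WINDOWS\system32\proquota.exe

DEQUARANTINE::
C:\Qoobox\Quarantine\c\windows\system32\drivers\ss.sys.vir

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"EnableProfileQuota"=-
"""

if __name__ == "__main__":
    for section, content in parse_cfscript(SCRIPT_FROM_THREAD).items():
        print(section, content)
```

Directive names are matched case-insensitively because the thread itself mixes `DEQUARANTINE::` and the helper's later `Quit::`; anything the checker does not recognise is rejected rather than silently passed through, which is the safe default for a script that rewrites system files.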

#74 topband

topband

    Authentic Member

  • Authentic Member
  • PipPip
  • 83 posts

Posted 20 May 2009 - 11:45 AM

Hi OM

Seems to be zipping around faster than before ...but I will be test-running it through normal use and let you know how the outcomes are .... then I can develop a strategy for COMPUTER A (the main one I use ---newer/faster), but will have to do that with CD-burned EXE files on the fix because it can't get online ...but I can get a HJT log ... or whatever you think is right ...I have moved here to California and haven't got COMP A set up yet ...that'll be soon though because there are some programs I need on there ... thank you for your ace help on these devices OM

JH




SCAN ONE

C:\Qoobox\Quarantine\c\windows\system32\drivers\ss.sys.vir ->


SCAN TWO


VirSCAN.org Scanned Report :
Scanned time : 2009/05/21 01:28:12 (CST)
Scanner results: All Scanners reported not find malware!
File Name : ss.sys
File Size : 19968 byte
File Type : PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5 : 21017e14e92b65f157ae30be7badaf5e
SHA1 : c65ed5085b3c0af4797d4425ccaa5d87bd8b26e1
Online report : http://virscan.org/r...ae84f7836d.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.32 20090520014101 2009-05-20 2.06 -
AhnLab V3 2009.05.20.02 2009.05.20 2009-05-20 0.69 -
AntiVir 8.2.0.168 7.1.4.2 2009-05-20 0.23 -
Antiy 2.0.18 20090520.2444633 2009-05-20 0.12 -
Arcavir 2009 200905200945 2009-05-20 0.03 -
Authentium 5.1.1 200905191838 2009-05-19 1.58 -
AVAST! 4.7.4 090519-0 2009-05-19 0.01 -
AVG 8.5.286 270.12.35/2124 2009-05-20 3.28 -
BitDefender 7.81008.3093648 7.25524 2009-05-20 2.88 -
CA (VET) 9.0.0.143 31.6.6512 2009-05-20 8.28 -
ClamAV 0.95 9375 2009-05-20 0.01 -
Comodo 3.9 1177 2009-05-20 0.71 -
CP Secure 1.1.0.715 2009.05.21 2009-05-21 9.22 -
Dr.Web 4.44.0.9170 2009.05.20 2009-05-20 4.55 -
F-Prot 4.4.4.56 20090519 2009-05-19 1.60 -
F-Secure 5.51.6100 2009.05.20.07 2009-05-20 5.47 -
Fortinet 2.81-3.117 10.412 2009-05-20 0.23 -
GData 19.5298/19.336 20090520 2009-05-20 4.25 -
ViRobot 20090520 2009.05.20 2009-05-20 0.41 -
Ikarus T3.1.01.49 2009.05.20.72744 2009-05-20 3.27 -
JiangMin 11.0.706 2009.05.20 2009-05-20 1.90 -
Kaspersky 5.5.10 2009.05.20 2009-05-20 0.05 -
KingSoft 2009.2.5.15 2009.5.20.18 2009-05-20 0.52 -
McAfee 5.3.00 5621 2009-05-20 2.90 -
Microsoft 1.4602 2009.05.20 2009-05-20 4.48 -
mks_vir 2.01 2009.05.20 2009-05-20 3.23 -
Norman 6.01.05 6.01.00 2009-05-20 4.00 -
Panda 9.05.01 2009.05.19 2009-05-19 1.63 -
Trend Micro 8.700-1004 6.140.04 2009-05-20 0.03 -
Quick Heal 10.00 2009.05.20 2009-05-20 1.21 -
Rising 20.0 21.30.20.00 2009-05-20 0.76 -
Sophos 2.86.0 4.41 2009-05-21 2.45 -
Sunbelt 5143 5143 2009-05-19 0.79 -
Symantec 1.3.0.24 20090519.034 2009-05-19 0.20 -
nProtect 20090520.01 3767316 2009-05-20 5.22 -
The Hacker 6.3.4.1 v00328 2009-05-20 0.64 -
VBA32 3.12.10.5 20090519.1455 2009-05-19 1.88 -
VirusBuster 4.5.11.10 10.105.33/1389174 2009-05-20 1.68 -

#75 oldman960

oldman960

    Forum God

  • Retired Classroom Teacher
  • 14,770 posts

Posted 20 May 2009 - 12:32 PM

Hi Topband,

You can remove combofix from this computer.

Click the Start button, click Run. Copy and paste the following line into the run box and click OK
Combofix /u

I'll be here when you are ready.

For your other computer, we'll start off with an OTListIt2 log

Download OTListIt2 to your desktop.
  • Double click on OTListIt2.exe to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output
  • Change the File Age to 90 Days
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two notepad windows. OTListIt.Txt and Extras.Txt. These are saved in the same location as OTListIt2.

Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.

No need for a Hijackthis log this time.

Thanks
