another Win32.TDSS.rtk infection

Status
Not open for further replies.
B

boss123b

New member
and spybot is the only one of 3 malware detection programs to report it. Good Job! I would appreciate you kind assistance. :confused: I have backed up my registry.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:40:16 AM, on 8/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\StkASv2K.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ULI5287\ULiRaid.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
D:\DU Meter\DUMETER.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\CheckPoint\ZAForceField\forcefield.exe
C:\Program Files\CheckPoint\ZAForceField\ISWMGR.exe
C:\Program Files\CheckPoint\ZAForceField\ISWMGR.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ForceField Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O3 - Toolbar: ForceField Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [ULiRaid] C:\Program Files\ULI5287\ULiRaid.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DU Meter] D:\DU Meter\DUMETER.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunOnce: [SpybotDeletingA8093] command.com /c del "C:\WINDOWS\system32\drivers\hjgruikdmixfqh.sys"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9862] cmd.exe /c del "C:\WINDOWS\system32\drivers\hjgruikdmixfqh.sys"
O4 - HKLM\..\RunOnce: [SpybotDeletingA477] command.com /c del "C:\WINDOWS\system32\hjgruibqvdlllx.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3334] cmd.exe /c del "C:\WINDOWS\system32\hjgruibqvdlllx.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9286] command.com /c del "C:\WINDOWS\system32\hjgruiwqkswlnt.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2500] cmd.exe /c del "C:\WINDOWS\system32\hjgruiwqkswlnt.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4589] command.com /c del "C:\WINDOWS\system32\hjgruidmlwblto.dat"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1249] cmd.exe /c del "C:\WINDOWS\system32\hjgruidmlwblto.dat"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2587] command.com /c del "C:\WINDOWS\system32\hjgruilog.dat"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1980] cmd.exe /c del "C:\WINDOWS\system32\hjgruilog.dat"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB1333] command.com /c del "C:\WINDOWS\system32\drivers\hjgruikdmixfqh.sys"
O4 - HKCU\..\RunOnce: [SpybotDeletingD981] cmd.exe /c del "C:\WINDOWS\system32\drivers\hjgruikdmixfqh.sys"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6806] command.com /c del "C:\WINDOWS\system32\hjgruibqvdlllx.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD611] cmd.exe /c del "C:\WINDOWS\system32\hjgruibqvdlllx.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5285] command.com /c del "C:\WINDOWS\system32\hjgruiwqkswlnt.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5856] cmd.exe /c del "C:\WINDOWS\system32\hjgruiwqkswlnt.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3703] command.com /c del "C:\WINDOWS\system32\hjgruidmlwblto.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8655] cmd.exe /c del "C:\WINDOWS\system32\hjgruidmlwblto.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3225] command.com /c del "C:\WINDOWS\system32\hjgruilog.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2589] cmd.exe /c del "C:\WINDOWS\system32\hjgruilog.dat"
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1250327666185
O18 - Protocol: mcataloguer - {FECF9894-CCCF-4DE3-B994-AEE32E70B341} - C:\Program Files\MCataloguer\MCatProt.dll
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ForceField IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Syntek STK1160 Service (StkASSrv) - Syntek America Inc. - C:\WINDOWS\System32\StkASv2K.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6592 bytes
 
Hello and Welcome to forums!

My name is Bio-Hazard and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:


  • I will be working on your Malware issues this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • I f you don't know or understand something please don't hesitate to ask.
  • Please DO NOT run any other tools or scans whilst I am helping you.
  • It is important that you reply to this thread. Do not start a new topic.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  • Absence of symptoms does not mean that everything is clear.


Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

No Reply Within 4 Days Will Result In Your Topic Being Closed!!







STEP 1

Download DDS

Please download DDS by sUBs from one of the links below and save it to your desktop:

dds_scr.gif

Download DDS and save it to your desktop from:

Link 1
Link 2

Please disable any anti-malware program that will block scripts from running before running DDS.


  • Double-Click on dds.scr and a command window will appear. This is normal.
  • Shortly after two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply



STEP 2


Gmer

Please download Gmer by Gmer and save it to your desktop.


  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO


    Click the image to enlarge it
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in reply


**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

Note: Do not run any programs while Gmer is running.



Next Reply

Please reply with:

  • DDS.txt
  • Attach.txt
  • Gmer log
 
log files

thank you for your time and efforts Bio-Hazard it is greatly appreciated.:thanks:
DDS (Ver_09-07-30.01) - NTFSx86
Run by owner at 11:55:23.84 on Sat 08/29/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1394 [GMT -4:00]

AV: ZoneAlarm Extreme Security Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Extreme Security Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\StkASv2K.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ULI5287\ULiRaid.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
D:\DU Meter\DUMETER.EXE


GMER 1.0.15.15077 [f4kvo83k.exe] - http://www.gmer.net
Rootkit scan 2009-08-29 12:35:17
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

INT 0x20 srescan.sys B7DCAC90

Code 899448D8 ZwEnumerateKey
Code 89AF3248 ZwFlushInstructionCache
Code 89AD1AFE IofCallDriver
Code 8994381E IofCompleteRequest

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\hjgruikdmixfqh.sys (*** hidden *** ) [SYSTEM] hjgruipnxrjkyl <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruipnxrjkyl
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruipnxrjkyl@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruipnxrjkyl@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruipnxrjkyl@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruipnxrjkyl@imagepath \systemroot\system32\drivers\hjgruikdmixfqh.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruipnxrjkyl\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruipnxrjkyl\main@aid 10097
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruipnxrjkyl\main@sid 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruipnxrjkyl\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruipnxrjkyl\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruipnxrjkyl\main\injector@* hjgruiwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruipnxrjkyl\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruipnxrjkyl\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruipnxrjkyl\modules@hjgruirk.sys \systemroot\system32\drivers\hjgruikdmixfqh.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruipnxrjkyl\modules@hjgruicmd.dll \systemroot\system32\hjgruibqvdlllx.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruipnxrjkyl\modules@hjgruilog.dat \systemroot\system32\hjgruidmlwblto.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruipnxrjkyl\modules@hjgruiwsp.dll \systemroot\system32\hjgruiwqkswlnt.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruipnxrjkyl\modules@hjgrui.dat \systemroot\system32\hjgruixtqsnswu.dat
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruipnxrjkyl (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruipnxrjkyl@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruipnxrjkyl@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruipnxrjkyl@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruipnxrjkyl@imagepath \systemroot\system32\drivers\hjgruikdmixfqh.sys
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruipnxrjkyl\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruipnxrjkyl\main@aid 10097
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruipnxrjkyl\main@sid 0
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruipnxrjkyl\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruipnxrjkyl\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruipnxrjkyl\main\injector@* hjgruiwsp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruipnxrjkyl\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruipnxrjkyl\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruipnxrjkyl\modules@hjgruirk.sys \systemroot\system32\drivers\hjgruikdmixfqh.sys
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruipnxrjkyl\modules@hjgruicmd.dll \systemroot\system32\hjgruibqvdlllx.dll
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruipnxrjkyl\modules@hjgruilog.dat \systemroot\system32\hjgruidmlwblto.dat
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruipnxrjkyl\modules@hjgruiwsp.dll \systemroot\system32\hjgruiwqkswlnt.dll
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruipnxrjkyl\modules@hjgrui.dat \systemroot\system32\hjgruixtqsnswu.dat

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\hjgruikdmixfqh.sys 66560 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\hjgruibqvdlllx.dll 42496 bytes executable
File C:\WINDOWS\system32\hjgruidmlwblto.dat 350742 bytes
File C:\WINDOWS\system32\hjgruilog.dat 265 bytes
File C:\WINDOWS\system32\hjgruiwqkswlnt.dll 19456 bytes executable

---- EOF - GMER 1.0.15 ----


View attachment 3651
 
Download and Run ComboFix


  • ComboFix SHOULD NOT be used unless requested by a forum helper.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. A guide to do this can be found HERE
  • Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

    Link 1
    Link 2

    CF_download_FF.gif



    CF_download_rename.gif


  • Double click on Combo-Fix.exe and follow the prompts.
  • When finished, it will produce a report for you (C:\ComboFix.txt )
  • Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  • Combofix should never take more that 20 minutes including the reboot if malware is detected.

    IMPORTANT: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.This tool is not a toy and not for everyday use.

    Next Reply

    Please reply with:
  • ComboFix log (found at C:\Combofix.txt)
  • New HijackThis log
 
Great!

cool! I thought I was going to have to do all that manually.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:36:34 PM, on 8/29/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\StkASv2K.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ForceField Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O3 - Toolbar: ForceField Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [ULiRaid] C:\Program Files\ULI5287\ULiRaid.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DU Meter] D:\DU Meter\DUMETER.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1250327666185
O18 - Protocol: mcataloguer - {FECF9894-CCCF-4DE3-B994-AEE32E70B341} - C:\Program Files\MCataloguer\MCatProt.dll
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ForceField IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Syntek STK1160 Service (StkASSrv) - Syntek America Inc. - C:\WINDOWS\System32\StkASv2K.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4391 bytes


ComboFix 09-08-28.06 - owner 08/29/2009 13:26.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1690 [GMT -4:00]
Running from: c:\documents and settings\owner\Desktop\combo-fix.exe
AV: ZoneAlarm Extreme Security Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Extreme Security Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\4802907.msi
c:\windows\Installer\480290f.msi
c:\windows\Installer\4802917.msi
c:\windows\Installer\480291f.msi
c:\windows\Installer\4802927.msi
c:\windows\Installer\4802934.msi
c:\windows\Installer\480293c.msi
c:\windows\Installer\4802944.msi
c:\windows\Installer\480294c.msi
c:\windows\Installer\4802958.msi
c:\windows\Installer\4802960.msi
c:\windows\Installer\4802968.msi
c:\windows\Installer\4802970.msi
c:\windows\Installer\4802978.msi
c:\windows\Installer\4802980.msi
c:\windows\Installer\4802988.msi
c:\windows\Installer\4802990.msi
c:\windows\Installer\4802998.msi
c:\windows\Installer\48029a0.msi
c:\windows\Installer\48029a8.msi
c:\windows\Installer\48029b0.msi
c:\windows\Installer\c123c.msi
c:\windows\Installer\c1244.msi
c:\windows\Installer\c124c.msi
c:\windows\Installer\c1254.msi
c:\windows\Installer\c125c.msi
c:\windows\Installer\c1269.msi
c:\windows\Installer\c1271.msi
c:\windows\Installer\c1279.msi
c:\windows\Installer\c1281.msi
c:\windows\Installer\c128d.msi
c:\windows\Installer\c1295.msi
c:\windows\Installer\c129d.msi
c:\windows\Installer\c12a5.msi
c:\windows\Installer\c12ad.msi
c:\windows\Installer\c12b5.msi
c:\windows\Installer\c12bd.msi
c:\windows\Installer\c12c5.msi
c:\windows\Installer\c12cd.msi
c:\windows\Installer\c12d5.msi
c:\windows\Installer\c12dd.msi
c:\windows\Installer\c12e5.msi
c:\windows\system32\drivers\hjgruikdmixfqh.sys
c:\windows\system32\hjgruibqvdlllx.dll
c:\windows\system32\hjgruidmlwblto.dat
c:\windows\system32\hjgruilog.dat
c:\windows\system32\hjgruiwqkswlnt.dll
c:\windows\system32\hjgruixtqsnswu.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hjgruipnxrjkyl
-------\Legacy_hjgruipnxrjkyl


((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-29 )))))))))))))))))))))))))))))))
.

2009-08-29 05:09 . 2009-08-29 05:09 -------- d-----w- c:\program files\Windows Sidebar
2009-08-29 03:56 . 2009-08-29 03:56 -------- d-----w- c:\documents and settings\owner\Application Data\DivX
2009-08-28 10:58 . 2009-08-29 12:45 -------- d-----w- c:\documents and settings\owner\Application Data\dvdcss
2009-08-28 10:55 . 2009-08-29 12:45 -------- d-----w- c:\documents and settings\owner\Application Data\vlc
2009-08-28 10:49 . 2009-08-28 10:50 18015723 ----a-w- c:\documents and settings\All Users\Application Data\vlc-1.0.1-win32.exe
2009-08-28 10:47 . 2009-08-28 10:47 -------- d-----w- c:\windows\system32\custom matrices
2009-08-28 10:47 . 2009-08-28 10:47 -------- d-----w- c:\windows\system32\C2MP
2009-08-28 10:47 . 2009-08-28 10:47 -------- d-----w- c:\windows\system32\QuickTime
2009-08-28 10:41 . 2009-08-28 10:41 -------- d-----w- c:\program files\VideoLAN
2009-08-28 05:42 . 2009-08-29 07:58 -------- d-----w- c:\documents and settings\owner\Local Settings\Application Data\QuickPar
2009-08-28 05:38 . 2009-08-28 05:39 -------- d-----w- c:\program files\QuickPar
2009-08-28 04:38 . 2009-08-28 04:38 -------- d-----w- c:\program files\Trend Micro
2009-08-28 04:35 . 2009-08-28 04:36 -------- d-----w- c:\program files\ERUNT
2009-08-26 10:04 . 2009-08-26 10:04 -------- d-----w- c:\program files\Common Files\Software Update Utility
2009-08-25 01:33 . 2009-08-25 01:33 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-08-25 00:00 . 2009-08-25 00:00 -------- d-----w- c:\documents and settings\owner\Application Data\NeroDigital(TM)
2009-08-24 22:39 . 2009-08-26 09:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-24 22:39 . 2009-08-24 22:40 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-24 17:16 . 2009-08-24 17:16 -------- d-----w- c:\documents and settings\owner\Application Data\CyberLink
2009-08-24 17:13 . 2009-08-24 17:13 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink
2009-08-24 17:11 . 2009-08-24 17:18 -------- d-----w- c:\program files\CyberLink
2009-08-24 17:08 . 2008-04-14 00:12 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2009-08-24 04:56 . 2009-08-24 04:56 71256 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-08-24 04:54 . 2009-08-24 04:54 -------- d-----w- c:\documents and settings\owner\Local Settings\Application Data\Nero
2009-08-21 21:57 . 2009-08-21 21:57 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-08-21 20:35 . 2009-08-21 20:35 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-21 20:35 . 2009-08-21 20:35 -------- d-----w- c:\program files\MSBuild
2009-08-21 20:35 . 2009-08-21 20:35 -------- d-----w- c:\program files\Reference Assemblies
2009-08-21 20:34 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-21 20:34 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-21 20:34 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-21 20:34 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-21 20:34 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-21 20:34 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-21 20:34 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-21 20:32 . 2009-08-21 20:32 -------- d-----w- c:\program files\Windows Media Connect 2
2009-08-21 20:32 . 2009-08-21 20:32 -------- d-----w- c:\windows\system32\drivers\UMDF
2009-08-21 20:25 . 2009-08-21 20:25 -------- d-sh--w- c:\documents and settings\owner\IECompatCache
2009-08-21 20:13 . 2009-08-21 20:13 -------- d-----w- c:\program files\DFX
2009-08-21 18:25 . 2009-08-23 20:43 -------- d-----w- c:\documents and settings\owner\Application Data\Nero
2009-08-21 18:22 . 2009-08-21 18:22 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-21 17:58 . 2009-08-29 05:08 -------- d-----w- c:\program files\Nero
2009-08-21 17:58 . 2009-08-29 05:09 -------- d-----w- c:\program files\Common Files\Nero
2009-08-21 17:58 . 2009-08-29 05:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2009-08-21 15:20 . 2009-08-21 15:20 -------- d-----w- c:\documents and settings\owner\Application Data\Earthsim
2009-08-21 15:07 . 2009-08-21 15:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Earthsim
2009-08-21 14:32 . 2009-08-21 14:32 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-08-21 14:31 . 2009-08-21 14:30 118520 ------w- c:\windows\system32\pxinsi64.exe
2009-08-21 14:31 . 2009-08-21 14:30 116472 ------w- c:\windows\system32\pxcpyi64.exe
2009-08-21 14:29 . 2009-08-21 14:29 -------- d-----w- c:\program files\MasterSplitter
2009-08-21 14:06 . 2009-04-28 20:20 129520 ------w- c:\windows\system32\pxafs.dll
2009-08-21 14:06 . 2009-08-21 21:19 -------- d-----w- c:\documents and settings\owner\Application Data\Winamp
2009-08-21 14:06 . 2009-08-21 20:13 -------- d-----w- c:\program files\Winamp
2009-08-20 15:01 . 2009-08-20 15:01 -------- d-----w- c:\program files\Agent
2009-08-20 14:36 . 2009-08-29 14:29 -------- d-----w- C:\a1 Try These
2009-08-20 11:10 . 2009-08-21 13:46 -------- d-----w- c:\documents and settings\owner\Local Settings\Application Data\MCataloguer
2009-08-20 11:03 . 2009-08-20 11:03 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-08-19 12:01 . 2009-08-19 12:01 -------- d-----w- c:\program files\MSXML 4.0
2009-08-19 08:31 . 2009-08-19 08:31 -------- d-----w- c:\program files\MCataloguer
2009-08-19 08:31 . 2009-08-19 08:31 -------- d-----w- c:\program files\MSXML 6.0
2009-08-19 03:53 . 2009-08-19 03:53 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-08-19 03:52 . 2009-08-19 03:53 -------- d-----w- c:\program files\Common Files\HP
2009-08-19 03:51 . 2009-08-19 03:51 -------- d-----w- c:\program files\Hewlett-Packard
2009-08-19 03:46 . 2009-08-19 03:55 117094 ----a-w- c:\windows\hpoins11.dat
2009-08-18 19:21 . 2009-08-18 19:21 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2009-08-18 18:21 . 2009-08-18 18:21 -------- d-----w- c:\documents and settings\owner\Local Settings\Application Data\IsolatedStorage
2009-08-18 18:21 . 2009-08-18 18:21 -------- d-----w- c:\documents and settings\owner\Local Settings\Application Data\HP
2009-08-18 18:21 . 2009-08-18 18:21 128 ----a-w- c:\documents and settings\owner\Local Settings\Application Data\fusioncache.dat
2009-08-18 18:20 . 2009-08-18 18:21 -------- d-----w- c:\documents and settings\owner\Application Data\HP
2009-08-18 18:12 . 2009-08-18 18:13 94084 ----a-w- c:\windows\hpqins07.dat
2009-08-18 18:11 . 2009-08-18 18:12 94237 ----a-w- c:\windows\hpqins04.dat
2009-08-18 18:10 . 2009-08-18 18:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic
2009-08-18 18:08 . 2009-08-18 18:10 94215 ----a-w- c:\windows\hpqins09.dat
2009-08-18 18:07 . 2009-08-18 18:08 94107 ----a-w- c:\windows\hpqins05.dat
2009-08-18 18:05 . 2009-08-18 18:07 94115 ----a-w- c:\windows\hpqins01.dat
2009-08-18 18:03 . 2009-08-18 18:04 94083 ----a-w- c:\windows\hpqins11.dat
2009-08-18 17:52 . 2009-08-18 17:52 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2009-08-18 17:51 . 2006-04-13 01:04 16496 ----a-r- c:\windows\system32\drivers\HPZipr12.sys
2009-08-18 17:51 . 2006-04-13 01:04 49664 ----a-r- c:\windows\system32\drivers\HPZid412.sys
2009-08-18 17:51 . 2006-01-04 09:12 77824 ----a-r- c:\windows\system32\HPZIDS01.dll
2009-08-18 17:51 . 2006-04-10 18:03 38400 ----a-w- c:\windows\system32\hpz3l054.dll
2009-08-18 17:50 . 2008-04-13 15:45 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2009-08-18 17:50 . 2008-04-13 15:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-08-18 17:48 . 2007-08-09 07:27 73728 ----a-w- c:\windows\system32\HPZipm12.exe
2009-08-18 17:48 . 2006-03-04 01:03 282680 ----a-w- c:\windows\system32\HPZidr12.dll
2009-08-18 17:48 . 2006-03-04 01:03 65536 ----a-w- c:\windows\system32\HPZinw12.exe
2009-08-18 17:48 . 2006-03-04 01:02 204800 ----a-w- c:\windows\system32\HPZipr12.dll
2009-08-18 17:48 . 2006-03-04 01:02 94208 ----a-w- c:\windows\system32\HPZipt12.dll
2009-08-18 17:48 . 2006-03-04 01:02 57344 ----a-w- c:\windows\system32\HPZisn12.dll
2009-08-18 17:47 . 2009-08-19 03:54 -------- d-----w- c:\program files\HP
2009-08-18 17:42 . 2008-04-13 15:47 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2009-08-18 17:42 . 2008-04-13 15:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2009-08-17 11:31 . 2009-08-21 20:32 -------- d-----w- c:\windows\system32\LogFiles
2009-08-16 12:25 . 2008-04-13 15:45 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2009-08-16 12:25 . 2008-04-13 15:45 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2009-08-16 12:25 . 2008-04-13 15:45 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2009-08-16 12:25 . 2008-04-13 15:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-08-16 12:21 . 2009-08-16 12:57 -------- d-----w- c:\program files\MultiViewer
2009-08-16 09:06 . 2009-08-16 09:06 -------- d-----w- c:\documents and settings\owner\Local Settings\Application Data\ACD Systems
2009-08-16 09:06 . 2009-08-16 09:06 -------- d-----w- c:\documents and settings\owner\Application Data\ACD Systems
2009-08-16 09:04 . 2009-08-16 09:04 -------- d-----w- c:\documents and settings\All Users\Application Data\ACD Systems
2009-08-16 09:04 . 2009-08-20 22:32 -------- d-----w- c:\program files\Common Files\ACD Systems
2009-08-16 09:04 . 2009-08-16 09:04 -------- d-----w- c:\program files\ACD Systems
2009-08-16 09:02 . 2009-08-20 16:26 -------- d-----w- c:\documents and settings\owner\Local Settings\Application Data\Downloaded Installations
2009-08-16 05:54 . 2009-08-16 05:54 -------- d-----w- c:\windows\Downloaded Installations
2009-08-16 05:51 . 2003-06-25 20:05 266360 ----a-w- c:\windows\system32\TweakUI.exe
2009-08-16 05:14 . 2009-08-16 05:14 -------- d-----w- c:\program files\SonicWallES
2009-08-16 05:12 . 2009-08-16 05:12 -------- d-----w- c:\documents and settings\owner\Local Settings\Application Data\Identities
2009-08-16 04:22 . 2009-08-16 04:22 -------- d-----w- c:\documents and settings\owner\Local Settings\Application Data\Google
2009-08-16 01:29 . 2009-08-29 04:35 -------- d-----r- c:\documents and settings\owner\Downloads
2009-08-15 12:43 . 2009-08-15 12:43 0 ----a-w- c:\windows\nsreg.dat
2009-08-15 12:43 . 2009-08-15 12:43 -------- d-----w- c:\documents and settings\owner\Local Settings\Application Data\Mozilla
2009-08-15 12:08 . 2009-08-15 12:08 -------- d-----w- c:\program files\ULI5287
2009-08-15 12:07 . 2005-03-10 01:01 28672 ----a-w- c:\windows\system32\unM5287.exe
2009-08-15 12:07 . 2001-11-14 04:24 35587 ----a-w- c:\windows\system32\rm5287.exe
2009-08-15 12:07 . 2005-04-06 20:54 28672 ----a-w- c:\windows\system32\UnLAN.exe
2009-08-15 12:07 . 2005-03-23 00:36 28672 ----a-w- c:\windows\system32\drivers\ULILAN51.SYS
2009-08-15 12:07 . 2001-11-14 01:24 35587 ----a-w- c:\windows\system32\rmlan.exe
2009-08-15 12:07 . 2001-11-14 01:24 34307 ----a-w- c:\windows\system32\drivers\Install.EXE
2009-08-15 12:07 . 1998-10-29 20:45 306688 ----a-w- c:\windows\IsUninst.exe
2009-08-15 12:07 . 2009-08-15 12:07 -------- d-----w- c:\windows\system32\URTTemp
2009-08-15 12:06 . 2009-08-15 12:06 -------- d-----w- c:\program files\ATI Technologies
2009-08-15 12:06 . 2009-08-24 17:11 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-15 12:05 . 2009-08-15 12:06 -------- d-----w- c:\program files\Common Files\InstallShield
2009-08-15 12:05 . 2004-08-14 10:56 5810 ----a-r- c:\windows\system32\drivers\ASACPI.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-29 17:31 . 2009-08-15 11:44 64361504 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-08-29 15:00 . 2009-08-15 11:42 144 ----a-w- c:\windows\system32\pdfl.dat
2009-08-28 03:30 . 2009-08-28 03:30 1930751 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2009-08-26 22:30 . 2009-08-15 11:46 -------- d-----w- c:\documents and settings\owner\Application Data\#ISW.FS#
2009-08-26 09:21 . 2009-08-26 09:24 2547200 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2009-08-23 14:40 . 2009-08-15 09:48 18888 ----a-w- c:\documents and settings\owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-22 17:37 . 2009-08-15 11:16 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-21 18:39 . 2009-08-15 11:44 854840 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-08-16 12:20 . 2009-08-16 12:20 -------- d-----w- c:\program files\Wireless Camera Watcher
2009-08-16 05:14 . 2009-08-15 11:46 -------- d-----w- c:\documents and settings\owner\Application Data\MailFrontier
2009-08-16 01:16 . 2009-08-15 11:42 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-08-15 11:53 . 2009-08-15 11:53 -------- d-----w- c:\program files\microsoft frontpage
2009-08-15 11:51 . 2009-08-15 11:51 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-08-15 11:46 . 2009-08-15 11:46 -------- d-----w- c:\documents and settings\owner\Application Data\CheckPoint
2009-08-15 11:42 . 2009-08-15 11:42 80 ----a-w- c:\windows\system32\ibfl.dat
2009-08-15 11:42 . 2009-08-15 11:42 144 ----a-w- c:\windows\system32\lkfl.dat
2009-08-15 11:42 . 2009-08-15 11:42 -------- d-----w- c:\program files\CheckPoint
2009-08-15 11:42 . 2009-08-15 11:42 -------- d-----w- c:\program files\Zone Labs
2009-08-15 11:28 . 2009-08-15 11:27 -------- d-----w- c:\program files\ASUS
2009-08-15 11:26 . 2009-08-15 11:26 -------- d-----w- c:\program files\Realtek
2009-08-15 11:25 . 2009-08-15 11:25 -------- d-----w- c:\program files\AMD
2009-08-15 11:21 . 2009-08-15 10:29 -------- d-----w- c:\program files\AGEIA Technologies
2009-08-15 11:21 . 2009-08-15 10:29 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-15 11:21 . 2009-08-15 11:21 -------- d-----w- c:\program files\NVIDIA Corporation
2009-08-15 11:21 . 2009-08-15 11:21 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2009-08-15 10:20 . 2009-08-15 11:52 86327 ----a-w- c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat
2009-08-11 20:21 . 2009-08-11 20:21 87552 ----a-w- c:\windows\system32\ac3config.exe
2009-08-05 09:01 . 2009-08-15 09:24 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:58 . 2009-08-04 15:58 802603 ----a-w- c:\windows\system32\ff_x264.dll
2009-08-04 15:57 . 2009-08-04 15:57 557003 ----a-w- c:\windows\system32\libmplayer.dll
2009-08-04 13:07 . 2009-08-04 13:07 4455179 ----a-w- c:\windows\system32\libavcodec.dll
2009-07-29 23:10 . 2009-07-29 23:10 829781 ----a-w- c:\windows\system32\xvidcore.dll
2009-07-29 04:37 . 2001-08-18 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-29 04:37 . 2001-08-18 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-17 19:01 . 2001-08-18 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 18:54 . 2009-08-15 11:19 2189856 ----a-w- c:\windows\system32\nvcuvid.dll
2009-07-14 18:54 . 2009-08-15 11:19 1706528 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-07-14 18:54 . 2009-08-15 11:19 1597690 ----a-w- c:\windows\system32\nvdata.bin
2009-07-14 18:54 . 2009-08-15 10:28 485920 ----a-w- c:\windows\system32\nvudisp.exe
2009-07-14 18:54 . 2008-07-31 12:49 10457088 ----a-w- c:\windows\system32\nvoglnt.dll
2009-07-14 18:54 . 2008-07-26 04:48 868352 ----a-w- c:\windows\system32\nvapi.dll
2009-07-14 18:54 . 2008-07-26 04:48 2002944 ----a-w- c:\windows\system32\nvcuda.dll
2009-07-14 18:54 . 2008-07-26 04:48 151552 ----a-w- c:\windows\system32\nvcodins.dll
2009-07-14 18:54 . 2008-07-26 04:48 151552 ----a-w- c:\windows\system32\nvcod.dll
2009-07-14 18:54 . 2004-08-04 07:56 5842816 ----a-w- c:\windows\system32\nv4_disp.dll
2009-07-14 18:54 . 2004-08-04 05:29 7741664 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-07-14 17:35 . 2009-07-14 17:35 2173472 ----a-w- c:\windows\system32\nvcplui.exe
2009-07-14 17:35 . 2009-07-14 17:35 81920 ----a-w- c:\windows\system32\nvwddi.dll
2009-07-14 17:35 . 2009-07-14 17:35 4026368 ----a-w- c:\windows\system32\nvvitvs.dll
2009-07-14 17:35 . 2009-07-14 17:35 3170304 ----a-w- c:\windows\system32\nvwss.dll
2009-07-14 17:34 . 2009-07-14 17:34 86016 ----a-w- c:\windows\system32\nvmctray.dll
2009-07-14 17:34 . 2009-07-14 17:34 4923392 ----a-w- c:\windows\system32\nvdisps.dll
2009-07-14 17:34 . 2009-07-14 17:34 3547136 ----a-w- c:\windows\system32\nvgames.dll
2009-07-14 17:34 . 2009-07-14 17:34 188416 ----a-w- c:\windows\system32\nvmccss.dll
2009-07-14 17:34 . 2009-07-14 17:34 168004 ----a-w- c:\windows\system32\nvsvc32.exe
2009-07-14 17:34 . 2009-07-14 17:34 143360 ----a-w- c:\windows\system32\nvcolor.exe
2009-07-14 17:34 . 2009-07-14 17:34 13877248 ----a-w- c:\windows\system32\nvcpl.dll
2009-07-14 17:34 . 2009-07-14 17:34 1286144 ----a-w- c:\windows\system32\nvmobls.dll
2009-07-14 17:34 . 2009-07-14 17:34 229376 ----a-w- c:\windows\system32\nvmccs.dll
2009-07-14 13:19 . 2009-07-14 13:19 425040 ----a-w- c:\windows\system32\TomsMoComp_ff.dll
2009-07-14 12:31 . 2009-07-14 12:31 146098 ----a-w- c:\windows\system32\libmpeg2_ff.dll
2009-07-14 03:43 . 2004-08-04 07:56 286208 ------w- c:\windows\system32\wmpdxm.dll
2009-07-10 11:01 . 2009-08-15 10:28 485920 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-07-03 17:09 . 2001-08-18 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:50 . 2009-06-26 16:50 81920 ------w- c:\windows\system32\ieencode.dll
2009-06-25 08:25 . 2001-08-18 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2001-08-18 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2001-08-18 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2001-08-18 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2001-08-18 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2001-08-18 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2001-08-18 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-12 12:31 . 2001-08-18 12:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2001-08-18 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2001-08-18 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2009-08-15 11:51 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2001-08-18 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2009-08-15 09:24 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-06-02 17:35 . 2009-06-02 17:35 328334 ----a-w- c:\windows\system32\ff_kernelDeint.dll
2009-06-02 17:15 . 2009-06-02 17:15 113152 ----a-w- c:\windows\system32\ff_unrar.dll
2009-06-02 17:15 . 2009-06-02 17:15 146944 ----a-w- c:\windows\system32\ff_tremor.dll
2009-06-02 17:15 . 2009-06-02 17:15 183296 ----a-w- c:\windows\system32\ff_samplerate.dll
2009-06-02 17:14 . 2009-06-02 17:14 178688 ----a-w- c:\windows\system32\ff_libmad.dll
2009-06-02 17:14 . 2009-06-02 17:14 486400 ----a-w- c:\windows\system32\ff_libfaad2.dll
2009-06-02 17:13 . 2009-06-02 17:13 257024 ----a-w- c:\windows\system32\ff_libdts.dll
2009-06-02 17:13 . 2009-06-02 17:13 142848 ----a-w- c:\windows\system32\ff_liba52.dll
2009-06-02 17:11 . 2009-06-02 17:11 98304 ----a-w- c:\windows\system32\ff_wmv9.dll
2009-06-02 17:11 . 2009-06-02 17:11 85504 ----a-w- c:\windows\system32\ff_vfw.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ULiRaid"="c:\program files\ULI5287\ULiRaid.exe" [2005-08-24 409600]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-05-29 1005960]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"DU Meter"="d:\du meter\DUMETER.EXE" [2001-01-22 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-14 13877248]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2005-07-14 14679552]

c:\documents and settings\owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"nwiz"=c:\program files\NVIDIA Corporation\nView\nwiz.exe /install
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

R0 m5287;m5287;c:\windows\system32\drivers\m5287.sys [12/31/1979 8:00 PM 101120]
R2 ISWKL;ForceField ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [4/17/2009 4:11 AM 21136]
R2 IswSvc;ForceField IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [4/17/2009 4:11 AM 394632]
R3 ULI5261XP;ULi M526X Ethernet NT Driver;c:\windows\system32\drivers\ULILAN51.SYS [8/15/2009 8:07 AM 28672]
S3 icsak;icsak;c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [4/17/2009 4:11 AM 54928]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/?ncid=toolbar
mStart Page =
Handler: mcataloguer - {FECF9894-CCCF-4DE3-B994-AEE32E70B341} - c:\program files\MCataloguer\MCatProt.dll
FF - ProfilePath - c:\documents and settings\owner\Application Data\mozilla\firefox\profiles\xevmfdd3.default\

---- FIREFOX POLICIES ----
FF - user.js: protocol-handler.warn-external.dnUpdate - falsec:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-29 13:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\System32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\System32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2009-08-29 13:32
ComboFix-quarantined-files.txt 2009-08-29 17:32

Pre-Run: 280,628,199,424 bytes free
Post-Run: 282,270,347,264 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /bootlog

431 --- E O F --- 2009-08-26 23:02
 
Hello!

Do you know what is in this folder C:\a1 Try These?

Antivirus

Looking over your log it seems you don't have any evidence of an anti-virus software.

Anti-virus software are programs that detect cleans and erase harmful virus files on a computer Web server or network. Unchecked virus files can unintentionally be forwarded to others including trading partners and thereby spreading infection. Because new viruses regularly emerge anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. They can alert the user if a virus is present and will clean delete (or quarantine) infected files or directories. Please download a free anti-virus software from one these excellent vendors NOW:




It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer then only one of them should be active in memory at a time.



Remove HijackThis entries


  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
  • Close all open windows and browsers/email etc...
  • Click on the Fix Checked button
  • When completed close the application.




Uninstall list

Make an uninstall list using HijackThis. To access the Uninstall Manager you would do the following:


  • Start HijackThis
  • Click on the Config button
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
  • Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.





ATF-Cleaner

Please download ATF Cleaner by Atribune.


  • Save it to your desktop
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

    If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.

    NOTE: If you would like to keep your saved passwords please click No at the prompt.
  • Click Exit on the Main menu to close the program.




Eset online scannner

You can use either Internet Explorer or Mozilla FireFox for this scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.


  • Please go here then click on:
    EOLS1.gif

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
    Click to expand...
  • Select the option YES, I accept the Terms of Use then click on:
    EOLS2.gif
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:


    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on:
    EOLS3.gif
  • The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on:
    EOLS4.gif
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.


Note: Do not forget to re-enable your Anti-Virus application after running the above scan!



Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:

  • Reply to my question
  • Hijackthis uninstall list
  • ESET log
  • A fresh HijackThis Log ( after all the above has been done)
  • A description of how your computer is behaving
 
Logs

The directory you asked about is my quarrantine directory where I copy files from other hard drives that I don't immediately recognize. From here programs are deleted unless I absolutely trust the source. I frequently swap in other hard drives. I will download entire newsgroups and go through them sometimes years later. I'm normally very careful. I have been using the internet since it was a dos prompt and this is my first ever infection.
I am using zone alarm extreme security suite so I do have antivirus/spyware protection. However I am disappointed in the vendor they chose for this part of the suite.
FYI anyone using ZA's browser security must open an unprotected browser in addition to turning off antivirus and spyware. Otherwise you get an error about not having administrator rights even if you are an administrator.
The PC is running fine. no more misdirects or not being able to use certain programs. Is this particular nasty just a browser hijacker or do I need to worry about keylogging passwords and credit cards too?


Logs follow: uninstall


Advertising Center
AOL Toolbar
AsusUpdate
Athlon 64 Processor Driver
ATI - Software Uninstall Utility
Cool & Quiet
DFX 8 for Winamp
DolbyFiles
Download Updater (AOL LLC)
ERUNT 1.1j
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
HP Document Viewer 7.0
HP Imaging Device Functions 7.0
HP Photosmart Essential
HP Photosmart Premier Software 6.5
HP Photosmart, Officejet and Deskjet 7.0.A
HP Product Assistant
HP Software Update
HP Solution Center 7.0
Magnifier Powertoy for Windows XP
MCataloguer
Media Player Codec Pack 3.7.0
Menu Templates - Starter Kit
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Movie Templates - Starter Kit
Mozilla Firefox (3.5.2)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser
MultiViewer
Nero 9 Trial
Nero BurnRights
Nero ControlCenter
Nero CoverDesigner
Nero DiscSpeed
Nero DriveSpeed
Nero InfoTool
Nero Installer
Nero Live
Nero PhotoSnap
Nero Recode
Nero Rescue Agent
Nero ShowTime
Nero StartSmart
Nero Vision
Nero WaveEditor
NeroBurningROM
NeroExpress
NeroLiveGadget
neroxml
NVIDIA Drivers
NVIDIA nView Desktop Manager
NVIDIA PhysX
OCR Software by I.R.I.S 7.0
PC Probe II
PowerDVD
QuickPar 0.9
Realtek High Definition Audio Driver
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
SoundTrax
Spybot - Search & Destroy
Tweak UI
ULi M5287 SATA Controller Driver
ULi PCI 10-100 Fast Ethernet Controller Driver
Update for Windows Internet Explorer 8 (KB972636)
Update for Windows XP (KB943729)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
USB2.0 Capture Device
VC 9.0 Runtime
VLC media player 1.0.1
Winamp
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
Wireless Camera Watcher
ZoneAlarm Extreme Security


online scan:

C:\Documents and Settings\owner\Downloads\Nero-9.4.13.2b_trial.exe Win32/Toolbar.AskSBar application
C:\Documents and Settings\owner\Downloads\Nero-9.4.13.2c_update.exe Win32/Toolbar.AskSBar application
C:\Documents and Settings\owner\Downloads\Nero-9.4.13.2d_trial.exe Win32/Toolbar.AskSBar application
C:\Documents and Settings\owner\Downloads\nero9.exe Win32/Toolbar.AskSBar application
D:\agent\Video tools\windows media recorder 10.2\patch.exe a variant of Win32/HackTool.Patcher.A application
F:\ACDC\TEMP\Nero Multi Keygenerator.exe probably a variant of Win32/SdBot trojan
F:\dvd\alt.binaries.boneless\NewsBin Pro 5.35.rar probably a variant of Win32/Agent trojan
F:\dvd\d4d.cc - martijny post - QuickTime Pro 7.20\d4d.cc - martijny post - QuickTime Pro 7.20\keymaker.exe probably a variant of Win32/Agent trojan
F:\dvd\LasVegas casino Masters\LasVegas casino Masters.iso a variant of Win32/Adware.Casino application
F:\xp downloads\Nero-7.8.5.0_eng_update.exe Win32/Toolbar.AskSBar application
G:\agent download\alt.binaries.boneless\Lucky Casino Delux 2007\Lucky Casino Delux 2007.iso a variant of Win32/Adware.Casino application
G:\agent download\alt.binaries.boneless\Nero 8 Full\Nero 8 Full\Nero 8 Latest Version\Nero-8.1.1.4_eng_trial.exe Win32/Toolbar.AskSBar application
G:\agent download\alt.binaries.boneless\Nero 8 Full\Nero 8 Full\Nero 8 NL\Nero 8 NL.iso Win32/Toolbar.AskSBar application
G:\agent download\alt.binaries.boneless\Nero.v8.1.1.4.Ultra.Edition\Nero.v8.1.1.4.Ultra.Edition\Nero.v8.1.1.4.Ultra.Edition\Nero-8.1.1.4_eng_trial.exe Win32/Toolbar.AskSBar application


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:27:03 AM, on 8/31/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ULI5287\ULiRaid.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
D:\DU Meter\DUMETER.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\StkASv2K.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\CheckPoint\ZAForceField\forcefield.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CheckPoint\ZAForceField\ISWMGR.exe
C:\Program Files\CheckPoint\ZAForceField\ISWMGR.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
c:\program files\aol toolbar\aoltbServer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AOL Toolbar Loader - {3ef64538-8b54-4573-b48f-4d34b0238ab2} - C:\Program Files\AOL Toolbar\aoltb.dll
O2 - BHO: ForceField Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O3 - Toolbar: ForceField Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O3 - Toolbar: AOL Toolbar - {ba00b7b1-0351-477a-b948-23e3ee5a73d4} - C:\Program Files\AOL Toolbar\aoltb.dll
O4 - HKLM\..\Run: [ULiRaid] C:\Program Files\ULI5287\ULiRaid.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DU Meter] D:\DU Meter\DUMETER.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1250327666185
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O18 - Protocol: mcataloguer - {FECF9894-CCCF-4DE3-B994-AEE32E70B341} - C:\Program Files\MCataloguer\MCatProt.dll
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ForceField IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Syntek STK1160 Service (StkASSrv) - Syntek America Inc. - C:\WINDOWS\System32\StkASv2K.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5158 bytes
 
Is this particular nasty just a browser hijacker or do I need to worry about keylogging passwords and credit cards too?
Click to expand...
You dont have to be worried about your passwords or your credit card details. This infection blocks lot of tools we use and it is pain in the neck.

You need to delete this file: F:\ACDC\TEMP\Nero Multi Keygenerator.exe

Lets make sure everything ok before i will give all clear.

ATF-Cleaner


  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

    If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.

    NOTE: If you would like to keep your saved passwords please click No at the prompt.
  • Click Exit on the Main menu to close the program.



Malwarebytes' Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.



  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the Perform Full Scan option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and Scan in progress will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say The scan completed successfully. Click 'Show Results' to display all objects found.
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.



Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:

  • Malwarebytes Antimalware log
  • A fresh HijackThis Log ( after all the above has been done)
  • A description of how your computer is behaving
 
logs

Hello,
The system seems to be running fine. No issues that I can notice.


Malwarebytes' Anti-Malware 1.40
Database version: 2722
Windows 5.1.2600 Service Pack 3

9/1/2009 12:16:40 AM
mbam-log-2009-09-01 (00-16-40).txt

Scan type: Full Scan (C:\|D:\|F:\|G:\|)
Objects scanned: 507049
Time elapsed: 2 hour(s), 57 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
D:\System Volume Information\_restore{02DBBC02-FE97-4A59-B24F-2A426B27E4DD}\RP218\A0331532.exe (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{5C58B51C-A324-4792-AFA8-802275A26B96}\RP806\A0323037.exe (Backdoor.Sdbot) -> Quarantined and deleted successfully.
F:\System Volume Information\_restore{FE89B679-31AF-424A-BE74-EC57E4402084}\RP55\A0013378.exe (Backdoor.Sdbot) -> Quarantined and deleted successfully.
G:\System Volume Information\_restore{02DBBC02-FE97-4A59-B24F-2A426B27E4DD}\RP216\A0308375.exe (Trojan.Agent) -> Quarantined and deleted successfully.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:37:27 AM, on 9/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\ULI5287\ULiRaid.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\StkASv2K.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
D:\DU Meter\DUMETER.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\CheckPoint\ZAForceField\forcefield.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CheckPoint\ZAForceField\ISWMGR.exe
C:\Program Files\CheckPoint\ZAForceField\ISWMGR.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\aol toolbar\aoltbServer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AOL Toolbar Loader - {3ef64538-8b54-4573-b48f-4d34b0238ab2} - C:\Program Files\AOL Toolbar\aoltb.dll
O2 - BHO: ForceField Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O3 - Toolbar: ForceField Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O3 - Toolbar: AOL Toolbar - {ba00b7b1-0351-477a-b948-23e3ee5a73d4} - C:\Program Files\AOL Toolbar\aoltb.dll
O4 - HKLM\..\Run: [ULiRaid] C:\Program Files\ULI5287\ULiRaid.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DU Meter] D:\DU Meter\DUMETER.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1250327666185
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O18 - Protocol: mcataloguer - {FECF9894-CCCF-4DE3-B994-AEE32E70B341} - C:\Program Files\MCataloguer\MCatProt.dll
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ForceField IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Syntek STK1160 Service (StkASSrv) - Syntek America Inc. - C:\WINDOWS\System32\StkASv2K.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5158 bytes
 
Your log now appears to be clean. Congratulations!

You can get rid of the tools we used:

  • DDS - (You can just delete the exe file from your desktop)
  • ATF cleaner - (You can just delete the exe file from your desktop)
  • ERUNT - (You can uninstall it from Add/Remove Programs)



Delete ComboFix and Clean Up
Click Start > Run > type combofix /u > OK (Note the space between combofix and /u)
CF_Cleanup.png

Please advise if this step is missed for any reason as it performs some important actions.

OTC

Download OTC by Old Timer and save it to your Desktop.


  • Double-click OTC.exe
  • Click the CleanUp! button
  • Select Yes when the Begin cleanup Process? Prompt appears
  • If you are prompted to Reboot during the cleanup, select Yes
  • The tool will delete itself once it finishes, if not delete it by yourself


Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.


General Security and Computer Health
Below are some steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.


  • Make sure that you keep your antivirus updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    NOTE: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
  • Security Updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.
    NOTE: The update process uses ActiveX, so you will need to use internet explorer for it and allow the ActiveX control to install.
  • Update Non-Microsoft Programs
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector or F-secure Health Check. I suggest that you run one of them at least once a month.



Recommended Programs

I would recommend the download and installation of some or all of the following programs (if not already present), and the updating of them on a regular basis.


  • WinPatrol
    As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE.
  • SpywareBlaster
    SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing on your computer. If you don't know what ActiveX controls are, see HERE. You can download SpywareBlaster from HERE.
  • Malwarebytes' Anti-Malware
    Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built in protection monitor that blocks malicious processes before they even start.You can download Malwarebytes' Anti-Malware from HERE. Here are two tutorials: Malwarebytes' Anti-Malware Setup Guide and Malwarebytes' Anti-Malware Scanning Guide.
  • Hosts File
    For added protection you may also like to add a host file. A simple explanation of what a Hosts file does is HERE and for more information regarding host files read HERE.
  • Use an alternative Internet Browser
    Many of the exploits are directed to users of Internet Explorer. Try using a different browser instead: Firefox or Opera or Google Chrome


Here is a great article by miekiemoes How to prevent Malware.

Finally I am trying to make one point very clear. It is ABSOLUTELY ESSENTIAL to keep all of your security programs up to date.


Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints Malware Complaints. You need to be registered to post as, unfortunately, we were hit with too many spam posts to allow guest posting to continue. Just find your country room and register your complaint.


I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

Happy surfing and stay clean!

Bio-Hazard
 
Thank You!

All you have suggested is done. I hope I never need your services again but I greatly appreciate and admire your selflessness and dedication to this problem. Keep fighting the good fight and Bless you!
 
Thank you for your kind words.

Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.
 
Status
Not open for further replies.
Back
Top