
Active Bad Google Redirect, startup window "cannot find logon.exe"

Discussion in 'Malware and Virus Removal Archive' started by loogoldham, 2009/12/01.

  1. 2009/12/01, loogoldham (Thread Starter)

    [Active] Bad Google Redirect, startup window "cannot find logon.exe"

    Hi: I am posting because I have some kind of trojan horse/malware/bad thing on my computer. I tried Zone Alarm and AdAware and they couldn't get rid of it. I also tried running regedit to stop logon.exe from loading at startup, but it wasn't listed.

    2 known issues:
    1) I do a Google search, click on the link, get redirected 2-3 times and end up on a random site. This is only happening in Firefox right now.
    2) Every time I start up the computer, I get a grey pop-up window saying "Windows cannot find 'logon.exe' ..."

    Adaware log below. DDS logs in next posting.

    THANK YOU FOR YOUR HELP!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    ------------------------------------------------
    ADAWARE LOG

    Logfile created: 12/1/2009 11:58:47
    Lavasoft Ad-Aware version: 8.1.2
    User performing scan: Mr. B

    *********************** Definitions database information ***********************
    Lavasoft definition file: 149.105
    Genotype definition file version: Unknown

    ******************************** Scan results: *********************************
    Scan profile name: Smart Scan (ID: smart)
    Objects scanned: 17278
    Objects detected: 14


    Type Detected
    ==========================
    Processes.......: 0
    Registry entries: 0
    Hostfile entries: 0
    Files...........: 0
    Folders.........: 0
    LSPs............: 0
    Cookies.........: 14
    Browser hijacks.: 0
    MRU objects.....: 0



    Removed items:
    Description: *casalemedia* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409152 Family ID: 0
    Description: *doubleclick* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408875 Family ID: 0
    Description: *2o7* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408943 Family ID: 0
    Description: *ad.yieldmanager* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409172 Family ID: 0
    Description: *atdmt* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408910 Family ID: 0
    Description: *fastclick* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408869 Family ID: 0
    Description: *indextools* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409194 Family ID: 0
    Description: *live365* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408844 Family ID: 0
    Description: *webtrends* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 599640 Family ID: 0
    Description: *2o7* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408943 Family ID: 0
    Description: *adserv* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408921 Family ID: 0
    Description: *live365* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408844 Family ID: 0
    Description: *doubleclick* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408875 Family ID: 0
    Description: *webtrends* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 599640 Family ID: 0

    Scan and cleaning complete: Finished correctly after 353 seconds

    *********************************** Settings ***********************************

    Scan profile:
    ID: smart, enabled:1, value: Smart Scan
    ID: folderstoscan, enabled:1, value:
    ID: useantivirus, enabled:0, value: true
    ID: sections, enabled:1
    ID: scancriticalareas, enabled:1, value: true
    ID: scanrunningapps, enabled:1, value: true
    ID: scanregistry, enabled:1, value: true
    ID: scanlsp, enabled:1, value: true
    ID: scanads, enabled:1, value: false
    ID: scanhostsfile, enabled:1, value: false
    ID: scanmru, enabled:1, value: false
    ID: scanbrowserhijacks, enabled:1, value: true
    ID: scantrackingcookies, enabled:1, value: true
    ID: closebrowsers, enabled:1, value: false
    ID: filescanningoptions, enabled:1
    ID: archives, enabled:1, value: false
    ID: onlyexecutables, enabled:1, value: true
    ID: skiplargerthan, enabled:1, value: 20480
    ID: scanrootkits, enabled:1, value: true
    ID: rootkitlevel, enabled:1, value: mild, domain: medium,mild,strict
    ID: usespywareheuristics, enabled:1, value: true
    ID: heuristicslevel, enabled:1, value: mild, domain: medium,mild,strict

    Scan global:
    ID: global, enabled:1
    ID: addtocontextmenu, enabled:1, value: true
    ID: playsoundoninfection, enabled:1, value: false
    ID: soundfile, enabled:0, value: *to be filled in automatically*\alert.wav

    Scheduled scan settings:
    <Empty>

    Update settings:
    ID: updates, enabled:1
    ID: launchthreatworksafterscan, enabled:1, value: off, domain: normal,off,silently
    ID: deffiles, enabled:1, value: dontcheck, domain: dontcheck,downloadandinstall
    ID: softwareupdates, enabled:1, value: dontcheck, domain: dontcheck,downloadandinstall
    ID: licenseandinfo, enabled:1, value: dontcheck, domain: dontcheck,downloadandinstall
    ID: schedules, enabled:1, value: true
    ID: updatedaily1, enabled:0, value: Daily 1
    ID: time, enabled:0, value: Tue Dec 01 11:06:00 2009
    ID: frequency, enabled:0, value: daily, domain: daily,monthly,once,systemstart,weekly
    ID: weekdays, enabled:0
    ID: monday, enabled:0, value: false
    ID: tuesday, enabled:0, value: false
    ID: wednesday, enabled:0, value: false
    ID: thursday, enabled:0, value: false
    ID: friday, enabled:0, value: false
    ID: saturday, enabled:0, value: false
    ID: sunday, enabled:0, value: false
    ID: monthly, enabled:0, value: 1, minvalue: 1, maxvalue: 31
    ID: scanprofile, enabled:0, value:
    ID: auto_deal_with_infections, enabled:0, value: false
    ID: updatedaily2, enabled:0, value: Daily 2
    ID: time, enabled:0, value: Tue Dec 01 17:06:00 2009
    ID: frequency, enabled:0, value: daily, domain: daily,monthly,once,systemstart,weekly
    ID: weekdays, enabled:0
    ID: monday, enabled:0, value: false
    ID: tuesday, enabled:0, value: false
    ID: wednesday, enabled:0, value: false
    ID: thursday, enabled:0, value: false
    ID: friday, enabled:0, value: false
    ID: saturday, enabled:0, value: false
    ID: sunday, enabled:0, value: false
    ID: monthly, enabled:0, value: 1, minvalue: 1, maxvalue: 31
    ID: scanprofile, enabled:0, value:
    ID: auto_deal_with_infections, enabled:0, value: false
    ID: updatedaily3, enabled:0, value: Daily 3
    ID: time, enabled:0, value: Tue Dec 01 23:06:00 2009
    ID: frequency, enabled:0, value: daily, domain: daily,monthly,once,systemstart,weekly
    ID: weekdays, enabled:0
    ID: monday, enabled:0, value: false
    ID: tuesday, enabled:0, value: false
    ID: wednesday, enabled:0, value: false
    ID: thursday, enabled:0, value: false
    ID: friday, enabled:0, value: false
    ID: saturday, enabled:0, value: false
    ID: sunday, enabled:0, value: false
    ID: monthly, enabled:0, value: 1, minvalue: 1, maxvalue: 31
    ID: scanprofile, enabled:0, value:
    ID: auto_deal_with_infections, enabled:0, value: false
    ID: updatedaily4, enabled:0, value: Daily 4
    ID: time, enabled:0, value: Tue Dec 01 05:06:00 2009
    ID: frequency, enabled:0, value: daily, domain: daily,monthly,once,systemstart,weekly
    ID: weekdays, enabled:0
    ID: monday, enabled:0, value: false
    ID: tuesday, enabled:0, value: false
    ID: wednesday, enabled:0, value: false
    ID: thursday, enabled:0, value: false
    ID: friday, enabled:0, value: false
    ID: saturday, enabled:0, value: false
    ID: sunday, enabled:0, value: false
    ID: monthly, enabled:0, value: 1, minvalue: 1, maxvalue: 31
    ID: scanprofile, enabled:0, value:
    ID: auto_deal_with_infections, enabled:0, value: false
    ID: updateweekly1, enabled:1, value: Weekly
    ID: time, enabled:1, value: Tue Dec 01 11:06:00 2009
    ID: frequency, enabled:1, value: weekly, domain: daily,monthly,once,systemstart,weekly
    ID: weekdays, enabled:1
    ID: monday, enabled:1, value: false
    ID: tuesday, enabled:1, value: true
    ID: wednesday, enabled:1, value: false
    ID: thursday, enabled:1, value: false
    ID: friday, enabled:1, value: true
    ID: saturday, enabled:1, value: false
    ID: sunday, enabled:1, value: false
    ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
    ID: scanprofile, enabled:1, value:
    ID: auto_deal_with_infections, enabled:1, value: false

    Appearance settings:
    ID: appearance, enabled:1
    ID: skin, enabled:1, value: default.egl, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Resource
    ID: showtrayicon, enabled:1, value: true
    ID: autoentertainmentmode, enabled:0, value: false
    ID: guimode, enabled:1, value: mode_advanced, domain: mode_advanced,mode_simple
    ID: language, enabled:1, value: en, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Language

    Realtime protection settings:
    ID: realtime, enabled:1
    ID: modules, enabled:1
    ID: processprotection, enabled:1, value: false
    ID: registryprotection, enabled:0, value: false
    ID: networkprotection, enabled:0, value: false
    ID: layers, enabled:1
    ID: useantivirus, enabled:0, value: false
    ID: usespywareheuristics, enabled:0, value: false
    ID: heuristicslevel, enabled:0, value: mild, domain: medium,mild,strict
    ID: infomessages, enabled:1, value: display, domain: display,dontnotify,onlyimportant


    ****************************** System information ******************************
    Computer name: 2006DELL
    Processor name: Intel(R) Pentium(R) D CPU 2.80GHz
    Processor identifier: x86 Family 15 Model 4 Stepping 7
    Processor speed: ~2793MHZ
    Raw info: processorarchitecture 0, processortype 586, processorlevel 15, processor revision 1031, number of processors 2, processor features: [MMX,SSE,SSE2]
    Physical memory available: 326094848 bytes
    Physical memory total: 1071722496 bytes
    Virtual memory available: 1999785984 bytes
    Virtual memory total: 2147352576 bytes
    Memory load: 69%
    Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Windows startup mode:

    Running processes:
    PID: 620 name: \SystemRoot\System32\smss.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 676 name: \??\C:\WINDOWS\system32\csrss.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 708 name: \??\C:\WINDOWS\system32\winlogon.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 760 name: C:\WINDOWS\system32\services.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 772 name: C:\WINDOWS\system32\lsass.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 960 name: C:\WINDOWS\system32\Ati2evxx.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 1004 name: C:\WINDOWS\system32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 1148 name: C:\WINDOWS\system32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
    PID: 1276 name: C:\WINDOWS\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 1328 name: C:\WINDOWS\system32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 1456 name: C:\WINDOWS\system32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
    PID: 1560 name: C:\WINDOWS\system32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
    PID: 1604 name: C:\WINDOWS\system32\ZoneLabs\vsmon.exe owner: <UNKNOWN> domain: <UNKNOWN>
    PID: 1872 name: C:\WINDOWS\Explorer.exe owner: Mr. B domain: 2006DELL
    PID: 252 name: C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 436 name: C:\WINDOWS\system32\spoolsv.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 512 name: C:\Program Files\CheckPoint\ZAForceField\ForceField.exe owner: Mr. B domain: 2006DELL
    PID: 1252 name: C:\WINDOWS\system32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
    PID: 1352 name: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 1416 name: C:\Program Files\Bonjour\mDNSResponder.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 1472 name: C:\WINDOWS\system32\CTsvcCDA.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 1680 name: C:\WINDOWS\eHome\ehRecvr.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 1804 name: C:\WINDOWS\eHome\ehSched.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 176 name: C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE owner: SYSTEM domain: NT AUTHORITY
    PID: 1140 name: C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 1508 name: C:\WINDOWS\system32\tcpsvcs.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 212 name: C:\WINDOWS\system32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 2456 name: C:\WINDOWS\system32\dllhost.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 2828 name: C:\WINDOWS\ehome\ehtray.exe owner: Mr. B domain: 2006DELL
    PID: 3076 name: C:\WINDOWS\eHome\ehmsas.exe owner: Mr. B domain: 2006DELL
    PID: 3132 name: C:\WINDOWS\stsystra.exe owner: Mr. B domain: 2006DELL
    PID: 3164 name: C:\Program Files\Dell\Media Experience\DMXLauncher.exe owner: Mr. B domain: 2006DELL
    PID: 3256 name: C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe owner: Mr. B domain: 2006DELL
    PID: 3332 name: C:\WINDOWS\system32\Rundll32.exe owner: Mr. B domain: 2006DELL
    PID: 3456 name: C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe owner: Mr. B domain: 2006DELL
    PID: 3500 name: C:\DOCUME~1\MRC6CE~1.B\LOCALS~1\Temp\clclean.0001 owner: Mr. B domain: 2006DELL
    PID: 3520 name: C:\WINDOWS\System32\DLA\DLACTRLW.EXE owner: Mr. B domain: 2006DELL
    PID: 3540 name: C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE owner: Mr. B domain: 2006DELL
    PID: 3628 name: C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe owner: Mr. B domain: 2006DELL
    PID: 3756 name: C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 744 name: C:\Program Files\iTunes\iTunesHelper.exe owner: Mr. B domain: 2006DELL
    PID: 1692 name: C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe owner: <UNKNOWN> domain: <UNKNOWN>
    PID: 2580 name: C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe owner: Mr. B domain: 2006DELL
    PID: 1208 name: C:\Program Files\iPod\bin\iPodService.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 3892 name: C:\Program Files\Mozilla Firefox\firefox.exe owner: <UNKNOWN> domain: <UNKNOWN>
    PID: 3736 name: C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 3144 name: C:\WINDOWS\system32\wbem\unsecapp.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 1052 name: C:\WINDOWS\system32\wbem\wmiprvse.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 732 name: C:\WINDOWS\system32\wuauclt.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 3024 name: C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe owner: Mr. B domain: 2006DELL
    PID: 508 name: C:\WINDOWS\system32\wuauclt.exe owner: Mr. B domain: 2006DELL
    PID: 1736 name: C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe owner: Mr. B domain: 2006DELL

    Startup items:
    Name: {438755C2-A8BA-11D1-B96B-00A0C90312E1}
    imagepath: Browseui preloader
    Name: {8C7461EF-2B13-11d2-BE35-3078302C2030}
    imagepath: Component Categories cache daemon
    Name: ehTray
    imagepath: C:\WINDOWS\ehome\ehtray.exe
    Name: SigmatelSysTrayApp
    imagepath: stsystra.exe
    Name: DMXLauncher
    imagepath: C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    Name: CTSysVol
    imagepath: C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
    Name: MBMon
    imagepath: Rundll32 CTMBHA.DLL,MBMon
    Name: ISUSPM Startup
    imagepath: "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    Name: ISUSScheduler
    imagepath: "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    Name: DLA
    imagepath: C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    Name: EPSON Stylus CX4200 Series
    imagepath: C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB002" /M "Stylus CX4200"
    Name: CTCheck
    imagepath: C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
    Name: UpdReg
    imagepath: C:\WINDOWS\UpdReg.EXE
    Name: MSKDetectorExe
    imagepath: C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
    Name: AppleSyncNotifier
    imagepath: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    Name: iTunesHelper
    imagepath: "C:\Program Files\iTunes\iTunesHelper.exe"
    Name: ZoneAlarm Client
    imagepath: "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    Name: ISW
    imagepath: "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"
    Name: QuickTime Task
    imagepath: "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    Name: MSConfig
    imagepath: C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
    Name: PostBootReminder
    imagepath: {7849596a-48ea-486e-8937-a2a3009f31a9}
    Name: CDBurn
    imagepath: {fbeb8a05-beee-4442-804e-409d6c4515e9}
    Name: WebCheck
    imagepath: {E6FB5E20-DE35-11CF-9C87-00AA005127ED}
    Name: SysTray
    imagepath: {35CEC8A3-2BE6-11D2-8773-92E220524153}
    Name: WPDShServiceObj
    imagepath: {AAA288BA-9A4C-45B0-95D7-94D524869DB5}
    Name: SysNet
    imagepath: {A306FCA7-D1CE-4A80-B97A-E5B1DE8B98FE}
    Name:
    imagepath: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

    Bootexecute items:
    Name:
    imagepath: autocheck autochk *

    Running services:
    Name: Apple Mobile Device
    displayname: Apple Mobile Device
    Name: Ati HotKey Poller
    displayname: Ati HotKey Poller
    Name: AudioSrv
    displayname: Windows Audio
    Name: BITS
    displayname: Background Intelligent Transfer Service
    Name: Bonjour Service
    displayname: Bonjour Service
    Name: COMSysApp
    displayname: COM+ System Application
    Name: Creative Labs Licensing Service
    displayname: Creative Labs Licensing Service
    Name: Creative Service for CDROM Access
    displayname: Creative Service for CDROM Access
    Name: CryptSvc
    displayname: Cryptographic Services
    Name: DcomLaunch
    displayname: DCOM Server Process Launcher
    Name: Dhcp
    displayname: DHCP Client
    Name: dmserver
    displayname: Logical Disk Manager
    Name: Dnscache
    displayname: DNS Client
    Name: ehRecvr
    displayname: Media Center Receiver Service
    Name: ehSched
    displayname: Media Center Scheduler Service
    Name: ERSvc
    displayname: Error Reporting Service
    Name: Eventlog
    displayname: Event Log
    Name: EventSystem
    displayname: COM+ Event System
    Name: FastUserSwitchingCompatibility
    displayname: Fast User Switching Compatibility
    Name: helpsvc
    displayname: Help and Support
    Name: iPod Service
    displayname: iPod Service
    Name: IswSvc
    displayname: ZoneAlarm Toolbar IswSvc
    Name: lanmanserver
    displayname: Server
    Name: lanmanworkstation
    displayname: Workstation
    Name: Lavasoft Ad-Aware Service
    displayname: Lavasoft Ad-Aware Service
    Name: LmHosts
    displayname: TCP/IP NetBIOS Helper
    Name: MDM
    displayname: Machine Debug Manager
    Name: MSSQL$MICROSOFTSMLBIZ
    displayname: MSSQL$MICROSOFTSMLBIZ
    Name: Netman
    displayname: Network Connections
    Name: Nla
    displayname: Network Location Awareness (NLA)
    Name: PlugPlay
    displayname: Plug and Play
    Name: PolicyAgent
    displayname: IPSEC Services
    Name: ProtectedStorage
    displayname: Protected Storage
    Name: RasMan
    displayname: Remote Access Connection Manager
    Name: RemoteRegistry
    displayname: Remote Registry
    Name: RpcSs
    displayname: Remote Procedure Call (RPC)
    Name: SamSs
    displayname: Security Accounts Manager
    Name: Schedule
    displayname: Task Scheduler
    Name: seclogon
    displayname: Secondary Logon
    Name: SENS
    displayname: System Event Notification
    Name: ShellHWDetection
    displayname: Shell Hardware Detection
    Name: SimpTcp
    displayname: Simple TCP/IP Services
    Name: Spooler
    displayname: Print Spooler
    Name: srservice
    displayname: System Restore Service
    Name: stisvc
    displayname: Windows Image Acquisition (WIA)
    Name: TapiSrv
    displayname: Telephony
    Name: TermService
    displayname: Terminal Services
    Name: Themes
    displayname: Themes
    Name: TrkWks
    displayname: Distributed Link Tracking Client
    Name: vsmon
    displayname: TrueVector Internet Monitor
    Name: w32time
    displayname: Windows Time
    Name: WebClient
    displayname: WebClient
    Name: winmgmt
    displayname: Windows Management Instrumentation
    Name: wuauserv
    displayname: Automatic Updates
    Name: WudfSvc
    displayname: Windows Driver Foundation - User-mode Driver Framework
    Name: WZCSVC
    displayname: Wireless Zero Configuration
    ------------------------------------------------

  2. 2009/12/01, loogoldham (Thread Starter)

    DDS.TXT


    DDS (Ver_09-12-01.01) - NTFSx86
    Run by Mr. B at 12:06:52.10 on Tue 12/01/2009
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.352 [GMT -8:00]

    AV: ZoneAlarm Antivirus *On-access scanning enabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
    FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

    ============== Running Processes ===============

    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.exe
    C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
    C:\WINDOWS\system32\tcpsvcs.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\DOCUME~1\MRC6CE~1.B\LOCALS~1\Temp\clclean.0001
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
    C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
    C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Mr. B\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = about:blank
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    mWinlogon: Shell=Explorer.exe logon.exe
    BHO: 1 (0x1): {02478d38-c3f9-4efb-9b51-7695eca05670} - &Yahoo! Toolbar Helper
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: {1FD79A59-37B1-459B-9097-09F9FAB8A523} - No File
    BHO: {376892AE-1825-4E5F-9F85-23F9640051CC} - No File
    BHO: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - Yahoo! IE Services Button
    BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
    BHO: ZoneAlarm Toolbar Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
    TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
    uRun: [SetDefaultMIDI] MIDIDef.exe
    uRun: [Creative Detector] "c:\program files\creative\mediasource\detector\CTDetect.exe" /R
    mRun: [ehTray] c:\windows\ehome\ehtray.exe
    mRun: [SigmatelSysTrayApp] stsystra.exe
    mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
    mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
    mRun: [MBMon] Rundll32 CTMBHA.DLL,MBMon
    mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
    mRun: [EPSON Stylus CX4200 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB002" /M "Stylus CX4200"
    mRun: [CTCheck] c:\program files\creative\creative zen\zen media explorer\CTCheck.exe
    mRun: [UpdReg] c:\windows\UpdReg.EXE
    mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
    mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
    mRun: [ISW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
    IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683}
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
    IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
    DPF: {03A13D5D-2C8E-4C1A-970D-D6D07A4FE3D0} - hxxps://atlas.atlassolutions.com/dl/AtlasCtrl.cab
    DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - hxxp://www.creative.com/softwareupdate/su/ocx/15031/CTSUEng.cab
    DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab}
    DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
    DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
    DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/softwareupdate/su/ocx/15106/CTPID.cab
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SSODL: SysNet - {A306FCA7-D1CE-4A80-B97A-E5B1DE8B98FE} -
    SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\mrc6ce~1.b\applic~1\mozilla\firefox\profiles\uruunfbj.default\
    FF - prefs.js: browser.startup.homepage - about:blank
    FF - prefs.js: network.proxy.type - 4
    FF - component: c:\program files\checkpoint\zaforcefield\trustchecker\components\MozillaDownload.dll
    FF - component: c:\program files\checkpoint\zaforcefield\trustchecker\components\TrustCheckerMozillaPlugin.dll
    FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
    FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
    FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
    FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
    FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
    FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
    FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdsplay.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npwmsdrm.dll

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

    ============= SERVICES / DRIVERS ===============

    R0 kl1;kl1;c:\windows\system32\drivers\kl1.sys [2009-11-21 128016]
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-12-1 64288]
    R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-11-21 317072]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-2-17 8944]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
    R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2006-12-17 486280]
    R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2009-10-14 25208]
    R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2009-10-14 476528]
    S?2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
    S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
    S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1184912]
    S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]

    =============== Created Last 30 ================

    2009-12-01 20:04:57 15880 ----a-w- c:\windows\system32\lsdelete.exe
    2009-12-01 19:07:04 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2009-12-01 19:05:39 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2009-12-01 19:00:11 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
    2009-12-01 18:47:46 205 ----a-w- C:\~TaxUnin.bat
    2009-12-01 04:57:29 0 d-----w- c:\docume~1\mrc6ce~1.b\applic~1\CheckPoint
    2009-11-22 01:07:26 0 d-----w- c:\program files\CheckPoint
    2009-11-22 01:07:21 128016 ----a-w- c:\windows\system32\drivers\kl1.sys
    2009-11-09 01:34:27 0 d-----w- c:\program files\iPod
    2009-11-09 01:34:06 0 d-----w- c:\program files\iTunes
    2009-11-07 06:52:39 51197 ----a-w- c:\windows\spoov.exe
    2009-11-07 06:52:39 47872 ----a-w- c:\windows\certsystem.exe
    2009-11-07 06:52:39 38352 ----a-w- c:\windows\regred.exe
    2009-11-07 06:52:39 33149 ----a-w- c:\windows\usexplorer.exe
    2009-11-07 06:52:39 28320 ----a-w- c:\windows\securits.com
    2009-11-07 06:52:39 18941 ----a-w- c:\windows\microsoftdef.dll
    2009-11-07 06:52:37 0 d-----w- c:\documents and settings\all users\Microsoft AData

    ==================== Find3M ====================

    2009-12-01 19:39:55 4212 ---ha-w- c:\windows\system32\zllictbl.dat
    2009-11-12 20:44:27 15360 ----a-w- c:\windows\system32\logoff.exe
    2009-11-12 20:44:27 15360 ----a-w- c:\windows\system32\dllcache\logoff.exe
    2009-10-22 09:19:04 5939712 ------w- c:\windows\system32\dllcache\mshtml.dll
    2009-10-17 09:39:40 72584 ----a-w- c:\windows\zllsputility.exe
    2009-10-17 09:39:32 1238408 ----a-w- c:\windows\system32\zpeng25.dll
    2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
    2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
    2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
    2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
    2006-11-25 22:59:43 88 --sh--r- c:\windows\system32\0DE7710C42.sys
    2006-11-25 22:59:45 3558 --sha-w- c:\windows\system32\KGyGaAvL.sys

    ============= FINISH: 12:09:24.06 ===============
     


  4. 2009/12/01
    loogoldham

    loogoldham Inactive Thread Starter

    Joined:
    2009/12/01
    Messages:
    15
    Likes Received:
    0
    ATTACH.TXT



    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-12-01.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 9/5/2006 10:32:13 PM
    System Uptime: 12/1/2009 11:21:57 AM (1 hours ago)

    Motherboard: Dell Inc. | | 0HJ054
    Processor: Intel(R) Pentium(R) D CPU 2.80GHz | Microprocessor | 2793/800mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 70 GiB total, 38.644 GiB free.
    D: is CDROM (UDF)
    F: is FIXED (NTFS) - 233 GiB total, 74.408 GiB free.

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP122: 9/1/2009 9:43:28 PM - System Checkpoint
    RP123: 9/3/2009 10:39:31 AM - System Checkpoint
    RP124: 9/4/2009 12:25:40 PM - System Checkpoint
    RP125: 9/5/2009 4:04:11 PM - System Checkpoint
    RP126: 9/7/2009 10:06:24 AM - System Checkpoint
    RP127: 9/9/2009 7:06:26 AM - System Checkpoint
    RP128: 9/9/2009 9:00:27 PM - Software Distribution Service 3.0
    RP129: 9/9/2009 9:51:58 PM - Software Distribution Service 3.0
    RP130: 9/9/2009 10:06:03 PM - Software Distribution Service 3.0
    RP131: 9/11/2009 7:19:46 AM - System Checkpoint
    RP132: 9/12/2009 9:31:12 AM - System Checkpoint
    RP133: 9/25/2009 8:47:45 PM - System Checkpoint
    RP134: 9/27/2009 12:32:12 PM - System Checkpoint
    RP135: 9/28/2009 5:04:48 PM - System Checkpoint
    RP136: 9/30/2009 9:41:58 AM - System Checkpoint
    RP137: 10/1/2009 10:16:14 AM - System Checkpoint
    RP138: 10/2/2009 1:11:13 PM - System Checkpoint
    RP139: 10/3/2009 3:59:15 PM - System Checkpoint
    RP140: 10/4/2009 4:35:29 PM - System Checkpoint
    RP141: 10/6/2009 9:59:06 AM - System Checkpoint
    RP142: 10/7/2009 12:52:38 PM - System Checkpoint
    RP143: 10/8/2009 2:17:42 PM - System Checkpoint
    RP144: 10/9/2009 2:37:34 PM - System Checkpoint
    RP145: 10/10/2009 3:27:44 PM - System Checkpoint
    RP146: 10/11/2009 3:31:33 PM - System Checkpoint
    RP147: 10/12/2009 3:37:49 PM - System Checkpoint
    RP148: 10/13/2009 5:31:20 PM - Software Distribution Service 3.0
    RP149: 10/14/2009 9:27:22 PM - System Checkpoint
    RP150: 10/16/2009 9:05:35 AM - System Checkpoint
    RP151: 10/18/2009 9:17:43 AM - System Checkpoint
    RP152: 10/19/2009 9:53:34 AM - System Checkpoint
    RP153: 10/20/2009 1:30:39 PM - System Checkpoint
    RP154: 10/21/2009 5:16:57 PM - System Checkpoint
    RP155: 10/22/2009 8:30:14 PM - System Checkpoint
    RP156: 10/23/2009 9:26:15 PM - System Checkpoint
    RP157: 11/7/2009 12:13:33 PM - System Checkpoint
    RP158: 11/7/2009 9:00:16 PM - Software Distribution Service 3.0
    RP159: 11/9/2009 10:23:29 AM - System Checkpoint
    RP160: 11/10/2009 1:45:33 PM - System Checkpoint
    RP161: 11/12/2009 8:09:42 PM - System Checkpoint
    RP162: 11/14/2009 11:43:03 AM - System Checkpoint
    RP163: 11/15/2009 11:58:38 AM - System Checkpoint
    RP164: 11/15/2009 9:00:20 PM - Software Distribution Service 3.0
    RP165: 11/17/2009 11:58:23 AM - System Checkpoint
    RP166: 11/18/2009 12:23:01 PM - System Checkpoint
    RP167: 11/19/2009 1:49:19 PM - System Checkpoint
    RP168: 11/20/2009 4:12:49 PM - System Checkpoint
    RP169: 11/21/2009 6:43:48 PM - System Checkpoint
    RP170: 11/22/2009 7:40:15 PM - System Checkpoint
    RP171: 11/23/2009 9:28:32 PM - System Checkpoint
    RP172: 11/30/2009 8:35:24 AM - System Checkpoint
    RP173: 12/1/2009 10:51:54 AM - Made by Registry Mechanic
    RP174: 12/1/2009 10:53:23 AM - Made by Registry Mechanic
    RP175: 12/1/2009 11:57:34 AM - Made by Registry Mechanic

    ==== Installed Programs ======================

    Ad-Aware
    Adobe Bridge 1.0
    Adobe Common File Installer
    Adobe Download Manager
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Help Center 1.0
    Adobe Photoshop CS2
    Adobe Premiere 6.0
    Adobe Reader 7.0.9
    Adobe Shockwave Player
    Adobe Stock Photos 1.0
    Advanced RealMedia Export Plug-in for Premiere 6.0
    AOLIcon
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    ATI Control Panel
    ATI Display Driver
    AudibleManager
    Bonjour
    CCleaner (remove only)
    Compatibility Pack for the 2007 Office system
    Creative MediaSource
    Creative System Information
    Creative ZEN
    Critical Update for Windows Media Player 11 (KB959772)
    Daniusoft WMA MP3 Converter(Build 2.1.0)
    Dell CinePlayer
    Dell Digital Jukebox Driver
    Dell Driver Reset Tool
    Dell Support 3.1
    Dell System Restore
    Digital Content Portal
    Digital Line Detect
    DivX 5.0.2 Bundle
    Documentation & Support Launcher
    ELIcon
    EPSON Printer Software
    EPSON Scan
    Games, Music, & Photos Launcher
    GemMaster Mystic
    High Definition Audio Driver Package - KB835221
    HijackThis 2.0.2
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 10 (KB903157)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB970653-v3)
    Image Grabber 3.0.1
    Intel(R) PRO Network Connections Drivers
    Intel(R) PROSet for Wired Connections
    Ipswitch WS_FTP LE
    iTunes
    J2SE Runtime Environment 5.0 Update 6
    MCU
    Microsoft .NET Framework 1.0 Hotfix (KB953295)
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB953297)
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Office Outlook 2003 with Business Contact Manager Update
    Microsoft Office Professional Edition 2003
    Microsoft Office Small Business Edition 2003
    Microsoft Plus! Digital Media Edition Installer
    Microsoft Plus! Photo Story 2 LE
    Microsoft Silverlight
    Microsoft SQL Server Desktop Engine (MICROSOFTSMLBIZ)
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Works
    MobileMe Control Panel
    Modem Helper
    Mozilla Firefox (3.5.5)
    MP3 Player Recovery Tool
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    NetWaiting
    PokerStars.net
    QuickTime
    Registry Mechanic 6.0
    Rhapsody
    Rhapsody Player Engine
    Roxio DLA
    Roxio MyDVD LE
    Roxio RecordNow Audio
    Roxio RecordNow Copy
    Roxio RecordNow Data
    Safari
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950759)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953838)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956390)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960714)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB963027)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969897)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Sid Meier's Civilization 4
    Sonic Activation Module
    Sonic Advanced Decoder
    Sonic Encoders
    Sonic Update Manager
    Sound Blaster Audigy ADVANCED MB
    Sound Blaster Audigy ADVANCED MB Product Registration
    Update for Windows Internet Explorer 8 (KB971930)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Media Player 10 (KB910393)
    Update for Windows Media Player 10 (KB913800)
    Update for Windows Media Player 10 (KB926251)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB973815)
    Update Rollup 2 for Windows XP Media Center Edition 2005
    VC 9.0 Runtime
    VideoLAN VLC media player 0.8.5
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    WebFldrs XP
    Winamp (remove only)
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Installer 3.1 (KB893803)
    Windows Internet Explorer 8
    Windows Live OneCare safety scanner
    Windows Media Format 11 runtime
    Windows Media Player 10
    Windows Media Player 10 Hotfix - KB895316
    Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
    Windows Media Player 11
    Windows XP Media Center Edition 2005 KB908246
    Windows XP Media Center Edition 2005 KB925766
    Windows XP Media Center Edition 2005 KB973768
    Windows XP Service Pack 3
    WinRAR archiver
    Yahoo! Browser Services
    Yahoo! Install Manager
    Yahoo! Internet Mail
    Yahoo! Toolbar
    ZENcast Organizer
    ZoneAlarm Anti-virus
    ZoneAlarm Toolbar

    ==== Event Viewer Messages From Past Week ========

    12/1/2009 11:12:17 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
    12/1/2009 11:12:17 AM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    11/30/2009 8:19:06 AM, error: Dhcp [1002] - The IP address lease 70.180.217.189 for the Network Card with network address 001372E51D93 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
    11/29/2009 7:21:46 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    11/29/2009 7:13:47 PM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
    11/29/2009 4:52:45 PM, error: ipnathlp [30013] - The DHCP allocator has disabled itself on IP address 70.180.217.189, since the IP address is outside the 192.168.0.0/255.255.255.0 scope from which addresses are being allocated to DHCP clients. To enable the DHCP allocator on this IP address, please change the scope to include the IP address, or change the IP address to fall within the scope.
    11/25/2009 7:23:56 AM, error: Service Control Manager [7001] - The Media Center Extender Service service depends on the SSDP Discovery Service service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    11/25/2009 7:23:45 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    11/25/2009 7:23:08 AM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
    11/25/2009 7:23:08 AM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
    11/24/2009 7:16:53 AM, error: ipnathlp [30013] - The DHCP allocator has disabled itself on IP address 68.224.108.188, since the IP address is outside the 192.168.0.0/255.255.255.0 scope from which addresses are being allocated to DHCP clients. To enable the DHCP allocator on this IP address, please change the scope to include the IP address, or change the IP address to fall within the scope.
    11/24/2009 7:04:00 AM, error: Service Control Manager [7001] - The Universal Plug and Play Device Host service depends on the SSDP Discovery Service service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    11/24/2009 7:04:00 AM, error: ipnathlp [30013] - The DHCP allocator has disabled itself on IP address 192.168.100.11, since the IP address is outside the 192.168.0.0/255.255.255.0 scope from which addresses are being allocated to DHCP clients. To enable the DHCP allocator on this IP address, please change the scope to include the IP address, or change the IP address to fall within the scope.
    11/24/2009 7:04:00 AM, error: DCOM [10005] - DCOM got error "%1068" attempting to start the service upnphost with arguments "" in order to run the server: {204810B9-73B2-11D4-BF42-00B0D0118B56}
    11/24/2009 7:02:40 AM, error: Dhcp [1002] - The IP address lease 68.224.108.188 for the Network Card with network address 001372E51D93 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
    11/24/2009 3:31:01 PM, error: ipnathlp [31008] - The DNS proxy agent was unable to read the local list of name-resolution servers from the registry. The data is the error code.

    ==== End Of File ===========================
     
  5. 2009/12/01
    loogoldham

    loogoldham Inactive Thread Starter

    Joined:
    2009/12/01
    Messages:
    15
    Likes Received:
    0
    FYI: I tried posting dds.txt but it said it needed admin approval before appearing
     
  6. 2009/12/01
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please download GooredFix from one of the locations below and save it to your Desktop
    Download Mirror #1
    Download Mirror #2
    • Ensure all Firefox windows are closed.
    • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
    • When prompted to run the scan, click Yes.
    • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).
     
  7. 2009/12/01
    loogoldham

    loogoldham Inactive Thread Starter

    Joined:
    2009/12/01
    Messages:
    15
    Likes Received:
    0
    Thank you for your quick response, Broni.


    GooredFix by jpshortstuff (27.11.09.1)
    Log created at 20:40 on 01/12/2009 (Mr. B)
    Firefox version 3.5.5 (en-US)

    ========== GooredScan ==========


    ========== GooredLog ==========

    C:\Program Files\Mozilla Firefox\extensions\
    {972ce4c6-7e08-4474-a285-3208198ce6fd} [07:18 06/09/2006]

    [HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
    "{FFB96CC1-7EB3-449D-B827-DB661701C6BB}"="C:\Program Files\CheckPoint\ZAForceField\TrustChecker" [01:07 22/11/2009]

    -=E.O.F=-
     
  8. 2009/12/01
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Please, never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE. If Combofix asks you to install Recovery Console, please allow it.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!


    Download HijackThis:
    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
    by clicking on Download HijackThis Installer
    Install, and run it.
    Post HijackThis log.
    Do NOT attempt to fix anything!

    NOTE. If you're using Vista, right click on HijackThis, and click Run as Administrator
     
  9. 2009/12/02
    loogoldham

    loogoldham Inactive Thread Starter

    Joined:
    2009/12/01
    Messages:
    15
    Likes Received:
    0
    COMBOFIX LOG



    ComboFix 09-12-01.01 - Mr. B 12/01/2009 22:13.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.639 [GMT -8:00]
    Running from: c:\documents and settings\Mr. B\Desktop\ComboFix.exe
    AV: ZoneAlarm Antivirus *On-access scanning enabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
    FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Microsoft AData
    c:\documents and settings\All Users\Microsoft AData\t.sid
    c:\windows\certsystem.exe
    c:\windows\Downloaded Program Files\popcaploader.inf
    c:\windows\kb913800.exe
    c:\windows\microsoftdef.dll
    c:\windows\regred.exe
    c:\windows\run.log
    c:\windows\securits.com
    c:\windows\spoov.exe
    c:\windows\system32\Data
    c:\windows\usexplorer.exe

    Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
    Restored copy from - Kitty ate it :p
    Infected copy of c:\windows\system32\lsass.exe was found and disinfected
    Restored copy from - c:\windows\ServicePackFiles\i386\lsass.exe

    .
    ((((((((((((((((((((((((( Files Created from 2009-11-02 to 2009-12-02 )))))))))))))))))))))))))))))))
    .

    2009-12-02 05:00 . 2009-12-02 05:00 -------- d-----w- c:\program files\MSXML 4.0
    2009-12-01 20:04 . 2009-12-01 19:05 15880 ----a-w- c:\windows\system32\lsdelete.exe
    2009-12-01 19:07 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2009-12-01 19:00 . 2009-10-03 08:15 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
    2009-12-01 19:00 . 2009-12-01 19:00 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
    2009-12-01 18:58 . 2009-12-01 19:13 117760 ----a-w- c:\documents and settings\Mr. B\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2009-12-01 18:47 . 2009-12-01 18:47 205 ----a-w- C:\~TaxUnin.bat
    2009-12-01 04:57 . 2009-12-01 04:57 -------- d-----w- c:\documents and settings\Mr. B\Application Data\CheckPoint
    2009-11-22 01:07 . 2009-11-22 01:07 -------- d-----w- c:\documents and settings\Mrs. S\Application Data\CheckPoint
    2009-11-22 01:07 . 2009-11-22 01:07 -------- d-----w- c:\program files\CheckPoint
    2009-11-22 01:07 . 2009-10-13 02:15 128016 ----a-w- c:\windows\system32\drivers\kl1.sys
    2009-11-22 01:06 . 2009-10-17 09:39 69000 ----a-w- c:\windows\system32\zlcomm.dll
    2009-11-22 01:06 . 2009-10-17 09:39 103816 ----a-w- c:\windows\system32\zlcommdb.dll
    2009-11-09 01:34 . 2009-11-09 01:34 -------- d-----w- c:\program files\iPod
    2009-11-09 01:34 . 2009-11-09 01:35 -------- d-----w- c:\program files\iTunes
    2009-11-09 01:27 . 2009-11-09 01:27 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
    2009-11-07 06:52 . 2009-11-07 06:52 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-12-02 05:24 . 2006-12-18 06:48 4212 ---ha-w- c:\windows\system32\zllictbl.dat
    2009-12-01 19:57 . 2007-08-19 00:59 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2009-12-01 19:21 . 2009-12-01 19:22 3508736 ----a-w- c:\windows\Internet Logs\xDB29F.tmp
    2009-12-01 19:08 . 2009-12-01 19:09 941568 ----a-w- c:\windows\Internet Logs\xDB29E.tmp
    2009-12-01 18:59 . 2008-12-24 18:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2009-12-01 18:59 . 2006-10-08 04:53 -------- d-----w- c:\program files\Lavasoft
    2009-12-01 18:57 . 2009-03-07 07:23 -------- d-----w- c:\documents and settings\Mr. B\Application Data\SUPERAntiSpyware.com
    2009-12-01 18:47 . 2007-04-15 02:45 -------- d-----w- c:\program files\Common Files\Intuit
    2009-12-01 18:43 . 2007-09-15 00:37 -------- d-----w- c:\documents and settings\Mr. B\Application Data\uTorrent
    2009-12-01 06:48 . 2009-12-01 14:49 2752000 ----a-w- c:\windows\Internet Logs\xDB29D.tmp
    2009-11-30 05:41 . 2009-11-30 16:19 267264 ----a-w- c:\windows\Internet Logs\xDB29C.tmp
    2009-11-24 06:50 . 2009-11-24 15:02 2747392 ----a-w- c:\windows\Internet Logs\xDB29B.tmp
    2009-11-23 00:59 . 2009-11-23 01:00 2746368 ----a-w- c:\windows\Internet Logs\xDB29A.tmp
    2009-11-22 21:57 . 2009-11-22 21:58 2745856 ----a-w- c:\windows\Internet Logs\xDB299.tmp
    2009-11-22 21:57 . 2009-11-22 21:58 51712 ----a-w- c:\windows\Internet Logs\xDB298.tmp
    2009-11-22 07:50 . 2009-11-22 17:01 98816 ----a-w- c:\windows\Internet Logs\xDB297.tmp
    2009-11-21 06:55 . 2009-11-22 00:38 207872 ----a-w- c:\windows\Internet Logs\xDB296.tmp
    2009-11-16 05:57 . 2009-11-16 21:03 132096 ----a-w- c:\windows\Internet Logs\xDB295.tmp
    2009-11-13 06:26 . 2009-11-13 16:14 97280 ----a-w- c:\windows\Internet Logs\xDB294.tmp
    2009-11-12 20:44 . 2005-08-16 09:37 15360 ----a-w- c:\windows\system32\logoff.exe
    2009-11-11 05:42 . 2009-11-11 17:18 65536 ----a-w- c:\windows\Internet Logs\xDB293.tmp
    2009-11-10 06:17 . 2009-11-10 15:46 269312 ----a-w- c:\windows\Internet Logs\xDB292.tmp
    2009-11-09 01:34 . 2009-08-17 03:26 -------- d-----w- c:\program files\Common Files\Apple
    2009-11-09 01:26 . 2009-08-17 03:30 -------- d-----w- c:\documents and settings\Mr. B\Application Data\Apple Computer
    2009-11-07 07:47 . 2009-11-07 17:23 104960 ----a-w- c:\windows\Internet Logs\xDB28E.tmp
    2009-10-22 05:07 . 2009-10-22 14:47 57344 ----a-w- c:\windows\Internet Logs\xDB28D.tmp
    2009-10-21 05:25 . 2009-10-21 13:51 91648 ----a-w- c:\windows\Internet Logs\xDB28C.tmp
    2009-10-19 03:38 . 2009-10-19 14:49 199168 ----a-w- c:\windows\Internet Logs\xDB28B.tmp
    2009-10-17 09:39 . 2006-12-18 06:47 72584 ----a-w- c:\windows\zllsputility.exe
    2009-10-17 09:39 . 2008-11-08 16:44 1238408 ----a-w- c:\windows\system32\zpeng25.dll
    2009-10-14 01:16 . 2009-10-14 01:17 81408 ----a-w- c:\windows\Internet Logs\xDB28A.tmp
    2009-10-13 05:17 . 2009-10-13 15:12 222720 ----a-w- c:\windows\Internet Logs\xDB289.tmp
    2009-10-10 09:13 . 2009-10-10 18:19 53760 ----a-w- c:\windows\Internet Logs\xDB288.tmp
    2009-10-09 05:39 . 2009-10-09 14:47 52224 ----a-w- c:\windows\Internet Logs\xDB287.tmp
    2009-10-08 05:34 . 2009-10-08 13:28 154624 ----a-w- c:\windows\Internet Logs\xDB286.tmp
    2009-10-07 03:28 . 2009-10-07 14:09 88576 ----a-w- c:\windows\Internet Logs\xDB285.tmp
    2009-10-05 05:37 . 2009-10-05 13:17 64000 ----a-w- c:\windows\Internet Logs\xDB284.tmp
    2009-10-04 09:13 . 2009-10-04 16:31 269312 ----a-w- c:\windows\Internet Logs\xDB283.tmp
    2009-09-29 04:33 . 2009-09-29 13:38 263168 ----a-w- c:\windows\Internet Logs\xDB282.tmp
    2009-09-26 04:20 . 2009-09-26 14:11 2354688 ----a-w- c:\windows\Internet Logs\xDB281.tmp
    2009-09-13 03:54 . 2009-09-13 11:19 407040 ----a-w- c:\windows\Internet Logs\xDB280.tmp
    2009-09-11 14:18 . 2005-08-16 09:18 136192 ----a-w- c:\windows\system32\msv1_0.dll
    2009-09-06 07:06 . 2009-09-07 01:04 131584 ----a-w- c:\windows\Internet Logs\xDB27F.tmp
    2009-09-04 21:03 . 2005-08-16 09:18 58880 ----a-w- c:\windows\system32\msasn1.dll
    2009-09-03 18:53 . 2009-09-29 14:21 30912 ----a-w- c:\documents and settings\Mrs. S\Application Data\Mozilla\Firefox\Profiles\v8sncmg0.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
    2009-09-03 18:53 . 2009-09-29 14:21 22848 ----a-w- c:\documents and settings\Mrs. S\Application Data\Mozilla\Firefox\Profiles\v8sncmg0.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg_bootstrap.exe
    2009-09-03 18:53 . 2009-09-29 14:21 19792 ----a-w- c:\documents and settings\Mrs. S\Application Data\Mozilla\Firefox\Profiles\v8sncmg0.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
    2006-11-25 22:59 . 2006-09-14 03:46 88 --sh--r- c:\windows\system32\0DE7710C42.sys
    2006-11-25 22:59 . 2006-09-14 03:46 3558 --sha-w- c:\windows\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
    "SetDefaultMIDI"="MIDIDef.exe" - c:\windows\MIDIDEF.EXE [2004-12-22 24576]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
    "DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2006-05-03 98304]
    "CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-09-15 57344]
    "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
    "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-12-23 122940]
    "EPSON Stylus CX4200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE" [2005-03-08 98304]
    "CTCheck"="c:\program files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe" [2007-11-06 397312]
    "UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
    "MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
    "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-10-17 1037192]
    "ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2009-10-14 730480]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
    "SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-22 339968]
    "MBMon"="CTMBHA.DLL" - c:\windows\system32\CTMBHA.DLL [2005-05-19 1345520]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\personalguard

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\drivers\\svchost.exe"=
    "c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)
    "AllowInboundTimestampRequest"= 1 (0x1)
    "AllowInboundMaskRequest"= 1 (0x1)
    "AllowInboundRouterRequest"= 1 (0x1)
    "AllowOutboundDestinationUnreachable"= 1 (0x1)
    "AllowOutboundSourceQuench"= 1 (0x1)
    "AllowOutboundParameterProblem"= 1 (0x1)
    "AllowOutboundTimeExceeded"= 1 (0x1)
    "AllowRedirect"= 1 (0x1)
    "AllowOutboundPacketTooBig"= 1 (0x1)

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [12/1/2009 11:07 AM 64288]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2009 11:43 AM 8944]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2009 11:43 AM 55024]
    R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [10/14/2009 5:30 AM 25208]
    R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [10/14/2009 5:30 AM 476528]
    S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 3:17 AM 1184912]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2009 11:43 AM 7408]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder

    2009-09-11 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    DPF: {03A13D5D-2C8E-4C1A-970D-D6D07A4FE3D0} - hxxps://atlas.atlassolutions.com/dl/AtlasCtrl.cab
    FF - ProfilePath - c:\documents and settings\Mr. B\Application Data\Mozilla\Firefox\Profiles\uruunfbj.default\
    FF - prefs.js: browser.startup.homepage - about:blank
    FF - prefs.js: network.proxy.type - 4
    FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\MozillaDownload.dll
    FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\TrustCheckerMozillaPlugin.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdsplay.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npwmsdrm.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    .
    - - - - ORPHANS REMOVED - - - -

    ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
    SSODL-SysNet-{A306FCA7-D1CE-4A80-B97A-E5B1DE8B98FE} - (no file)
    SafeBoot-aawservice
    AddRemove-Ad-Aware - c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe REMOVE=TRUE MODIFY=FALSE
    AddRemove-RNCompiler 6.0 - c:\program files\Adobe\Premiere 6.0\Plug-ins\RNCompiler\rnuninst.exe RealNetworks|RNCompiler|6.0
    AddRemove-Sound Blaster Audigy ADVANCED MB Windows Drivers - c:\program files\Creative\SBAudigy\Program\CTZapxx.EXE ctsbmb.ini



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-12-01 22:31
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{9D9EEA93-DD59-68FD-2527E621161D0237}\{C35E9742-B8BD-06C7-FA5575747B82F58D}\{7D561727-4D3E-D313-4CFAAB3C00BB0207}*]
    "S6KI1YERXJTIP3T5RVDI41UR2G1"=hex:01,00,01,00,00,00,00,00,26,ff,b1,c2,08,0b,50,
    9e,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(716)
    c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

    - - - - - - - > 'lsass.exe'(776)
    c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

    - - - - - - - > 'explorer.exe'(2220)
    c:\windows\system32\WININET.dll
    c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\system32\CTsvcCDA.exe
    c:\windows\eHome\ehRecvr.exe
    c:\windows\eHome\ehSched.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
    c:\windows\system32\tcpsvcs.exe
    c:\windows\system32\dllhost.exe
    c:\windows\system32\Rundll32.exe
    c:\windows\eHome\ehmsas.exe
    c:\docume~1\MRC6CE~1.B\LOCALS~1\Temp\clclean.0001
    c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2009-12-01 22:40 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-12-02 06:40
    ComboFix2.txt 2009-03-15 02:28

    Pre-Run: 41,565,081,600 bytes free
    Post-Run: 42,100,465,664 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS= "Windows XP Media Center Edition" /noexecute=optin /fastdetect

    - - End Of File - - 6F4EABD189B677E81E8707CDF370726C
     
  10. 2009/12/02
    loogoldham

    loogoldham Inactive Thread Starter

    Joined:
    2009/12/01
    Messages:
    15
    Likes Received:
    0
    hijackthis log


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:44:01 PM, on 12/1/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
    C:\WINDOWS\system32\tcpsvcs.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
    C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\DOCUME~1\MRC6CE~1.B\LOCALS~1\Temp\clclean.0001
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: ZoneAlarm Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O3 - Toolbar: ZoneAlarm Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB002" /M "Stylus CX4200"
    O4 - HKLM\..\Run: [CTCheck] C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [ISW] "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
    O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
    O16 - DPF: {03A13D5D-2C8E-4C1A-970D-D6D07A4FE3D0} (FileMgr Class) - https://atlas.atlassolutions.com/dl/AtlasCtrl.cab
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15031/CTSUEng.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) -
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
    O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15106/CTPID.cab
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: ZoneAlarm Toolbar IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 8794 bytes
     
  11. 2009/12/02
    loogoldham

    loogoldham Inactive Thread Starter

    Joined:
    2009/12/01
    Messages:
    15
    Likes Received:
    0
    posted both logs, waiting for admin approval. Thanks again for your help!
     
  12. 2009/12/02
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    How is the redirection issue right now?


    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\0DE7710C42.sys
    
    
    Folder::
    
    Driver::
    
    Registry::
    
    RegLockDel::
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
     
  13. 2009/12/02
    loogoldham

    loogoldham Inactive Thread Starter

    Joined:
    2009/12/01
    Messages:
    15
    Likes Received:
    0
    Google is working again. Thanks!

    Here is the Combofix log


    ComboFix 09-12-01.01 - Mr. B 12/02/2009 15:34.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.575 [GMT -8:00]
    Running from: c:\documents and settings\Mr. B\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Mr. B\Desktop\CFScript.txt
    AV: ZoneAlarm Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
    FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

    FILE ::
    "c:\windows\system32\0DE7710C42.sys"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\docume~1\MRC6CE~1.B\LOCALS~1\Temp\clclean.0001.dir.0000\~df394b.tmp
    c:\documents and settings\Mr. B\Local Settings\temp\clclean.0001.dir.0000\~df394b.tmp
    c:\windows\system32\0DE7710C42.sys

    Infected copy of c:\windows\system32\Drivers\atapi.sys was found and disinfected
    Restored copy from - c:\windows\ERDNT\cache\atapi.sys

    .
    ((((((((((((((((((((((((( Files Created from 2009-11-02 to 2009-12-02 )))))))))))))))))))))))))))))))
    .

    2009-12-02 05:00 . 2009-12-02 05:00 -------- d-----w- c:\program files\MSXML 4.0
    2009-12-01 20:04 . 2009-12-01 19:05 15880 ----a-w- c:\windows\system32\lsdelete.exe
    2009-12-01 19:07 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2009-12-01 19:00 . 2009-10-03 08:15 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
    2009-12-01 19:00 . 2009-12-01 19:00 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
    2009-12-01 18:58 . 2009-12-01 19:13 117760 ----a-w- c:\documents and settings\Mr. B\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2009-12-01 18:47 . 2009-12-01 18:47 205 ----a-w- C:\~TaxUnin.bat
    2009-12-01 04:57 . 2009-12-01 04:57 -------- d-----w- c:\documents and settings\Mr. B\Application Data\CheckPoint
    2009-11-22 01:07 . 2009-11-22 01:07 -------- d-----w- c:\documents and settings\Mrs. S\Application Data\CheckPoint
    2009-11-22 01:07 . 2009-11-22 01:07 -------- d-----w- c:\program files\CheckPoint
    2009-11-22 01:07 . 2009-10-13 02:15 128016 ----a-w- c:\windows\system32\drivers\kl1.sys
    2009-11-22 01:06 . 2009-10-17 09:39 69000 ----a-w- c:\windows\system32\zlcomm.dll
    2009-11-22 01:06 . 2009-10-17 09:39 103816 ----a-w- c:\windows\system32\zlcommdb.dll
    2009-11-09 01:34 . 2009-11-09 01:34 -------- d-----w- c:\program files\iPod
    2009-11-09 01:34 . 2009-11-09 01:35 -------- d-----w- c:\program files\iTunes
    2009-11-09 01:27 . 2009-11-09 01:27 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
    2009-11-07 06:52 . 2009-11-07 06:52 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-12-02 14:06 . 2006-12-18 06:48 4212 ---ha-w- c:\windows\system32\zllictbl.dat
    2009-12-02 06:44 . 2006-12-28 15:40 10846935 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
    2009-12-01 19:57 . 2007-08-19 00:59 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2009-12-01 19:21 . 2009-12-01 19:22 3508736 ----a-w- c:\windows\Internet Logs\xDB29F.tmp
    2009-12-01 19:08 . 2009-12-01 19:09 941568 ----a-w- c:\windows\Internet Logs\xDB29E.tmp
    2009-12-01 18:59 . 2008-12-24 18:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2009-12-01 18:59 . 2006-10-08 04:53 -------- d-----w- c:\program files\Lavasoft
    2009-12-01 18:57 . 2009-03-07 07:23 -------- d-----w- c:\documents and settings\Mr. B\Application Data\SUPERAntiSpyware.com
    2009-12-01 18:47 . 2007-04-15 02:45 -------- d-----w- c:\program files\Common Files\Intuit
    2009-12-01 18:43 . 2007-09-15 00:37 -------- d-----w- c:\documents and settings\Mr. B\Application Data\uTorrent
    2009-12-01 06:48 . 2009-12-01 14:49 2752000 ----a-w- c:\windows\Internet Logs\xDB29D.tmp
    2009-11-30 05:41 . 2009-11-30 16:19 267264 ----a-w- c:\windows\Internet Logs\xDB29C.tmp
    2009-11-24 06:50 . 2009-11-24 15:02 2747392 ----a-w- c:\windows\Internet Logs\xDB29B.tmp
    2009-11-23 00:59 . 2009-11-23 01:00 2746368 ----a-w- c:\windows\Internet Logs\xDB29A.tmp
    2009-11-22 21:57 . 2009-11-22 21:58 2745856 ----a-w- c:\windows\Internet Logs\xDB299.tmp
    2009-11-22 21:57 . 2009-11-22 21:58 51712 ----a-w- c:\windows\Internet Logs\xDB298.tmp
    2009-11-22 07:50 . 2009-11-22 17:01 98816 ----a-w- c:\windows\Internet Logs\xDB297.tmp
    2009-11-21 06:55 . 2009-11-22 00:38 207872 ----a-w- c:\windows\Internet Logs\xDB296.tmp
    2009-11-16 05:57 . 2009-11-16 21:03 132096 ----a-w- c:\windows\Internet Logs\xDB295.tmp
    2009-11-13 06:26 . 2009-11-13 16:14 97280 ----a-w- c:\windows\Internet Logs\xDB294.tmp
    2009-11-12 20:44 . 2005-08-16 09:37 15360 ----a-w- c:\windows\system32\logoff.exe
    2009-11-11 05:42 . 2009-11-11 17:18 65536 ----a-w- c:\windows\Internet Logs\xDB293.tmp
    2009-11-10 06:17 . 2009-11-10 15:46 269312 ----a-w- c:\windows\Internet Logs\xDB292.tmp
    2009-11-09 01:34 . 2009-08-17 03:26 -------- d-----w- c:\program files\Common Files\Apple
    2009-11-09 01:26 . 2009-08-17 03:30 -------- d-----w- c:\documents and settings\Mr. B\Application Data\Apple Computer
    2009-11-07 07:47 . 2009-11-07 17:23 104960 ----a-w- c:\windows\Internet Logs\xDB28E.tmp
    2009-10-22 05:07 . 2009-10-22 14:47 57344 ----a-w- c:\windows\Internet Logs\xDB28D.tmp
    2009-10-21 05:25 . 2009-10-21 13:51 91648 ----a-w- c:\windows\Internet Logs\xDB28C.tmp
    2009-10-19 03:38 . 2009-10-19 14:49 199168 ----a-w- c:\windows\Internet Logs\xDB28B.tmp
    2009-10-17 09:39 . 2006-12-18 06:47 72584 ----a-w- c:\windows\zllsputility.exe
    2009-10-17 09:39 . 2008-11-08 16:44 1238408 ----a-w- c:\windows\system32\zpeng25.dll
    2009-10-14 01:16 . 2009-10-14 01:17 81408 ----a-w- c:\windows\Internet Logs\xDB28A.tmp
    2009-10-13 05:17 . 2009-10-13 15:12 222720 ----a-w- c:\windows\Internet Logs\xDB289.tmp
    2009-10-10 09:13 . 2009-10-10 18:19 53760 ----a-w- c:\windows\Internet Logs\xDB288.tmp
    2009-10-09 05:39 . 2009-10-09 14:47 52224 ----a-w- c:\windows\Internet Logs\xDB287.tmp
    2009-10-08 05:34 . 2009-10-08 13:28 154624 ----a-w- c:\windows\Internet Logs\xDB286.tmp
    2009-10-07 03:28 . 2009-10-07 14:09 88576 ----a-w- c:\windows\Internet Logs\xDB285.tmp
    2009-10-05 05:37 . 2009-10-05 13:17 64000 ----a-w- c:\windows\Internet Logs\xDB284.tmp
    2009-10-04 09:13 . 2009-10-04 16:31 269312 ----a-w- c:\windows\Internet Logs\xDB283.tmp
    2009-09-29 04:33 . 2009-09-29 13:38 263168 ----a-w- c:\windows\Internet Logs\xDB282.tmp
    2009-09-26 04:20 . 2009-09-26 14:11 2354688 ----a-w- c:\windows\Internet Logs\xDB281.tmp
    2009-09-13 03:54 . 2009-09-13 11:19 407040 ----a-w- c:\windows\Internet Logs\xDB280.tmp
    2009-09-11 14:18 . 2005-08-16 09:18 136192 ----a-w- c:\windows\system32\msv1_0.dll
    2009-09-06 07:06 . 2009-09-07 01:04 131584 ----a-w- c:\windows\Internet Logs\xDB27F.tmp
    2009-09-04 21:03 . 2005-08-16 09:18 58880 ----a-w- c:\windows\system32\msasn1.dll
    2006-11-25 22:59 . 2006-09-14 03:46 3558 --sha-w- c:\windows\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-12-02_06.29.47 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-12-02 23:56 . 2009-12-02 23:56 16384 c:\windows\Temp\Perflib_Perfdata_548.dat
    + 2009-03-17 12:50 . 2009-12-02 16:55 51712 c:\windows\system32\ZoneLabs\zlqrtdb.dat
    + 2009-12-02 23:18 . 2009-12-02 23:18 67301 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\wmuf\wmuf0008.dat
    + 2009-12-02 23:18 . 2009-12-02 23:18 32205 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\apu\apu0003.dat
    + 2009-12-02 23:18 . 2009-12-02 23:18 45237 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\apu\apu0002.dat
    + 2009-10-22 15:33 . 2009-12-02 23:18 72988 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0008.dat
    + 2009-09-29 14:37 . 2009-12-02 14:07 79691 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0004.dat
    + 2009-09-29 14:37 . 2009-12-02 14:07 68772 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0003.dat
    - 2009-09-29 14:37 . 2009-12-02 04:13 68772 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0003.dat
    + 2009-09-29 14:37 . 2009-12-02 14:07 90122 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0002.dat
    - 2009-09-29 14:37 . 2009-12-02 04:13 90122 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0002.dat
    + 2009-09-29 14:37 . 2009-12-02 14:07 90107 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0001.dat
    + 2009-09-29 14:36 . 2009-12-02 23:18 33396 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\apu\apu0003.dat
    + 2009-09-29 14:36 . 2009-12-02 23:18 45219 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\apu\apu0002.dat
    + 2009-09-29 14:36 . 2009-12-02 14:37 42019 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\apu\apu0001.dat
    + 2009-10-22 15:33 . 2009-12-02 23:18 72988 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0008.dat
    + 2009-09-29 14:11 . 2009-12-02 14:07 79691 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0004.dat
    - 2009-09-29 14:11 . 2009-12-02 04:13 68772 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0003.dat
    + 2009-09-29 14:11 . 2009-12-02 14:07 68772 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0003.dat
    - 2009-09-29 14:11 . 2009-12-02 04:13 90122 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0002.dat
    + 2009-09-29 14:11 . 2009-12-02 14:07 90122 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0002.dat
    + 2009-09-29 14:11 . 2009-12-02 14:07 90107 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0001.dat
    + 2009-09-29 14:11 . 2009-12-02 23:18 33396 c:\windows\system32\ZoneLabs\avsys\bases\apu0003.dat
    + 2009-09-29 14:11 . 2009-12-02 23:18 45219 c:\windows\system32\ZoneLabs\avsys\bases\apu0002.dat
    + 2009-09-29 14:11 . 2009-12-02 14:37 42019 c:\windows\system32\ZoneLabs\avsys\bases\apu0001.dat
    + 2009-12-02 06:42 . 2009-12-02 23:53 5522 c:\windows\Temp\sdk8\Report\g_objid.dat
    + 2009-12-02 06:42 . 2009-12-02 23:53 7876 c:\windows\Temp\sdk8\Report\g_objdt.dat
    + 2009-12-02 06:42 . 2009-12-02 23:47 3856 c:\windows\Temp\sdk8\Report\g_objbt.dat
    + 2009-12-02 06:42 . 2009-12-02 23:19 393216 c:\windows\Temp\sfdb.dat
    + 2009-12-02 06:42 . 2009-12-02 06:42 262144 c:\windows\Temp\iswift.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
    "SetDefaultMIDI"="MIDIDef.exe" - c:\windows\MIDIDEF.EXE [2004-12-22 24576]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
    "DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2006-05-03 98304]
    "CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-09-15 57344]
    "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
    "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-12-23 122940]
    "EPSON Stylus CX4200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE" [2005-03-08 98304]
    "CTCheck"="c:\program files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe" [2007-11-06 397312]
    "UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
    "MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
    "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-10-17 1037192]
    "ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2009-10-14 730480]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
    "SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-22 339968]
    "MBMon"="CTMBHA.DLL" - c:\windows\system32\CTMBHA.DLL [2005-05-19 1345520]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\drivers\\svchost.exe"=
    "c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)
    "AllowInboundTimestampRequest"= 1 (0x1)
    "AllowInboundMaskRequest"= 1 (0x1)
    "AllowInboundRouterRequest"= 1 (0x1)
    "AllowOutboundDestinationUnreachable"= 1 (0x1)
    "AllowOutboundSourceQuench"= 1 (0x1)
    "AllowOutboundParameterProblem"= 1 (0x1)
    "AllowOutboundTimeExceeded"= 1 (0x1)
    "AllowRedirect"= 1 (0x1)
    "AllowOutboundPacketTooBig"= 1 (0x1)

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [12/1/2009 11:07 AM 64288]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2009 11:43 AM 8944]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2009 11:43 AM 55024]
    R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [10/14/2009 5:30 AM 25208]
    R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [10/14/2009 5:30 AM 476528]
    S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 3:17 AM 1184912]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2009 11:43 AM 7408]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder

    2009-09-11 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    DPF: {03A13D5D-2C8E-4C1A-970D-D6D07A4FE3D0} - hxxps://atlas.atlassolutions.com/dl/AtlasCtrl.cab
    FF - ProfilePath - c:\documents and settings\Mr. B\Application Data\Mozilla\Firefox\Profiles\uruunfbj.default\
    FF - prefs.js: browser.startup.homepage - about:blank
    FF - prefs.js: network.proxy.type - 4
    FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\MozillaDownload.dll
    FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\TrustCheckerMozillaPlugin.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdsplay.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npwmsdrm.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-12-02 15:57
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{9D9EEA93-DD59-68FD-2527E621161D0237}\{C35E9742-B8BD-06C7-FA5575747B82F58D}\{7D561727-4D3E-D313-4CFAAB3C00BB0207}*]
    "S6KI1YERXJTIP3T5RVDI41UR2G1"=hex:01,00,01,00,00,00,00,00,26,ff,b1,c2,08,0b,50,
    9e,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(716)
    c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

    - - - - - - - > 'lsass.exe'(772)
    c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

    - - - - - - - > 'explorer.exe'(3912)
    c:\windows\system32\WININET.dll
    c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\system32\CTsvcCDA.exe
    c:\windows\eHome\ehRecvr.exe
    c:\windows\eHome\ehSched.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
    c:\windows\system32\tcpsvcs.exe
    c:\windows\system32\dllhost.exe
    c:\windows\eHome\ehmsas.exe
    c:\windows\system32\Rundll32.exe
    c:\docume~1\MRC6CE~1.B\LOCALS~1\Temp\clclean.0001
    c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2009-12-02 16:05 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-12-03 00:05
    ComboFix2.txt 2009-12-02 06:40
    ComboFix3.txt 2009-03-15 02:28

    Pre-Run: 41,979,387,904 bytes free
    Post-Run: 41,922,252,800 bytes free

    - - End Of File - - 6368AE4A1852249BC9170D4752DF0615
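Added example (not part of the thread and not ComboFix's own tooling): the checks a security engineer would run over the "Reg Loading Points" section of a ComboFix log like the one above. It parses the REGEDIT4-style dump and reports Security Center alert overrides, products whose Security Center monitoring is switched off, firewall exceptions granted to a file that carries a core Windows binary name but lives outside that binary's normal directory, and ports opened to all inbound traffic. The sample input is a constructed subset of the entries visible above (re-typed without the stray space the forum rendered before each closing quote); the EXPECTED_HOME table of where XP keeps its core binaries is this example's own assumption.

```python
import re

# Constructed sample: a subset of the "Reg Loading Points" entries from the
# ComboFix log above.  Any other entry in the real dump is handled the same way.
SAMPLE_COMBOFIX = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"""

# Core Windows binaries and the directory under %windir% they run from on XP.
# This table is the example's own assumption, not an exhaustive inventory; a
# same-named file anywhere else is a masquerading pattern worth checking.
EXPECTED_HOME = {
    "svchost.exe": "system32", "lsass.exe": "system32", "csrss.exe": "system32",
    "services.exe": "system32", "winlogon.exe": "system32", "smss.exe": "system32",
    "explorer.exe": "",
}

_SECTION = re.compile(r"^\[(.+)\]$")
_ENTRY = re.compile(r'^"([^"]+)"=\s*(.*)$')


def parse_reg_dump(text):
    """{section: [(name, value), ...]} from ComboFix's REGEDIT4-style listing."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        m = _ENTRY.match(line)
        if m and current is not None:
            sections[current].append((m.group(1), m.group(2)))
    return sections


def _dword(value):
    """'dword:00000001' -> 1; anything that is not a REG_DWORD -> None."""
    m = re.match(r"dword:([0-9a-fA-F]{8})$", value.strip())
    return int(m.group(1), 16) if m else None


def _normalise_path(name):
    """Undo the .reg-style doubled backslashes, expand %windir%, lower-case."""
    return name.replace("\\\\", "\\").replace("%windir%", "c:\\windows").lower()


def triage(sections):
    """List of human-readable findings for the checks described above."""
    findings = []
    for section, entries in sections.items():
        s = section.lower()
        if s.endswith("\\security center"):
            # 1 = "do not warn that no AV/firewall is present".  Set by some
            # third-party suites and by users, but also a routine malware change.
            for name, value in entries:
                if name in ("AntiVirusOverride", "FirewallOverride") and _dword(value) == 1:
                    findings.append(f"Security Center {name}=1: missing-protection alerts are suppressed")
        elif "\\security center\\monitoring\\" in s:
            product = section.rsplit("\\", 1)[-1]
            for name, value in entries:
                if name == "DisableMonitoring" and _dword(value) == 1:
                    findings.append(f"Security Center monitoring disabled for {product}; confirm that product is really installed")
        elif s.endswith("\\authorizedapplications\\list"):
            for name, _ in entries:
                path = _normalise_path(name)
                parent, _, base = path.rpartition("\\")
                home = EXPECTED_HOME.get(base)
                if home is None:
                    continue
                expected = "c:\\windows" + ("\\" + home if home else "")
                if parent != expected:
                    findings.append(f"Firewall exception for {base} outside {expected}: {path}")
        elif s.endswith("\\globallyopenports\\list"):
            for name, _ in entries:
                port, _, proto = name.partition(":")
                note = " (Remote Desktop)" if port == "3389" else ""
                findings.append(f"Port {port}/{proto} open to all inbound traffic{note}")
    return findings


if __name__ == "__main__":
    for f in triage(parse_reg_dump(SAMPLE_COMBOFIX)):
        print("-", f)
```

Read the output for what it does and does not say. DisableMonitoring=1 under Monitoring\ZoneLabsFirewall is expected when ZoneAlarm is installed (it is, per the O23 lines in the HijackThis logs), and the AntiVirusOverride/FirewallOverride values can be set by a suite or by a user as well as by malware; the script surfaces them for a human to confirm, it does not decide. Likewise a firewall exception for a file named svchost.exe under system32\drivers does not prove that the file exists or is malicious, only that the path is not where Windows keeps svchost.exe, which makes it the first entry to check on disk.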
     
  14. 2009/12/02
    loogoldham Inactive Thread Starter

    And here is the HijackThis log.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:08:05 PM, on 12/2/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
    C:\WINDOWS\system32\tcpsvcs.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
    C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\DOCUME~1\MRC6CE~1.B\LOCALS~1\Temp\clclean.0001
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: ZoneAlarm Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O3 - Toolbar: ZoneAlarm Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB002" /M "Stylus CX4200"
    O4 - HKLM\..\Run: [CTCheck] C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [ISW] "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
    O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
    O16 - DPF: {03A13D5D-2C8E-4C1A-970D-D6D07A4FE3D0} (FileMgr Class) - https://atlas.atlassolutions.com/dl/AtlasCtrl.cab
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15031/CTSUEng.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) -
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
    O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15106/CTPID.cab
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: ZoneAlarm Toolbar IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 8884 bytes
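Added example (not part of the thread, and not HijackThis code): a few mechanical checks over a HijackThis log like the one just posted, run here on a constructed subset of its lines. It flags running processes that execute out of a Temp directory or whose image is not an .exe, hooks already marked (no file), O4 autostart entries that name the program without a path (Windows then resolves it through the search path, which is exactly the situation that produces a "Windows cannot find ..." box at every logon once such a file is deleted but the entry stays), and O16 ActiveX entries with no source URL. None of the logs posted in this thread contain a logon.exe entry, so the sample sticks to what is on the page; the heuristics and their labels are the example's own.

```python
import ntpath
import re

# Constructed sample: lines copied from the HijackThis log above.  A subset is
# enough to exercise every check; the full log is processed the same way.
SAMPLE_HJT = r"""
Logfile of Trend Micro HijackThis v2.0.2

Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Rundll32.exe
C:\DOCUME~1\MRC6CE~1.B\LOCALS~1\Temp\clclean.0001
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) -
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
"""

_O4 = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]+)\] ?(?P<cmd>.*)$")
_O16 = re.compile(r"^O16 - DPF: (?P<clsid>\{[^}]+\})(?: \([^)]*\))? - ?(?P<url>.*)$")


def first_token(cmd):
    """The program part of a Run-key command: a quoted path, else the first word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def is_bare(image):
    """True when the image has no drive or directory, so Windows resolves it
    through the search path.  If that file is later deleted the entry stays and
    the user gets 'Windows cannot find <name>' at every logon."""
    return bool(image) and "\\" not in image and ":" not in image


def triage_hjt(text):
    """Return [(code, log line), ...] for the heuristics described above."""
    findings, in_procs = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:                      # blank line closes the process list
                in_procs = False
                continue
            low = line.lower()
            if "\\temp\\" in low:             # anything executing out of a Temp folder
                findings.append(("TEMP_PROCESS", line))
            if ntpath.splitext(low)[1] != ".exe":
                findings.append(("NON_EXE_IMAGE", line))
            continue
        if line.endswith("(no file)"):        # hook whose target no longer exists
            findings.append(("ORPHANED_HOOK", line))
            continue
        m = _O4.match(line)
        if m:
            if is_bare(first_token(m.group("cmd"))):
                findings.append(("BARE_AUTORUN", line))
            continue
        m = _O16.match(line)
        if m and not m.group("url").strip():  # ActiveX (DPF) entry with no source URL
            findings.append(("EMPTY_DPF", line))
    return findings


if __name__ == "__main__":
    for code, line in triage_hjt(SAMPLE_HJT):
        print(f"{code:14} {line}")
```

Two of the findings deserve a word. The process running from the user's Temp folder with a .0001 extension (clclean.0001) is the kind of thing an analyst checks by hand, because a scanner that finds no signature match will still list it as a running process, as both HijackThis logs here do. The BARE_AUTORUN hits (stsystra.exe, Rundll32 for CTMBHA.DLL, MIDIDef.exe) are all plausible vendor entries, and the check does not call them bad; it only says that their paths cannot be verified from the log line alone.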
     
  15. 2009/12/02
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Very good :)

    Print these instructions out.

    NOTE. If any of the programs listed below refuse to run, try renaming the executable file to something else; for instance, rename hijackthis.exe to scanner.exe

    ***VERY IMPORTANT! Make sure you update SUPERAntiSpyware and Malwarebytes before running the scans.***

    STEP 1. Download SUPERAntiSpyware Free for Home Users:
    http://www.superantispyware.com/

    * Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    * An icon will be created on your desktop. Double-click that icon to launch the program.
    * If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
    * Close SUPERAntiSpyware.

    PHYSICALLY DISCONNECT FROM THE INTERNET

    Restart computer in Safe Mode.
    To enter Safe Mode, restart computer, and keep tapping F8 key, until menu appears; select Safe Mode; you'll see "Safe Mode" in all four corners of your screen

    * Open SUPERAntiSpyware.
    * Click Scan your Computer... button.
    * Click Scanning Preferences/Control Center... button.
    * Under the General and Startup tab, make sure the Start SUPERAntiSpyware when Windows starts option is UN-checked.
    * Click the Scanning Control tab.
    * Under Scanner Options make sure the following are checked (leave all others unchecked):
    - Close browsers before scanning.
    - Terminate memory threats before quarantining.

    * Click the Close button to leave the control center screen.
    * On the left, make sure you check C:\Fixed Drive.
    * On the right, choose Perform Complete Scan.
    * Click Next to start the scan. Please be patient while it scans your computer.
    * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
    * Make sure everything has a checkmark next to it and click Next.
    * A notification will appear that Quarantine and Removal is Complete. Click OK and then click the Finish button to return to the main menu.
    * If asked if you want to reboot, click Yes.
    * To retrieve the removal information after reboot, launch SUPERAntispyware again.
    - Click Preferences, then click the Statistics/Logs tab.
    - Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    - If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    - Please copy and paste the Scan Log results in your next reply.

    * Click Close to exit the program.
    Post SUPERAntiSpyware log.

    RECONNECT TO THE INTERNET

    RESTART COMPUTER!

    STEP 2. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform full scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    RESTART COMPUTER!

    STEP 3.
    Post fresh HijackThis log.
    NOTE. If you're using Vista, right click on HijackThis, and click Run as Administrator
    Do NOT attempt to "fix" anything!


    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  16. 2009/12/03
    loogoldham Inactive Thread Starter

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 12/02/2009 at 10:50 PM

    Application Version : 4.31.1000

    Core Rules Database Version : 4330
    Trace Rules Database Version: 2185

    Scan type : Complete Scan
    Total Scan Time : 02:08:15

    Memory items scanned : 220
    Memory threats detected : 0
    Registry items scanned : 6276
    Registry threats detected : 0
    File items scanned : 77894
    File threats detected : 0
     
  17. 2009/12/03
    loogoldham Inactive Thread Starter

    Malwarebytes' Anti-Malware 1.41
    Database version: 3284
    Windows 5.1.2600 Service Pack 3

    12/3/2009 4:02:16 AM
    mbam-log-2009-12-03 (04-02-16).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 206983
    Time elapsed: 1 hour(s), 0 minute(s), 3 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  18. 2009/12/03
    loogoldham Inactive Thread Starter

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:07:53 AM, on 12/3/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
    C:\WINDOWS\system32\tcpsvcs.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\DOCUME~1\MRC6CE~1.B\LOCALS~1\Temp\clclean.0001
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
    C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
    C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: ZoneAlarm Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O3 - Toolbar: ZoneAlarm Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB002" /M "Stylus CX4200"
    O4 - HKLM\..\Run: [CTCheck] C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [ISW] "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
    O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
    O16 - DPF: {03A13D5D-2C8E-4C1A-970D-D6D07A4FE3D0} (FileMgr Class) - https://atlas.atlassolutions.com/dl/AtlasCtrl.cab
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15031/CTSUEng.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) -
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
    O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15106/CTPID.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: ZoneAlarm Toolbar IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 8968 bytes
     
  19. 2009/12/03
    loogoldham

    loogoldham Inactive Thread Starter

    Joined:
    2009/12/01
    Messages:
    15
    Likes Received:
    0
    Hi: Thanks again for your help. I'm away through Sunday, will respond then.
     
  20. 2009/12/03
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.
    • Open JavaRa.exe again and select Search For Updates.
    • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    ===========================================================

    Print this post out, since you won't have access to it at some point.

    1. Open HijackThis.

    2. Close all windows, except for HijackThis.

    3. Put checkmarks next to the following HijackThis entries:

    - R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    - R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    - O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    - O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
    - O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)



    4. You should also checkmark the following entries (these are unnecessary startups; no actual programs will be removed):

    - O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    - O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    - O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    - O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB002" /M "Stylus CX4200"
    - O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    - O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    - O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    - O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll


    5. Click on Fix checked button.

    6. Restart computer.

    7. Post new HijackThis log.
     
  21. 2009/12/12
    loogoldham

    loogoldham Inactive Thread Starter

    Joined:
    2009/12/01
    Messages:
    15
    Likes Received:
    0
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:32:29 PM, on 12/12/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
    C:\WINDOWS\system32\tcpsvcs.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
    C:\DOCUME~1\MRC6CE~1.B\LOCALS~1\Temp\clclean.0001
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\Sun\SDK\jdk\bin\javaw.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
    C:\WINDOWS\eHome\ehmsas.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: ZoneAlarm Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
    O3 - Toolbar: ZoneAlarm Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [CTCheck] C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [ISW] "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
    O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
    O4 - Startup: SDK Tray Menu.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
    O16 - DPF: {03A13D5D-2C8E-4C1A-970D-D6D07A4FE3D0} (FileMgr Class) - https://atlas.atlassolutions.com/dl/AtlasCtrl.cab
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15031/CTSUEng.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) -
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
    O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15106/CTPID.cab
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: ZoneAlarm Toolbar IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 7676 bytes
     