
Solved: computer taken over by virus

Discussion in 'Malware and Virus Removal Archive' started by RickyD2, 2010/07/09.

  1. 2010/07/09
    RickyD2

    RickyD2 Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    421
    Likes Received:
    0
    [Resolved] computer taken over by virus

    I was just browsing around this afternoon when suddenly I realized that my PC was being taken over by viruses; I don't know from whom, I don't know when. I started getting a flag identified as being from "AV Security Suite", then a flag identified as being from "Link Scanner" asking if I wanted the virus removed, and finally another flag identified as being from "Antivirmode.net" telling me the virus had been removed. Along with all this I also realized that I was being blocked from using Outlook Express, Internet Explorer, Zone Alarm, AVG anti virus, Fix Cleaner and one other program I wanted to access. Consequently I am now running solely in Safe Mode and it is the only thing that works.

    I ran Spyware Doctor and determined there were 31 different "bugs" in my machine and then ran HiJack This and a copy of that scan is as follows - -

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 7:38:11 PM, on 7/9/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Safe mode with network support

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Spyware Doctor\pctsGui.exe
    C:\Program Files\Spyware Doctor\pctsAuxs.exe
    C:\Program Files\Spyware Doctor\pctsTray.exe
    C:\Program Files\Spyware Doctor\pctsSvc.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\L9AHZ9RM\HijackThis[1].exe
    C:\WINDOWS\system32\NOTEPAD.EXE

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
    O2 - BHO: ZoneAlarm Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    O3 - Toolbar: ZoneAlarm Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
    O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [ISW] "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"
    O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [fjukfjbl] C:\Documents and Settings\Richard Doenges.HOME-KVJPCI4PIU\Local Settings\Application Data\gmrnrjqoc\dctnkhitssd.exe
    O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [FixCleaner] C:\Program Files\FixCleaner\FixCleaner.exe -boot
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} -
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: AVG E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
    O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
    O23 - Service: Browser Defender Update Service - Unknown owner - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper Home Edition\DKService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: ZoneAlarm Toolbar IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: PCPitstop Scheduling - PC Pitstop LLC - C:\Program Files\PCPitstop\PCPitstopScheduleService.exe
    O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZONELABS\vsmon.exe

    --
    End of file - 8184 bytes


    I would be very grateful if one of you folks, much, much more expert than I, would run over this scan, fix what needs fixing and tell me where to go from here.

    Thanks.
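Reading the log above: every entry in it belongs to a known product (AVG, ZoneAlarm, Spyware Doctor, Java, Adobe, Canon, HP, Windows) except one HKLM Run entry, [fjukfjbl], which launches dctnkhitssd.exe from a folder named gmrnrjqoc under the user's Local Settings\Application Data. That location needs no administrator rights to write to, none of the three names mean anything, and it is the folder the helper later deletes in post 8. The Python below is an added example written for this page, not code from the thread, from Trend Micro or from any of the tools named in it: it scores the O4 autorun lines by where they run from and whether their names look machine-generated, and separately lists entries whose target file is gone. The input is a constructed subset of the posted log; the heuristics, thresholds and the list of user-writable locations are this example's own assumptions.

```python
import re

# Constructed sample: a subset of the lines from the HijackThis log posted
# above, copied verbatim so the heuristics are checked against a real entry.
SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [fjukfjbl] C:\Documents and Settings\Richard Doenges.HOME-KVJPCI4PIU\Local Settings\Application Data\gmrnrjqoc\dctnkhitssd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FixCleaner] C:\Program Files\FixCleaner\FixCleaner.exe -boot
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
"""

# O4 lines: "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\S+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
# First token of the command line: a quoted path, or an unquoted path that
# ends in an executable extension (HijackThis does not quote every path).
EXE_RE = re.compile(
    r'^"(?P<q>[^"]+)"|^(?P<u>.+?\.(?:exe|com|dll|scr|pif|bat|cmd))(?=\s|$)', re.I
)
# Places an unprivileged XP user can write to: anything under a profile plus
# the temp/cache areas drive-by installers use.  Program Files and
# %SystemRoot% are deliberately absent: writing there needs admin rights.
USER_WRITABLE = (
    "\\documents and settings\\",
    "\\windows\\temp\\",
    "\\temporary internet files\\",
    "\\downloaded program files\\",
)
VOWELS = set("aeiouy")


def looks_random(token):
    """Machine-generated names: all letters, at least 6 long, and either very
    few vowels or a long consonant run.  A signal, not proof (ctfmon trips it
    too), so triage() only lets it add to a location-based score."""
    t = token.lower()
    if len(t) < 6 or not t.isalpha():
        return False
    vowel_ratio = sum(c in VOWELS for c in t) / len(t)
    longest_run = max(len(run) for run in re.split(r"[aeiouy]", t))
    return vowel_ratio < 0.25 or longest_run >= 5


def executable_path(cmd):
    m = EXE_RE.match(cmd.strip())
    return (m.group("q") or m.group("u")) if m else cmd.strip()


def triage(log_text):
    """Score every O4 Run/RunOnce entry; 2 or more means look at it first."""
    results = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        path = executable_path(m.group("cmd"))
        parts = path.split("\\")
        stem = parts[-1].rsplit(".", 1)[0]
        parent = parts[-2] if len(parts) > 1 else ""
        reasons, score = [], 0
        if any(marker in path.lower() for marker in USER_WRITABLE):
            reasons.append("runs from a user-writable location")
            score += 2
        for label, token in (("entry name", m.group("name")),
                             ("file name", stem), ("folder name", parent)):
            if looks_random(token):
                reasons.append(f"{label} '{token}' looks machine-generated")
                score += 1
        results.append({"name": m.group("name"), "path": path,
                        "score": score, "reasons": reasons})
    return results


def orphans(log_text):
    """Entries whose target is gone.  Not dangerous by themselves, but they
    record what was removed or broken, and they are easy to clean up."""
    return [l.strip() for l in log_text.splitlines()
            if "(no file)" in l or "(file missing)" in l]


if __name__ == "__main__":
    for r in sorted(triage(SAMPLE_LOG), key=lambda r: -r["score"]):
        print(f"{r['score']}  [{r['name']}]  {r['path']}")
        for reason in r["reasons"]:
            print("      -", reason)
    print("orphans:")
    for line in orphans(SAMPLE_LOG):
        print("  ", line)
```

Run on the excerpt, it puts [fjukfjbl] at the top with a score of 5 (user-writable path, plus random-looking entry, file and folder names) and every vendor entry at 0 or 1; ctfmon.exe scores 1 on its name alone, which is why the name heuristic is never allowed to flag by itself. The orphan list reproduces the two (no file)/(file missing) lines; the toolbar one is exactly what ComboFix later reports under ORPHANS REMOVED in post 7.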
     
  2. 2010/07/09
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.pif
    * Rkill.exe


      * Double-click on the Rkill desktop icon to run the tool.
      * If using Vista or Windows 7 right-click on it and choose Run As Administrator.
      * A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
      * If not, delete the file, then download and use the one provided in Link 2.
      * If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
      * Do not reboot until instructed.
      * If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run then try to immediately run the following.

    Now download and run exeHelper.


      * Please download exeHelper from Raktor to your desktop.
      * Double-click on exeHelper.com to run the fix.
      * A black window should pop up, press any key to close once the fix is completed.
      * A log file named log.txt will be created in the directory where you ran exeHelper.com
      * Attach the log.txt file to your next message.

    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

    =============================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     


  4. 2010/07/10
    RickyD2
    Broni, I haven't responded because of several problems, biggest of which was that my computer would not open any web page. With Microsoft's help, this has finally been resolved. I've some other housekeeping to do and I will get back to you soon.
    Thanks
     
  5. 2010/07/10
    broni
    Ok :)
     
  6. 2010/07/12
    RickyD2
    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.
    Ran as Richard Doenges on 07/12/2010 at 20:35:11.


    Processes terminated by Rkill or while it was running:


    C:\Documents and Settings\Richard Doenges.HOME-KVJPCI4PIU\Desktop\exeHelper.com
    C:\Documents and Settings\Richard Doenges.HOME-KVJPCI4PIU\Desktop\rkill.exe


    Rkill completed on 07/12/2010 at 20:35:14.


    exeHelper by Raktor
    Build 20100414
    Run at 20:33:36 on 07/12/10
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--
     
  7. 2010/07/12
    RickyD2
    ComboFix 10-07-12.02 - Richard Doenges 07/12/2010 20:41:48.8.1 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.222 [GMT -5:00]
    Running from: c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Desktop\ComboFix.exe
    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\Downloaded Program Files\ODCTOOLS
    c:\windows\Downloaded Program Files\ODCTOOLS\~t331.tmp
    c:\windows\Downloaded Program Files\ODCTOOLS\~t332.tmp

    .
    ((((((((((((((((((((((((( Files Created from 2010-06-13 to 2010-07-13 )))))))))))))))))))))))))))))))
    .

    2010-07-11 20:20 . 2010-07-11 20:20 -------- d-----w- c:\program files\Uniblue
    2010-07-11 00:18 . 2010-07-11 00:18 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-07-11 00:17 . 2010-04-28 12:44 54760 ----a-w- c:\windows\system32\drivers\fssfltr_tdi.sys
    2010-07-11 00:17 . 2010-07-11 00:17 -------- d-----w- c:\program files\Microsoft Sync Framework
    2010-07-11 00:16 . 2006-11-29 18:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
    2010-07-11 00:15 . 2010-07-11 00:16 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
    2010-07-11 00:14 . 2010-07-11 00:15 -------- d-----w- c:\program files\Microsoft
    2010-07-11 00:14 . 2010-07-11 00:14 -------- d-----w- c:\program files\Windows Live SkyDrive
    2010-07-11 00:14 . 2010-07-11 00:14 -------- d-----w- c:\program files\Windows Live
    2010-07-11 00:04 . 2010-07-11 00:05 -------- d-----w- c:\program files\Common Files\Windows Live
    2010-07-10 21:29 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-07-10 21:29 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-07-10 21:29 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-07-10 21:29 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-07-10 21:28 . 2010-06-28 20:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-07-10 21:28 . 2010-06-28 20:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-07-10 21:28 . 2010-06-28 20:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-07-10 21:24 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
    2010-07-10 21:24 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
    2010-07-10 21:22 . 2010-07-10 21:22 -------- d-----w- c:\program files\Alwil Software
    2010-07-10 21:22 . 2010-07-10 21:22 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Alwil Software
    2010-07-10 03:58 . 2010-07-10 03:58 -------- d-----w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Local Settings\Application Data\Threat Expert
    2010-07-10 03:39 . 2010-07-10 03:39 -------- d-----w- C:\FOUND.001
    2010-07-10 01:08 . 2010-07-10 01:08 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
    2010-07-09 20:08 . 2010-07-09 20:08 -------- d-----w- c:\program files\Spyware Doctor
    2010-07-09 19:47 . 2010-07-09 19:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\FixCleaner
    2010-07-09 19:18 . 2010-07-09 19:18 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
    2010-07-09 19:18 . 2010-07-09 19:18 -------- d-----w- C:\0ff30b331f6ef8766e8e82859b84f973
    2010-07-09 18:29 . 2010-07-09 18:29 -------- d-----w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Local Settings\Application Data\gmrnrjqoc
    2010-07-09 17:10 . 2010-07-09 17:10 -------- d-----w- C:\FOUND.000
    2010-06-16 05:12 . 2010-06-16 05:12 -------- d-----w- c:\program files\IE New Window Maximizer
    2010-06-14 20:50 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-07-11 00:14 . 2006-01-15 21:37 19760 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-07-10 20:52 . 2006-01-15 19:59 4212 ---ha-w- c:\windows\system32\zllictbl.dat
    2010-05-24 21:02 . 2010-05-24 21:02 -------- d-----w- c:\program files\SIW
    2010-05-24 20:09 . 2010-05-24 20:09 503808 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1796ea67-n\msvcp71.dll
    2010-05-24 20:09 . 2010-05-24 20:09 499712 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1796ea67-n\jmc.dll
    2010-05-24 20:09 . 2010-05-24 20:09 348160 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1796ea67-n\msvcr71.dll
    2010-05-24 20:09 . 2010-05-24 20:09 61440 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7c814f4b-n\decora-sse.dll
    2010-05-24 20:09 . 2010-05-24 20:09 12800 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7c814f4b-n\decora-d3d.dll
    2010-05-19 21:28 . 2010-05-19 21:28 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\DYMO
    2010-05-19 04:06 . 2010-05-19 04:05 503808 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4182a751-n\msvcp71.dll
    2010-05-19 04:06 . 2010-05-19 04:05 499712 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4182a751-n\jmc.dll
    2010-05-19 04:06 . 2010-05-19 04:05 348160 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4182a751-n\msvcr71.dll
    2010-05-19 04:06 . 2010-05-19 04:05 61440 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-76d3077b-n\decora-sse.dll
    2010-05-19 04:06 . 2010-05-19 04:05 12800 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-76d3077b-n\decora-d3d.dll
    2010-05-17 17:16 . 2010-05-17 17:16 -------- d-----w- c:\program files\CheckPoint
    2010-05-17 13:50 . 2010-05-17 13:50 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Kaspersky Lab
    2010-05-16 18:23 . 2010-05-16 18:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-05-14 20:36 . 2010-05-14 20:36 -------- d-----w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\ElevatedDiagnostics
    2010-05-14 17:13 . 2010-05-14 17:13 -------- d-----w- c:\program files\Windows Live Safety Center
    2010-05-14 15:48 . 2010-05-14 15:48 -------- d-----w- c:\program files\CCleaner
    2010-05-06 15:36 . 2009-10-02 22:01 221568 ------w- c:\windows\system32\MpSigStub.exe
    2010-05-06 10:41 . 2006-06-23 16:33 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-05-02 05:22 . 2003-03-31 17:00 1851264 ----a-w- c:\windows\system32\win32k.sys
    2010-04-24 00:14 . 2010-04-24 00:14 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2010-04-20 05:30 . 2003-03-31 17:00 285696 ----a-w- c:\windows\system32\atmfd.dll
    2010-04-17 05:04 . 2010-04-17 05:04 306032 ----a-w- c:\windows\WLXPGSS.SCR
    2006-07-20 20:07 . 2006-07-20 20:07 18801 ------w- c:\program files\IE70BlockerHelp.htm
    2006-05-08 22:07 . 2006-05-08 22:07 28142 ------w- c:\program files\IE70BlockerHelp-GPFilteringDialog.jpg
    2006-05-08 21:13 . 2006-05-08 21:13 3730 ------w- c:\program files\IE70Blocker.adm
    2006-05-08 21:13 . 2006-05-08 21:13 1809 ------w- c:\program files\IE70Blocker.cmd
    2005-05-26 19:35 . 2007-11-23 21:24 1422 ------w- c:\program files\ReadMe.txt
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TClockEx"="c:\program files\TClockEx\TCLOCKEX.EXE" [2000-03-09 89088]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2008-04-14 53760]
    "tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

    c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Start Menu\Programs\Startup\
    MailWasherPro.lnk - c:\program files\FireTrust\MailWasher Pro\MailWasher.exe [2006-1-6 18480224]

    c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoThumbnailCache "= 0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^hp psc 1000 series.lnk]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^hpoddt01.exe.lnk]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [7/10/2010 4:29 PM 165456]
    R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [4/23/2010 7:14 PM 95024]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/10/2010 4:29 PM 17744]
    R2 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\PCPitstop\PCPitstopScheduleService.exe [10/28/2009 11:29 AM 90352]
    R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
    S1 xlgjzamo;xlgjzamo; [x]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder

    2010-07-12 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]

    2010-07-12 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-02-06 21:27]

    2010-07-03 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

    2010-07-12 c:\windows\Tasks\User_Feed_Synchronization-{9913872E-C5A8-4D8F-83A3-237CEECEEC63}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]

    2007-01-21 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 1200 series5E771253C1676EBED677BF361FDFC537825E15B8137559368.job
    - c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 05:52]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyServer = http=127.0.0.1:5577
    uInternet Settings,ProxyOverride = <local>
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    Toolbar-Locked - (no file)
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-07-12 20:47
    Windows 5.1.2600 Service Pack 3 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1547161642-527237240-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    Completion time: 2010-07-12 20:49:57
    ComboFix-quarantined-files.txt 2010-07-13 01:49
    ComboFix2.txt 2010-05-16 16:46

    Pre-Run: 15,939,272,704 bytes free
    Post-Run: 16,666,099,712 bytes free

    - - End Of File - - 7034AF4DB4720CE17E33E23F877CBCF2


    Permit me to add, please, Broni, that because it seemed I had lost the signal from my ISP (Time Warner Cable - Road Runner) I called them for help and found the signal intact, but on their advice I uninstalled both Zone Alarm and AVG and installed in their place Avast and Windows Live Essentials, and that is where my machine stands at this point.
     
    Last edited: 2010/07/12
  8. 2010/07/12
    broni
    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\zllictbl.dat
    
    
    Folder::
    c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Local Settings\Application Data\gmrnrjqoc
    
    SecCenter::
    {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
    
    
    Driver::
    xlgjzamo
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=-
    
    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:5577
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
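The ComboFix log in post 7 carries the indicators that the CFScript above acts on: a ProxyServer value pointing at 127.0.0.1:5577 (while enabled, Internet Explorer hands every request to a local port on which nothing legitimate listens, one of the usual reasons a machine in this state cannot load any web page), AntiVirusOverride=1 in the Security Center key (which switches off the "no antivirus" warning), a driver service xlgjzamo with no file behind it ([x]), a Security Center registration for ZoneAlarm after ZoneAlarm had been uninstalled, and the gmrnrjqoc folder created under Local Settings\Application Data on the day of the infection. The Python below is an added example written for this page, not code from the thread or from ComboFix's authors: it pulls those indicators out of a constructed excerpt of the post 7 log and renders them in the same directive layout as the script above. The meaning assigned to each directive, the incident date (2010/07/09, from post 1) and the list of products since uninstalled (ZoneAlarm, from post 7) are assumptions taken from the thread, not from any ComboFix documentation.

```python
import re

# Constructed sample: lines excerpted from the ComboFix log in post 7 above.
SAMPLE_COMBOFIX = r"""
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
2010-07-10 03:58 . 2010-07-10 03:58 -------- d-----w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Local Settings\Application Data\Threat Expert
2010-07-09 19:47 . 2010-07-09 19:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\FixCleaner
2010-07-09 18:29 . 2010-07-09 18:29 -------- d-----w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Local Settings\Application Data\gmrnrjqoc
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S1 xlgjzamo;xlgjzamo; [x]
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>
"""

# Header line for each registered security product: "FW: <name> *state* {GUID}"
PRODUCT_RE = re.compile(r"^(?P<kind>AV|FW|AS): (?P<name>.+?) \*.*\{(?P<guid>[0-9A-Fa-f-]{36})\}$")
# "Files Created" entries: created . modified size attrs path
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?P<size>\S+) (?P<attrs>\S+) (?P<path>.+)$"
)
# Service/driver entries whose image path is missing: "S1 name;display; [x]"
DANGLING_RE = re.compile(r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);\s*\[x\]$")
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer = (?P<value>.+)$")
# Security Center "don't warn me" flags (AntiVirusOverride, FirewallOverride, ...)
OVERRIDE_RE = re.compile(r'^"(?P<value>\w+Override)"\s*=dword:0*1$')


def analyse(log_text, incident_date, uninstalled_products=()):
    """Collect the indicators in a ComboFix log that a helper would act on.

    incident_date: the day the user reports the infection started.  Only
    directories created that day under a profile's Local Settings\\Application
    Data are treated as dropped by the malware (assumption of this example).
    uninstalled_products: security products the user has since removed, so a
    product header still naming one is a stale Security Center registration.
    """
    f = {"proxy": None, "overrides": [], "dangling_drivers": [],
         "incident_folders": [], "stale_products": []}
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line            # regedit-style key header
            continue
        m = PRODUCT_RE.match(line)
        if m:
            if any(p.lower() in m.group("name").lower() for p in uninstalled_products):
                f["stale_products"].append("{%s}" % m.group("guid"))
            continue
        m = CREATED_RE.match(line)
        if m:
            path = m.group("path")
            if (m.group("date") == incident_date and m.group("attrs").startswith("d")
                    and "\\local settings\\application data\\" in path.lower()):
                f["incident_folders"].append(path)
            continue
        m = DANGLING_RE.match(line)
        if m:
            f["dangling_drivers"].append(m.group("name"))
            continue
        m = PROXY_RE.match(line)
        if m:
            # Value looks like "http=host:port;https=host:port" or "host:port".
            # A proxy on the loopback interface hands every request to a local
            # program first; on a home PC nothing legitimate listens there.
            hosts = re.findall(r"(?:^|[;=])([^:;=]+):\d+", m.group("value"))
            if any(h in ("127.0.0.1", "localhost") for h in hosts):
                f["proxy"] = line
            continue
        m = OVERRIDE_RE.match(line)
        if m and current_key:
            f["overrides"].append((current_key, m.group("value")))
    return f


def cfscript(f):
    """Render the findings in the directive layout of the script in post 8.
    The mapping is this example's reading of that script: Folder:: deletes a
    directory, SecCenter:: drops a product registration by GUID, Driver::
    removes a service entry, Registry:: applies a regedit fragment ("=-"
    deletes the value) and DDS:: removes the matching setting line."""
    sections = []
    if f["incident_folders"]:
        sections.append("Folder::\n" + "\n".join(f["incident_folders"]))
    if f["stale_products"]:
        sections.append("SecCenter::\n" + "\n".join(f["stale_products"]))
    if f["dangling_drivers"]:
        sections.append("Driver::\n" + "\n".join(f["dangling_drivers"]))
    if f["overrides"]:
        body = []
        for key, value in f["overrides"]:
            body += [key, '"%s"=-' % value]
        sections.append("Registry::\n" + "\n".join(body))
    if f["proxy"]:
        sections.append("DDS::\n" + f["proxy"])
    return "\n\n".join(sections) + "\n"


if __name__ == "__main__":
    print(cfscript(analyse(SAMPLE_COMBOFIX, "2010-07-09", uninstalled_products=("ZoneAlarm",))))
```

Run against the excerpt, it produces the Folder::, SecCenter::, Driver::, Registry:: and DDS:: sections of the script above. The File:: line for zllictbl.dat is not derived from any indicator this example checks; the helper added it by hand, which is the point: a script like this comes from a person reading the whole log, and a parser only shortens the search. A proxy on another host (a corporate proxy, say) is deliberately left alone.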
     
  9. 2010/07/13
    RickyD2
    Here is the most recent ComboFix log:

    ComboFix 10-07-12.06 - Richard Doenges 07/13/2010 10:38:33.9.1 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.184 [GMT -5:00]
    Running from: c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Desktop\ComboFix.exe
    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
    .

    ((((((((((((((((((((((((( Files Created from 2010-06-13 to 2010-07-13 )))))))))))))))))))))))))))))))
    .

    2010-07-11 20:20 . 2010-07-11 20:20 -------- d-----w- c:\program files\Uniblue
    2010-07-11 00:18 . 2010-07-11 00:18 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-07-11 00:17 . 2010-04-28 12:44 54760 ----a-w- c:\windows\system32\drivers\fssfltr_tdi.sys
    2010-07-11 00:17 . 2010-07-11 00:17 -------- d-----w- c:\program files\Microsoft Sync Framework
    2010-07-11 00:16 . 2006-11-29 18:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
    2010-07-11 00:15 . 2010-07-11 00:16 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
    2010-07-11 00:14 . 2010-07-11 00:15 -------- d-----w- c:\program files\Microsoft
    2010-07-11 00:14 . 2010-07-11 00:14 -------- d-----w- c:\program files\Windows Live SkyDrive
    2010-07-11 00:14 . 2010-07-11 00:14 -------- d-----w- c:\program files\Windows Live
    2010-07-11 00:04 . 2010-07-11 00:05 -------- d-----w- c:\program files\Common Files\Windows Live
    2010-07-10 21:29 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-07-10 21:29 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-07-10 21:29 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-07-10 21:29 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-07-10 21:28 . 2010-06-28 20:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-07-10 21:28 . 2010-06-28 20:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-07-10 21:28 . 2010-06-28 20:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-07-10 21:24 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
    2010-07-10 21:24 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
    2010-07-10 21:22 . 2010-07-10 21:22 -------- d-----w- c:\program files\Alwil Software
    2010-07-10 21:22 . 2010-07-10 21:22 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Alwil Software
    2010-07-10 03:58 . 2010-07-10 03:58 -------- d-----w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Local Settings\Application Data\Threat Expert
    2010-07-10 03:39 . 2010-07-10 03:39 -------- d-----w- C:\FOUND.001
    2010-07-10 01:08 . 2010-07-10 01:08 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
    2010-07-09 20:08 . 2010-07-09 20:08 -------- d-----w- c:\program files\Spyware Doctor
    2010-07-09 19:47 . 2010-07-09 19:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\FixCleaner
    2010-07-09 19:18 . 2010-07-09 19:18 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
    2010-07-09 19:18 . 2010-07-09 19:18 -------- d-----w- C:\0ff30b331f6ef8766e8e82859b84f973
    2010-07-09 18:29 . 2010-07-09 18:29 -------- d-----w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Local Settings\Application Data\gmrnrjqoc
    2010-07-09 17:10 . 2010-07-09 17:10 -------- d-----w- C:\FOUND.000
    2010-06-16 05:12 . 2010-06-16 05:12 -------- d-----w- c:\program files\IE New Window Maximizer
    2010-06-14 20:50 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-07-11 00:14 . 2006-01-15 21:37 19760 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-07-10 20:52 . 2006-01-15 19:59 4212 ---ha-w- c:\windows\system32\zllictbl.dat
    2010-05-24 21:02 . 2010-05-24 21:02 -------- d-----w- c:\program files\SIW
    2010-05-24 20:09 . 2010-05-24 20:09 503808 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1796ea67-n\msvcp71.dll
    2010-05-24 20:09 . 2010-05-24 20:09 499712 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1796ea67-n\jmc.dll
    2010-05-24 20:09 . 2010-05-24 20:09 348160 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1796ea67-n\msvcr71.dll
    2010-05-24 20:09 . 2010-05-24 20:09 61440 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7c814f4b-n\decora-sse.dll
    2010-05-24 20:09 . 2010-05-24 20:09 12800 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7c814f4b-n\decora-d3d.dll
    2010-05-19 21:28 . 2010-05-19 21:28 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\DYMO
    2010-05-19 04:06 . 2010-05-19 04:05 503808 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4182a751-n\msvcp71.dll
    2010-05-19 04:06 . 2010-05-19 04:05 499712 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4182a751-n\jmc.dll
    2010-05-19 04:06 . 2010-05-19 04:05 348160 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4182a751-n\msvcr71.dll
    2010-05-19 04:06 . 2010-05-19 04:05 61440 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-76d3077b-n\decora-sse.dll
    2010-05-19 04:06 . 2010-05-19 04:05 12800 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-76d3077b-n\decora-d3d.dll
    2010-05-17 17:16 . 2010-05-17 17:16 -------- d-----w- c:\program files\CheckPoint
    2010-05-17 13:50 . 2010-05-17 13:50 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Kaspersky Lab
    2010-05-16 18:23 . 2010-05-16 18:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-05-14 20:36 . 2010-05-14 20:36 -------- d-----w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\ElevatedDiagnostics
    2010-05-14 17:13 . 2010-05-14 17:13 -------- d-----w- c:\program files\Windows Live Safety Center
    2010-05-14 15:48 . 2010-05-14 15:48 -------- d-----w- c:\program files\CCleaner
    2010-05-06 15:36 . 2009-10-02 22:01 221568 ------w- c:\windows\system32\MpSigStub.exe
    2010-05-06 10:41 . 2006-06-23 16:33 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-05-02 05:22 . 2003-03-31 17:00 1851264 ----a-w- c:\windows\system32\win32k.sys
    2010-04-24 00:14 . 2010-04-24 00:14 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2010-04-20 05:30 . 2003-03-31 17:00 285696 ----a-w- c:\windows\system32\atmfd.dll
    2010-04-17 05:04 . 2010-04-17 05:04 306032 ----a-w- c:\windows\WLXPGSS.SCR
    2006-07-20 20:07 . 2006-07-20 20:07 18801 ------w- c:\program files\IE70BlockerHelp.htm
    2006-05-08 22:07 . 2006-05-08 22:07 28142 ------w- c:\program files\IE70BlockerHelp-GPFilteringDialog.jpg
    2006-05-08 21:13 . 2006-05-08 21:13 3730 ------w- c:\program files\IE70Blocker.adm
    2006-05-08 21:13 . 2006-05-08 21:13 1809 ------w- c:\program files\IE70Blocker.cmd
    2005-05-26 19:35 . 2007-11-23 21:24 1422 ------w- c:\program files\ReadMe.txt
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TClockEx "= "c:\program files\TClockEx\TCLOCKEX.EXE" [2000-03-09 89088]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Adobe ARM "= "c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "Windows Defender "= "c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
    "SunJavaUpdateSched "= "c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "avast5 "= "c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator "= "Narrator.exe" [2008-04-14 53760]
    "tscuninstall "= "c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

    c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Start Menu\Programs\Startup\
    MailWasherPro.lnk - c:\program files\FireTrust\MailWasher Pro\MailWasher.exe [2006-1-6 18480224]

    c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoThumbnailCache "= 0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @=" "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @= "Service "

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^hp psc 1000 series.lnk]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^hpoddt01.exe.lnk]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe "=

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [7/10/2010 4:29 PM 165456]
    R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [4/23/2010 7:14 PM 95024]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/10/2010 4:29 PM 17744]
    R2 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\PCPitstop\PCPitstopScheduleService.exe [10/28/2009 11:29 AM 90352]
    R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
    S1 xlgjzamo;xlgjzamo; [x]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder

    2010-07-13 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]

    2010-07-12 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-02-06 21:27]

    2010-07-03 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

    2010-07-13 c:\windows\Tasks\User_Feed_Synchronization-{9913872E-C5A8-4D8F-83A3-237CEECEEC63}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]

    2007-01-21 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 1200 series5E771253C1676EBED677BF361FDFC537825E15B8137559368.job
    - c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 05:52]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyServer = http=127.0.0.1:5577
    uInternet Settings,ProxyOverride = <local>
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-07-13 10:46
    Windows 5.1.2600 Service Pack 3 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1547161642-527237240-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(464)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2010-07-13 10:49:17
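    An added check, not part of ComboFix or of either post: it parses the CFScript the moderator posted and looks for each of its targets in the follow-up log, which is how one can tell that the script did not take effect (every target is still listed). The two sample strings are constructed excerpts of the script and log above, with the stray space inside the quoted value name removed.

```python
# Added example for this thread; not part of ComboFix or of any post here.
import re

# Constructed: the CFScript the moderator posted (quote spacing normalised).
CFSCRIPT = """\
File::
c:\\windows\\system32\\zllictbl.dat

Folder::
c:\\documents and settings\\Richard Doenges.HOME-KVJPCI4PIU\\Local Settings\\Application Data\\gmrnrjqoc

Driver::
xlgjzamo

Registry::
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusOverride"=-

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5577
"""

# Constructed: only the lines of the follow-up ComboFix log that matter here.
LOG_AFTER = """\
2010-07-10 20:52 . 2006-01-15 19:59 4212 ---ha-w- c:\\windows\\system32\\zllictbl.dat
2010-07-09 18:29 . 2010-07-09 18:29 -------- d-----w- c:\\documents and settings\\Richard Doenges.HOME-KVJPCI4PIU\\Local Settings\\Application Data\\gmrnrjqoc
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusOverride"=dword:00000001
R1 aswSP;aswSP;c:\\windows\\system32\\drivers\\aswSP.sys [7/10/2010 4:29 PM 165456]
S1 xlgjzamo;xlgjzamo; [x]
uInternet Settings,ProxyServer = http=127.0.0.1:5577
"""


def parse_cfscript(text):
    """Split a CFScript into {section: [entries]}; section headers end in '::'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def registry_targets(entries):
    """Turn a Registry:: section into lower-cased (key, value_name) pairs."""
    pairs, key = [], None
    for entry in entries:
        if entry.startswith("[") and entry.endswith("]"):
            key = entry[1:-1].lower()
            continue
        m = re.match(r'"([^"]+)"=', entry)
        if m and key:
            pairs.append((key, m.group(1).lower()))
    return pairs


def remaining_targets(cfscript_text, log_text):
    """Return {section: [target, ...]} for every script target still in the log."""
    script = parse_cfscript(cfscript_text)
    lines = [l.strip().lower() for l in log_text.splitlines() if l.strip()]
    left = {}
    # File:: and Folder:: entries show up as the path at the end of a listing line.
    for section in ("File", "Folder"):
        for path in script.get(section, []):
            if any(l.endswith(path.lower()) for l in lines):
                left.setdefault(section, []).append(path)
    # Driver:: names show up as service lines such as "S1 name;name; [x]".
    for name in script.get("Driver", []):
        pat = re.compile(r"^[rs]\d\s+" + re.escape(name.lower()) + r";")
        if any(pat.match(l) for l in lines):
            left.setdefault("Driver", []).append(name)
    # Registry:: values are listed under their key in the Reg Loading Points block.
    wanted, key = set(registry_targets(script.get("Registry", []))), None
    for l in lines:
        if l.startswith("[") and l.endswith("]"):
            key = l[1:-1]
            continue
        m = re.match(r'"([^"]+)"=', l)
        if m and key and (key, m.group(1)) in wanted:
            left.setdefault("Registry", []).append(key + "\\" + m.group(1))
    # DDS:: lines are compared verbatim (whitespace-normalised) against the log.
    for entry in script.get("DDS", []):
        norm = re.sub(r"\s+", " ", entry.lower())
        if any(re.sub(r"\s+", " ", l) == norm for l in lines):
            left.setdefault("DDS", []).append(entry)
    return left


def script_took_effect(cfscript_text, log_text):
    """True only when none of the script's targets survive in the follow-up log."""
    return not remaining_targets(cfscript_text, log_text)


if __name__ == "__main__":
    for section, targets in remaining_targets(CFSCRIPT, LOG_AFTER).items():
        print(f"still present [{section}]: {targets}")
    print("script took effect:", script_took_effect(CFSCRIPT, LOG_AFTER))
```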
     
  10. 2010/07/13
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Something went wrong, because my script didn't remove anything.
    Please retry.
     
  11. 2010/07/14
    RickyD2

    RickyD2 Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    421
    Likes Received:
    0
    As I did the first time I ran this, I am getting the response "Are you trying to run CFScript? The name, CFScript appears to be incorrectly spelt".

    Last time I just closed the dialog box and continued on but obviously that did not work. How can CFScript be spelled any other way?

    Now what?
     
  12. 2010/07/14
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Delete your Combofix file, download a fresh one and try again.
    In the future, if you encounter an issue, you have to let me know.
     
  13. 2010/07/14
    RickyD2

    RickyD2 Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    421
    Likes Received:
    0
    Here is the new combofix log -

    ComboFix 10-07-14.01 - Richard Doenges 07/14/2010 22:58:00.10.1 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.195 [GMT -5:00]
    Running from: c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((( Files Created from 2010-06-15 to 2010-07-15 )))))))))))))))))))))))))))))))
    .

    2010-07-11 20:20 . 2010-07-11 20:20 -------- d-----w- c:\program files\Uniblue
    2010-07-11 00:18 . 2010-07-11 00:18 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-07-11 00:17 . 2010-04-28 12:44 54760 ----a-w- c:\windows\system32\drivers\fssfltr_tdi.sys
    2010-07-11 00:17 . 2010-07-11 00:17 -------- d-----w- c:\program files\Microsoft Sync Framework
    2010-07-11 00:16 . 2006-11-29 18:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
    2010-07-11 00:15 . 2010-07-11 00:16 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
    2010-07-11 00:14 . 2010-07-11 00:15 -------- d-----w- c:\program files\Microsoft
    2010-07-11 00:14 . 2010-07-11 00:14 -------- d-----w- c:\program files\Windows Live SkyDrive
    2010-07-11 00:14 . 2010-07-11 00:14 -------- d-----w- c:\program files\Windows Live
    2010-07-11 00:04 . 2010-07-11 00:05 -------- d-----w- c:\program files\Common Files\Windows Live
    2010-07-10 21:29 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-07-10 21:29 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-07-10 21:29 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-07-10 21:29 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-07-10 21:28 . 2010-06-28 20:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-07-10 21:28 . 2010-06-28 20:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-07-10 21:28 . 2010-06-28 20:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-07-10 21:24 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
    2010-07-10 21:24 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
    2010-07-10 21:22 . 2010-07-10 21:22 -------- d-----w- c:\program files\Alwil Software
    2010-07-10 21:22 . 2010-07-10 21:22 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Alwil Software
    2010-07-10 03:58 . 2010-07-10 03:58 -------- d-----w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Local Settings\Application Data\Threat Expert
    2010-07-10 03:39 . 2010-07-10 03:39 -------- d-----w- C:\FOUND.001
    2010-07-10 01:08 . 2010-07-10 01:08 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
    2010-07-09 20:08 . 2010-07-09 20:08 -------- d-----w- c:\program files\Spyware Doctor
    2010-07-09 19:47 . 2010-07-09 19:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\FixCleaner
    2010-07-09 19:18 . 2010-07-09 19:18 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
    2010-07-09 19:18 . 2010-07-09 19:18 -------- d-----w- C:\0ff30b331f6ef8766e8e82859b84f973
    2010-07-09 18:29 . 2010-07-09 18:29 -------- d-----w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Local Settings\Application Data\gmrnrjqoc
    2010-07-09 17:10 . 2010-07-09 17:10 -------- d-----w- C:\FOUND.000
    2010-06-16 05:12 . 2010-06-16 05:12 -------- d-----w- c:\program files\IE New Window Maximizer

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-07-11 00:14 . 2006-01-15 21:37 19760 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-07-10 20:52 . 2006-01-15 19:59 4212 ---ha-w- c:\windows\system32\zllictbl.dat
    2010-06-14 14:31 . 2007-11-24 19:58 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\HelpSvc.exe
    2010-05-24 21:02 . 2010-05-24 21:02 -------- d-----w- c:\program files\SIW
    2010-05-24 20:09 . 2010-05-24 20:09 503808 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1796ea67-n\msvcp71.dll
    2010-05-24 20:09 . 2010-05-24 20:09 499712 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1796ea67-n\jmc.dll
    2010-05-24 20:09 . 2010-05-24 20:09 348160 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1796ea67-n\msvcr71.dll
    2010-05-24 20:09 . 2010-05-24 20:09 61440 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7c814f4b-n\decora-sse.dll
    2010-05-24 20:09 . 2010-05-24 20:09 12800 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7c814f4b-n\decora-d3d.dll
    2010-05-19 21:28 . 2010-05-19 21:28 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\DYMO
    2010-05-19 04:06 . 2010-05-19 04:05 503808 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4182a751-n\msvcp71.dll
    2010-05-19 04:06 . 2010-05-19 04:05 499712 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4182a751-n\jmc.dll
    2010-05-19 04:06 . 2010-05-19 04:05 348160 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4182a751-n\msvcr71.dll
    2010-05-19 04:06 . 2010-05-19 04:05 61440 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-76d3077b-n\decora-sse.dll
    2010-05-19 04:06 . 2010-05-19 04:05 12800 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-76d3077b-n\decora-d3d.dll
    2010-05-17 17:16 . 2010-05-17 17:16 -------- d-----w- c:\program files\CheckPoint
    2010-05-17 13:50 . 2010-05-17 13:50 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Kaspersky Lab
    2010-05-16 18:23 . 2010-05-16 18:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-05-06 15:36 . 2009-10-02 22:01 221568 ------w- c:\windows\system32\MpSigStub.exe
    2010-05-06 10:41 . 2006-06-23 16:33 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-05-02 05:22 . 2003-03-31 17:00 1851264 ----a-w- c:\windows\system32\win32k.sys
    2010-04-24 00:14 . 2010-04-24 00:14 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2010-04-20 05:30 . 2003-03-31 17:00 285696 ----a-w- c:\windows\system32\atmfd.dll
    2010-04-17 05:04 . 2010-04-17 05:04 306032 ----a-w- c:\windows\WLXPGSS.SCR
    2006-07-20 20:07 . 2006-07-20 20:07 18801 ------w- c:\program files\IE70BlockerHelp.htm
    2006-05-08 22:07 . 2006-05-08 22:07 28142 ------w- c:\program files\IE70BlockerHelp-GPFilteringDialog.jpg
    2006-05-08 21:13 . 2006-05-08 21:13 3730 ------w- c:\program files\IE70Blocker.adm
    2006-05-08 21:13 . 2006-05-08 21:13 1809 ------w- c:\program files\IE70Blocker.cmd
    2005-05-26 19:35 . 2007-11-23 21:24 1422 ------w- c:\program files\ReadMe.txt
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-07-13_01.47.41 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-07-15 03:53 . 2010-07-15 03:53 16384 c:\windows\Temp\Perflib_Perfdata_294.dat
    + 2010-07-14 21:37 . 2010-07-14 21:37 49152 c:\windows\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ConfigIcon.dll
    - 2010-07-12 21:10 . 2010-07-12 21:10 37888 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Pres#\74581c81a6103e9b52a29297c932b8f8\System.Windows.Presentation.ni.dll
    + 2010-07-14 22:12 . 2010-07-14 22:12 37888 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Pres#\74581c81a6103e9b52a29297c932b8f8\System.Windows.Presentation.ni.dll
    + 2007-11-24 19:58 . 2010-06-14 14:31 744448 c:\windows\system32\dllcache\helpsvc.exe
    - 2007-11-24 19:58 . 2008-04-14 10:42 744448 c:\windows\system32\dllcache\helpsvc.exe
    - 2010-07-12 21:07 . 2010-07-12 21:07 240128 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsFormsIntegra#\1d0e95615ff5f717ea2a1d51b0159ee5\WindowsFormsIntegration.ni.dll
    + 2010-07-14 21:56 . 2010-07-14 21:57 240128 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsFormsIntegra#\1d0e95615ff5f717ea2a1d51b0159ee5\WindowsFormsIntegration.ni.dll
    + 2010-07-14 21:56 . 2010-07-14 21:56 539648 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\f5284d51729f47804d1b3c57f412b42e\PresentationFramework.Luna.ni.dll
    - 2010-07-12 21:05 . 2010-07-12 21:05 539648 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\f5284d51729f47804d1b3c57f412b42e\PresentationFramework.Luna.ni.dll
    - 2010-07-12 21:05 . 2010-07-12 21:05 224768 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\e73ac6d2129a7d8bedcf95434313b9bd\PresentationFramework.Classic.ni.dll
    + 2010-07-14 21:56 . 2010-07-14 21:56 224768 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\e73ac6d2129a7d8bedcf95434313b9bd\PresentationFramework.Classic.ni.dll
    + 2010-07-14 21:56 . 2010-07-14 21:56 258048 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\e1f8801a986cc1681428145bd9030f10\PresentationFramework.Royale.ni.dll
    - 2010-07-12 21:05 . 2010-07-12 21:05 258048 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\e1f8801a986cc1681428145bd9030f10\PresentationFramework.Royale.ni.dll
    + 2010-07-14 21:56 . 2010-07-14 21:56 368128 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\43d7a9a529f269171a1337adfc2cc691\PresentationFramework.Aero.ni.dll
    - 2010-07-12 21:05 . 2010-07-12 21:05 368128 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\43d7a9a529f269171a1337adfc2cc691\PresentationFramework.Aero.ni.dll
    + 2010-07-14 21:56 . 2010-07-14 21:56 1036288 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Printing\51bab056dd2752e1b24ae61a6d19bbe7\System.Printing.ni.dll
    - 2010-07-12 21:06 . 2010-07-12 21:06 1036288 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Printing\51bab056dd2752e1b24ae61a6d19bbe7\System.Printing.ni.dll
    - 2010-07-12 21:06 . 2010-07-12 21:06 2129920 c:\windows\assembly\NativeImages_v2.0.50727_32\ReachFramework\b2a7b070e1db61595813a9a463374c31\ReachFramework.ni.dll
    + 2010-07-14 21:56 . 2010-07-14 21:56 2129920 c:\windows\assembly\NativeImages_v2.0.50727_32\ReachFramework\b2a7b070e1db61595813a9a463374c31\ReachFramework.ni.dll
    + 2010-07-14 21:56 . 2010-07-14 21:56 1658368 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationUI\a89720335f8170a3adec2d70b4665aed\PresentationUI.ni.dll
    - 2010-07-12 21:06 . 2010-07-12 21:06 1658368 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationUI\a89720335f8170a3adec2d70b4665aed\PresentationUI.ni.dll
    + 2006-01-15 21:42 . 2010-07-02 19:39 34045896 c:\windows\system32\MRT.exe
    + 2010-07-14 21:36 . 2010-07-14 21:36 20242432 c:\windows\Installer\6884632.msp
    - 2010-07-12 21:05 . 2010-07-12 21:05 14451712 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\451953f73bc26b08c28c2719927bf878\PresentationFramework.ni.dll
    + 2010-07-14 21:56 . 2010-07-14 21:56 14451712 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\451953f73bc26b08c28c2719927bf878\PresentationFramework.ni.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TClockEx "= "c:\program files\TClockEx\TCLOCKEX.EXE" [2000-03-09 89088]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Adobe ARM "= "c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "Windows Defender "= "c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
    "SunJavaUpdateSched "= "c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "avast5 "= "c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator "= "Narrator.exe" [2008-04-14 53760]
    "tscuninstall "= "c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

    c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Start Menu\Programs\Startup\
    MailWasherPro.lnk - c:\program files\FireTrust\MailWasher Pro\MailWasher.exe [2006-1-6 18480224]

    c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoThumbnailCache "= 0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @=" "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @= "Service "

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^hp psc 1000 series.lnk]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^hpoddt01.exe.lnk]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe "=

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [7/10/2010 4:29 PM 165456]
    R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [4/23/2010 7:14 PM 95024]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/10/2010 4:29 PM 17744]
    R2 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\PCPitstop\PCPitstopScheduleService.exe [10/28/2009 11:29 AM 90352]
    R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
    S1 xlgjzamo;xlgjzamo; [x]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder

    2010-07-15 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]

    2010-07-14 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-02-06 21:27]

    2010-07-03 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

    2010-07-15 c:\windows\Tasks\User_Feed_Synchronization-{9913872E-C5A8-4D8F-83A3-237CEECEEC63}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]

    2007-01-21 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 1200 series5E771253C1676EBED677BF361FDFC537825E15B8137559368.job
    - c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 05:52]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyServer = http=127.0.0.1:5577
    uInternet Settings,ProxyOverride = <local>
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-07-14 23:04
    Windows 5.1.2600 Service Pack 3 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1547161642-527237240-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(3428)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
    .
    Completion time: 2010-07-14 23:07:21
    ComboFix-quarantined-files.txt 2010-07-15 04:07
    ComboFix2.txt 2010-07-13 15:49
    ComboFix3.txt 2010-07-13 01:49
    ComboFix4.txt 2010-05-16 16:46

    Pre-Run: 15,229,288,448 bytes free
    Post-Run: 15,416,459,264 bytes free

    - - End Of File - - 30098EA368155A24F9E5ECE24271602F


    --------------------------------------------------------------

    Now what?
     
  14. 2010/07/14
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    It doesn't look like you actually run my script. Still nothing removed.
     
  15. 2010/07/15
    RickyD2

    RickyD2 Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    421
    Likes Received:
    0
    Firstly, I have no clue as to what you mean stating that I have not actually run your program.
    Here is the most recent, from a fresh, I repeat, fresh download of ComboFix.
    Check the time stamp. If I did not do whatever it is you want me to do, where did I get this report? Check the time stamp.
    ComboFix 10-07-15.01 - Richard Doenges 07/15/2010 13:01:22.13.1 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.181 [GMT -5:00]
    Running from: c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Desktop\ComboFix.exe
    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
    .

    ((((((((((((((((((((((((( Files Created from 2010-06-15 to 2010-07-15 )))))))))))))))))))))))))))))))
    .

    2010-07-11 20:20 . 2010-07-11 20:20 -------- d-----w- c:\program files\Uniblue
    2010-07-11 00:18 . 2010-07-11 00:18 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-07-11 00:17 . 2010-04-28 12:44 54760 ----a-w- c:\windows\system32\drivers\fssfltr_tdi.sys
    2010-07-11 00:17 . 2010-07-11 00:17 -------- d-----w- c:\program files\Microsoft Sync Framework
    2010-07-11 00:16 . 2006-11-29 18:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
    2010-07-11 00:15 . 2010-07-11 00:16 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
    2010-07-11 00:14 . 2010-07-11 00:15 -------- d-----w- c:\program files\Microsoft
    2010-07-11 00:14 . 2010-07-11 00:14 -------- d-----w- c:\program files\Windows Live SkyDrive
    2010-07-11 00:14 . 2010-07-11 00:14 -------- d-----w- c:\program files\Windows Live
    2010-07-11 00:04 . 2010-07-11 00:05 -------- d-----w- c:\program files\Common Files\Windows Live
    2010-07-10 21:29 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-07-10 21:29 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-07-10 21:29 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-07-10 21:29 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-07-10 21:28 . 2010-06-28 20:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-07-10 21:28 . 2010-06-28 20:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-07-10 21:28 . 2010-06-28 20:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-07-10 21:24 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
    2010-07-10 21:24 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
    2010-07-10 21:22 . 2010-07-10 21:22 -------- d-----w- c:\program files\Alwil Software
    2010-07-10 21:22 . 2010-07-10 21:22 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Alwil Software
    2010-07-10 03:58 . 2010-07-10 03:58 -------- d-----w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Local Settings\Application Data\Threat Expert
    2010-07-10 03:39 . 2010-07-10 03:39 -------- d-----w- C:\FOUND.001
    2010-07-10 01:08 . 2010-07-10 01:08 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
    2010-07-09 20:08 . 2010-07-09 20:08 -------- d-----w- c:\program files\Spyware Doctor
    2010-07-09 19:47 . 2010-07-09 19:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\FixCleaner
    2010-07-09 19:18 . 2010-07-09 19:18 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
    2010-07-09 19:18 . 2010-07-09 19:18 -------- d-----w- C:\0ff30b331f6ef8766e8e82859b84f973
    2010-07-09 18:29 . 2010-07-09 18:29 -------- d-----w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Local Settings\Application Data\gmrnrjqoc
    2010-07-09 17:10 . 2010-07-09 17:10 -------- d-----w- C:\FOUND.000
    2010-06-16 05:12 . 2010-06-16 05:12 -------- d-----w- c:\program files\IE New Window Maximizer

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-07-11 00:14 . 2006-01-15 21:37 19760 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-07-10 20:52 . 2006-01-15 19:59 4212 ---ha-w- c:\windows\system32\zllictbl.dat
    2010-06-14 14:31 . 2007-11-24 19:58 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\HelpSvc.exe
    2010-05-24 21:02 . 2010-05-24 21:02 -------- d-----w- c:\program files\SIW
    2010-05-24 20:09 . 2010-05-24 20:09 503808 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1796ea67-n\msvcp71.dll
    2010-05-24 20:09 . 2010-05-24 20:09 499712 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1796ea67-n\jmc.dll
    2010-05-24 20:09 . 2010-05-24 20:09 348160 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1796ea67-n\msvcr71.dll
    2010-05-24 20:09 . 2010-05-24 20:09 61440 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7c814f4b-n\decora-sse.dll
    2010-05-24 20:09 . 2010-05-24 20:09 12800 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7c814f4b-n\decora-d3d.dll
    2010-05-19 21:28 . 2010-05-19 21:28 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\DYMO
    2010-05-19 04:06 . 2010-05-19 04:05 503808 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4182a751-n\msvcp71.dll
    2010-05-19 04:06 . 2010-05-19 04:05 499712 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4182a751-n\jmc.dll
    2010-05-19 04:06 . 2010-05-19 04:05 348160 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4182a751-n\msvcr71.dll
    2010-05-19 04:06 . 2010-05-19 04:05 61440 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-76d3077b-n\decora-sse.dll
    2010-05-19 04:06 . 2010-05-19 04:05 12800 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-76d3077b-n\decora-d3d.dll
    2010-05-17 17:16 . 2010-05-17 17:16 -------- d-----w- c:\program files\CheckPoint
    2010-05-17 13:50 . 2010-05-17 13:50 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Kaspersky Lab
    2010-05-16 18:23 . 2010-05-16 18:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-05-06 15:36 . 2009-10-02 22:01 221568 ------w- c:\windows\system32\MpSigStub.exe
    2010-05-06 10:41 . 2006-06-23 16:33 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-05-02 05:22 . 2003-03-31 17:00 1851264 ----a-w- c:\windows\system32\win32k.sys
    2010-04-24 00:14 . 2010-04-24 00:14 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2010-04-20 05:30 . 2003-03-31 17:00 285696 ----a-w- c:\windows\system32\atmfd.dll
    2010-04-17 05:04 . 2010-04-17 05:04 306032 ----a-w- c:\windows\WLXPGSS.SCR
    2006-07-20 20:07 . 2006-07-20 20:07 18801 ------w- c:\program files\IE70BlockerHelp.htm
    2006-05-08 22:07 . 2006-05-08 22:07 28142 ------w- c:\program files\IE70BlockerHelp-GPFilteringDialog.jpg
    2006-05-08 21:13 . 2006-05-08 21:13 3730 ------w- c:\program files\IE70Blocker.adm
    2006-05-08 21:13 . 2006-05-08 21:13 1809 ------w- c:\program files\IE70Blocker.cmd
    2005-05-26 19:35 . 2007-11-23 21:24 1422 ------w- c:\program files\ReadMe.txt
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-07-13_01.47.41 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-07-15 17:41 . 2010-07-15 17:41 16384 c:\windows\Temp\Perflib_Perfdata_650.dat
    + 2010-07-14 21:37 . 2010-07-14 21:37 49152 c:\windows\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ConfigIcon.dll
    - 2010-07-12 21:10 . 2010-07-12 21:10 37888 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Pres#\74581c81a6103e9b52a29297c932b8f8\System.Windows.Presentation.ni.dll
    + 2010-07-14 22:12 . 2010-07-14 22:12 37888 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Pres#\74581c81a6103e9b52a29297c932b8f8\System.Windows.Presentation.ni.dll
    + 2007-11-24 19:58 . 2010-06-14 14:31 744448 c:\windows\system32\dllcache\helpsvc.exe
    - 2007-11-24 19:58 . 2008-04-14 10:42 744448 c:\windows\system32\dllcache\helpsvc.exe
    - 2010-07-12 21:07 . 2010-07-12 21:07 240128 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsFormsIntegra#\1d0e95615ff5f717ea2a1d51b0159ee5\WindowsFormsIntegration.ni.dll
    + 2010-07-15 16:48 . 2010-07-15 16:48 240128 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsFormsIntegra#\1d0e95615ff5f717ea2a1d51b0159ee5\WindowsFormsIntegration.ni.dll
    + 2010-07-15 16:46 . 2010-07-15 16:46 539648 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\f5284d51729f47804d1b3c57f412b42e\PresentationFramework.Luna.ni.dll
    - 2010-07-12 21:05 . 2010-07-12 21:05 539648 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\f5284d51729f47804d1b3c57f412b42e\PresentationFramework.Luna.ni.dll
    + 2010-07-15 16:46 . 2010-07-15 16:46 224768 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\e73ac6d2129a7d8bedcf95434313b9bd\PresentationFramework.Classic.ni.dll
    - 2010-07-12 21:05 . 2010-07-12 21:05 224768 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\e73ac6d2129a7d8bedcf95434313b9bd\PresentationFramework.Classic.ni.dll
    + 2010-07-15 16:46 . 2010-07-15 16:46 258048 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\e1f8801a986cc1681428145bd9030f10\PresentationFramework.Royale.ni.dll
    - 2010-07-12 21:05 . 2010-07-12 21:05 258048 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\e1f8801a986cc1681428145bd9030f10\PresentationFramework.Royale.ni.dll
    - 2010-07-12 21:05 . 2010-07-12 21:05 368128 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\43d7a9a529f269171a1337adfc2cc691\PresentationFramework.Aero.ni.dll
    + 2010-07-15 16:46 . 2010-07-15 16:46 368128 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\43d7a9a529f269171a1337adfc2cc691\PresentationFramework.Aero.ni.dll
    + 2010-07-15 16:48 . 2010-07-15 16:48 1036288 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Printing\51bab056dd2752e1b24ae61a6d19bbe7\System.Printing.ni.dll
    - 2010-07-12 21:06 . 2010-07-12 21:06 1036288 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Printing\51bab056dd2752e1b24ae61a6d19bbe7\System.Printing.ni.dll
    + 2010-07-15 16:47 . 2010-07-15 16:47 2129920 c:\windows\assembly\NativeImages_v2.0.50727_32\ReachFramework\b2a7b070e1db61595813a9a463374c31\ReachFramework.ni.dll
    - 2010-07-12 21:06 . 2010-07-12 21:06 2129920 c:\windows\assembly\NativeImages_v2.0.50727_32\ReachFramework\b2a7b070e1db61595813a9a463374c31\ReachFramework.ni.dll
    + 2010-07-15 16:47 . 2010-07-15 16:47 1658368 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationUI\a89720335f8170a3adec2d70b4665aed\PresentationUI.ni.dll
    - 2010-07-12 21:06 . 2010-07-12 21:06 1658368 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationUI\a89720335f8170a3adec2d70b4665aed\PresentationUI.ni.dll
    + 2006-01-15 21:42 . 2010-07-02 19:39 34045896 c:\windows\system32\MRT.exe
    + 2010-07-14 21:36 . 2010-07-14 21:36 20242432 c:\windows\Installer\6884632.msp
    + 2010-07-15 16:44 . 2010-07-15 16:44 14451712 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\451953f73bc26b08c28c2719927bf878\PresentationFramework.ni.dll
    - 2010-07-12 21:05 . 2010-07-12 21:05 14451712 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\451953f73bc26b08c28c2719927bf878\PresentationFramework.ni.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TClockEx "= "c:\program files\TClockEx\TCLOCKEX.EXE" [2000-03-09 89088]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Adobe ARM "= "c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "Windows Defender "= "c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
    "SunJavaUpdateSched "= "c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "avast5 "= "c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator "= "Narrator.exe" [2008-04-14 53760]
    "tscuninstall "= "c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

    c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Start Menu\Programs\Startup\
    MailWasherPro.lnk - c:\program files\FireTrust\MailWasher Pro\MailWasher.exe [2006-1-6 18480224]

    c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoThumbnailCache "= 0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @=" "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @= "Service "

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^hp psc 1000 series.lnk]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^hpoddt01.exe.lnk]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe "=

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [7/10/2010 4:29 PM 165456]
    R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [4/23/2010 7:14 PM 95024]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/10/2010 4:29 PM 17744]
    R2 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\PCPitstop\PCPitstopScheduleService.exe [10/28/2009 11:29 AM 90352]
    R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
    S1 xlgjzamo;xlgjzamo; [x]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder

    2010-07-15 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]

    2010-07-14 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-02-06 21:27]

    2010-07-03 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

    2010-07-15 c:\windows\Tasks\User_Feed_Synchronization-{9913872E-C5A8-4D8F-83A3-237CEECEEC63}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]

    2007-01-21 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 1200 series5E771253C1676EBED677BF361FDFC537825E15B8137559368.job
    - c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 05:52]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyServer = http=127.0.0.1:5577
    uInternet Settings,ProxyOverride = <local>
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-07-15 13:08
    Windows 5.1.2600 Service Pack 3 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1547161642-527237240-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(3452)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2010-07-15 13:11:26
    ComboFix-quarantined-files.txt 2010-07-15 18:11

    Pre-Run: 15,350,431,744 bytes free
    Post-Run: 15,342,895,104 bytes free

    - - End Of File - - 10818E16263AEFE250C2A230531C7F4C
     
  16. 2010/07/15
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I'm not saying you didn't run Combofix.
    I said you didn't run my script from reply #7.
     
  17. 2010/07/15
    RickyD2

    RickyD2 Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    421
    Likes Received:
    0
    This is reply #10 and explains, pretty clearly I thought, why #7 wasn't done, and you never gave an answer to a question in #10, and still have not answered the question.

    I will run that program AGAIN for you though.
     
  18. 2010/07/15
    RickyD2

    RickyD2 Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    421
    Likes Received:
    0
    I tried to run the program you are so concerned about and got the same answer as the last 2-3 times =

    As I did the first time I ran this, I am getting the response "Are you trying to run CFScript? The name, CFScript appears to be incorrectly spelt"

    Again I ask you how can CFScript be incorrectly spelt? Furthermore, since this is getting so ridiculous, how shall I handle #7 if I keep getting the same reply as indicated above?

    You told me to uninstall and reinstall Combofix which I did, three times, yet I still continue to get the same error message.

    #7 cannot be answered with these conditions.

    I await your answer to my problem.
     
    Last edited: 2010/07/15
  19. 2010/07/15
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    OK. Delete your Combofix file, download fresh one, but rename combofix.exe to broni.com BEFORE saving it to your desktop.
    Try to run my script again.
     
  20. 2010/07/15
    RickyD2

    RickyD2 Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    421
    Likes Received:
    0
    Please give me the link to download Combofix, it seems to have disappeared from this file.
     
  21. 2010/07/15
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
