
Tech Support Team


  #1
22nd March 2009, 01:27 PM
danjmilos
TST Member
Join Date: Feb 2009, 81 posts.
Location: Steeler Nation Capital
HJT Log danjmilos

While I was doing my morning routine I did a full MBAM scan: nada. So here is my HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:23:08 AM, on 3/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Filseclab\xfilter\xfilter.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Privacyware\Dynamic Security Agent\DSA.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Filseclab\FilMsg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\Program Files\Privacyware\Dynamic Security Agent\pfsvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Catalog Choice - Eliminate unwanted catalogs you receive in the mail
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Catalog Choice - Eliminate unwanted catalogs you receive in the mail
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [XFILTER] "C:\Program Files\Filseclab\xfilter\xfilter.exe" -a
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Dynamic Security Agent] C:\Program Files\Privacyware\Dynamic Security Agent\DSA.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\iexplore.exe Reinstalling your Norton program after running the Norton Removal Tool
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe " -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe " -t (User 'Default user')
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: Filseclab Messenger.lnk = C:\Program Files\Common Files\Filseclab\FilMsg.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - https://activatemydsl.verizon.net/sd...ad/tgctlcm.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase6662.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1157415710169
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HauppaugeTVServer - Hauppauge Computer Works - C:\PROGRA~1\WinTV\HCWTVS~1.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: Privacyware network service (PFNet) - Privacyware/PWI, Inc. - C:\Program Files\Privacyware\Dynamic Security Agent\pfsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: ProtexisLicensing - Unknown owner - C:\Program Files\Common Files\Protexis\License Service\PSIService.exe

--
End of file - 10869 bytes


Dan
  #2
22nd March 2009, 05:13 PM
evilfantasy
Security Team
Join Date: Dec 2007, 2,555 posts.
Location: Tulsa, OK
Did you install Privacyware?

Is this a company computer?
__________________
.

ƃolq s’ʎsɐʇuɐɟlıʌǝ
  #3
22nd March 2009, 06:43 PM
danjmilos
TST Member
Join Date: Feb 2009, 81 posts.
Location: Steeler Nation Capital
EF,

Privacyware is the maker of Dynamic Security Agent (DSA) an add on security along the lines of PC Tools Threatfire.

Dan

It is my home computer.
  #4
22nd March 2009, 07:09 PM
evilfantasy
Security Team
Join Date: Dec 2007, 2,555 posts.
Location: Tulsa, OK
You don't want to be over protected. Too many scanners will actually offer less protection. By the time they get done "arguing" over who is in charge the damage is done...

Disable Spybot's TeaTimer

While TeaTimer is an excellent tool for the prevention of spyware, it can also interfere with HijackThis fixes. Please disable TeaTimer for now until you are clean.

1. Right click Spybot in the System Tray (looks like a calendar with a padlock symbol). Choose Exit Spybot S&D Resident
2. Run Spybot S&D
3. Go to the Mode menu, and make sure Advanced Mode is selected.
4. On the left hand side, choose Tools > Resident.
5. Uncheck Resident TeaTimer, OK any prompt, and restart your computer.

Note:
If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

If TeaTimer will not turn off then uninstall Spybot until we are done cleaning.

----------

Open HijackThis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.

----------

Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix

----------

Download from DDS by sUBs and save it to your Desktop.

Vista users. Right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

* Double click on dds to run it.
* When done, DDS.txt will open.
* You will receive another prompt after a while. Click Yes at the prompt and for the next scan to complete.
* When done, Attach.txt will open.
* Please copy and paste the contents of DDS.txt and Attach.txt in your next reply.
  #5
22nd March 2009, 07:42 PM
danjmilos
TST Member
Join Date: Feb 2009, 81 posts.
Location: Steeler Nation Capital
Isn't alcmtr part of Real Tech Audio? Will my audio be affected if it is deleted?

Dan
  #6
22nd March 2009, 07:52 PM
evilfantasy
Security Team
Join Date: Dec 2007, 2,555 posts.
Location: Tulsa, OK
You don't have to remove it but it is an unnecessary part of Realtek. In many instances removing it will also improve your computer's performance. Removing it will not affect how Realtek functions.

Quote:
alcmtr - ALCMTR.EXE - Program Information
Realtek AC97 Audio - Event Monitor. "Spyware" file used to surreptitiously monitor one's actions. It is not a sinister one, like remote control programs, but it is being used by Realtek to gather data about customers. If you delete this file, then you will not be able to properly update your drivers in the future. It is therefore recommended that you disable the startup instead.

PS. Fixing it with HJT is only disabling it from startup. You are not actually removing the file.

Last edited by evilfantasy; 22nd March 2009 at 07:55 PM.
  #7
22nd March 2009, 09:40 PM
danjmilos
TST Member
Join Date: Feb 2009, 81 posts.
Location: Steeler Nation Capital
EF

Should I do anything with my firewall?

Dan
  #8
22nd March 2009, 09:43 PM
evilfantasy
Security Team
Join Date: Dec 2007, 2,555 posts.
Location: Tulsa, OK
Just turn it off before running ComboFix. If it will not turn off just don't let it block CF from running.
  #9
22nd March 2009, 10:19 PM
danjmilos
TST Member
Join Date: Feb 2009, 81 posts.
Location: Steeler Nation Capital
DDS (Ver_09-03-16.01) - NTFSx86
Run by Owner at 18:16:06.51 on Sun 03/22/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2550.2046 [GMT -4:00]

AV: avast! antivirus 4.8.1335 [VPS 090321-0] *On-access scanning enabled* (Updated)
FW: Privatefirewall *disabled*
FW: Filseclab Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Filseclab\xfilter\xfilter.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Privacyware\Dynamic Security Agent\pfsvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Opera\opera.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Opera\Opera\profile\cache4\temporary_download\dds.pif

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.catalogchoice.org/
mStart Page = hxxp://www.catalogchoice.org/
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
BHO: AutorunsDisabled - No File
BHO: IE7Pro BHO: {00011268-e188-40df-a514-835fcd78b1bf} - c:\program files\iepro\iepro.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [SunKistEM] c:\program files\digital media reader\shwiconem.exe
mRun: [XFILTER] "c:\program files\filseclab\xfilter\xfilter.exe" -a
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Dynamic Security Agent] c:\program files\privacyware\dynamic security agent\DSA.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe " -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\filsec~1.lnk - c:\program files\common files\filseclab\FilMsg.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\autorunsdisabled\kodak software updater.lnk.disabled
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {000002a3-84fe-43f1-b958-f2c3ca804f1a} - {CD275D4E-791A-4993-9D4D-6A071EDD2709} - c:\program files\iepro\iepro.dll
IE: {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - {B119EB0C-C021-46CF-85B0-34A760E0D5FE} - c:\program files\iepro\iepro.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\program files\filseclab\xfilter\XFILTER.DLL
DPF: Microsoft XML Parser for Java
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemydsl.verizon.net/sdcCommon/download/tgctlcm.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1157415710169
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxsrvc.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 XPacket;Filseclab Packet Filter;c:\windows\system32\xpacket.sys [2008-11-20 124752]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-4-3 114768]
R1 pwipf6;pwipf6;c:\windows\system32\drivers\pwipf6.sys [2007-11-22 87304]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-2-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-3 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-4-3 138680]
R2 Maxtor Sync Service;Maxtor Service;c:\program files\maxtor\sync\SyncServices.exe [2008-7-21 193888]
R2 PFNet;Privacyware network service;c:\program files\privacyware\dynamic security agent\pfsvc.exe [2007-11-22 349448]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-4-3 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-4-3 352920]
R3 hcw18bda;Hauppauge WinTV 418 Driver;c:\windows\system32\drivers\hcw18bda.sys [2008-11-26 384896]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]
S3 HauppaugeTVServer;HauppaugeTVServer;c:\progra~1\wintv\HCWTVS~1.EXE [2008-12-26 815104]

=============== Created Last 30 ================

2009-03-22 18:02 <DIR> a-dshr-- C:\cmdcons
2009-03-22 17:51 161,792 a------- c:\windows\SWREG.exe
2009-03-22 17:51 98,816 a------- c:\windows\sed.exe
2009-03-17 18:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Privacyware
2009-03-17 18:25 <DIR> --d----- c:\program files\Privacyware
2009-03-16 21:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Arovax
2009-03-15 17:21 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-03-15 17:20 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-03-10 05:42 73,728 a------- c:\windows\system32\javacpl.cpl
2009-03-09 21:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller

==================== Find3M ====================

2009-03-10 05:42 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-15 17:28 2,864 a------- c:\windows\system32\winsock.dll
2009-02-11 11:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 11:19 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-01-11 23:04 2,560 a------- c:\windows\_MSRSTRT.EXE
2007-03-13 17:11 3,633,152 a--sh--- c:\program files\ehthumbs.db
2008-06-03 18:23 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008060320080604\index.dat

============= FINISH: 18:16:40.16 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-03-16.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 12/15/2005 5:55:22 PM
System Uptime: 3/22/2009 6:06:04 PM (0 hours ago)

Motherboard: Intel Corporation | | D915GAG
Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz | | 3000/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 182 GiB total, 146.868 GiB free.
D: is FIXED (FAT32) - 5 GiB total, 2.408 GiB free.
E: is CDROM ()
F: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {36FC9E60-C465-11CF-8056-444553540000}
Description: USB Mass Storage Device
Device ID: USB\VID_058F&PID_9360\2004888
Manufacturer: Compatible USB storage device
Name: USB Mass Storage Device
PNP Device ID: USB\VID_058F&PID_9360\2004888
Service: USBSTOR

Class GUID:
Description:
Device ID: ROOT\LEGACY_DTD\0000
Manufacturer:
Name:
PNP Device ID: ROOT\LEGACY_DTD\0000
Service:

==== System Restore Points ===================

RP882: 12/23/2008 9:22:36 PM - System Checkpoint
RP883: 12/25/2008 11:47:46 AM - Software Distribution Service 3.0
RP884: 12/26/2008 2:03:37 PM - System Checkpoint
RP885: 12/27/2008 7:17:16 PM - System Checkpoint
RP886: 12/29/2008 10:02:56 AM - Software Distribution Service 3.0
RP887: 12/30/2008 1:54:50 PM - System Checkpoint
RP888: 12/31/2008 2:39:19 PM - System Checkpoint
RP889: 1/1/2009 2:51:12 PM - System Checkpoint
RP890: 1/1/2009 6:01:12 PM - Software Distribution Service 3.0
RP891: 1/2/2009 4:07:01 PM - Revo Uninstaller's restore point - Filseclab Personal Firewall
RP892: 1/2/2009 4:07:22 PM - Removed Filseclab Personal Firewall
RP893: 1/2/2009 4:08:59 PM - Revo Uninstaller's restore point - Filseclab Personal Firewall
RP894: 1/3/2009 4:28:28 PM - System Checkpoint
RP895: 1/4/2009 7:59:47 PM - System Checkpoint
RP896: 1/5/2009 3:18:27 PM - Software Distribution Service 3.0
RP897: 1/6/2009 8:12:29 PM - System Checkpoint
RP898: 1/8/2009 9:48:39 AM - Revo Uninstaller's restore point - Belarc Advisor 7.2
RP899: 1/8/2009 9:50:33 AM - Revo Uninstaller's restore point - Belarc Advisor 7.2
RP900: 1/8/2009 5:17:32 PM - Revo Uninstaller's restore point - Online Armor 3.0
RP901: 1/8/2009 5:19:40 PM - Revo Uninstaller's restore point - Online Armor 3.0
RP902: 1/8/2009 5:40:58 PM - Revo Uninstaller's restore point - PC Tools Firewall Plus 4.0
RP903: 1/8/2009 5:42:37 PM - Revo Uninstaller's restore point - PC Tools Firewall Plus 4.0
RP904: 1/8/2009 6:00:52 PM - Software Distribution Service 3.0
RP905: 1/9/2009 8:37:08 AM - Revo Uninstaller's restore point - PC Tools Firewall Plus 4.0
RP906: 1/9/2009 8:39:06 AM - Revo Uninstaller's restore point - PC Tools Firewall Plus 4.0
RP907: 1/9/2009 8:54:55 AM - Agnitum Outpost Firewall 1.0 Installation
RP908: 1/9/2009 9:13:33 AM - Revo Uninstaller's restore point - Agnitum Outpost Firewall 1.0
RP909: 1/9/2009 9:16:39 AM - Revo Uninstaller's restore point - Agnitum Outpost Firewall 1.0
RP910: 1/9/2009 9:24:59 AM - Installed Filseclab Personal Firewall
RP911: 1/9/2009 9:41:33 AM - Restore Operation
RP912: 1/9/2009 9:46:19 AM - Software Distribution Service 3.0
RP913: 1/9/2009 10:42:03 AM - Revo Uninstaller's restore point - Filseclab Personal Firewall
RP914: 1/9/2009 10:43:25 AM - Revo Uninstaller's restore point - Filseclab Personal Firewall
RP915: 1/9/2009 10:56:24 AM - Restore Operation
RP916: 1/9/2009 3:05:45 PM - Restore Operation
RP917: 1/9/2009 5:39:50 PM - Restore Operation
RP918: 1/9/2009 6:00:14 PM - Software Distribution Service 3.0
RP919: 1/11/2009 11:18:58 AM - System Checkpoint
RP920: 1/11/2009 8:47:17 PM - Revo Uninstaller's restore point - Filseclab Personal Firewall
RP921: 1/11/2009 8:48:43 PM - Revo Uninstaller's restore point - Filseclab Personal Firewall
RP922: 1/11/2009 8:50:23 PM - Revo Uninstaller's restore point - Filseclab Personal Firewall
RP923: 1/11/2009 9:08:54 PM - Agnitum Outpost Firewall 1.0 Installation
RP924: 1/11/2009 10:20:28 PM - Installed Filseclab Personal Firewall
RP925: 1/12/2009 11:05:19 AM - Installed SUPERAntiSpyware Free Edition
RP926: 1/12/2009 2:41:00 PM - Software Distribution Service 3.0
RP927: 1/13/2009 2:51:21 PM - System Checkpoint
RP928: 1/14/2009 4:00:22 PM - Software Distribution Service 3.0
RP929: 1/14/2009 4:50:30 PM - Software Distribution Service 3.0
RP930: 1/14/2009 4:53:09 PM - Software Distribution Service 3.0
RP931: 1/15/2009 6:00:51 PM - Software Distribution Service 3.0
RP932: 1/17/2009 12:52:40 PM - System Checkpoint
RP933: 1/18/2009 5:55:04 PM - System Checkpoint
RP934: 1/19/2009 11:34:28 AM - Software Distribution Service 3.0
RP935: 1/21/2009 3:47:27 PM - System Checkpoint
RP936: 1/22/2009 10:47:10 AM - Software Distribution Service 3.0
RP937: 1/23/2009 1:21:41 PM - System Checkpoint
RP938: 1/24/2009 2:12:17 PM - System Checkpoint
RP939: 1/24/2009 2:51:51 PM - Revo Uninstaller's restore point - Move Networks Media Player for Internet Explorer
RP940: 1/24/2009 2:52:46 PM - Revo Uninstaller's restore point - Move Networks Media Player for Internet Explorer
RP941: 1/24/2009 2:57:26 PM - Revo Uninstaller's restore point - Move Networks Media Player for Internet Explorer
RP942: 1/24/2009 2:58:06 PM - Revo Uninstaller's restore point - Move Networks Media Player for Internet Explorer
RP943: 1/25/2009 6:22:54 PM - System Checkpoint
RP944: 1/26/2009 1:25:13 PM - Software Distribution Service 3.0
RP945: 1/26/2009 10:08:21 PM - Installed Java(TM) 6 Update 11
RP946: 1/27/2009 4:24:34 PM - Revo Uninstaller's restore point - Spybot - Search & Destroy
RP947: 1/27/2009 4:27:13 PM - Revo Uninstaller's restore point - Spybot - Search & Destroy
RP948: 1/28/2009 4:50:12 PM - Revo Uninstaller's restore point - Smart Defrag 1.03
RP949: 1/28/2009 4:51:41 PM - Revo Uninstaller's restore point - Smart Defrag 1.03
RP950: 1/29/2009 6:34:14 PM - Software Distribution Service 3.0
RP951: 1/31/2009 2:37:40 PM - System Checkpoint
RP952: 2/1/2009 4:55:57 PM - System Checkpoint
RP953: 2/2/2009 5:11:18 PM - System Checkpoint
RP954: 2/2/2009 6:02:35 PM - Software Distribution Service 3.0
RP955: 2/3/2009 6:42:48 PM - System Checkpoint
RP956: 2/4/2009 6:52:32 PM - System Checkpoint
RP957: 2/5/2009 10:09:37 AM - Software Distribution Service 3.0
RP958: 2/6/2009 5:53:51 PM - System Checkpoint
RP959: 2/7/2009 6:39:21 PM - System Checkpoint
RP960: 2/8/2009 7:53:12 PM - System Checkpoint
RP961: 2/9/2009 3:01:52 PM - Software Distribution Service 3.0
RP962: 2/10/2009 5:11:21 PM - Software Distribution Service 3.0
RP963: 2/12/2009 6:44:18 PM - System Checkpoint
RP964: 2/13/2009 6:00:19 PM - Software Distribution Service 3.0
RP965: 2/15/2009 9:56:32 AM - System Checkpoint
RP966: 2/16/2009 2:08:16 PM - System Checkpoint
RP967: 2/16/2009 6:00:53 PM - Software Distribution Service 3.0
RP968: 2/17/2009 6:54:55 PM - System Checkpoint
RP969: 2/19/2009 4:01:47 PM - Software Distribution Service 3.0
RP970: 2/20/2009 4:16:55 PM - Revo Uninstaller's restore point - ThreatFire
RP971: 2/20/2009 4:19:37 PM - Revo Uninstaller's restore point - ThreatFire
RP972: 2/20/2009 4:20:53 PM - Revo Uninstaller's restore point - ThreatFire
RP973: 2/21/2009 5:14:17 PM - System Checkpoint
RP974: 2/23/2009 2:41:08 PM - Software Distribution Service 3.0
RP975: 2/24/2009 4:31:28 PM - Software Distribution Service 3.0
RP976: 2/25/2009 5:55:33 PM - Software Distribution Service 3.0
RP977: 2/26/2009 7:02:07 PM - System Checkpoint
RP978: 2/27/2009 5:27:54 AM - Software Distribution Service 3.0
RP979: 2/28/2009 11:52:54 AM - System Checkpoint
RP980: 3/2/2009 2:15:52 PM - Software Distribution Service 3.0
RP981: 3/2/2009 7:41:16 PM - Cleaned registry with Windows Live OneCare safety scanner
RP982: 3/4/2009 6:58:29 PM - System Checkpoint
RP983: 3/5/2009 5:36:02 PM - Software Distribution Service 3.0
RP984: 3/5/2009 5:55:51 PM - Software Distribution Service 3.0
RP985: 3/5/2009 6:17:36 PM - Removed Opera 9.63
RP986: 3/5/2009 6:18:10 PM - Installed Opera 9.64
RP987: 3/8/2009 4:12:11 PM - System Checkpoint
RP988: 3/9/2009 8:53:36 AM - Software Distribution Service 3.0
RP989: 3/10/2009 4:41:38 AM - Removed Java(TM) 6 Update 11
RP990: 3/10/2009 4:42:19 AM - Installed Java(TM) 6 Update 12
RP991: 3/10/2009 5:00:25 PM - Software Distribution Service 3.0
RP992: 3/10/2009 8:07:51 PM - Software Distribution Service 3.0
RP993: 3/12/2009 11:07:39 AM - System Checkpoint
RP994: 3/12/2009 5:00:31 PM - Software Distribution Service 3.0
RP995: 3/13/2009 5:31:30 PM - System Checkpoint
RP996: 3/14/2009 1:28:25 PM - Revo Uninstaller's restore point - SUPERAntiSpyware Free Edition
RP997: 3/14/2009 1:28:42 PM - Removed SUPERAntiSpyware Free Edition
RP998: 3/14/2009 1:31:13 PM - Revo Uninstaller's restore point - SUPERAntiSpyware Free Edition
RP999: 3/14/2009 1:32:56 PM - Revo Uninstaller's restore point - Windows Defender
RP1000: 3/14/2009 1:33:21 PM - Removed Windows Defender
RP1001: 3/14/2009 1:35:55 PM - Revo Uninstaller's restore point - Windows Defender
RP1002: 3/14/2009 1:36:47 PM - Revo Uninstaller's restore point - Windows Defender
RP1003: 3/14/2009 1:37:41 PM - Revo Uninstaller's restore point - ESET Online Scanner
RP1004: 3/14/2009 1:38:21 PM - Revo Uninstaller's restore point - ESET Online Scanner
RP1005: 3/15/2009 4:39:39 PM - Revo Uninstaller's restore point - ThreatFire
RP1006: 3/15/2009 4:41:31 PM - Revo Uninstaller's restore point - ThreatFire
RP1007: 3/15/2009 5:21:43 PM - Installed SUPERAntiSpyware Free Edition
RP1008: 3/16/2009 8:27:16 PM - System Checkpoint
RP1009: 3/16/2009 9:46:15 PM - Software Distribution Service 3.0
RP1010: 3/16/2009 10:02:05 PM - Revo Uninstaller's restore point - Arovax Shield 2.1.103
RP1011: 3/16/2009 10:04:13 PM - Revo Uninstaller's restore point - Arovax Shield 2.1.103
RP1012: 3/17/2009 6:25:41 PM - Installed Dynamic Security Agent 2.0
RP1013: 3/18/2009 8:29:08 PM - System Checkpoint
RP1014: 3/20/2009 6:11:54 AM - System Checkpoint
RP1015: 3/21/2009 11:59:15 AM - System Checkpoint
RP1016: 3/21/2009 12:58:11 PM - Revo Uninstaller's restore point - WinPcap 4.0.2
RP1017: 3/21/2009 1:01:00 PM - Revo Uninstaller's restore point - WinPcap 4.0.2
RP1018: 3/22/2009 3:56:11 PM - System Checkpoint
RP1019: 3/22/2009 5:53:23 PM - ComboFix created restore point

==== Installed Programs ======================

4200
4200_Help
4200Tour
4200Trb
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Help Center 2.1
Adobe Photoshop Elements 5.0
Adobe Reader 7.0.5 Language Support
Adobe Reader 7.1.0
AiO_Scan
AIOMinimal
AiOSoftware
Apple Mobile Device Support
Apple Software Update
avast! Antivirus
BigFix
Bonjour
BufferChm
Cakewalk Pyro 5
CardRd81
CCleaner (remove only)
CCScore
Copy
CP_AtenaShokunin1Config
CP_CalendarTemplates1
CP_Package_Basic1
CP_Panorama1Config
CR2
CreativeProjects
CueTour
Destinations
DeviceFunctionQFolder
DeviceManagementQFolder
Digital Media Reader
DocProc
DocumentViewer
DocumentViewerQFolder
Dynamic Security Agent 2.0
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESShelp
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
essvatgt
essvcpt
eSupportQFolder
Fax
Filseclab Personal Firewall
FullDPAppQFolder
GdiplusUpgrade
Google Earth
Google Toolbar for Internet Explorer
Hauppauge English Help Files and Resources
Hauppauge WinTV
Hauppauge WinTV Infrared Remote
Hauppauge WinTV IR Blaster
Hauppauge WinTV Scheduler
Hauppauge WinTV TV Services
High Definition Audio Driver Package - KB835221
High Definition Audio Driver Package - KB888111
Highlight Viewer (Windows Live Toolbar)
HijackThis 2.0.2
HLPPDOCK
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB952287)
HP Document Viewer 5.3
HP Image Zone 5.3
HP Imaging Device Functions 5.3
hp officejet 4200 series
HP Product Assistant
HP PSC & OfficeJet 3.5
HP Scanjet 4800 series
HP Solution Center & Imaging Support Tools 5.3
HP Update
hpg4850
hpg4850QFolder
HPProductAssistant
HPSystemDiagnostics
IE7Pro
InstantShare
InstantShareDevices
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Adapters and Drivers
InterVideo FilterSDK for Hauppauge
iTunes
J2SE Runtime Environment 5.0 Update 2
Java(TM) 6 Update 12
kgcbase
Kodak EasyShare software
KSU
Malwarebytes' Anti-Malware
Map Button (Windows Live Toolbar)
Maxtor Manager
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Digital Image Library 9 - Blocker
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2005
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft Picture It! Library 10
Microsoft Picture It! Premium 10
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Microsoft XML Parser
Move Networks Media Player for Internet Explorer
MSN
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB933579)
Multimedia Keyboard Driver
nanoPEG-Editor 2.6.0 for WinTV
Napster Burn Engine
Nero BurnRights
Nero OEM
Notifier
OfotoXMI
Opera 9.64
OTtBP
OTtBPSDK
PanoStandAlone
PhotoGallery
PowerDVD
PrintScreen
QFolder
QuickProjects
QuickTime
RandMap
Readme
RealPlayer
Realtek High Definition Audio Driver
Revo Uninstaller 1.80
Scan
ScannerCopy
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
SFR
SHASTA
SKIN0001
SkinsHP1
SkinsHP2
SKINXSDK
Smart Defrag 1.11
Smart Menus (Windows Live Toolbar)
SoftV92 Data Fax Modem with SmartCP
SolutionCenter
Sonic Encoders
Sonic_PrimoSDK
Spybot - Search & Destroy
staticcr
SUPERAntiSpyware Free Edition
TrayApp
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update Rollup 1 for Windows XP Media Center Edition 2005 with HDTV Support (KB873369)
Verizon Online
Verizon Online Consumer DSL 6.1
Verizon Online Help & Support
Verizon Online Help and Support
Viewpoint Media Player
VPRINTOL
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Live Favorites for Windows Live Toolbar
Windows Live installer
Windows Live Mail
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Live Writer
Windows Media Format Runtime
Windows XP Media Center Edition 2005 KB890629
Windows XP Media Center Edition 2005 KB890760
Windows XP Media Center Edition 2005 KB895198
Windows XP Media Center Edition 2005 KB895678
Windows XP Service Pack 3
WIRELESS

==== Event Viewer Messages From Past Week ========

3/22/2009 6:07:02 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)

==== End Of File ===========================
EF
Hope it's enough.
Dan
  #10 (permalink)   Top
Old 22nd March 2009, 11:00 PM
danjmilos's Avatar
TST Member
 
Forgot the ComboFix.

ComboFix 09-03-22.01 - Owner 2009-03-22 18:03:01.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2550.1929 [GMT -4:00]
Running from: c:\documents and settings\Owner\Local Settings\Application Data\Opera\Opera\profile\cache4\temporary_download\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090321-0] *On-access scanning disabled* (Updated)
FW: Filseclab Personal Firewall *enabled*
FW: Privatefirewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-02-22 to 2009-03-22 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-22 21:39 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-17 22:52 --------- d-----w c:\program files\WinTV
2009-03-17 22:25 --------- d-----w c:\program files\Privacyware
2009-03-17 22:25 --------- d-----w c:\documents and settings\All Users\Application Data\Privacyware
2009-03-17 01:51 --------- d-----w c:\documents and settings\All Users\Application Data\Arovax
2009-03-15 21:21 --------- d-----w c:\program files\SUPERAntiSpyware
2009-03-15 21:21 --------- d-----w c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-03-15 21:20 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-15 20:39 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-14 16:27 --------- d-----w c:\program files\QuickTime
2009-03-12 15:12 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-10 09:42 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-03-10 09:42 --------- d-----w c:\program files\Java
2009-03-10 01:50 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-10 01:50 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-03-10 01:49 --------- d-----w c:\documents and settings\Owner\Application Data\Symantec
2009-03-10 01:44 --------- d-----w c:\documents and settings\All Users\Application Data\NortonInstaller
2009-03-05 23:18 --------- d-----w c:\program files\Opera
2009-03-02 22:25 --------- d-----w c:\program files\Windows Live Safety Center
2009-02-26 10:23 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-15 21:28 2,864 ----a-w c:\windows\system32\winsock.dll
2009-02-11 22:17 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-11 15:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 15:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-01 13:55 --------- d-----w c:\documents and settings\Owner\Application Data\Move Networks
2009-01-28 21:54 --------- d-----w c:\program files\IObit
2009-01-28 21:54 --------- d-----w c:\documents and settings\Owner\Application Data\IObit
2009-01-12 03:04 2,560 ----a-w c:\windows\_MSRSTRT.EXE
2007-03-13 21:11 3,633,152 --sha-w c:\program files\ehthumbs.db
2008-06-03 22:23 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008060320080604\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-02-17 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]
"XFILTER"="c:\program files\Filseclab\xfilter\xfilter.exe" [2006-12-23 901120]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-10 148888]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-07-07 185896]
"Dynamic Security Agent"="c:\program files\Privacyware\Dynamic Security Agent\DSA.exe" [2007-11-22 2376968]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HdAShCut.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-05-12 c:\windows\SoundMan.exe]
"AlcWzrd"="ALCWZRD.EXE" [2005-05-12 c:\windows\ALCWZRD.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Filseclab Messenger.lnk - c:\program files\Common Files\Filseclab\FilMsg.exe [2008-11-20 319488]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 237568]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
kodak software updater.lnk.disabled [2009-01-11 1996]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\vio\dvacm.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2004-12-01 15:00 155648 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 14:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-07-07 20:18 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 16:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 5.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\IEPro\\MiniDM.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCPCOM(135)

R0 XPacket;Filseclab Packet Filter;c:\windows\system32\xpacket.sys [2008-11-20 124752]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-04-03 114768]
R1 pwipf6;pwipf6;c:\windows\system32\drivers\pwipf6.sys [2007-11-22 87304]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-02-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-04-03 20560]
R2 PFNet;Privacyware network service;c:\program files\Privacyware\Dynamic Security Agent\pfsvc.exe [2007-11-22 349448]
R3 hcw18bda;Hauppauge WinTV 418 Driver;c:\windows\system32\drivers\hcw18bda.sys [2008-11-26 384896]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]
S3 HauppaugeTVServer;HauppaugeTVServer;c:\progra~1\WinTV\HCWTVS~1.EXE [2008-12-26 815104]
.
Contents of the 'Scheduled Tasks' folder

2009-02-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-03-22 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 12:20]

2009-03-02 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-02-13 19:15]

2009-03-02 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\ [2009-02-24 23:23]

2008-12-01 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-01-26 16:31]

2009-03-22 c:\windows\Tasks\User_Feed_Synchronization-{9A43AD9E-7DD2-4D5F-829C-E53517E3D7BC}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 13:58]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\QTTask.exe


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.catalogchoice.org/
mStart Page = hxxp://www.catalogchoice.org/
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
IE: {{000002a3-84fe-43f1-b958-f2c3ca804f1a} - {CD275D4E-791A-4993-9D4D-6A071EDD2709} - c:\program files\IEPro\iepro.dll
LSP: c:\program files\Filseclab\xfilter\XFILTER.DLL
DPF: Microsoft XML Parser for Java
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-22 18:07:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(796)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\pfproc.dll

- - - - - - - > 'lsass.exe'(852)
c:\program files\Filseclab\xfilter\XFILTER.DLL
c:\windows\system32\pfproc.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Real\RealPlayer\realplay.exe
c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Maxtor\Sync\SyncServices.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Common Files\Protexis\License Service\PSIService.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-22 18:11:19 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-22 22:11:16

Pre-Run: 157,774,049,280 bytes free
Post-Run: 157,670,866,944 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

217 --- E O F --- 2009-03-17 01:47:45

thought I lost it.
  #11 (permalink)   Top
Old 23rd March 2009, 12:05 AM
danjmilos's Avatar
TST Member
 
10 EDT bed time, 9:30 check
  #12 (permalink)   Top
Old 23rd March 2009, 01:16 AM
evilfantasy's Avatar
Security Team
 
Join Date: Dec 2007, 2,555 posts.
Location: Tulsa, OK
Reputation: evilfantasy will become famous soon enough
ComboFix removed the Winpcap files.

Go to Add/Remove Programs and uninstall:
  • J2SE Runtime Environment 5.0 Update 2
  • Viewpoint Media Player

----------

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::

DDS::
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.
__________________
.

ƃolq s’ʎsɐʇuɐɟlıʌǝ
  #13 (permalink)   Top
Old 23rd March 2009, 01:36 AM
danjmilos's Avatar
TST Member
 
It will have to be tomorrow, too tired. Saved ComboFix to desktop, icon was there before reboot but not now, so how do I get my icon back?

Goodnight
Dan
  #14 (permalink)   Top
Old 23rd March 2009, 01:41 AM
evilfantasy's Avatar
Security Team
 
Download ComboFix again.
  #15 (permalink)   Top
Old 23rd March 2009, 07:22 PM
danjmilos's Avatar
TST Member
 
After I download follow post 16? Or something else.
  #16 (permalink)   Top
Old 23rd March 2009, 07:38 PM
evilfantasy's Avatar
Security Team
 
I need the log from post #12
  #17 (permalink)   Top
Old 23rd March 2009, 08:41 PM
danjmilos's Avatar
TST Member
 
EF
Pulling my own teeth as a kid was easier!!!
Dan

ComboFix 09-03-22.01 - Owner 2009-03-23 16:27:31.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2550.2097 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090322-0] *On-access scanning disabled* (Updated)
FW: Filseclab Personal Firewall *enabled*
FW: Privatefirewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-02-23 to 2009-03-23 )))))))))))))))))))))))))))))))
.

2009-03-17 18:25 . 2009-03-17 18:25 <DIR> d-------- c:\program files\Privacyware
2009-03-17 18:25 . 2009-03-17 18:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Privacyware
2009-03-16 21:51 . 2009-03-16 21:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\Arovax
2009-03-15 17:21 . 2009-03-15 17:21 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-03-15 17:20 . 2009-03-15 17:20 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-03-10 05:42 . 2009-03-10 05:42 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-09 21:44 . 2009-03-09 21:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-23 09:34 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-03-23 09:32 --------- d-----w c:\program files\Java
2009-03-22 21:39 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-17 22:52 --------- d-----w c:\program files\WinTV
2009-03-15 21:21 --------- d-----w c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-03-15 20:39 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-14 16:27 --------- d-----w c:\program files\QuickTime
2009-03-12 15:12 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-10 01:50 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-10 01:50 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-03-10 01:49 --------- d-----w c:\documents and settings\Owner\Application Data\Symantec
2009-03-05 23:18 --------- d-----w c:\program files\Opera
2009-03-02 22:25 --------- d-----w c:\program files\Windows Live Safety Center
2009-02-26 10:23 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-11 22:17 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-11 15:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 15:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-01 13:55 --------- d-----w c:\documents and settings\Owner\Application Data\Move Networks
2009-01-28 21:54 --------- d-----w c:\program files\IObit
2009-01-28 21:54 --------- d-----w c:\documents and settings\Owner\Application Data\IObit
2009-01-12 03:04 2,560 ----a-w c:\windows\_MSRSTRT.EXE
2007-03-13 21:11 3,633,152 --sha-w c:\program files\ehthumbs.db
2008-06-03 22:23 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008060320080604\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-03-22_18.10.02.76 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-23 20:31:35 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_41c.dat
+ 2009-03-23 20:31:02 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_5c4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-02-17 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]
"XFILTER"="c:\program files\Filseclab\xfilter\xfilter.exe" [2006-12-23 901120]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-07-07 185896]
"Dynamic Security Agent"="c:\program files\Privacyware\Dynamic Security Agent\DSA.exe" [2007-11-22 2376968]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-10 148888]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HdAShCut.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-05-12 c:\windows\SoundMan.exe]
"AlcWzrd"="ALCWZRD.EXE" [2005-05-12 c:\windows\ALCWZRD.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Filseclab Messenger.lnk - c:\program files\Common Files\Filseclab\FilMsg.exe [2008-11-20 319488]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 237568]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
kodak software updater.lnk.disabled [2009-01-11 1996]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\vio\dvacm.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2004-12-01 15:00 155648 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 14:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-07-07 20:18 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 16:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 5.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\IEPro\\MiniDM.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCPCOM(135)

R0 XPacket;Filseclab Packet Filter;c:\windows\system32\xpacket.sys [2008-11-20 124752]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-04-03 114768]
R1 pwipf6;pwipf6;c:\windows\system32\drivers\pwipf6.sys [2007-11-22 87304]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-02-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-04-03 20560]
R2 PFNet;Privacyware network service;c:\program files\Privacyware\Dynamic Security Agent\pfsvc.exe [2007-11-22 349448]
R3 hcw18bda;Hauppauge WinTV 418 Driver;c:\windows\system32\drivers\hcw18bda.sys [2008-11-26 384896]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]
S3 HauppaugeTVServer;HauppaugeTVServer;c:\progra~1\WinTV\HCWTVS~1.EXE [2008-12-26 815104]
.
Contents of the 'Scheduled Tasks' folder

2009-02-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-03-23 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 12:20]

2009-03-02 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-02-13 19:15]

2009-03-02 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\ [2009-02-24 23:23]

2008-12-01 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-01-26 16:31]

2009-03-23 c:\windows\Tasks\User_Feed_Synchronization-{9A43AD9E-7DD2-4D5F-829C-E53517E3D7BC}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 13:58]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.catalogchoice.org/
mStart Page = hxxp://www.catalogchoice.org/
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
IE: {{000002a3-84fe-43f1-b958-f2c3ca804f1a} - {CD275D4E-791A-4993-9D4D-6A071EDD2709} - c:\program files\IEPro\iepro.dll
LSP: c:\program files\Filseclab\xfilter\XFILTER.DLL
DPF: Microsoft XML Parser for Java
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-23 16:32:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(804)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\pfproc.dll

- - - - - - - > 'lsass.exe'(860)
c:\program files\Filseclab\xfilter\XFILTER.DLL
c:\windows\system32\pfproc.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Maxtor\Sync\SyncServices.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Common Files\Protexis\License Service\PSIService.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\windows\system32\dllhost.exe
.
**************************************************************************
.
Completion time: 2009-03-23 16:35:50 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2009-03-23 20:35:46
ComboFix2.txt 2009-03-23 20:06:31
ComboFix3.txt 2009-03-22 22:11:23

Pre-Run: 157,479,718,912 bytes free
Post-Run: 157,459,861,504 bytes free

201 --- E O F --- 2009-03-17 01:47:45
  #18 (permalink)   Top
Old 23rd March 2009, 09:04 PM
evilfantasy's Avatar
Security Team
 
Join Date: Dec 2007, 2,555 posts.
Location: Tulsa, OK
Reputation: evilfantasy will become famous soon enough
OK that looks good.

How is the computer acting now?
__________________
.

ƃolq s’ʎsɐʇuɐɟlıʌǝ
  #19 (permalink)   Top
Old 23rd March 2009, 10:07 PM
danjmilos's Avatar
TST Member
 
Join Date: Feb 2009, 81 posts.
Location: Steeler Nation Capital
Reputation: danjmilos is on a distinguished road
EF,

It seems smoother going from one page to the next, not that little hesitation it had sometimes. Everything seems to be working good, I'll know better when I do some more vinyl transfers in a few days. Those empty numbered files, what were they anyway? I'll keep the logs a few weeks and ComboFix stays on the desktop. I've been changing my security around, DSA is going like Threatfire, too many alerts for my wife who doesn't know how to handle them. Just sitting and watching scans for MBAM, SAS, avast, and what not else I've gotten used to what programs the initials belong to. Should I delete all previous restore points to avoid putting them back on? I've removed Viewpoint a few times in the past, used Revo on it, it touched all players on my computer. Murphy took over in a few spots, internet dropped at times downloading and with every reboot had to shut security off again. I want to THANK YOU LOADS. I'm going to list you as a friend if you don't mind.

Dan

Life gets in the way of life!
  #20 (permalink)   Top
Old 23rd March 2009, 10:20 PM
evilfantasy's Avatar
Security Team
 
Join Date: Dec 2007, 2,555 posts.
Location: Tulsa, OK
Reputation: evilfantasy will become famous soon enough
OK, let's do some clean up now and remove old restore points etc. ComboFix needs to be removed. It's not a tool that should be run just whenever. It can do just as much damage as it does good so is to be used with caution.

As far as security you have two firewalls installed. It only looks like one is active so it should be OK. Note that ThreatFire is very similar to a firewall in that it is a behavior-based detector. Also too much real-time security is never a good thing.

Real time protection:
One antivirus
One firewall
One antispyware like ThreatFire or the paid version of MalwareBytes
Windows Defender can usually run along with anything.

On demand scanners like MalwareBytes and Spybot or SUPERAntiSpyware. You can have as many as you like but the ones I just listed are the best.


  • Click START then RUN
  • Now type Combofix /u in the runbox
  • Make sure there's a space between Combofix and /u
  • Then hit Enter.
.

The above procedure will:
  • Delete:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Set a new, clean Restore Point.


----------

Use the Secunia Software Inspector to check for out of date software.
  • Click Start Now
  • Check the box next to Enable thorough system inspection.
  • Click Start
  • Allow the scan to finish and scroll down to see if any updates are needed.
  • Update anything listed.


----------

Go to Microsoft Windows Update and get all critical security updates. (you will need to use Internet Explorer to do this)

----------

Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC.

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster - Secure your Internet Explorer to make it harder for these ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.
__________________
.

ƃolq s’ʎsɐʇuɐɟlıʌǝ
All times are GMT.