Windows Protection Suite - Spyware? Virus?

**Mooseknuckle** · #21 16th Sep 2009, 16:32

DDS (Ver_09-07-30.01) - NTFSx86
Run by Owner at 19:30:23.28 on Wed 09/16/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.760.428 [GMT -4:00]

AV: Windows Protection Suite *On-access scanning enabled* (Updated) {677428D5-7C2D-4960-80AE-BF474FC10ED4}
AV: avast! antivirus 4.8.1229 [VPS 090131-0] *On-access scanning enabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Windows Protection Suite *enabled* {9BCFE7BB-61FF-49CB-8D0F-A662491F6E20}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb1 2.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uDefault_Search_URL = hxxp://srch-qus8.hpwis.com/
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uWindow Title = Microsoft Internet Explorer presented by Comcast
mWindow Title = Microsoft Internet Explorer presented by Comcast
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {D6A116E7-5906-42E4-87F6-E7E15936415E} - No File
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb1 2.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_05\bin\jusched.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [avast!] c:\progra~1\avast4\ashDisp.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRunOnce: [RunNarrator] Narrator.exe
uPolicies-system: RunStartupScriptSync = 1 (0x1)
mPolicies-system: RunStartupScriptSync = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemydsl.verizon.net/sdcCommon/download/tgctlcm.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxsrvc.dll
Notify: OPXPGina - c:\program files\softex\omnipass\opxpgina.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profile s\ax0v6dfa.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - search
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search= yesab&query=
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-6-20 78416]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-9-4 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-9-4 74480]
R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2007-7-20 607576]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswF sBlk.sys [2008-6-20 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast4\ashServ.exe [2007-11-19 147640]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\avast4\ashMaiSv.exe [2007-11-19 250040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\avast4\ashWebSv.exe [2007-11-19 348344]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-9-4 7408]
S2 mrtRate;mrtRate; [x]
S3 WLAN(WLAN);802.11b+g USB Wireless LAN Adapter Driver(WLAN);c:\windows\system32\drivers\ZD1211U.s ys [2005-8-24 273408]
S3 ZDBRGSYS;ZDBRGSYS NDIS Protocol Driver;c:\windows\system32\ZDBRGSYS.sys [2005-8-24 19200]

=============== Created Last 30 ================

2009-09-16 18:03 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-09-16 18:00 <DIR> --d----- c:\windows\ERUNT
2009-09-16 17:55 <DIR> --d----- C:\SDFix
2009-09-14 21:51 <DIR> --dsh--- c:\documents and settings\owner\PrivacIE
2009-09-14 21:49 <DIR> --dsh--- c:\documents and settings\owner\IETldCache
2009-09-14 20:24 100,352 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-09-14 20:24 <DIR> --d----- c:\windows\ie8updates
2009-09-14 20:20 <DIR> -cd-h--- c:\windows\ie8
2009-09-14 19:04 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-14 19:04 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-14 18:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-09-14 18:02 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-09-14 18:02 <DIR> --d----- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2009-09-09 06:13 153,088 -c------ c:\windows\system32\dllcache\triedit.dll

==================== Find3M ====================

2009-08-05 05:01 204,800 -------- c:\windows\system32\mswebdvd.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-12 12:21 233,472 -------- c:\windows\system32\wmpdxm.dll
2009-07-03 13:09 915,456 a------- c:\windows\system32\wininet.dll
2009-06-25 04:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 04:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 04:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 04:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 04:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-25 04:25 730,112 -------- c:\windows\system32\lsasrv.dll
2008-12-20 16:38 42,064 a------- c:\docume~1\owner\applic~1\GDIPFONTCACHEV1.DAT
2008-01-02 21:01 1,509,118 a------- c:\program files\marshal picture.jpg
2007-01-13 00:38 407,680 a------- c:\program files\Install_AIM.exe
2006-12-07 22:28 5,900,416 a------- c:\program files\Firefox Setup 2.0.exe
2006-10-24 20:00 1,609,094 a------- c:\program files\house2.skp
2006-09-02 20:03 190,048 a------- c:\program files\Morpheus.exe
2004-12-29 20:30 0 ----h--- c:\program files\AppUpdate.log
1998-12-08 17:53 186,368 ac------ c:\program files\common files\IRAREG.DLL
1998-12-08 17:53 99,840 ac------ c:\program files\common files\IRAABOUT.DLL
1998-12-08 17:53 70,144 ac------ c:\program files\common files\IRAMDMTR.DLL
1998-12-08 17:53 48,640 ac------ c:\program files\common files\IRALPTTR.DLL
1998-12-08 17:53 31,744 ac------ c:\program files\common files\IRAWEBTR.DLL
1998-12-08 17:53 17,920 ac------ c:\program files\common files\IRASRIAL.DLL
2004-04-12 13:42 32 ac-sh--- c:\windows\{46313D91-E12B-40A2-B52A-440B5497AFE5}.dat
2008-11-06 21:34 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008110620081 107\index.dat

============= FINISH: 19:30:42.95 ===============

**evilfantasy** · #22 16th Sep 2009, 16:43

Go to Add or Remove Programs and uninstall (if found)

MarketResearch

----------

Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

Exit out of MessengerDisable then delete the two files that were put on the desktop.

----------

If you already have ComboFix be sure to delete it and download a new copy.

Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

DO NOT run it yet!

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:

KillAll::

DDS::
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - 
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - 
TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {D6A116E7-5906-42E4-87F6-E7E15936415E} - No File
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

----------

Your Java is out of date.

Older versions have vulnerabilities that malicious sites can use to infect your system.

First install the new Sun Java Runtime Environment

Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Be sure to close all browser windows before beginning the install.

Remove the old version(s)

Download JavaRa
* Unzip the file and open the JavaRa.exe
* Click Remove Older Versions
* JavaRa will search for and remove any outdated version of Java and remove any that are found.
* Click Additional Tasks
* Place a check next to Remove Useless JRE Files and click Go
* Exit JavaRa
* Delete the JavaRa files from the Desktop

Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

----------

**Mooseknuckle** · #23 16th Sep 2009, 17:35

ComboFix 09-09-16.01 - Owner 09/16/2009 20:08.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.760.406 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1229 [VPS 090131-0] *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Altnet
c:\program files\Altnet\Download Manager\asmps.dll
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cevakrnl.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cevakrnl.ivd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cevakrnl.rvd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\emalware.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\emalware.ivd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mdx_97.ivd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\na.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\nelf.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\nelf.cvd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\plugins.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\plugins.cab.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\sdx.ivd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\unpack.cvd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\ve.cvd.cab
c:\program files\Mozilla Firefox\searchplugins\search.xml
c:\windows\Downloaded Program Files\MiniBugTransporter.dll
c:\windows\Installer\15ce7.msi
c:\windows\Installer\15fd5.msp
c:\windows\Installer\1607f7.msi
c:\windows\Installer\19a65c6f.msi
c:\windows\Installer\1d20cb16.msp
c:\windows\Installer\1d20cb52.msp
c:\windows\Installer\315cdc.msi
c:\windows\Installer\4871bbb4.msi
c:\windows\Installer\4871bbc1.msi
c:\windows\Installer\4871bbcc.msi
c:\windows\Installer\4e20cb2.msp
c:\windows\Installer\7ca786.msi
c:\windows\Installer\877469.msi
c:\windows\Installer\8d08c.msi
c:\windows\MailSwitch.ocx
c:\windows\MSKNWRD.dll
c:\windows\system32\651006156.exe
c:\windows\system32\iAlmcoin.dll
c:\windows\system32\ps2.bat

.
((((((((((((((((((((((((( Files Created from 2009-08-17 to 2009-09-17 )))))))))))))))))))))))))))))))
.

2009-09-16 22:03 . 2009-09-16 22:03 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2009-09-16 22:00 . 2009-09-16 22:00 -------- d-----w- c:\windows\ERUNT
2009-09-16 21:55 . 2009-09-16 22:31 -------- d-----w- C:\SDFix
2009-09-15 01:51 . 2009-09-15 01:51 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE
2009-09-15 01:50 . 2009-09-15 01:50 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-09-15 01:49 . 2009-09-15 01:49 -------- d-sh--w- c:\documents and settings\Owner\IETldCache
2009-09-15 00:24 . 2009-08-07 08:48 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-09-15 00:24 . 2009-09-16 07:01 -------- d-----w- c:\windows\ie8updates
2009-09-15 00:22 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-09-15 00:22 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-09-15 00:20 . 2009-09-15 00:22 -------- dc-h--w- c:\windows\ie8
2009-09-14 23:04 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-14 23:04 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-14 22:02 . 2009-09-14 22:02 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-14 22:02 . 2009-09-14 22:02 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-14 22:02 . 2009-09-14 22:02 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-09-09 10:13 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2009-09-17 00:18 . 2007-11-19 23:51 -------- d-----w- c:\program files\Avast4
2009-09-14 23:04 . 2008-04-12 00:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-14 22:02 . 2007-08-27 21:12 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-14 21:53 . 2008-04-10 02:40 -------- d-----w- c:\program files\Ccleaner
2009-08-25 01:10 . 2006-05-06 00:52 -------- d-----w- c:\documents and settings\Owner\Application Data\Image Zone Express
2009-08-05 09:01 . 2002-12-12 14:14 204800 ------w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2003-04-25 16:17 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-12 16:21 . 2003-04-10 10:18 233472 ------w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-02-07 01:05 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2003-04-25 16:24 730112 ------w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2003-04-25 16:24 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2003-04-25 15:46 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2003-04-25 15:44 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2003-04-25 15:44 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2003-04-25 15:44 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2003-04-10 09:37 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2008-01-03 01:01 . 2008-01-03 01:00 1509118 ----a-w- c:\program files\marshal picture.jpg
2007-01-13 04:38 . 2007-01-13 04:38 407680 ----a-w- c:\program files\Install_AIM.exe
2006-12-08 02:28 . 2006-12-08 02:28 5900416 ----a-w- c:\program files\Firefox Setup 2.0.exe
2006-10-25 00:00 . 2006-10-25 00:00 1609094 ----a-w- c:\program files\house2.skp
2006-09-03 00:03 . 2006-09-03 00:02 190048 ----a-w- c:\program files\Morpheus.exe
2004-12-30 00:30 . 2004-12-30 00:30 0 ---h--w- c:\program files\AppUpdate.log
1998-12-08 21:53 . 1998-12-08 21:53 99840 -c--a-w- c:\program files\Common Files\IRAABOUT.DLL
1998-12-08 21:53 . 1998-12-08 21:53 70144 -c--a-w- c:\program files\Common Files\IRAMDMTR.DLL
1998-12-08 21:53 . 1998-12-08 21:53 48640 -c--a-w- c:\program files\Common Files\IRALPTTR.DLL
1998-12-08 21:53 . 1998-12-08 21:53 31744 -c--a-w- c:\program files\Common Files\IRAWEBTR.DLL
1998-12-08 21:53 . 1998-12-08 21:53 186368 -c--a-w- c:\program files\Common Files\IRAREG.DLL
1998-12-08 21:53 . 1998-12-08 21:53 17920 -c--a-w- c:\program files\Common Files\IRASRIAL.DLL
2009-09-16 21:54 . 2006-12-08 02:28 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-09-16 21:54 . 2006-12-08 02:28 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-09-16 21:54 . 2006-12-08 02:28 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2009-09-16 21:54 . 2006-12-08 02:28 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2009-09-16 21:54 . 2006-12-08 02:28 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2004-04-12 17:42 . 2004-04-12 17:42 32 -csha-w- c:\windows\{46313D91-E12B-40A2-B52A-440B5497AFE5}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-03-25 50528]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-04 1994480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86 \3\hpztsb12.exe" [2005-03-08 176128]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-11-02 155648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-08-02 7110656]
"NvMediaCenter"="c:\windows\system32\NvMcTray. dll" [2005-08-02 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"avast!"="c:\progra~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

[hkey_local_machine\software\microsoft\windows\curr entversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
2003-02-21 10:50 40960 ----a-w- c:\program files\Softex\OmniPass\OPXPGina.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^802.11b+g USB Wireless LAN Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\802.11b+g USB Wireless LAN Utility.lnk
backup=c:\windows\pss\802.11b+g USB Wireless LAN Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 8.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 8.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 8.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Companion.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL Companion.lnk
backup=c:\windows\pss\AOL Companion.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
backup=c:\windows\pss\Compaq Connections.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=c:\windows\pss\Kodak software updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk
backup=c:\windows\pss\spamsubtract.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^TrueAssistant.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\TrueAssistant.lnk
backup=c:\windows\pss\TrueAssistant.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Morpheus\\Morpheus.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [6/20/2008 9:18 AM 78416]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/4/2009 2:50 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/4/2009 2:49 PM 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswF sBlk.sys [6/20/2008 9:18 AM 20560]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/4/2009 2:50 PM 7408]
S2 mrtRate;mrtRate; [x]
S3 WLAN(WLAN);802.11b+g USB Wireless LAN Adapter Driver(WLAN);c:\windows\system32\drivers\ZD1211U.s ys [8/24/2005 1:53 PM 273408]
S3 ZDBRGSYS;ZDBRGSYS NDIS Protocol Driver;c:\windows\system32\ZDBRGSYS.sys [8/24/2005 1:53 PM 19200]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSe tup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 19:42]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://srch-qus8.hpwis.com/
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mWindow Title = Microsoft Internet Explorer presented by Comcast
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ax0v6dfa.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search= yesab&query=
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Adobe Acrobat 5.0 - c:\windows\ISUNINST.EXE -fc:\program files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu

************************************************** ************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-16 20:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

************************************************** ************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(512)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\Softex\OmniPass\opxpgina.dll

- - - - - - - > 'explorer.exe'(3236)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\Avast4\aswUpdSv.exe
c:\program files\Avast4\ashServ.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Avast4\ashMaiSv.exe
c:\program files\Avast4\ashWebSv.exe
c:\windows\system32\wscntfy.exe
c:\program files\Avast4\ashDisp.exe
.
************************************************** ************************
.
Completion time: 2009-09-17 20:31 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-17 00:30
ComboFix2.txt 2008-04-12 01:30

Pre-Run: 53,700,952,064 bytes free
Post-Run: 53,685,456,896 bytes free

265 --- E O F --- 2009-09-16 07:01

**evilfantasy** · #24 16th Sep 2009, 17:37

Well that found more than what I thought it would.

* Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
* Now type Combofix /u in the runbox
* Make sure there's a space between Combofix and /u
* Then hit Enter

* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

----------

Clean out your temporary internet files and temp files.

Download TFC by OldTimer to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

TFC will close all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

----------

ESET Online Scan

Scan your computer with the ESET FREE Online Virus Scan

* Click the ESET Online Scanner button.

* For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
* Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
* Double click on the esetsmartinstaller_enu.exe icon on your desktop.
* Place a check mark next to YES, I accept the Terms of Use.

* Click the Start button.
* Accept any security warnings from your browser.
* Leave the check mark next to Remove found threats and place a check next to Scan archives.
* Click the Start button.
* ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
* When the scan completes, click List of found threats.
* Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
* Click the <<Back button then click Finish.

In your next reply please include the ESET Online Scan Log

**Mooseknuckle** · #25 16th Sep 2009, 18:39

i have done everything.....now i am running the ESET Scan again because it did not come up with a log to post after it was done??

**Mooseknuckle** · #26 16th Sep 2009, 18:50

once completed it just says no threats found...

**evilfantasy** · #27 16th Sep 2009, 20:35

OK that's a good thing.

If there are no more malware symptoms we can finish up now.

Download OTM by OldTimer and place it on your desktop. (unless you already have it)

1. Double click OTM to launch it.
Vista users right click and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTM will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
5. When finished exit out of OTM.

----------

Use the Secunia Software Inspector to check for out of date software.
Out of date software has security vulnerabilities that malware can exploit.

Click Start Now
Check the box next to Enable thorough system inspection.
Click Start
Allow the scan to finish and scroll down to see if any updates are needed.
Update anything listed.

----------

Go to Microsoft Windows Update and get all critical updates.

----------

Make sure all of your security programs are up to date and run scans with them regularly.

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster - Secure your Internet Explorer to make it harder for these ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

Check out Keeping Yourself safe On The Web for tips and free tools to keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

**Mooseknuckle** · #28 18th Sep 2009, 07:23

Thanks a lot evil....appreciated

**tom91** · #29 30th Sep 2009, 14:10

I think you've probably fallen victim to Security Veteran, which is a bogus anti-virus program.