perrymc

Honorary Members
  • Posts: 24
  • Reputation: 0 Neutral

  1. Ran the new copy of combofix. The previous runs of combofix produced much smaller files 14kb and 15kb. Since this one is 786kb, I chose to attach it rather than copy and paste. Not sure if that was the right thing to do or not. ComboFix.txt
  2. Good morning! Since I cannot do a screen capture, here is what I have found ... My ethernet and wireless adapters are working okay ... I don't think we need to uninstall these drivers but still can if we decide to.
     WORKING (these two have properties tabs 'Advanced', 'Resources' and 'Power Management' that the ones not working do not have; the working two are from Microsoft and Texas Instruments):
     - 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible)
     - 802.11g Wireless PCI Card
     NOT WORKING:
     - ! 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible) - WinpkFilter Miniport
     - ! 802.11g Wireless PCI Card - WinpkFilter Miniport
     - ! NETGEAR FA310TX Fast Ethernet Adapter (NGRPCI) - WinpkFilter Miniport
     - ! WAN Miniport (IP) - WinpkFilter Miniport
     1) I can enable/disable them but cannot uninstall in any mode.
     2) I went into properties for all four. They are identical except for the Device Instance Id:
        Properties, General tab: Manufacturer - NTKR
        Properties, Driver tab: Driver Provider - NTKR; Driver Date - 10/20/2005; Driver Vsn - 3.0.0.1
        Driver Details: C:\windows\system32\drivers\Ndisrd.sys; Provider: NT Kernel Resources; File Vsn: 3.0.4.1; Copyright: NT Kernel Resources 2000-2008; Not digitally signed
        Details tab: the drop-down menu has "Driver Instance Id" selected for all four. The box below "Driver Instance Id" only varies by one digit (the portion in parens only identifies the adapter I am referring to):
        (3Com 3C920 ... WinpkFilter ...) ROOT\NT_NDISRDMP\0003
        (802.11g ... WinpkFilter ...) ROOT\NT_NDISRDMP\0001
        (NETGEAR FA3 ... WinpkFilter ...) ROOT\NT_NDISRDMP\0000
        (WAN Miniport ... WinpkFilter ...) ROOT\NT_NDISRDMP\0002
     3) C:\windows\system32\drivers\Ndisrd.sys does exist. I have not tried to delete or remove it.
        A search of the registry did not show a reference to Ndisrd.sys but did show entries for NDISRDMP as follows:
        HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\DeviceClasses\{ad498944-762f-11d0-8dcb-00c04fc3358c}\##?#Root#NT_NDISRDMP#0001#{ad498944-762f-11d0-8dcb-00c04fc3358c}
        HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\DeviceClasses\{ad498944-762f-11d0-8dcb-00c04fc3358c}\##?#ROOT#NT_NDISRDMP#0002#{ad498944-762f-11d0-8dcb-00c04fc3358c}
        HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\DeviceClasses\{ad498944-762f-11d0-8dcb-00c04fc3358c}\##?#ROOT#NT_NDISRDMP#0003#{ad498944-762f-11d0-8dcb-00c04fc3358c}
        HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\NT_NDISRDMP
        HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Hardware Profiles\0001\System\CurrentControlSet\Enum\ROOT\NT_NDISRDMP
        HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Hardware\Profiles\Current\System\CurrentControlSet\Enum\ROOT\NT_NDISRDMP
        HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Ndisrd
        HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\DeviceClasses\{ad498944-762f-11d0-8dcb-00c04fc3358c}\##?#Root#NT_NDISRDMP#0001#{ad498944-762f-11d0-8dcb-00c04fc3358c}
        HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\DeviceClasses\{ad498944-762f-11d0-8dcb-00c04fc3358c}\##?#ROOT#NT_NDISRDMP#0002#{ad498944-762f-11d0-8dcb-00c04fc3358c}
        HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\DeviceClasses\{ad498944-762f-11d0-8dcb-00c04fc3358c}\##?#ROOT#NT_NDISRDMP#0003#{ad498944-762f-11d0-8dcb-00c04fc3358c}
        HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\NT_NDISRDMP
        HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Hardware Profiles\0001\System\CurrentControlSet\Enum\ROOT\NT_NDISRDMP
        HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Ndisrd
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{ad498944-762f-11d0-8dcb-00c04fc3358c}\##?#Root#NT_NDISRDMP#0001#{ad498944-762f-11d0-8dcb-00c04fc3358c}
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{ad498944-762f-11d0-8dcb-00c04fc3358c}\##?#ROOT#NT_NDISRDMP#0002#{ad498944-762f-11d0-8dcb-00c04fc3358c}
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{ad498944-762f-11d0-8dcb-00c04fc3358c}\##?#ROOT#NT_NDISRDMP#0003#{ad498944-762f-11d0-8dcb-00c04fc3358c}
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\NT_NDISRDMP
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\0001\System\CurrentControlSet\Enum\ROOT\NT_NDISRDMP
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Enum\ROOT\NT_NDISRDMP
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ndisrd
        HKEY_CURRENT_CONFIG\System\CurrentControlSet\Enum\ROOT\NT_NDISRDMP
     4) I am pretty sure Ndisrd.sys and NDISRDMP are malware and should be removed. Some solutions point to deleting the registry entries that refer to "ROOT\NT_NDISRDMP\0000", ...\0001, ...\0002 and ...\0003, specifically those under the HKLM\system\CurrentControlSet\Enum location. Perhaps one or all ... It seems once the registry entry is gone, the lock on the entry in Device Manager will be removed and that device can be uninstalled ... I don't know on this one ... definitely need your guidance on this. I have not done anything beyond looking.
  3. Hi, I don't think my Clipboard function is working right now ... I am unable to capture prt screen and paste here or to notepad (can I do that?) or wordpad (program is missing). Please bear with me ... my two primary network adapters are working just fine ... I am confident the affected network adapters are part of the malware and there are remnants of it in the registry and system32 folder that is blocking the removal of these adapters. I will work up some details and info about the entries for you and post tomorrow. g'nite for now
  4. Ok, disabled the flagged network adapters in safe mode. Rebooted in safe mode, tried to delete but got same message "Failed to uninstall ...."
  5. I will be using a 500gb Western Digital drive and WD is providing a free copy of Acronis True Image WD Edition. It will work to image any drive over to a WD drive. Been readin' the WD forums n think it should go ok. Will keep readin' to be sure I am ready for any troubles that may come up. Just not sure when I will go for it. Looks like it will be a little easier than I thought .... knock on wood! Tried to uninstall the Network adapter entries... "Failed to uninstall the device. The device may be required to boot up the computer." I tried to uninstall in regular mode, safe mode and safe mode with networking. Same message in all three. Will google this and await your thoughts too.
  6. Yes! some success. SP3 did install but the problem of no ip address, no network and no ability to connect to the internet did not change. So, since the 'netsh winsock reset' back in post #12 did not resolve it back then, I chose to run a small utility 'WinsockxpFix' that resets winsock but also cleans up registry problems associated with the network. It worked .. my network places, ip address and internet connectivity were all restored. Right now I haven't tried using the system much to see if anything else is going on. I still have the Device Manager issue from post #11 with the Network adapter entries having an exclamation point but that appears to be something to be managed for now. So, let me know if we are ready for Defogger or if you want new scans first ..... Thanks so much for your enduring patience!
  7. Okay, quick update ... I guess it was not hung like I thought ... just had the completing installation screen pop up (1 or 2 hours later, didn't track time ... am I bad?). Will restart and follow up with another post.
  8. Yeah, not too clear, huh? I thought I would partition the 500gb drive and assumed it would be necessary to create a partition that matches the size of the 40gb drive I would be replacing. Of course, this is also assuming the old 40gb drive is functioning properly and the old 40gb drive can be cloned to the new partition. The reason I wanted to do it this way is I do not own a copy of Win XP for that system to do a clean install. Anyway, I tried to install SP3 and it hung during the 'finishing installation', 'performing cleanup' phase. I started by copying the standalone version of SP3 to the desktop and running it (I have a copy of the SP3 iso boot version but Microsoft says to use the standalone version if only updating one computer). Not sure if it matters but prior to that I had hooked up a 1Tb external drive (drive f:) and backed up my documents and files. What I forgot to do was dismount and disconnect the drive when I was done. As a result when I executed SP3, it extracted its files to that drive (it did not give me a choice). Everything seemed to be going okay ... it backed up files and registry... installed files then just hung. I wasn't watching the screen so I do not know how far into finishing installation it ran before it hung. The blue progression bar for the whole process appears to be about 5/6 or 6/7 complete (best guess). The Back, Finish, Cancel buttons are greyed out. The Help button is the only one selectable. The light on the front of my external drive is on, making it appear the drive is being accessed (it is not flashing showing normal activity). Also, once in a while the desktop will flicker but not show any other activity. That is where the system sits until you advise .... loads of fun!
  9. SP3 it is then! Will update you this weekend. Most likely on Sunday. Very busy today. I really want to upgrade my hard drive from the 40gb it is to a 500gb drive. I think I want to partition the 500 so it has a matching 40gb boot partition that I can clone the old drive over to and boot from the new drive. Since I don't have the original software, not sure if it can be done. Could you point me to a source to learn more about what is involved? In the meantime, recovery via SP3 is what I am doing. Do understand this is not in the scope of this post so I am just fine if you have no feedback on this item ... I am ok googling for the info, just been hard for me to find a really good site for this. Thank you, thank you, nnnnnnnnnnnn did I say thank you?!
  10. Thanks screen317. Sorry for the delay in responding. Had some other stuff happening. Thank you for helping me clean up the malware. I deleted the two folders. I am not sure where you wanted me to download XP SP3 from. You mention 'here' but I did not see a link. I went to Microsoft downloads and got a copy so I should be all set with that. Is it okay to run DeFogger Re-Enable now? I would like to be sure everything else is restored before continuing. I may try to use Spotmau Powersuite Pro 2008 (have used it to recover my daughter's laptop from BSOD) or maybe a repair (friend has XP Pro SP2 disk) before I make the leap to SP3. Not against SP3, just not entirely for it either. Thanks, await your word on DeFogger and will follow up with how SP3 went if I ultimately do it! Will post either way.
  11. OK, follow-up: I went into a command prompt and typed ipconfig. It returned the heading "Windows IP Configuration" but went right back to the C: prompt. There was no information posted about the ethernet adapter, Wireless Network Connection or Local Area Connection. It looks like no IP address is being assigned. I also tried ipconfig /release and ipconfig /renew with the same result as just ipconfig. Cannot see an IP address for this machine.
  12. Yes, I have a router. I tried bypassing the router both in regular mode and safe mode, straight to the modem, with no change. My other computers have access via the router without problem. I did also lose my network places icons on the infected computer at the same time I lost internet connection after running combofix, so I am assuming my network settings have been affected the same way. (I recall a message some time ago about Registry errors but I don't remember the context.) I assume the infection has been cleaned up and we are now looking to restore function? So would restoring settings stopped by Defogger, then possibly running system repair, maybe help? (I do not have the XP install disks for this system but might be able to get another install disk ...) (Also I have never done a system repair before so it would be all new to me.) I await your guidance.
  13. The response to ping microsoft.com returned "Ping request could not find host microsoft.com. Please check the name and try again."
  14. Please, no apologies! We are thankful people like you take the time to learn how to do this and share your skills with the rest of us! I deleted the folders per your request. Okay, the network connections (wireless and LAN) both show connected despite the problem I stated earlier about Network Connections in Device Manager (which still exists). Unfortunately, something is blocking the connections. Here is what I can share:
     1) Opening IE returns "Internet Explorer cannot display the webpage". Internet Options > Connections > LAN settings are set to auto detect and proxy server is unchecked.
     2) Tried Opera and could get the Google home page but any attempt to search returns "Could not locate remote server".
     3) I thought I would try to update Malwarebytes via the Update tab to see if it could connect -- it returned "An error has occurred. Please report this error code to our support team. MBAM_ERROR_UPDATING (12007,0,WinHttpSendRequest)".
     Not sure what else to try. I will be away from the computer for 1-2 days, so as always -- at your convenience!
  15. Ok deleted combofix, redownloaded and ran along with new dds. Here are the logs. I could not find monipu32.exe in the startup folder and a windows explorer search could not find it. I did have show hidden and system files checked. The Startup folder properties do show 1 file 84 bytes but I cannot see it. Thanks. At your convenience!
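The check a defender would want before acting on post #2 above, added here as an example and not code from perrymc or the thread: it walks the ROOT\NT_NDISRDMP device instances under HKLM\SYSTEM\CurrentControlSet\Enum, resolves each instance's Service to its driver file, and reports the file's Authenticode signature status, so the "Not digitally signed" observation can be confirmed for every instance without touching anything. It assumes Windows PowerShell is installed (it is not present on XP by default) and an elevated prompt; the registry value names (Service, DeviceDesc, ImagePath) are the standard Windows ones, and the function names Resolve-DriverPath and Get-NdisrdmpInventory are mine.

```powershell
# Added example (not from the forum thread): read-only inventory of the
# ROOT\NT_NDISRDMP device instances named in post #2 and the signature state
# of the driver behind each one. Nothing is deleted or modified.
# Assumes Windows PowerShell and an elevated (Administrator) prompt.

$enumRoot     = 'HKLM:\SYSTEM\CurrentControlSet\Enum\ROOT\NT_NDISRDMP'
$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Turn a service ImagePath ("\SystemRoot\...", "system32\...", "\??\C:\...")
# into an ordinary filesystem path. Hypothetical helper, not a built-in.
function Resolve-DriverPath {
    param([string]$ImagePath, [string]$ServiceName)
    if (-not $ImagePath) {
        # Kernel drivers with no ImagePath default to system32\drivers\<name>.sys
        return (Join-Path $env:SystemRoot "system32\drivers\$ServiceName.sys")
    }
    $p = $ImagePath -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    if ($p -notmatch '^[A-Za-z]:\\') {
        $p = Join-Path $env:SystemRoot $p   # path given relative to %SystemRoot%
    }
    return $p
}

function Get-NdisrdmpInventory {
    if (-not (Test-Path $enumRoot)) {
        Write-Warning "No device instances found under $enumRoot"
        return
    }
    Get-ChildItem $enumRoot | ForEach-Object {
        $inst      = Get-ItemProperty -Path $_.PSPath
        $svc       = $inst.Service
        $driver    = $null
        $signature = 'service key missing'
        $signer    = ''

        $svcKey = Join-Path $servicesRoot $svc
        if ($svc -and (Test-Path $svcKey)) {
            $driver = Resolve-DriverPath -ImagePath (Get-ItemProperty $svcKey).ImagePath -ServiceName $svc
            if (Test-Path $driver) {
                $sig       = Get-AuthenticodeSignature -FilePath $driver
                $signature = $sig.Status        # Valid, NotSigned, HashMismatch, ...
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            } else {
                $signature = 'driver file not found'
            }
        }

        # New-Object rather than [PSCustomObject] so this also runs on PowerShell 2.0
        New-Object PSObject -Property @{
            Instance   = "ROOT\NT_NDISRDMP\$($_.PSChildName)"
            DeviceDesc = $inst.DeviceDesc
            Service    = $svc
            Driver     = $driver
            Signature  = $signature
            Signer     = $signer
        }
    } | Select-Object Instance, DeviceDesc, Service, Driver, Signature, Signer
}

Get-NdisrdmpInventory | Format-Table -AutoSize
```

Every instance should resolve to the same Service and driver file; an instance whose Service key is missing or whose driver reports NotSigned is the one to document before any removal step is taken.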