Infection that will not remove

[txshrode]

Hello, I have an infection that never gets eliminated. I can run the check and fix, but it always comes up with them again.

Below is the log file from the most recent scan. The results show "no action taken" because I copied the log prior to restarting.

Has anyone seen this particular issue?

Thanks,

Darin

===============================================================

Malwarebytes' Anti-Malware 1.42

Database version: 3382

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

12/18/2009 9:01:53 AM

mbam-log-2009-12-18 (09-01-44).txt

Scan type: Full Scan (C:\|)

Objects scanned: 217334

Time elapsed: 4 hour(s), 21 minute(s), 52 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 4

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Documents and Settings/Nick Lateur/Local Settings/Temp/pivvfjza.dat (Rootkit.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pivvfjza.dat (Rootkit.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pivvfjza.dat (Rootkit.Agent) -> No action taken.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> No action taken.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\Nick Lateur\Local Settings\Temp\pivvfjza.dat (Rootkit.Agent) -> No action taken.

[sjpritch25]

Welcome to Malwarebytes!!!!!

• Download OTL to your desktop.
  
• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  
• When the window appears, underneath Extra Registry change it to Use SafeList.
  
• Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  
  • When the scan completes, it will open two notepad windows. OTListIt.Txt and Extras.Txt. These are saved in the same location as OTL.
    
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.
    

[txshrode]

OTL logfile created on: 12/18/2009 10:56:19 AM - Run 1

OTL by OldTimer - Version 3.1.18.0 Folder = C:\Documents and Settings\Nick Lateur\Desktop

Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

494.42 Mb Total Physical Memory | 226.37 Mb Available Physical Memory | 45.79% Memory free

1.13 Gb Paging File | 0.62 Gb Available in Paging File | 55.25% Paging File free

Paging file location(s): C:\pagefile.sys 744 1488 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 52.34 Gb Total Space | 26.10 Gb Free Space | 49.88% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: NICK

Current User Name: Nick Lateur

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/12/18 10:54:40 | 00,564,736 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Nick Lateur\Desktop\OTL.exe

PRC - [2009/09/13 18:52:50 | 01,048,392 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Essentials\msseces.exe

PRC - [2009/07/21 13:34:33 | 00,185,089 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe

PRC - [2009/07/02 17:36:52 | 00,017,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe

PRC - [2009/05/13 15:48:22 | 00,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe

PRC - [2009/03/02 12:08:47 | 00,209,153 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

PRC - [2008/11/13 23:24:05 | 00,168,432 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

PRC - [2008/11/04 12:09:58 | 00,615,696 | ---- | M] (Research In Motion Limited) -- C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

PRC - [2008/08/14 17:15:46 | 02,407,184 | ---- | M] () -- C:\Program Files\Logitech\QuickCam\Quickcam.exe

PRC - [2008/08/14 17:11:48 | 00,565,008 | ---- | M] () -- C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

PRC - [2008/08/14 17:11:14 | 00,447,248 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe

PRC - [2008/07/26 08:25:36 | 00,150,040 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

PRC - [2008/07/26 08:23:42 | 00,186,904 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

PRC - [2008/04/13 18:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

PRC - [2007/12/11 12:10:26 | 00,267,048 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe

PRC - [2007/12/11 12:10:16 | 00,504,104 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe

PRC - [2007/10/31 14:09:16 | 00,110,592 | ---- | M] (Apple, Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

PRC - [2007/06/05 13:20:32 | 00,177,704 | ---- | M] () -- C:\WINDOWS\SYSTEM32\PSIService.exe

PRC - [2006/09/07 10:05:16 | 00,102,400 | ---- | M] (GE Security Supra) -- C:\Program Files\GE Security Supra\SyncInfoApp.exe

PRC - [2006/09/07 10:05:16 | 00,053,248 | ---- | M] (GE Security Supra) -- c:\Program Files\GE Security Supra\SyncService.exe

PRC - [2006/09/07 10:05:16 | 00,011,776 | ---- | M] (GE Security Supra) -- C:\Program Files\GE Security Supra\ProxyDaemon.exe

PRC - [2005/11/16 10:34:28 | 00,073,216 | ---- | M] () -- C:\SSL\stunnel-4.10.exe

PRC - [2005/09/20 08:36:20 | 00,114,688 | ---- | M] (Intel Corporation) -- C:\WINDOWS\SYSTEM32\igfxpers.exe

PRC - [2005/09/20 08:32:24 | 00,077,824 | ---- | M] (Intel Corporation) -- C:\WINDOWS\SYSTEM32\hkcmd.exe

PRC - [2005/09/20 08:32:16 | 00,159,744 | ---- | M] (Intel Corporation) -- C:\WINDOWS\SYSTEM32\igfxsrvc.exe

PRC - [2005/06/24 13:38:02 | 00,077,914 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

PRC - [2005/06/24 13:36:40 | 00,729,178 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

PRC - [2004/04/11 20:15:14 | 00,290,816 | ---- | M] (CyberLink Corp.) -- C:\Program Files\Dell\Media Experience\PCMService.exe

PRC - [2004/03/15 01:04:00 | 00,122,933 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe

PRC - [2004/01/12 06:53:30 | 00,360,448 | ---- | M] (Intel Corporation) -- C:\WINDOWS\SYSTEM32\ZCfgSvc.exe

PRC - [2004/01/09 10:12:08 | 00,184,320 | ---- | M] (Intel) -- C:\WINDOWS\SYSTEM32\1XConfig.exe

PRC - [2004/01/09 10:11:36 | 00,303,171 | ---- | M] (Intel Corporation ) -- C:\WINDOWS\SYSTEM32\S24EvMon.exe

PRC - [2004/01/09 10:10:00 | 00,122,880 | ---- | M] (Intel Corporation) -- C:\WINDOWS\SYSTEM32\RegSrvc.exe

PRC - [2003/12/13 15:28:04 | 00,630,915 | ---- | M] (Eastman Kodak Company) -- C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

PRC - [2003/12/05 09:58:36 | 00,314,424 | ---- | M] (Eastman Kodak Company) -- C:\WINDOWS\SYSTEM32\DRIVERS\KodakCCS.exe

PRC - [2003/09/23 00:20:02 | 00,049,152 | ---- | M] (Lexmark International, Inc.) -- C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe

PRC - [2003/09/23 00:01:40 | 00,057,344 | ---- | M] (Lexmark International, Inc.) -- C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe

PRC - [2003/09/22 23:42:00 | 00,303,104 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\SYSTEM32\LEXBCES.EXE

PRC - [2003/09/22 23:37:18 | 00,174,592 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\SYSTEM32\LEXPPS.EXE

PRC - [2003/06/08 17:48:18 | 00,016,432 | ---- | M] () -- C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe

PRC - [2003/02/04 08:22:30 | 00,181,312 | ---- | M] () -- C:\WINDOWS\SYSTEM32\ScsiAccess.EXE

========== Modules (SafeList) ==========

MOD - [2009/12/18 10:54:40 | 00,564,736 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Nick Lateur\Desktop\OTL.exe

MOD - [2008/07/26 08:25:24 | 00,109,080 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\Temp\logishrd\LVPrcInj01.dll

MOD - [2002/03/13 07:57:24 | 00,024,576 | ---- | M] (BackWeb) -- C:\Documents and Settings\Nick Lateur\Local Settings\TempIadHide3.dll

========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (MCVSRte)

SRV - [2009/07/21 13:34:33 | 00,185,089 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)

SRV - [2009/07/02 17:36:52 | 00,017,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe -- (MsMpSvc)

SRV - [2009/05/13 15:48:22 | 00,108,289 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)

SRV - [2008/11/13 23:24:05 | 00,168,432 | ---- | M] (Google) [Auto | Running] -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)

SRV - [2008/07/26 08:25:36 | 00,150,040 | ---- | M] (Logitech Inc.) [Auto | Running] -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe -- (LVPrcSrv)

SRV - [2008/07/26 08:23:42 | 00,186,904 | ---- | M] (Logitech Inc.) [Auto | Running] -- C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe -- (LVCOMSer)

SRV - [2007/12/11 12:10:16 | 00,504,104 | ---- | M] (Apple Inc.) [On_Demand | Running] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)

SRV - [2007/10/31 14:09:16 | 00,110,592 | ---- | M] (Apple, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)

SRV - [2007/06/05 13:20:32 | 00,177,704 | ---- | M] () [Auto | Running] -- C:\WINDOWS\SYSTEM32\PSIService.exe -- (ProtexisLicensing)

SRV - [2007/03/07 14:47:46 | 00,076,848 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\DellSupport\brkrsvc.exe -- (DSBrokerService)

SRV - [2006/09/07 10:05:16 | 00,053,248 | ---- | M] (GE Security Supra) [Auto | Running] -- c:\Program Files\GE Security Supra\SyncService.exe -- (DkeySync)

SRV - [2004/10/22 02:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT)

SRV - [2004/07/15 01:49:26 | 00,032,768 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe -- (aspnet_state)

SRV - [2004/01/09 10:11:36 | 00,303,171 | ---- | M] (Intel Corporation ) [Auto | Running] -- C:\WINDOWS\SYSTEM32\S24EvMon.exe -- (S24EventMonitor)

SRV - [2004/01/09 10:10:00 | 00,122,880 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\WINDOWS\SYSTEM32\RegSrvc.exe -- (RegSrvc)

SRV - [2003/12/05 09:58:36 | 00,314,424 | ---- | M] (Eastman Kodak Company) [Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\KodakCCS.exe -- (KodakCCS)

SRV - [2003/09/22 23:42:00 | 00,303,104 | ---- | M] (Lexmark International, Inc.) [Auto | Running] -- C:\WINDOWS\SYSTEM32\LEXBCES.EXE -- (LexBceS)

SRV - [2003/07/28 11:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)

SRV - [2003/04/29 14:29:54 | 00,139,264 | ---- | M] (Intel® Corporation) [On_Demand | Stopped] -- C:\Program Files\Intel\NCS\Sync\NetSvc.exe -- (NetSvc)

SRV - [2003/02/04 08:22:30 | 00,181,312 | ---- | M] () [Auto | Running] -- C:\WINDOWS\SYSTEM32\ScsiAccess.EXE -- (ScsiAccess)

========== Driver Services (SafeList) ==========

DRV - [2009/12/17 13:21:21 | 00,056,816 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\avgntflt.sys -- (avgntflt)

DRV - [2009/06/18 18:48:04 | 00,142,832 | ---- | M] (Microsoft Corporation) [File_System | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\MpFilter.sys -- (MpFilter)

DRV - [2009/05/11 09:12:24 | 00,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ssmdrv.sys -- (ssmdrv)

DRV - [2009/03/30 09:33:07 | 00,096,104 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\avipbb.sys -- (avipbb)

DRV - [2009/02/13 11:35:05 | 00,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)

DRV - [2008/07/26 09:26:56 | 00,023,832 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\lvuvcflt.sys -- (FilterService)

DRV - [2008/07/26 09:26:44 | 04,658,584 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\lvuvc.sys -- (LVUVC) Logitech QuickCam S5500(UVC)

DRV - [2008/07/26 09:26:22 | 00,041,752 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\LVUSBSta.sys -- (LVUSBSta)

DRV - [2008/07/26 09:25:48 | 00,627,864 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\lvrs.sys -- (LVRS)

DRV - [2008/07/26 08:25:02 | 00,025,624 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\LVPr2Mon.sys -- (LVPr2Mon)

DRV - [2008/05/20 19:33:50 | 00,022,784 | ---- | M] (Research In Motion Limited) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\RimUsb.sys -- (RimUsb)

DRV - [2008/04/13 12:45:12 | 00,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)

DRV - [2008/04/13 12:36:39 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)

DRV - [2008/04/13 12:36:39 | 00,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)

DRV - [2007/11/13 04:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\secdrv.sys -- (Secdrv)

DRV - [2007/10/31 14:09:14 | 00,030,464 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\usbaapl.sys -- (USBAAPL)

DRV - [2007/02/25 11:10:48 | 00,005,376 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\dsunidrv.sys -- (dsunidrv)

DRV - [2007/01/18 10:24:58 | 00,026,496 | R--- | M] (Research in Motion Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\RimSerial.sys -- (RimVSerPort)

DRV - [2007/01/18 10:24:58 | 00,026,496 | R--- | M] (Research in Motion Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\RimSerial.sys -- (RimSerPort)

DRV - [2006/10/05 15:07:28 | 00,004,736 | ---- | M] (Gteko Ltd.) [Kernel | On_Demand | Stopped] -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys -- (DSproct)

DRV - [2006/09/19 14:44:04 | 00,015,664 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys -- (GEARAspiWDM)

DRV - [2006/09/07 10:00:18 | 00,089,808 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\slabser.sys -- (slabser)

DRV - [2006/09/07 10:00:18 | 00,055,312 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\slabbus.sys -- (slabbus) DisplayKEY USB Cradle driver (WDM)

DRV - [2005/09/20 09:00:54 | 01,302,332 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ialmnt5.sys -- (ialm)

DRV - [2005/06/24 13:19:52 | 00,190,560 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\SynTP.sys -- (SynTP)

DRV - [2005/04/08 22:45:40 | 00,020,576 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)

DRV - [2004/11/18 00:55:33 | 00,014,037 | ---- | M] (Meetinghouse Data Communications) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\mdc8021x.sys -- (MDC8021X) AEGIS Protocol (IEEE 802.1x)

DRV - [2004/08/04 05:00:00 | 00,023,424 | ---- | M] (MCCI) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\czryfxbg.sys -- (czryfxbg)

DRV - [2004/08/04 05:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\PTILINK.SYS -- (Ptilink)

DRV - [2004/08/04 05:00:00 | 00,005,888 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ROOTMDM.SYS -- (ROOTMODEM)

DRV - [2004/08/03 22:29:56 | 01,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\NV4_MINI.SYS -- (nv)

DRV - [2004/04/23 09:59:44 | 00,044,032 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\bcm4sbxp.sys -- (bcm4sbxp)

DRV - [2004/03/18 12:01:24 | 00,066,816 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\tifm.sys -- (tifm)

DRV - [2004/03/15 01:04:00 | 00,100,597 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsnudfa.sys -- (tfsnudfa)

DRV - [2004/03/15 01:04:00 | 00,098,580 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsnudf.sys -- (tfsnudf)

DRV - [2004/03/15 01:04:00 | 00,085,972 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsnifs.sys -- (tfsnifs)

DRV - [2004/03/15 01:04:00 | 00,034,837 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsncofs.sys -- (tfsncofs)

DRV - [2004/03/15 01:04:00 | 00,025,685 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsnboio.sys -- (tfsnboio)

DRV - [2004/03/15 01:04:00 | 00,014,229 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsnopio.sys -- (tfsnopio)

DRV - [2004/03/15 01:04:00 | 00,006,357 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsnpool.sys -- (tfsnpool)

DRV - [2004/03/15 01:04:00 | 00,004,117 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsndrct.sys -- (tfsndrct)

DRV - [2004/03/15 01:04:00 | 00,002,233 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsndres.sys -- (tfsndres)

DRV - [2004/02/27 02:56:00 | 00,040,480 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\drvnddm.sys -- (drvnddm)

DRV - [2004/02/13 10:46:00 | 00,017,153 | ---- | M] (Dell Inc) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\omci.sys -- (omci)

DRV - [2004/02/13 03:21:00 | 00,086,160 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\drvmcdb.sys -- (drvmcdb)

DRV - [2004/01/19 17:28:48 | 00,256,688 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\stac97.sys -- (STAC97) Audio Driver (WDM)

DRV - [2004/01/14 19:18:16 | 00,005,621 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\sscdbhk5.sys -- (sscdbhk5)

DRV - [2004/01/14 19:18:04 | 00,023,219 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ssrtln.sys -- (ssrtln)

DRV - [2004/01/13 02:41:46 | 02,482,176 | ---- | M] (Intel

[txshrode]

OTL Extras logfile created on: 12/18/2009 10:56:19 AM - Run 1

OTL by OldTimer - Version 3.1.18.0 Folder = C:\Documents and Settings\Nick Lateur\Desktop

Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

494.42 Mb Total Physical Memory | 226.37 Mb Available Physical Memory | 45.79% Memory free

1.13 Gb Paging File | 0.62 Gb Available in Paging File | 55.25% Paging File free

Paging file location(s): C:\pagefile.sys 744 1488 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 52.34 Gb Total Space | 26.10 Gb Free Space | 49.88% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: NICK

Current User Name: Nick Lateur

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]

.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

exefile [open] -- "%1" %*

htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)

htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)

htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)

htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)

http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)

https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)

CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"FirstRunDisabled" = 1

"AntiVirusOverride" = 0

"FirewallOverride" = 0

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 1

"DoNotAllowExceptions" = 0

"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe" = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe:*:Enabled:backWeb-7288971 -- ()

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{00000409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Premium

"{0008546E-DF6E-4CC1-AFD0-2CB8E16C95A2}" = Notifier

"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

"{015E4B8A-29B5-4AE3-BD08-38220FADFF4C}" = aspi

"{04410044-9149-45C6-A806-F2BF9CFCE762}" = Microsoft Encarta Encyclopedia Standard 2004

"{06B8DAD8-2809-475E-BA9D-C34479A0D58A}" = Dell TrueMobile 2300 Control Utility

"{09DA4F91-2A09-4232-AB8C-6BC740096DE3}" = Sonic Update Manager

"{0F756CD9-4A1E-409B-B101-601DDC4C03AA}" = Qualxserve Service Agreement

"{10E98E14-832C-4AF7-A4D1-6A9EF83B282E}" = VCAMCEN

"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA

"{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}" = ESSPCD

"{154508C0-07C5-4659-A7A0-E49968750D21}" = HLPPDOCK

"{18388EF8-E0A3-442B-8BFE-E2F1B3D05C91}" = iTunes

"{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}" = Google Earth

"{21657574-BD54-48A2-9450-EB03B2C7FC29}" = Sonic MyDVD

"{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}" = Skype

[sjpritch25]

Your lockup is probably do to running MSE and Avira. Please uninstall one of them, let me know if your still having issues. Thanks

[txshrode]

Hello,

I uninstalled both MSE and Avira, restarted then re-ran MB with the same result.

[txshrode]

When I say I re-ran MB, I mean I ran it, repaired, restarted and re-ran it again, with the same results.

[sjpritch25]

Well, i didn't tell you to uninstall both just one.

Can you post the most recent mbam log. Thanks

[txshrode]

Sorry ... didn't know which to uninstall, so I figured both would be OK.

Here's the newest log ...

Malwarebytes' Anti-Malware 1.42

Database version: 3386

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

12/21/2009 9:07:49 AM

mbam-log-2009-12-21 (09-07-46).txt

Scan type: Quick Scan

Objects scanned: 108011

Time elapsed: 9 minute(s), 53 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 4

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Documents and Settings/Nick Lateur/Local Settings/Temp/pivvfjza.dat (Rootkit.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pivvfjza.dat (Rootkit.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pivvfjza.dat (Rootkit.Agent) -> No action taken.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> No action taken.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\Nick Lateur\Local Settings\Temp\pivvfjza.dat (Rootkit.Agent) -> No action taken.

[sjpritch25]

did you remove those items mbam detected?

How is everything running?

[txshrode]

I removed them, restarted and re-ran MB ... no change. Here's the newest log as of a couple of minutes ago.

Malwarebytes' Anti-Malware 1.42

Database version: 3403

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

12/21/2009 10:43:53 AM

mbam-log-2009-12-21 (10-43-53).txt

Scan type: Quick Scan

Objects scanned: 108056

Time elapsed: 8 minute(s), 43 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 4

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Documents and Settings/Nick Lateur/Local Settings/Temp/pivvfjza.dat (Rootkit.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pivvfjza.dat (Rootkit.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pivvfjza.dat (Rootkit.Agent) -> Delete on reboot.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\Nick Lateur\Local Settings\Temp\pivvfjza.dat (Rootkit.Agent) -> Delete on reboot.

[sjpritch25]

Okay.

Download Combofix from this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.

• When finished, it will produce a report for you.
  
• Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
  

Note:

Do not mouseclick combofix's window while it's running. That may cause it to stall

[txshrode]

[*]Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Do I need to install HijackThis as well then?

[txshrode]

ComboFix 09-12-20.08 - Nick Lateur 12/21/2009 11:57:07.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.494.262 [GMT -6:00]

Running from: c:\documents and settings\Nick Lateur\Desktop\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\bat.dll

c:\windows\system32\drivers\czryfxbg.sys

c:\windows\system32\drivers\yaftastv.sys

c:\windows\system32\tmp.reg

c:\windows\TEMP\logishrd\LVPrcInj01.dll

C:\xcrashdump.dat

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_CZRYFXBG

-------\Service_czryfxbg

((((((((((((((((((((((((( Files Created from 2009-11-21 to 2009-12-21 )))))))))))))))))))))))))))))))

.

2009-12-18 22:07 . 2009-12-18 22:07 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google

2009-12-18 22:03 . 2009-12-18 22:03 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

2009-12-17 17:06 . 2009-12-17 17:06 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2009-12-16 20:57 . 2009-12-16 20:57 -------- d-----w- c:\program files\FileASSASSIN

2009-12-16 16:25 . 2009-12-03 22:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-12-16 16:25 . 2009-12-03 22:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-12-16 15:11 . 2009-12-16 15:11 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2

2009-12-16 15:00 . 2009-12-16 15:10 -------- d-----w- c:\windows\ie8updates

2009-12-16 13:35 . 2009-10-29 07:45 12800 ------w- c:\windows\system32\dllcache\xpshims.dll

2009-12-16 13:35 . 2009-10-29 07:45 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll

2009-12-16 13:25 . 2009-08-07 01:23 274288 ----a-w- c:\windows\system32\mucltui.dll

2009-12-15 22:30 . 2009-12-15 22:30 -------- d-sh--w- c:\documents and settings\Nick Lateur\PrivacIE

2009-12-15 22:22 . 2009-12-15 22:22 -------- d-sh--w- c:\documents and settings\Nick Lateur\IETldCache

2009-12-15 22:14 . 2009-12-15 22:19 -------- dc-h--w- c:\windows\ie8

2009-12-15 18:18 . 2009-11-03 02:42 195456 ------w- c:\windows\system32\MpSigStub.exe

2009-12-15 17:30 . 2009-12-15 17:30 -------- d-----w- c:\documents and settings\Nick Lateur\Application Data\MSNInstaller

2009-12-15 17:15 . 2009-12-15 17:15 -------- d-----w- c:\windows\system32\scripting

2009-12-15 17:15 . 2009-12-15 17:15 -------- d-----w- c:\windows\l2schemas

2009-12-15 17:15 . 2009-12-15 17:15 -------- d-----w- c:\windows\system32\en

2009-12-15 17:15 . 2009-12-15 17:15 -------- d-----w- c:\windows\system32\bits

2009-12-15 17:03 . 2009-12-15 17:03 -------- d-----w- c:\documents and settings\Nick Lateur\Application Data\Uniblue

2009-12-15 17:03 . 2009-12-15 17:03 -------- d-----w- c:\program files\Uniblue

2009-12-15 17:00 . 2009-12-15 17:00 -------- d-----w- c:\windows\EHome

2009-12-14 21:08 . 2009-12-17 19:21 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-12-14 17:44 . 2009-12-14 17:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-12-14 17:44 . 2009-12-16 15:39 -------- d-----w- c:\documents and settings\Nick Lateur\Application Data\SUPERAntiSpyware.com

2009-12-14 17:44 . 2009-12-16 15:37 -------- d-----w- c:\program files\SUPERAntiSpyware

2009-12-14 17:41 . 2009-12-16 16:26 -------- d-----w- c:\documents and settings\Nick Lateur\Application Data\Malwarebytes

2009-12-14 17:06 . 2009-12-16 16:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-12-14 17:06 . 2009-12-16 16:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-12-14 16:31 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys

2009-12-13 17:04 . 2009-12-15 16:06 -------- d-----w- c:\documents and settings\Nick Lateur\Local Settings\Application Data\lcomgi

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-12-19 23:05 . 2007-02-03 03:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater

2009-12-18 22:02 . 2007-02-03 03:07 -------- d-----w- c:\program files\Google

2009-12-16 15:50 . 2009-01-16 02:28 -------- d-----w- c:\documents and settings\Nick Lateur\Application Data\Skype

2009-12-15 17:59 . 2004-11-30 20:31 82160 ----a-w- c:\documents and settings\Nick Lateur\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-12-15 17:50 . 2004-11-18 06:56 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL

2009-12-15 17:31 . 2004-11-18 06:53 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-12-15 17:30 . 2007-02-09 04:25 -------- d--h--w- c:\documents and settings\Nick Lateur\Application Data\Move Networks

2009-12-15 17:29 . 2004-11-18 06:55 -------- d-----w- c:\program files\Digital Line Detect

2009-12-15 17:19 . 2004-08-10 19:13 78471 ----a-w- c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat

2009-12-14 18:28 . 2004-11-18 06:57 -------- d-----w- c:\program files\Common Files\Real

2009-12-14 18:27 . 2004-11-18 06:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint

2009-12-04 16:03 . 2009-12-04 16:03 251376 ----a-w- c:\documents and settings\Nick Lateur\Application Data\Mozilla\plugins\npgoogletalk.dll

2009-12-04 10:02 . 2006-08-24 01:47 -------- d-----w- c:\program files\ZipForm Desktop

2009-10-29 07:45 . 2004-08-04 11:00 916480 ----a-w- c:\windows\system32\wininet.dll

2009-10-21 05:38 . 2004-08-04 11:00 75776 ----a-w- c:\windows\system32\strmfilt.dll

2009-10-21 05:38 . 2004-08-04 11:00 25088 ----a-w- c:\windows\system32\httpapi.dll

2009-10-20 16:20 . 2004-08-04 11:00 265728 ----a-w- c:\windows\system32\drivers\http.sys

2009-10-13 10:30 . 2004-08-04 11:00 270336 ----a-w- c:\windows\system32\oakley.dll

2009-10-12 13:38 . 2004-08-04 11:00 149504 ----a-w- c:\windows\system32\rastls.dll

2009-10-12 13:38 . 2004-08-04 11:00 79872 ----a-w- c:\windows\system32\raschap.dll

2008-09-22 16:26 . 2008-02-05 04:56 88 --sh--r- c:\windows\SYSTEM32\3EBCC1BFB1.sys

2008-09-22 16:26 . 2008-02-05 04:37 2828 --sha-w- c:\windows\SYSTEM32\KGyGaAvL.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-06-24 77914]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 729178]

"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-05-28 86016]

"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]

"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]

"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]

"Lexmark X6100 Series"="c:\program files\Lexmark X6100 Series\lxbfbmgr.exe" [2003-09-23 57344]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-12-11 267048]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]

"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2008-11-04 615696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-3-15 110592]

DisplayKEY eSYNC Info.lnk - c:\program files\GE Security Supra\SyncInfoApp.exe [2007-3-21 102400]

Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2003-12-13 630915]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]

2004-01-12 12:55 110592 ----a-w- c:\windows\SYSTEM32\LgNotify.dll

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe"=

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/18/2009 4:02 PM 135664]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - CZRYFXBG

*Deregistered* - czryfxbg

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = localhost

uInternet Settings,ProxyServer = http=127.0.0.1:5555

Trusted Zone: topproducer8i.com\www

TCP: {AD9A7C38-F039-4EB8-8AED-EF1BE35344B7} = 68.94.156.1,68.94.157.1

DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB

FF - ProfilePath - c:\documents and settings\Nick Lateur\Application Data\Mozilla\Firefox\Profiles\djd9w4yl.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - plugin: c:\documents and settings\Nick Lateur\Application Data\Mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\documents and settings\Nick Lateur\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll

FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\Google\Google Updater\2.4.1399.3742\npCIDetect13.dll

FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll

.

- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-CTFMON - (no file)

AddRemove-Adobe Flash Player ActiveX - c:\windows\system32\Macromed\Flash\uninstall_activeX.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-12-21 12:09

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]

@DACL=(02 0000)

"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]

@DACL=(02 0000)

"NoChange"="1"

"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

@DACL=(02 0000)

"Installed"="1"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(612)

c:\windows\system32\LgNotify.dll

- - - - - - - > 'explorer.exe'(7016)

c:\windows\system32\WININET.dll

c:\windows\TEMP\logishrd\LVPrcInj01.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\S24EvMon.exe

c:\windows\system32\ZCfgSvc.exe

c:\windows\system32\1XConfig.exe

c:\windows\system32\LEXBCES.EXE

c:\windows\system32\LEXPPS.EXE

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\ge security supra\syncservice.exe

c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe

c:\windows\system32\drivers\KodakCCS.exe

c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

c:\program files\GE Security Supra\ProxyDaemon.exe

c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

c:\ssl\stunnel-4.10.exe

c:\windows\system32\PSIService.exe

c:\windows\system32\RegSrvc.exe

c:\windows\system32\ScsiAccess.EXE

c:\windows\system32\wdfmgr.exe

c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

c:\windows\system32\wscntfy.exe

c:\program files\Lexmark X6100 Series\lxbfbmon.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe

.

**************************************************************************

.

Completion time: 2009-12-21 12:21:07 - machine was rebooted

ComboFix-quarantined-files.txt 2009-12-21 18:20

Pre-Run: 28,035,444,736 bytes free

Post-Run: 28,482,027,520 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 5E37B286434F90DD488E4B3F75227419

[sjpritch25]

Please update malwarebytes, run another quick scan and post the results. No need to install Hijackthis for now.

[txshrode]

just did that and it came up clean with a quick scan ... performing a full scan right now to be sure.

Hopefully this is it.

[sjpritch25]

no need to do a full system scan though. I would like to grab those files that combofix removed though. please post this log

C:\Qoobox\ComboFix-quarantined-files.txt

[txshrode]

Here's the log ... and thanks again!

2009-12-21 18:19:32 . 2009-12-21 18:19:32 1,456 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Adobe Flash Player ActiveX.reg.dat

2009-12-21 18:19:20 . 2009-12-21 18:19:20 256 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-CTFMON.reg.dat

2009-12-21 18:09:47 . 2009-12-21 18:09:47 53,955 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Temp\logishrd\_LVPrcInj01_.dll.zip

2009-12-21 18:06:01 . 2009-12-21 18:06:01 18,850 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\_yaftastv_.sys.zip

2009-12-21 18:05:59 . 2009-12-21 18:05:59 11,438 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\_czryfxbg_.sys.zip

2009-12-21 18:05:11 . 2009-12-21 18:05:11 106,066 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_czryfxbg.reg.dat

2009-12-21 18:05:11 . 2009-12-21 18:05:11 1,276 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_CZRYFXBG.reg.dat

2009-12-21 18:04:47 . 2009-12-21 18:04:47 10,080 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg

2009-12-21 17:51:17 . 2009-12-21 18:09:48 601 ----a-w- C:\Qoobox\Quarantine\catchme.log

2009-12-21 16:47:28 . 2008-07-26 14:25:24 109,080 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Temp\logishrd\LVPrcInj01.dll.vir

2009-12-14 17:30:44 . 2009-12-14 18:30:06 5,784 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\tmp.reg.vir

2009-04-12 19:30:35 . 2009-04-12 19:30:35 55 ----a-w- C:\Qoobox\Quarantine\C\xcrashdump.dat.vir

2004-08-04 11:00:00 . 2004-08-04 11:00:00 23,424 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\czryfxbg.sys.vir

2004-08-04 11:00:00 . 2004-08-04 11:00:00 23,424 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\yaftastv.sys.vir

[txshrode]

For moving forward, what programs do you recommend installing for anti-spyware/anti-virus.

Up to this point I've used Avira and SAS mostly. Thanks again.

[sjpritch25]

Open notepad and copy/paste the text in the codebox below into it:

@echo off
for %%g in (
"C:\Qoobox\Quarantine\Registry_backups\Service_czryfxbg.reg.dat"
"C:\Qoobox\Quarantine\Registry_backups\Legacy_CZRYFXBG.reg.dat"
"C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\tmp.reg.vir"
"C:\Qoobox\Quarantine\C\xcrashdump.dat.vir"
"C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\czryfxbg.sys.vir"
"C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\yaftastv.sys.vir"
"C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\_czryfxbg_.sys.zip"
"C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\_yaftastv_.sys.zip"	
) do zip Files_for_submission %%g
del %0

Save this as grab.bat

Choose to "Save type as - All Files"

Save it on your desktop.

It should look like this:

Double click on grab.bat & allow it to run

A file, Files_for_submission.zip will be created on your desktop.

Please upload that file here --> http://www.bleepingcomputer.com/submit-mal....php?channel=70

[sjpritch25]

Comparing SAS and mbam. Mbam has ip blocking which is a great feature with the protection module.

[txshrode]

The file has been submitted.

[sjpritch25]

Go to Start ---> Run ---> Type ComboFix /u and press Enter. That will remove ComboFix and create a new restore point.

How is everything running?

[txshrode]

I tried the ComboFix /u and it just re-runs the scan and report. It doesn't seem to uninstall it. Should that Qoobox directory be removed?

[sjpritch25]

make sure there is space between ComboFix and /u. Otherwise, this one shall work too. ComboFix /uninstall