
Computer running sluggishly


Re: Computer running sluggishly

Postby tomvilfroy » Tue Apr 28, 2009 3:56 pm

Okay, here is the result of that notepad batch file. Am curious what the sys file does, if you don't mind, since I am naturally curious.

Here is the contents of the file.txt :

Volume in drive C has no label.
Volume Serial Number is 2492-8096
tomvilfroy
 
Posts: 61
Joined: Sun Dec 14, 2008 2:56 am

Re: Computer running sluggishly

Postby patrik » Wed Apr 29, 2009 7:45 am

jamr.sys

I found the name of the file in the GMER log, but there is no information about it on the Internet, and as you can see, the file does not exist on your drive.

Download AVZ Antiviral Toolkit from here or here.
Unzip it to a folder that you create such as C:\AVZ\.
Double-click avz.exe to run the program.
Click File -> Database Update. Click Start.
When the update is finished click OK.
Click File -> Standard scripts.
Mark the Advanced System Analysis check box.
Click on the Execute selected scripts button.
Click YES to confirm.
A system check will be executed.
When the scan is finished, a logfile will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.
Click OK and click CLOSE.
Close AVZ.

Attach virusinfo_syscheck.zip in your reply.
patrik
Site Admin
 
Posts: 8425
Joined: Sun Jan 08, 2006 1:11 pm

Re: Computer running sluggishly

Postby tomvilfroy » Thu Apr 30, 2009 1:11 am

Patrik, I think you meant to say save the log file as *.txt, not *.zip, right??

Here it is :

AVZ Antiviral Toolkit log; AVZ version is 4.30
Scanning started at 4/29/2009 7:04:31 PM
Database loaded: signatures - 221074, NN profile(s) - 2, microprograms of healing - 56, signature database released 29.04.2009 22:25
Heuristic microprograms loaded: 372
SPV microprograms loaded: 9
Digital signatures of system files loaded: 110011
Heuristic analyzer mode: Maximum heuristics level
Healing mode: disabled
Windows version: 5.1.2600, Service Pack 3 ; AVZ is launched with administrator rights
System Restore: enabled
1. Searching for Rootkits and programs intercepting API functions
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
Analysis: ntdll.dll, export table found in section .text
Analysis: user32.dll, export table found in section .text
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=07C020)
Kernel ntkrnlpa.exe found in memory at address 804D7000
SDT = 80553020
KiST = 80501B9C (284)
Function NtCreateFile (25) - machine code modification Method of JmpTo. jmp F39FB9AE\SystemRoot\system32\drivers\mfehidk.sys, driver recognized as trusted
Function NtCreateKey (29) - machine code modification Method of JmpTo. jmp F39FBA45\SystemRoot\system32\drivers\mfehidk.sys, driver recognized as trusted
Function NtCreateProcess (2F) - machine code modification Method of JmpTo. jmp F39FB95C\SystemRoot\system32\drivers\mfehidk.sys, driver recognized as trusted
Function NtCreateProcessEx (30) - machine code modification Method of JmpTo. jmp F39FB970\SystemRoot\system32\drivers\mfehidk.sys, driver recognized as trusted
Function NtDeleteKey (3F) - machine code modification Method of JmpTo. jmp F39FBA59\SystemRoot\system32\drivers\mfehidk.sys, driver recognized as trusted
Function NtDeleteValueKey (41) - machine code modification Method of JmpTo. jmp F39FBA85\SystemRoot\system32\drivers\mfehidk.sys, driver recognized as trusted
Function NtEnumerateKey (47) - machine code modification Method of JmpTo. jmp F39FBAF3\SystemRoot\system32\drivers\mfehidk.sys, driver recognized as trusted
Function NtEnumerateValueKey (49) - machine code modification Method of JmpTo. jmp F39FBADD\SystemRoot\system32\drivers\mfehidk.sys, driver recognized as trusted
Function NtMapViewOfSection (6C) - machine code modification Method of JmpTo. jmp F39FB9EE\SystemRoot\system32\drivers\mfehidk.sys, driver recognized as trusted
Function NtNotifyChangeKey (6F) - machine code modification Method of JmpTo. jmp F39FBB1F\SystemRoot\system32\drivers\mfehidk.sys, driver recognized as trusted
Function NtOpenKey (77) - machine code modification Method of JmpTo. jmp F39FBA31\SystemRoot\system32\drivers\mfehidk.sys, driver recognized as trusted
Function NtOpenProcess (7A) - machine code modification Method of JmpTo. jmp F39FB934\SystemRoot\system32\drivers\mfehidk.sys, driver recognized as trusted
Function NtOpenThread (80) - machine code modification Method of JmpTo. jmp F39FB948\SystemRoot\system32\drivers\mfehidk.sys, driver recognized as trusted
Function NtProtectVirtualMemory (89) - machine code modification Method of JmpTo. jmp F39FB9C2\SystemRoot\system32\drivers\mfehidk.sys, driver recognized as trusted
Function NtQueryKey (A0) - machine code modification Method of JmpTo. jmp F39FBB5B\SystemRoot\system32\drivers\mfehidk.sys, driver recognized as trusted
Function NtQueryMultipleValueKey (A1) - machine code modification Method of JmpTo. jmp F39FBAC7\SystemRoot\system32\drivers\mfehidk.sys, driver recognized as trusted
Function NtQueryValueKey (B1) - machine code modification Method of JmpTo. jmp F39FBAB1\SystemRoot\system32\drivers\mfehidk.sys, driver recognized as trusted
Function NtRenameKey (C0) - machine code modification Method of JmpTo. jmp F39FBA6F\SystemRoot\system32\drivers\mfehidk.sys, driver recognized as trusted
Function NtReplaceKey (C1) - machine code modification Method of JmpTo. jmp F39FBB47\SystemRoot\system32\drivers\mfehidk.sys, driver recognized as trusted
Function NtRestoreKey (CC) - machine code modification Method of JmpTo. jmp F39FBB33\SystemRoot\system32\drivers\mfehidk.sys, driver recognized as trusted
Function NtSetContextThread (D5) - machine code modification Method of JmpTo. jmp F39FB99A\SystemRoot\system32\drivers\mfehidk.sys, driver recognized as trusted
Function NtSetInformationProcess (E4) - machine code modification Method of JmpTo. jmp F39FB986\SystemRoot\system32\drivers\mfehidk.sys, driver recognized as trusted
Function NtSetValueKey (F7) - machine code modification Method of JmpTo. jmp F39FBA9B\SystemRoot\system32\drivers\mfehidk.sys, driver recognized as trusted
Function NtTerminateProcess (101) - machine code modification Method of JmpTo. jmp F39FBA1D\SystemRoot\system32\drivers\mfehidk.sys, driver recognized as trusted
Function NtUnloadKey (107) - machine code modification Method of JmpTo. jmp F39FBB09\SystemRoot\system32\drivers\mfehidk.sys, driver recognized as trusted
Function NtUnmapViewOfSection (10B) - machine code modification Method of JmpTo. jmp F39FBA04\SystemRoot\system32\drivers\mfehidk.sys, driver recognized as trusted
Function NtYieldExecution (116) - machine code modification Method of JmpTo. jmp F39FB9D8\SystemRoot\system32\drivers\mfehidk.sys, driver recognized as trusted
Function NtCreateFile (8056E2FC) - machine code modification Method of JmpTo. jmp F39FB9AE \SystemRoot\system32\drivers\mfehidk.sys, driver recognized as trusted
Function NtMapViewOfSection (805A7500) - machine code modification Method of JmpTo. jmp F39FB9EE \SystemRoot\system32\drivers\mfehidk.sys, driver recognized as trusted
Function NtOpenProcess (805C1322) - machine code modification Method of JmpTo. jmp F39FB934 \SystemRoot\system32\drivers\mfehidk.sys, driver recognized as trusted
Function NtOpenThread (805C15AE) - machine code modification Method of JmpTo. jmp F39FB948 \SystemRoot\system32\drivers\mfehidk.sys, driver recognized as trusted
Function NtSetInformationProcess (805C3DE0) - machine code modification Method of JmpTo. jmp F39FB986 \SystemRoot\system32\drivers\mfehidk.sys, driver recognized as trusted
Functions checked: 284, intercepted: 0, restored: 0
1.3 Checking IDT and SYSENTER
Analysis for CPU 1
Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
Checking not performed: extended monitoring driver (AVZPM) is not installed
Driver loaded successfully
1.5 Checking of IRP handlers
Checking - complete
2. Scanning memory
Number of processes found: 52
Analyzer: process under analysis is 1616 C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Registered in autoruns !!
Analyzer: process under analysis is 1796 C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe
[ES]:Contains network functionality
[ES]:Listens on HTTP ports !
[ES]:Application has no visible windows
[ES]:Registered in autoruns !!
[ES]:Loads RASAPI DLL - may use dialing ?
Analyzer: process under analysis is 1808 C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe
[ES]:Contains network functionality
[ES]:Listens on HTTP ports !
[ES]:Application has no visible windows
[ES]:Registered in autoruns !!
[ES]:Loads RASAPI DLL - may use dialing ?
Analyzer: process under analysis is 1844 C:\program files\ncsoft\launcher\NCLauncher.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Registered in autoruns !!
[ES]:Loads RASAPI DLL - may use dialing ?
Analyzer: process under analysis is 1932 C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpomau08.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Registered in autoruns !!
Analyzer: process under analysis is 1948 C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
[ES]:Application has no visible windows
[ES]:Registered in autoruns !!
Analyzer: process under analysis is 228 C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
[ES]:Application has no visible windows
Analyzer: process under analysis is 2160 C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
[ES]:Application has no visible windows
Analyzer: process under analysis is 3280 C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
Analyzer: process under analysis is 3660 C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoFXM08.exe
[ES]:Application has no visible windows
Analyzer: process under analysis is 1256 C:\Program Files\Mozilla Firefox\firefox.exe
[ES]:Contains network functionality
[ES]:Listens on HTTP ports !
[ES]:Loads RASAPI DLL - may use dialing ?
Number of modules loaded: 553
Scanning memory - complete
3. Scanning disks
4. Checking Winsock Layered Service Provider (SPI/LSP)
LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
C:\Program Files\NetRatingsNetSight\NetSight\meter4\nphooks.dll --> Suspicion for Keylogger or Trojan DLL
C:\Program Files\NetRatingsNetSight\NetSight\meter4\nphooks.dll>>> Behavioural analysis
1. Reacts to events: keyboard, mouse, all events
C:\Program Files\NetRatingsNetSight\NetSight\meter4\nphooks.dll>>> Neural net: file with probability 99.09% like a typical keyboard/mouse events interceptor
C:\Program Files\NetRatingsNetSight\NetSight\meter4\nscore.dll --> Suspicion for Keylogger or Trojan DLL
C:\Program Files\NetRatingsNetSight\NetSight\meter4\nscore.dll>>> Behavioural analysis
Behaviour typical for keyloggers not detected
C:\Program Files\NetRatingsNetSight\NetSight\meter4\communication.dll --> Suspicion for Keylogger or Trojan DLL
C:\Program Files\NetRatingsNetSight\NetSight\meter4\communication.dll>>> Behavioural analysis
1. Reacts to events: keyboard, mouse
C:\Program Files\NetRatingsNetSight\NetSight\meter4\communication.dll>>> Neural net: file with probability 99.42% like a typical keyboard/mouse events interceptor
C:\Program Files\NetRatingsNetSight\NetSight\nsmmc.dll --> Suspicion for Keylogger or Trojan DLL
C:\Program Files\NetRatingsNetSight\NetSight\nsmmc.dll>>> Behavioural analysis
1. Reacts to events: keyboard, mouse
C:\Program Files\NetRatingsNetSight\NetSight\nsmmc.dll>>> Neural net: file with probability 99.63% like a typical keyboard/mouse events interceptor
Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs
6. Searching for opened TCP/UDP ports used by malicious programs
Checking disabled by user
7. Heuristic system check
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: TermService (Terminal Services)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery Service)
>> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
>> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting Remote Desktop Sharing)
>> Services: potentially dangerous service allowed: RDSessMgr (Remote Desktop Help Session Manager)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
Checking - complete
9. Troubleshooting wizard
>> HDD autorun are allowed
>> Autorun from network drives are allowed
>> Removable media autorun are allowed
Checking - complete
Files scanned: 605, extracted from archives: 0, malicious software found 0, suspicions - 0
Scanning finished at 4/29/2009 7:06:37 PM
Time of scanning: 00:02:09
If you have a suspicion on presence of viruses or questions on the suspected objects,
you can address http://virusinfo.info conference
System Analysis in progress
System Analysis - complete
tomvilfroy
 
Posts: 61
Joined: Sun Dec 14, 2008 2:56 am
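The AVZ log above has three parts a helper usually reads first: the kernel-mode hook list (here every SSDT hook is attributed to mfehidk.sys, which AVZ marks as a trusted driver), the keyboard/mouse hook suspicions (the NetRatings meter DLLs), and the section 8 hardening findings. The Python script below is an added example, not part of the thread or of AVZ itself: it parses lines in that format and returns a triage summary that groups hooks by the driver they point to, lists any hook line AVZ did not mark as trusted, and lists hooking DLLs whose neural-net score is above a review threshold. The sample log is constructed from the entries above, and the NtEnumerateKey line pointing at unknown_driver_placeholder.sys is invented to show how an unattributed hook is reported; it does not occur in the real log.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the AVZ 4.30 log posted in this thread.
# The NtEnumerateKey line pointing at unknown_driver_placeholder.sys is invented
# for illustration (a hook AVZ did not attribute to a trusted driver); the
# other lines follow entries that appear in the thread.
SAMPLE_LOG = r"""
1.2 Searching for kernel-mode API hooks
Function NtCreateFile (25) - machine code modification Method of JmpTo. jmp F39FB9AE\SystemRoot\system32\drivers\mfehidk.sys, driver recognized as trusted
Function NtOpenProcess (7A) - machine code modification Method of JmpTo. jmp F39FB934\SystemRoot\system32\drivers\mfehidk.sys, driver recognized as trusted
Function NtEnumerateKey (47) - machine code modification Method of JmpTo. jmp F3AA0000\??\C:\WINDOWS\system32\drivers\unknown_driver_placeholder.sys
Functions checked: 284, intercepted: 0, restored: 0
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
C:\Program Files\NetRatingsNetSight\NetSight\meter4\nphooks.dll --> Suspicion for Keylogger or Trojan DLL
C:\Program Files\NetRatingsNetSight\NetSight\meter4\nphooks.dll>>> Neural net: file with probability 99.09% like a typical keyboard/mouse events interceptor
C:\Program Files\NetRatingsNetSight\NetSight\meter4\nscore.dll --> Suspicion for Keylogger or Trojan DLL
Behaviour typical for keyloggers not detected
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: TermService (Terminal Services)
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
"""

# One SSDT hook line: function name, service index, jump target address, the
# driver the jump lands in, and an optional "recognized as trusted" suffix.
HOOK_RE = re.compile(
    r"^Function (?P<func>\w+) \((?P<idx>[0-9A-F]+)\) - .*?jmp (?P<addr>[0-9A-F]+)\s*"
    r"(?P<target>.+?)(?P<trusted>, driver recognized as trusted)?$"
)
SUSP_RE = re.compile(r"^(?P<path>.+?) --> Suspicion for Keylogger or Trojan DLL$")
NN_RE = re.compile(
    r"^(?P<path>.+?)>>> Neural net: file with probability (?P<prob>[\d.]+)% "
    r"like a typical keyboard/mouse events interceptor$"
)
VULN_RE = re.compile(r"^>> (?P<kind>Services|Security): (?P<text>.+)$")


def parse_avz_log(text):
    """Return (hooks, suspects, findings) extracted from AVZ log text."""
    hooks, suspects, findings = [], {}, []
    for line in text.splitlines():
        line = line.strip()
        m = HOOK_RE.match(line)
        if m:
            hooks.append({"function": m["func"], "target": m["target"].strip(),
                          "trusted": m["trusted"] is not None})
            continue
        m = SUSP_RE.match(line)
        if m:
            # A suspicion without a neural-net score stays at None.
            suspects.setdefault(m["path"], None)
            continue
        m = NN_RE.match(line)
        if m:
            suspects[m["path"]] = float(m["prob"])
            continue
        m = VULN_RE.match(line)
        if m:
            findings.append((m["kind"], m["text"]))
    return hooks, suspects, findings


def triage(text, review_threshold=90.0):
    """Summarise an AVZ log for review: hooks per driver, unattributed hooks,
    high-scoring hooking DLLs and the section 8 hardening findings."""
    hooks, suspects, findings = parse_avz_log(text)
    by_driver = defaultdict(list)
    for h in hooks:
        by_driver[h["target"]].append(h["function"])
    untrusted = sorted({h["target"] for h in hooks if not h["trusted"]})
    to_review = sorted(p for p, prob in suspects.items()
                       if prob is not None and prob >= review_threshold)
    return {
        "hooks_by_driver": dict(by_driver),
        "untrusted_hook_drivers": untrusted,
        "hook_dlls_to_review": to_review,
        "hardening_findings": findings,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for driver, funcs in result["hooks_by_driver"].items():
        print(f"{driver}: {len(funcs)} hooked functions")
    print("unattributed hook drivers:", result["untrusted_hook_drivers"])
    print("hooking DLLs to review:", result["hook_dlls_to_review"])
    for kind, text in result["hardening_findings"]:
        print(f"[{kind}] {text}")
```

The summary is a review list, in line with AVZ's own note in the log: a high neural-net score on a hooking DLL identifies an interceptor, not malware, and in this thread those DLLs belong to an installed audience-metering product. The hooks that matter most are the ones in untrusted_hook_drivers, because a jump into a driver AVZ could not attribute is what a kernel rootkit looks like in this section.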

Re: Computer running sluggishly

Postby patrik » Fri May 01, 2009 4:13 am

When the scan is finished, a logfile will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.

You can find virusinfo_syscheck.zip in the LOG folder in the AVZ folder.

Please attach it in your reply.
patrik
Site Admin
 
Posts: 8425
Joined: Sun Jan 08, 2006 1:11 pm

Re: Computer running sluggishly

Postby tomvilfroy » Fri May 01, 2009 7:00 am

here it is...
Attachments
virusinfo_syscheck.zip
(144.91 KiB) Downloaded 9 times
tomvilfroy
 
Posts: 61
Joined: Sun Dec 14, 2008 2:56 am

Re: Computer running sluggishly

Postby patrik » Sat May 02, 2009 6:07 am

Click here to open the VirusTotal website.
On top you'll find 'Browse'.
Click the browse button and browse to the following file:
c:\windows\system32\drivers\PCIDump.sys

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results in your next reply.
patrik
Site Admin
 
Posts: 8425
Joined: Sun Jan 08, 2006 1:11 pm

Re: Computer running sluggishly

Postby tomvilfroy » Sat May 02, 2009 3:17 pm

Patrik

Unable to find that file
c:\windows\system32\drivers\PCIDump.sys

I see a pci.sys file but no pcidump.sys file. Even entered that file name as above in the dialog box and got a "could not find file" message.

Thomas
tomvilfroy
 
Posts: 61
Joined: Sun Dec 14, 2008 2:56 am

Re: Computer running sluggishly

Postby tomvilfroy » Sat May 02, 2009 3:52 pm

Finally got to d/l ComboFix - so here is the ComboFix log:

ComboFix 09-05-02.4 - Owner 05/02/2009 9:37.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.637 [GMT -6:00]
Running from: c:\download\ComboFix.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-04-02 to 2009-05-02 )))))))))))))))))))))))))))))))
.

2009-04-30 01:02 . 2009-04-30 01:02 -------- d-----w C:\avz
2009-04-27 14:09 . 2009-04-27 14:09 -------- d-----w C:\gmer
2009-04-18 01:31 . 2009-04-18 01:31 -------- d-----w c:\documents and settings\All Users\Application Data\PopCap
2009-04-18 01:28 . 2009-04-18 01:28 -------- d-----w c:\program files\PopCap Games
2009-04-16 19:01 . 2008-08-22 20:37 8832 ----a-w c:\windows\system32\drivers\km_filter.sys
2009-04-16 16:28 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-16 16:28 . 2009-02-06 10:39 35328 -c----w c:\windows\system32\dllcache\sc.exe
2009-04-16 16:28 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 16:28 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-16 16:28 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 16:28 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 16:28 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 16:28 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 16:28 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 16:28 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 16:22 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 16:21 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-07 17:27 . 2009-04-07 17:27 -------- d-----w c:\documents and settings\Owner\Application Data\Days of Wonder, Inc
2009-04-07 17:27 . 2009-04-07 17:27 -------- d-----w c:\documents and settings\Owner\Local Settings\Application Data\Days of Wonder, Inc
2009-04-07 17:13 . 2009-04-07 17:28 -------- d-----w c:\program files\Memoir 44 Editor
2009-04-06 18:49 . 2008-08-22 20:37 14336 ----a-w c:\windows\system32\drivers\nnrnstdi.sys
2009-04-06 18:43 . 2008-10-31 19:25 53248 ----a-w c:\windows\nswatchdog.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-02 15:36 . 2006-05-07 00:41 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-02 15:00 . 2008-12-21 16:31 314 ----a-w c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
2009-05-02 12:13 . 2008-12-21 16:30 334 ----a-w c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
2009-05-01 07:03 . 2008-07-19 05:28 332 ----a-w c:\windows\Tasks\McQcTask.job
2009-04-30 19:50 . 2007-07-17 08:15 -------- d-----w c:\program files\TicketToRide
2009-04-29 17:08 . 2008-11-21 13:52 284 ----a-w c:\windows\Tasks\AppleSoftwareUpdate.job
2009-04-17 02:38 . 2008-07-19 05:28 -------- d-----w c:\program files\McAfee
2009-04-15 07:26 . 2008-07-19 05:28 340 ----a-w c:\windows\Tasks\McDefragTask.job
2009-04-01 13:56 . 2006-09-26 18:28 -------- d-----w c:\program files\Java
2009-03-27 14:58 . 2009-03-27 14:57 -------- d-----w c:\program files\VASSAL
2009-03-21 14:31 . 2008-12-17 04:58 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-19 16:33 . 2009-03-19 16:33 -------- d-----w c:\program files\Ancestry
2009-03-19 16:32 . 2009-03-19 16:32 -------- d-----w c:\program files\Microsoft WSE
2009-03-19 16:24 . 2009-03-19 16:18 -------- d-----w c:\program files\SudokuSolver
2009-03-18 19:00 . 2009-03-10 15:12 -------- d-----w c:\program files\RealArcade
2009-03-16 14:22 . 2007-03-24 05:31 35928 ----a-w c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-16 14:21 . 2008-11-26 05:08 -------- d-----w c:\program files\Windows Live
2009-03-16 14:15 . 2009-03-16 14:15 -------- d-----w c:\program files\Microsoft
2009-03-16 14:14 . 2009-03-16 14:14 -------- d-----w c:\program files\Windows Live SkyDrive
2009-03-16 14:09 . 2009-03-16 14:09 -------- d-----w c:\program files\Common Files\Windows Live
2009-03-10 04:16 . 2008-02-10 19:44 -------- d-----w c:\program files\Coupons
2009-03-09 11:19 . 2008-12-15 17:33 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2006-05-07 00:24 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2006-05-07 00:24 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2006-05-07 00:24 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2006-05-07 00:24 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2006-05-07 00:24 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2006-05-07 00:24 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2006-05-07 00:24 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2006-05-07 00:24 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 01:02 . 2004-08-04 05:59 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-07 00:52 . 2009-02-07 00:52 49504 ----a-w c:\windows\system32\sirenacm.dll
2009-02-06 11:11 . 2006-05-07 00:24 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2006-05-07 00:24 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2006-05-07 00:24 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:59 . 2006-05-07 00:24 56832 ----a-w c:\windows\system32\secur32.dll
2007-10-22 21:54 . 2007-10-22 21:56 774144 ----a-w c:\program files\RngInterstitial.dll
2007-08-22 07:50 . 2007-09-12 22:28 118784 ----a-w c:\program files\mozilla firefox\components\nmgkff20.dll
2008-08-22 20:37 . 2009-04-16 19:01 163840 ----a-w c:\program files\mozilla firefox\components\nsgkff30_meter4.dll
2008-02-05 20:03 . 2008-02-05 19:08 80 --sh--r c:\windows\system32\1FCF4B34EC.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"PlayNC Launcher"="c:\program files\ncsoft\launcher\NCLauncher.exe" [2009-04-16 38136]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-11-06 4347120]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-07 3885408]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"MegaPanel"="c:\program files\ACNielsen\Homescan Internet Transporter\HSTrans.exe" [2006-05-11 2064384]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"Nitro PDF Printer Monitor"="c:\program files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe" [2008-01-29 210208]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-02 582992]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"NielsenOnline"="c:\program files\NetRatingsNetSight\NetSight\NielsenOnline.exe" [2008-10-31 45056]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-04-17 16143872]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-09-17 1657376]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
hp officejet 4100 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpomau08.exe [2003-4-9 147456]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-9 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Railroads!\\RailRoads.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Reality Pump\\Two Worlds\\TwoWorlds.exe"=
"c:\\Program Files\\Reality Pump\\Two Worlds\\TwoWorlds_RADEON.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R3 bepldr;BCL easyPDF SDK 5 Loader;c:\program files\Common Files\BCL Technologies\NitroPDF5\bepldr.exe [2007-11-16 151552]
R3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\DRIVERS\el575nd5.sys [2001-08-18 69692]
S1 nnrnstdi;nnrnstdi; [x]
S3 km_filter;km_filter;c:\windows\system32\drivers\km_filter.sys [2008-08-22 8832]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{78f1cde1-4d8a-11db-9115-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder

2009-04-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2007-07-06 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p officejet 4100 series272A572217594EBCF1CEE215E352B92AD073FDE4175808469.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 23:56]

2006-11-23 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-05-07 00:12]

2006-11-23 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-05-07 00:12]

2006-11-23 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-05-07 00:12]

2009-04-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-19 19:32]

2009-05-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-19 19:32]

2009-05-02 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-12-17 22:31]

2009-05-02 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2008-12-21 22:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gateway.com/g/startpage.html ... TP&M=T3524
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\norxnpf1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\program files\Mozilla Firefox\components\nsgkff30_meter4.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\norxnpf1.default\extensions\OberonGameHost@OberonGames.com\platform\WINNT_x86-msvc\plugins\npOberonGameHost.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npImgCtl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppopcaploader.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Photosynth\npPhotosynthMozilla.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-02 09:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-108726880-3178591953-4143022154-1003\Software\SecuROM\License information*]
"datasecu"=hex:3a,20,ab,3c,f8,d1,bc,f5,ba,ae,ea,23,c9,55,49,4e,9e,d9,72,92,84,
08,03,0f,ca,44,d3,2a,70,d1,76,cb,e1,b3,d0,7f,0c,c1,2f,d9,d6,ef,ee,13,a1,80,\
"rkeysecu"=hex:d9,03,e4,16,31,3f,a7,ab,17,da,31,3c,19,f8,a4,b1
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(516)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2700)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-05-02 9:46
ComboFix-quarantined-files.txt 2009-05-02 15:45
ComboFix2.txt 2009-01-02 20:38

Pre-Run: 95,091,679,232 bytes free
Post-Run: 95,273,803,776 bytes free

218 --- E O F --- 2009-04-29 03:23
tomvilfroy
 
Posts: 61
Joined: Sun Dec 14, 2008 2:56 am
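Several lines in the ComboFix log above are the ones a helper checks before saying "log looks ok": the Security Center keys that suppress antivirus and firewall notifications, the EnableFirewall value of the standard profile, a service (S1 nnrnstdi) whose image file is marked [x] as missing, and the mountpoints2 AutoRun command. The Python script below is an added example, not ComboFix's own code and not from the thread: it walks lines in the "Reg Loading Points" format and returns each of those conditions as a finding. The sample input is constructed from the lines in the log above; the category names and the interpretation of the R/S prefix and start-type digit on service lines are my own reading of the format.

```python
import re

# Constructed sample assembled from "Reg Loading Points" lines in the ComboFix
# log posted in this thread.
SAMPLE_COMBOFIX = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R3 bepldr;BCL easyPDF SDK 5 Loader;c:\program files\Common Files\BCL Technologies\NitroPDF5\bepldr.exe [2007-11-16 151552]
S1 nnrnstdi;nnrnstdi; [x]
S3 km_filter;km_filter;c:\windows\system32\drivers\km_filter.sys [2008-08-22 8832]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{78f1cde1-4d8a-11db-9115-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
"""

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>.*)$')
# Service line: R (running) / S (stopped) plus start type, then
# name;display name;image path [date size]  -- "[x]" means the file is missing.
SVC_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]$"
)
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command - (?P<cmd>.+)$")

# Security Center values that silence or hide security-state reporting.
SECURITY_CENTER_FLAGS = {
    "AntiVirusDisableNotify", "FirewallDisableNotify",
    "UpdatesDisableNotify", "DisableMonitoring",
}


def _is_set(value):
    """ComboFix prints REG_DWORD as 'dword:00000001' or as '1 (0x1)'."""
    v = value.strip().lower()
    if v.startswith("dword:"):
        return int(v[6:], 16) != 0
    return v.split()[0] not in ("0", "") if v else False


def audit_combofix(text):
    """Return a list of {'category', 'detail'} findings for the loading points."""
    findings = []
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m["key"].lower()
            continue
        leaf = current_key.rsplit("\\", 1)[-1]
        m = VAL_RE.match(line)
        if m:
            name, value = m["name"], m["value"]
            if "security center" in current_key and name in SECURITY_CENTER_FLAGS and _is_set(value):
                findings.append({"category": "security_center",
                                 "detail": f"{name} is set under {current_key}"})
            elif "firewallpolicy" in current_key and name == "EnableFirewall" and not _is_set(value):
                findings.append({"category": "firewall",
                                 "detail": f"Windows Firewall is disabled in the {leaf} profile"})
            continue
        m = SVC_RE.match(line)
        if m and m["meta"] == "x":
            findings.append({"category": "missing_service_file",
                             "detail": f"{m['start']} service {m['name']} is registered but its image file is missing"})
            continue
        m = AUTORUN_RE.match(line)
        if m and "mountpoints2" in current_key:
            findings.append({"category": "autorun_handler",
                             "detail": f"AutoRun command for volume {leaf}: {m['cmd']}"})
    return findings


if __name__ == "__main__":
    for f in audit_combofix(SAMPLE_COMBOFIX):
        print(f"[{f['category']}] {f['detail']}")
```

Every finding here is a prompt for a question, not a verdict: a third-party suite such as McAfee legitimately sets DisableMonitoring on its own Security Center entries and takes over the Windows Firewall, so the script reports the state and leaves the judgement to whoever reads the log alongside the AV/FW lines at its top.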

Re: Computer running sluggishly

Postby patrik » Mon May 04, 2009 4:42 am

Log looks ok.
How is your computer working now?
patrik
Site Admin
 
Posts: 8425
Joined: Sun Jan 08, 2006 1:11 pm

Re: Computer running sluggishly

Postby tomvilfroy » Mon May 04, 2009 8:44 pm

Still very sluggish - probably even more so - it takes forever to even load a web page like yours, and then I have to click on the tab/browser to open it, i.e. it "closes" down to the other open browser and I have to click on the tab at the bottom to open it again.

Like I mentioned before, that one web scanner did report some items on the summary, but alas I could never get it to run to completion to see what those items are.

Thomas
tomvilfroy
 
Posts: 61
Joined: Sun Dec 14, 2008 2:56 am

Re: Computer running sluggishly

Postby patrik » Wed May 06, 2009 1:36 pm

Read the article: How to use Kaspersky virus removal tool.
1. Download Kaspersky Virus Removal Tool to your desktop.
2. Close all other applications and double-click and run the installer.
3. When the tool starts, select all the items except for CD-ROM and Floppy drives.
4. Click the Scan button. If malware is detected, don't remove anything.
5. After the scan finishes, don't neutralize anything.
6. In the Scan window click the Reports button and select Save to file.
7. Name the report AVPT.txt, and save it to the Desktop.
8. Close AVPTool. You will be prompted if you want to uninstall the program; click Yes. You will then be prompted that to complete the uninstallation, the computer must be restarted. Select Yes to restart the system.

Copy and paste the first part of the report (Detected) that you saved in your next reply. Do not include the longer list marked Events.
patrik
Site Admin
 
Posts: 8425
Joined: Sun Jan 08, 2006 1:11 pm

Re: Computer running sluggishly

Postby tomvilfroy » Thu May 07, 2009 4:02 pm

Patrik, here is that file like you requested. Sorry for deleting the 3 files in the download directory, but I wasn't fully awake this morning and thought that was McAfee indicating that (even though I had it disabled at the time!)..no biggie on losing those 3 files. Just seems this computer is getting slower and slower - taking forever to even type a message like this (total time to post this message was 10+ minutes!)

Thomas

-------

Scan
----
Scanned: 813598
Detected: 7
Untreated: 4
Start time: 5/7/2009 12:30:53 AM
Duration: 08:07:31
Finish time: 5/7/2009 8:38:24 AM


Detected
--------
Status Object
------ ------
deleted: Trojan program Trojan.Win32.TDSS.aaau File: C:\download\FlashPlayer.v9.012.exe//stream//data0001
deleted: Trojan program Trojan-Downloader.Win32.VB.hcz File: C:\download\1 CD write\Ebay\Ebay BidBlocker.exe
deleted: virus Email-Worm.Win32.Avron.b File: C:\download\a VIP Profit zone software\Interactive Site Creator Software\vip_interactive_website_creator.zip/newadmin/emailall.php
detected: adware not-a-virus:AdWare.Win32.BHO.gkp File: C:\WINDOWS\CouponPrinter.ocx
detected: adware not-a-virus:AdWare.Win32.SearchIt.t File: D:\i386\Apps\App17981\comps\toolbar\toolbr.exe//WiseSFXDropper//WISE0015.BIN
detected: adware not-a-virus:AdWare.Win32.SearchIt.t File: D:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP33\A0004837.exe//WiseSFXDropper//WISE0015.BIN
detected: adware not-a-virus:AdWare.Win32.SearchIt.t File: D:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP33\A0004837.exe//WiseSFXDropper
tomvilfroy
 
Posts: 61
Joined: Sun Dec 14, 2008 2:56 am

Re: Computer running sluggishly

Postby patrik » Fri May 08, 2009 3:03 pm

Download AVZ Antiviral Toolkit from here or here.
Unzip it to a folder that you create such as C:\AVZ\.
Double-click avz.exe to run the program.
Click File -> Database Update. Click Start.
When the update is finished click OK.
Click AVZM->Install extended monitoring driver.
Reboot your computer.

Run AVZ.
Click File -> Standard scripts.
Mark the Advanced System Analysis check box.
Click on the Execute selected scripts button.
Click YES to confirm.
A system check will be executed.
When the scan is finished, a logfile will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.
Click OK and click CLOSE.
Close AVZ.

Attach virusinfo_syscheck.zip in your reply.
patrik
Site Admin
 
Posts: 8425
Joined: Sun Jan 08, 2006 1:11 pm

Re: Computer running sluggishly

Postby tomvilfroy » Fri May 08, 2009 9:18 pm

here is that file
Attachments
virusinfo_syscheck.zip
(138.9 KiB) Downloaded 10 times
tomvilfroy
 
Posts: 61
Joined: Sun Dec 14, 2008 2:56 am

Re: Computer running sluggishly

Postby patrik » Mon May 11, 2009 2:21 pm

Log looks ok.
Are you still having problems?
patrik
Site Admin
 
Posts: 8425
Joined: Sun Jan 08, 2006 1:11 pm
