
BSOD attributed to znohylpprfiu3.sys, cannot find file on pc or Google!

Windows XP sp3.

I keep getting this BSOD and it's always attributed to this file: znohylpprfiu3.sys
The blue screen reports code 0x00000050 or 0x00000024, however I think I saw a 0x00000047 as well but maybe not.
Microsoft report that sometimes the 0x00000050 stop error is caused by a virus and give instructions for removal. I do not have those registry entries though.
http://support.microsoft.com/kb/903251

The blue screen always blames that file, as do the memory dumps (unless I'm being dumb, if so please feel free to correct me).

I cannot find that file on the pc or on Google.

The BSOD occurs a couple of minutes after the windows login screen appears, whether you actually log in or not. You can log in in safe mode, but BSOD appeared a couple of times when I tried to update the following two drivers:

PCI to USB open host controller
CPU to AGP controller

I did manage to get them to install in the end (perseverance not skill). I have updated all the drivers and would also do the Windows updates but I keep getting an error: [Error number: 0x8007043C]
Tried deleting all the temporary internet files and cookies but it didn't help.
I have manually replaced usbhub.sys and usbd.sys with ones from another machine.

There are no System Restore points previous to my attempt to fix this machine although it was turned on, and I cannot create one manually because I am in safe mode. There are a couple that have been created since I have been playing with it - I think they are from automatic Windows updates, judging by the names of the restore points.

I am suspecting some sort of infection but the fact it was blue screening with those two drivers seems to contradict this theory to me.
Plus I have scanned with Malwarebytes, Comodo, BitDefender online scanner, Norton Security Scanner, Trend Micro Housecall online scanner. Nothing significant was found.
Interestingly Comodo identified 6 files as viruses (trojan.backdoor.bot, I seem to remember without checking it) and they were actually Microsoft files. I haven't deleted them for now as I don't think that the result was correct. I will copy them to another machine to rescan and double check - Comodo has been installed onto this machine to try to fix the problem, but maybe it hasn't installed correctly, I just don't know right now.
The original security was Norton 360 but I removed that (used Norton Removal Tool).

Anyone know what is going on here or how I might troubleshoot further? Why can't I find this file on the pc or on Google (is it a random filename generated by a virus)?

It does have a PCI USB card but I have removed that and no help.

It also has a modem card and graphics card installed. I tried to take out the modem card but it didn't seem to want to come out, and as it isn't my machine I didn't want to force it as it is a little old. The graphics card I have left installed for now, along with the modem, as I will be surprised if this is due to either of them.

I do not suspect memory either due to the circumstances of each blue screen, but again I'm open to suggestions.

This site won't let me attach memory dumps - I could rename to something different to circumnavigate the checking but don't want to upset anyone - only just joined.
Asked: WhoIsThatChild

1 Solution

Jonvee Commented:
Certainly looks like an infection & recommend you run ComboFix.
Download ComboFix and save to your Desktop >
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Before using ComboFix please disable any realtime Anti-virus, Anti-spyware, Shields, etc. that you may have running, and remember to re-enable them later, upon completion.

Before using ComboFix it may be necessary to rename it before saving it to your desktop.  If you have difficulties downloading it, try downloading to another machine, then into a USB memory stick (or equivalent).  Rename it and connect to the problematic machine.

Double click "combofix.exe" and follow the prompts.
When it's finished it will have produced a Logfile, probably at C:\ComboFix.txt.
You could post that log together with a HijackThis log, in a reply for us.
Please do not mouseclick Combofix's window while it is running, because it may stall.  It is absolutely normal for you to see a blue screen with flashing cursor, and this can last for up to 30 mins.  Just let it run.

ComboFix works well in normal mode or safe mode, but try normal mode initially.
 
Jonvee Commented:
No problem renaming the Minidumps, and welcome to Experts Exchange!

The dumps are normally located in c:\windows\minidump\    
or  %systemroot%\minidump\

Can you paste the latest dump(s) in the "Attach Code Snippet" box and we'll get it analysed.  You'll need to rename single minidumps first with a .txt extension.    Alternatively, zip them before attaching.

You may need to disable auto restart:
Right click My Computer > Properties > Advanced > Startup and Recovery Settings and uncheck Automatically Restart.
 
Jonvee Commented:
Recommend we concentrate on cleaning the machine initially, we can look at the dumps later.

Even before you run ComboFix, it may be more beneficial to run Trend HijackThis 2.02:
http://majorgeeks.com/Trend_Micro_HijackThis_d5554.html

Create a folder where you would like the HijackThis file to reside and run it from there, not from the Desktop or a temporary folder.
Run the scan & save the logfile.  Then click the "Attach Code Snippet" box, paste the logfile into the "Code Snippet" page and then it can be analysed.  We are looking for rootkits or other nasties.
 
Jonvee Commented:
Details on error "0x00000050: PAGE_FAULT_IN_NONPAGED_AREA":

Requested data was not in memory. An invalid system memory address was referenced. Defective memory (including main memory, L2 RAM cache, video RAM) or incompatible software (including remote control and antivirus software) might cause this Stop message, as may other hardware problems (e.g., incorrect SCSI termination or a flawed PCI card).
http://aumha.org/a/stop.htm

Although you've had (& may still have) an infection, conceivably it's a memory problem.  Therefore as soon as practicable, try to run memtest86+ v1.70:
http://www.memtest.org/
 
Jonvee Commented:
General:
A file with a name such as znohylpprfiu3.sys can easily be generated by malware or perhaps a virus, and it's not unusual to be unable to locate it, & not find it on Google.  Quite likely the name, or something very similar, will show up in the ComboFix logfile.

Once the PC is clean, a system restore Point can probably be generated normally.

Finally, even if the RAM later checks out ok (after running at least three passes), that's not conclusive evidence.  You could remove all but one stick if you have more than one in position, and re-test for BSOD.
 
WhoIsThatChild (Author) Commented:
Hi Jonvee and thanks for your speedy posts.

I have pasted the combofix and hijack logs to this as code snippet.

Seems like the renamed dumps worked - just a selection - the very first I have, the last and one from the middle.

I ran memtest86 the other week and it took 5 days and was still going (different pc).

Hopefully hear back from you soon.

I'll keep checking back.

Logfile of HijackThis v1.99.1
Scan saved at 13:47:41, on 16/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aol.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\Symantec Shared\IDS\IPSBHO.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Windows UDP Control Center] fxstaller.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ImInstaller_IncrediMail] C:\DOCUME~1\Dan\LOCALS~1\Temp\ImInstaller\IncrediMail\incredimail_install[1].exe -startup -product IncrediMail
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [Device Detector] "C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe" -autorun
O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Corel\Corel MediaOne\Corel PhotoDownloader.exe" -startup
O4 - HKLM\..\Run: [Corel File Shell Monitor] C:\Program Files\Corel\Corel MediaOne\CorelIOMonitor.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [Application Layer Browser] abgsvc.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" -NoStart
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\nbj.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AntiTrojanProMFCT] C:\Program Files\AntiTrojanPro\StartApp.exe
O4 - HKCU\..\Run: [DriverMax] "C:\Program Files\Innovative Solutions\DriverMax\devices.exe" -agent
O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\iexplore.exe http://www.symantec.com/techsupp/servlet/ProductMessages?module=2009&error=0&language=en&product=SymNRT&version=2009.0.5.26&build=Symantec&a=00000082.000000e6.0000026d
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TrayMin200.exe.lnk = ?
O8 - Extra context menu item: &Search - ?p=ZCxdm878YYGB
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?3d4293da50444b8ebfd09ff7c3501524
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?3d4293da50444b8ebfd09ff7c3501524
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.dixons.co.uk/
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

ComboFix:
ComboFix 09-02-15.01 - Gary 2009-02-16 13:55:35.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.511.358 [GMT 0:00]
Running from: c:\documents and settings\Gary\Desktop\ComboFix.exe
.
 
(((((((((((((((((((((((((   Files Created from 2009-01-16 to 2009-02-16  )))))))))))))))))))))))))))))))
.
 
2009-02-16 10:34 . 2009-02-16 10:34	3,042	--a------	c:\windows\system32\PerfStringBackup.TMP
2009-02-15 08:15 . 2009-02-15 08:15	102,664	--a------	c:\windows\system32\drivers\tmcomm.sys
2009-02-15 02:16 . 2009-02-15 08:23	<DIR>	d--------	c:\documents and settings\Gary\.housecall6.6
2009-02-15 00:14 . 2009-02-16 10:21	<DIR>	d--------	c:\program files\COMODO
2009-02-14 23:15 . 2008-12-30 11:13	13,976	--a------	c:\windows\system32\drivers\videX32.sys
2009-02-14 22:59 . 2009-01-21 15:49	118,656	--a------	c:\windows\system32\drivers\Rtnicxp.sys
2009-02-14 22:59 . 2009-01-16 22:45	73,728	--a------	c:\windows\system32\RtNicProp32.dll
2009-02-14 22:10 . 2001-08-17 13:57	16,128	--a------	c:\windows\system32\drivers\MODEMCSA.sys
2009-02-14 22:10 . 2001-08-17 13:57	16,128	--a--c---	c:\windows\system32\dllcache\modemcsa.sys
2009-02-14 21:55 . 2008-08-06 13:48	114,688	--a------	c:\windows\system32\drivers\ubohci.sys
2009-02-14 21:55 . 2008-08-06 13:52	100,352	--a------	c:\windows\system32\drivers\UB1394.sys
2009-02-14 21:55 . 2008-08-06 13:53	39,424	--a------	c:\windows\system32\drivers\UBUMAPI.sys
2009-02-14 21:55 . 2008-08-06 13:52	17,408	--a------	c:\windows\system32\drivers\UBSBM.sys
2009-02-14 20:57 . 2003-05-22 09:44	670,203	--a------	c:\windows\system32\drivers\Intels51.sys
2009-02-14 20:31 . 2006-11-20 15:34	50,432	--a------	c:\windows\system32\drivers\hcdriver.sys
2009-02-14 20:17 . 2006-10-09 12:58	203,648	--a------	c:\windows\system32\drivers\vinyl97.sys
2009-02-14 19:48 . 2009-02-16 10:24	1,374	--a------	c:\windows\imsins.BAK
2009-02-14 19:28 . 2009-02-16 10:37	0	--a------	c:\windows\system32\NvApps.xml
2009-02-14 17:49 . 2009-02-14 17:49	4,736	--a------	c:\windows\system32\drivers\usbd.sys
2009-02-14 14:48 . 2009-02-14 14:48	<DIR>	d--------	c:\program files\Innovative Solutions
2009-02-13 18:45 . 2009-02-13 18:45	<DIR>	d--------	C:\NSS
2009-02-13 14:05 . 2009-02-13 14:05	<DIR>	d--------	c:\program files\Malwarebytes' Anti-Malware
2009-02-13 14:05 . 2009-02-13 14:05	<DIR>	d--------	c:\documents and settings\Gary\Application Data\Malwarebytes
2009-02-13 14:05 . 2009-02-13 14:05	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-13 14:05 . 2009-02-11 10:19	38,496	--a------	c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-13 14:05 . 2009-02-11 10:19	15,504	--a------	c:\windows\system32\drivers\mbam.sys
2009-02-13 12:05 . 2009-02-13 13:56	<DIR>	d--------	c:\windows\BDOSCAN8
2009-02-13 12:04 . 2009-02-16 10:23	<DIR>	d--------	c:\windows\LastGood
2009-02-12 16:36 . 2002-11-02 00:14	<DIR>	d--------	c:\documents and settings\Administrator\Application Data\InterTrust
2009-02-12 16:36 . 2009-02-12 16:36	<DIR>	d--------	c:\documents and settings\Administrator
2009-02-12 15:51 . 2008-04-14 01:11	21,504	--a------	c:\windows\system32\hidserv.dll
2009-02-12 15:51 . 2008-04-14 01:11	21,504	--a--c---	c:\windows\system32\dllcache\hidserv.dll
2009-02-12 15:50 . 2008-04-13 19:39	14,592	--a------	c:\windows\system32\drivers\kbdhid.sys
2009-02-12 15:50 . 2008-04-13 19:39	14,592	--a--c---	c:\windows\system32\dllcache\kbdhid.sys
2009-02-12 15:50 . 2001-08-17 13:48	12,160	--a------	c:\windows\system32\drivers\mouhid.sys
2009-02-12 15:50 . 2001-08-17 13:48	12,160	--a--c---	c:\windows\system32\dllcache\mouhid.sys
2009-02-12 15:50 . 2008-04-13 19:45	10,368	--a------	c:\windows\system32\drivers\hidusb.sys
2009-02-12 15:50 . 2008-04-13 19:45	10,368	--a--c---	c:\windows\system32\dllcache\hidusb.sys
2009-02-05 16:44 . 2009-02-05 16:44	<DIR>	d--------	c:\documents and settings\Gary\Application Data\Symantec
2009-02-05 16:40 . 2009-02-05 16:40	<DIR>	d--------	c:\program files\Windows Sidebar
2009-02-05 16:38 . 2009-02-05 16:38	<DIR>	d--------	c:\windows\LastGood.Tmp
2009-02-05 16:32 . 2009-02-16 10:12	<DIR>	d--------	c:\program files\Common Files\Symantec Shared
2009-01-31 16:19 . 2009-01-31 16:47	<DIR>	d--------	c:\program files\NoAdware
2009-01-31 14:00 . 2009-01-31 14:00	<DIR>	d--------	c:\documents and settings\NetworkService\Application Data\Viewpoint
2009-01-30 12:26 . 2009-01-30 12:31	4,014	--a------	C:\pps.exe
2009-01-18 18:11 . 2009-01-18 18:12	<DIR>	d--------	c:\program files\iTunes
2009-01-18 18:11 . 2009-01-18 18:12	<DIR>	d--------	c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-18 18:09 . 2009-01-18 18:09	<DIR>	d--------	c:\program files\Bonjour
2009-01-18 18:05 . 2008-11-07 14:23	32,000	--a------	c:\windows\system32\drivers\usbaapl.sys
2009-01-18 18:04 . 2009-01-18 18:04	<DIR>	d--------	c:\program files\Common Files\Apple
2009-01-18 16:56 . 2009-01-18 16:56	54,156	--ah-----	c:\windows\QTFont.qfn
2009-01-18 16:56 . 2009-01-18 16:56	1,409	--a------	c:\windows\QTFont.for
2009-01-18 13:48 . 2009-01-18 13:48	<DIR>	d--------	c:\program files\Apple Software Update
2009-01-18 13:48 . 2009-01-18 13:48	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Apple
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-13 15:47	---------	d-----w	c:\program files\Common Files\AOL
2009-02-13 15:45	---------	d-----w	c:\documents and settings\All Users\Application Data\AOL
2009-02-13 15:44	---------	d-----w	c:\documents and settings\Gary\Application Data\AOL
2009-02-13 13:08	---------	d-----w	c:\program files\LimeWire
2009-02-12 13:40	94,208	----a-w	c:\windows\DUMP9e34.tmp
2009-02-05 16:14	---------	d-----w	c:\program files\DFX
2009-02-03 20:34	---------	d-----w	c:\program files\Spybot - Search & Destroy
2009-02-03 20:34	---------	d-----w	c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-30 17:19	---------	d-----w	c:\documents and settings\All Users\Application Data\avg8
2009-01-18 18:15	---------	d-----w	c:\program files\QuickTime
2009-01-18 18:11	---------	d-----w	c:\program files\iPod
2009-01-05 21:40	---------	d-----w	c:\program files\Google
2008-12-20 23:15	826,368	----a-w	c:\windows\system32\wininet.dll
2008-12-17 20:49	---------	d-----w	c:\documents and settings\Laura\Application Data\CyberLink
2008-12-17 20:47	---------	d-----w	c:\documents and settings\Laura\Application Data\Logitech
2007-04-25 19:21	24,976	----a-w	c:\documents and settings\Rob\Application Data\GDIPFONTCACHEV1.DAT
2008-06-19 16:08	88	-csh--r	c:\windows\system32\27E02ED87B.sys
2008-09-30 14:41	4,704	-csha-w	c:\windows\system32\KGyGaAvL.sys
2008-08-29 22:53	32,768	--sha-w	c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082920080830\index.dat
.
 
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-21 68856]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2007-05-23 95800]
"NBJ"="c:\program files\Ahead\Nero BackItUp\nbj.exe" [2006-09-15 2048000]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DriverMax"="c:\program files\Innovative Solutions\DriverMax\devices.exe" [2009-02-10 5391192]
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"<NO NAME>"="c:\program files\Internet Explorer\iexplore.exe" [2008-12-19 634024]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 271360]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-11-17 7700480]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2005-07-25 1397760]
"DSLSTATEXE"="c:\program files\BT Voyager 105 ADSL Modem\dslstat.exe" [2003-06-28 1658965]
"DSLAGENTEXE"="c:\program files\BT Voyager 105 ADSL Modem\dslagent.exe" [2003-08-19 16384]
"Device Detector"="c:\program files\Common Files\ACD Systems\EN\DevDetect.exe" [2004-09-02 221184]
"Corel File Shell Monitor"="c:\program files\Corel\Corel MediaOne\CorelIOMonitor.exe" [2007-12-01 38400]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 61440]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 622592]
"%FP%Friendly fts.exe"="c:\program files\VoyagerTest\fts.exe" [2003-05-06 72192]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-11-17 86016]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]
"nwiz"="nwiz.exe" [2002-09-09 c:\windows\system32\nwiz.exe]
 
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088]
 
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\KEM.exe [2007-02-21 581632]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
TrayMin200.exe.lnk - c:\program files\Philips\SPC 200NC PC Camera\TrayMin200.exe [2007-02-11 278528]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23913:TCP"= 23913:TCP:BitComet 23913 TCP
"23913:UDP"= 23913:UDP:BitComet 23913 UDP
"1498:UDP"= 1498:UDP:Windows Media Format SDK (iexplore.exe)
"1499:UDP"= 1499:UDP:Windows Media Format SDK (iexplore.exe)
"3084:UDP"= 3084:UDP:Windows Media Format SDK (iexplore.exe)
"3085:UDP"= 3085:UDP:Windows Media Format SDK (iexplore.exe)
"57293:TCP"= 57293:TCP:System68
"46164:TCP"= 46164:TCP:System11
"37010:TCP"= 37010:TCP:System93
"18298:TCP"= 18298:TCP:System62
"54643:TCP"= 54643:TCP:System73
"13214:TCP"= 13214:TCP:System14
"5761:TCP"= 5761:TCP:System88
"22076:TCP"= 22076:TCP:System42
"54130:TCP"= 54130:TCP:System02
"8017:TCP"= 8017:TCP:System61
"44375:TCP"= 44375:TCP:System58
"42449:TCP"= 42449:TCP:System94
"58162:TCP"= 58162:TCP:System99
"45567:TCP"= 45567:TCP:System71
"20364:TCP"= 20364:TCP:System81
"54961:TCP"= 54961:TCP:System58
"27144:TCP"= 27144:TCP:System47
"54553:TCP"= 54553:TCP:System79
"19140:TCP"= 19140:TCP:System26
"62311:TCP"= 62311:TCP:System34
"39993:TCP"= 39993:TCP:System95
"56610:TCP"= 56610:TCP:System58
"53893:TCP"= 53893:TCP:System46
"40674:TCP"= 40674:TCP:System63
"54805:TCP"= 54805:TCP:System89
"49921:TCP"= 49921:TCP:System79
"41030:TCP"= 41030:TCP:System86
"9355:TCP"= 9355:TCP:System86
"64182:TCP"= 64182:TCP:System27
"50002:TCP"= 50002:TCP:System85
"16568:TCP"= 16568:TCP:System86
"34478:TCP"= 34478:TCP:System39
"63079:TCP"= 63079:TCP:System33
"47587:TCP"= 47587:TCP:System88
"5420:TCP"= 5420:TCP:System84
"25817:TCP"= 25817:TCP:System88
"29225:TCP"= 29225:TCP:System15
"43920:TCP"= 43920:TCP:System09
"45596:TCP"= 45596:TCP:System50
"46920:TCP"= 46920:TCP:System28
"63516:TCP"= 63516:TCP:System81
"34406:TCP"= 34406:TCP:System53
"62239:TCP"= 62239:TCP:System12
"57212:TCP"= 57212:TCP:System92
"20473:TCP"= 20473:TCP:System32
"11396:TCP"= 11396:TCP:System35
"8565:TCP"= 8565:TCP:System51
"17159:TCP"= 17159:TCP:System23
"49733:TCP"= 49733:TCP:System12
"27822:TCP"= 27822:TCP:System86
"4950:TCP"= 4950:TCP:System90
"6848:TCP"= 6848:TCP:System75
"12112:TCP"= 12112:TCP:System29
"22751:TCP"= 22751:TCP:System60
"59221:TCP"= 59221:TCP:System34
"25688:TCP"= 25688:TCP:System45
 
S2 ubsbm;Unibrain 1394 SBM Driver;c:\windows\system32\drivers\UBSBM.sys [2009-02-14 17408]
S2 ubumapi;Unibrain 1394 FireAPI Driver;c:\windows\system32\drivers\UBUMAPI.sys [2009-02-14 39424]
S3 hcdriver;Intel EHCI Compliance Test Tool Device Driver;c:\windows\system32\drivers\hcdriver.sys [2009-02-14 50432]
S3 PentaxUsb;PENTAX Optio 50L on USB;c:\windows\system32\drivers\CoachUsb.sys [2007-11-18 50976]
S3 PentaxVc;PENTAX Optio 50L Video Capture;c:\windows\system32\drivers\CoachVc.sys [2007-11-18 44256]
S3 ubohci;Unibrain 1394 OHCI Driver;c:\windows\system32\drivers\ubohci.sys [2009-02-14 114688]
.
Contents of the 'Scheduled Tasks' folder
 
2009-02-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
 
2009-02-11 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]
 
2009-01-26 c:\windows\Tasks\EasyShare Registration Task.job
- c:\docume~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.1.30.7.sxt _RegistrationOffer@16 []
.
- - - - ORPHANS REMOVED - - - -
 
ShellIconOverlayIdentifiers-{2D7E38A6-A604-45AE-9A87-4F5F25760650} - (no file)
HKCU-Run-LDM - c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
HKCU-Run-AntiTrojanProMFCT - c:\program files\AntiTrojanPro\StartApp.exe
HKLM-Run-ImInstaller_IncrediMail - c:\docume~1\Dan\LOCALS~1\Temp\ImInstaller\IncrediMail\incredimail_install[1].exe
HKLM-Run-Corel Photo Downloader - c:\program files\Corel\Corel MediaOne\Corel PhotoDownloader.exe
HKLM-Run-AOLDialer - c:\program files\Common Files\AOL\ACS\AOLDial.exe
HKLM-Run-Application Layer Browser - abgsvc.exe
 
 
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.co.uk
uLocal Page = \blank.htm
uInternet Settings,ProxyOverride = localhost
IE: &Search - ?p=ZCxdm878YYGB
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?3d4293da50444b8ebfd09ff7c3501524
IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?3d4293da50444b8ebfd09ff7c3501524
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
 
**************************************************************************
 
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-16 14:01:47
Windows 5.1.2600 Service Pack 3 NTFS
 
scanning hidden processes ...  
 
scanning hidden autostart entries ... 
 
scanning hidden files ...  
 
scan completed successfully
hidden files: 0
 
**************************************************************************
 
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\znohylpprfiu3]
"ImagePath"="system32\DRIVERS\znohylpprfiu3.sys"
.
Completion time: 2009-02-16 14:03:38
ComboFix-quarantined-files.txt  2009-02-16 14:03:36
 
Pre-Run: 1,988,980,736 bytes free
Post-Run: 5,320,876,032 bytes free
 
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
 
272	--- E O F ---	2009-01-13 19:06:47

Mini021209-01.dmp.txt
Mini021309-02.dmp.txt
Mini021609-04.dmp.txt
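The firewall section of the ComboFix log above deserves a mechanical look as much as the driver does: the host has `EnableFirewall` set to 0, and the `GloballyOpenPorts\List` key carries dozens of high TCP ports opened under generic labels such as `System58`, with the same label reused for several ports. The following is an added example, not code from the thread or from ComboFix: it parses those registry lines exactly as ComboFix prints them and flags that pattern. `SAMPLE` is a subset copied from the log on this page; the `SystemNN` label shape, the threshold of five such entries and the 1024 "high port" floor are my assumptions.

```python
"""Triage the Windows Firewall exceptions ComboFix dumps from the registry.

Added example for this thread (not code from the thread or from ComboFix):
it parses the lines exactly as ComboFix prints them and flags the pattern
visible in the log above: many high TCP ports opened under generic
'SystemNN' labels, the same label reused for several ports, and the
firewall itself switched off.  SAMPLE is a subset copied from that log.
"""
import re
from collections import Counter

# Excerpt of the two firewall-policy sections from the ComboFix log on this page.
SAMPLE = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23913:TCP"= 23913:TCP:BitComet 23913 TCP
"23913:UDP"= 23913:UDP:BitComet 23913 UDP
"1498:UDP"= 1498:UDP:Windows Media Format SDK (iexplore.exe)
"57293:TCP"= 57293:TCP:System68
"46164:TCP"= 46164:TCP:System11
"44375:TCP"= 44375:TCP:System58
"54961:TCP"= 54961:TCP:System58
"56610:TCP"= 56610:TCP:System58
"41030:TCP"= 41030:TCP:System86
"9355:TCP"= 9355:TCP:System86
"16568:TCP"= 16568:TCP:System86
"27822:TCP"= 27822:TCP:System86
"""

# '"57293:TCP"= 57293:TCP:System68'  ->  port, protocol, display name
PORT_RE = re.compile(
    r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*(?P=port):(?P=proto):(?P<name>.*)$')
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(\d+)')
# Assumption: the generic label shape seen in this log, 'System' + two digits.
GENERIC_NAME_RE = re.compile(r'^System\d{2}$')
HIGH_PORT_FLOOR = 1024   # assumption: ports at/above this count as 'high'


def parse_open_ports(text):
    """Return a list of (port, proto, name) from GloballyOpenPorts lines."""
    out = []
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            out.append((int(m.group("port")), m.group("proto"), m.group("name")))
    return out


def firewall_enabled(text):
    """True/False from the EnableFirewall line, None if the line is absent."""
    for line in text.splitlines():
        m = FIREWALL_RE.match(line.strip())
        if m:
            return m.group(1) != "0"
    return None


def triage(entries, generic_threshold=5):
    """Flag generically named exceptions and labels reused across ports.

    generic_threshold is an assumption: a couple of odd entries can be
    leftovers of uninstalled software, dozens is not."""
    generic = [e for e in entries if GENERIC_NAME_RE.match(e[2])]
    high = [e for e in generic if e[0] >= HIGH_PORT_FLOOR]
    reused = {n: c for n, c in Counter(e[2] for e in generic).items() if c > 1}
    suspicious = len(generic) >= generic_threshold or bool(reused)
    return {"generic": generic, "high_port_generic": high,
            "reused_names": reused, "suspicious": suspicious}


def report(text):
    """One-shot summary for a ComboFix firewall dump."""
    entries = parse_open_ports(text)
    t = triage(entries)
    return {"total": len(entries), "firewall_enabled": firewall_enabled(text),
            "generic": len(t["generic"]), "reused": t["reused_names"],
            "suspicious": t["suspicious"]}


if __name__ == "__main__":
    r = report(SAMPLE)
    print(f"{r['total']} exceptions, {r['generic']} generic, reused labels: {r['reused']}")
    print("firewall enabled:", r["firewall_enabled"], "| suspicious:", r["suspicious"])
```

Run against the full list from the log the verdict is the same: the exceptions are not an active exposure while the firewall is off, but a list like this is something a program wrote into the policy key, and the three tools that were run would not look there. The registry view can be reloaded after the driver is dealt with to see whether the entries come back.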
 
JonveeCommented:
Yes, all three minidumps indicate that znohylpprfiu3.sys is the problem>
IMAGE_NAME: znohylpprfiu3.sys
FAILURE_BUCKET_ID: 0x50_znohylpprfiu3+36a4

From the HijackThis analysis you could Fix this >
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

There may be a remnant of Norton 360 or are you running some other Norton/Symantec product?  Recommend you disable/uninstall if you are, and Fix this entry>
O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\iexplore.exe http://www.symantec.com/techsupp/servlet/ProductMessages?module=2009&error=0&language=en&product=SymNRT&version=2009.0.5.26&build=Symantec&a=00000082.000000e6.0000026d

Analysing the remainder ...
 
JonveeCommented:
HJT results continue ...

You can Fix these two, but they may be "regenerated" >

O4 - HKLM\..\Run: [Windows UDP Control Center] fxstaller.exe

Details on FXSTALLER.EXE:
http://www.prevx.com/filenames/X2593700059074710707-X1/FXSTALLER2EEXE.html

O8 - Extra context menu item: &Search - ?p=ZCxdm878YYGB

Entry could be ok>
O4 - HKLM\..\Run: [Application Layer Browser] abgsvc.exe
Details>
abgsvc.exe file information
http://www.file.net/process/abgsvc.exe.html

looks ok >>
O4 - HKLM\..\Run: [ImInstaller_IncrediMail] C:\DOCUME~1\Dan\LOCALS~1\Temp\ImInstaller\IncrediMail\incredimail_install[1].exe -startup -product IncrediMail

Did you run ComboFix AFTER running HijackThis?
If so, it may well have improved the situation.

It's going to take a while to analyse Combo & i have to logoff for an hour.
Will most definitely return asap.
 
JonveeCommented:
While you are using HijackThis you can also Fix these unnecessary, deactivated entries please>

O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\Symantec Shared\IDS\IPSBHO.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
 
WhoIsThatChildAuthor Commented:
Hi Jonvee,

Sorry for getting your name wrong. I think I did do the combo scan after the hj scan.

I noticed at the bottom of the combo scan results there is a reference to a registry key that includes that elusive filename - I manually rechecked the registry and it's not there. I didn't know that registry entries could be hidden too.

I'll remove those two entries with hjt and keep checking back.

Cheers mate

 
WhoIsThatChildAuthor Commented:
With regards to the Norton thing, I downloaded and ran the Norton Security Scanner from Symantec. Then I installed Comodo (Norton not running as in safe mode). Then I thought I had better uninstall Norton so removed that (using the Norton Removal Tool) and then removed Comodo too.

I have removed everything you said to take out with hjt and attached a new one.

Thanks
Logfile of HijackThis v1.99.1
Scan saved at 15:20:13, on 16/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HijackThis\HijackThis.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aol.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\Symantec Shared\IDS\IPSBHO.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [Device Detector] "C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe" -autorun
O4 - HKLM\..\Run: [Corel File Shell Monitor] C:\Program Files\Corel\Corel MediaOne\CorelIOMonitor.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" -NoStart
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\nbj.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DriverMax] "C:\Program Files\Innovative Solutions\DriverMax\devices.exe" -agent
O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\iexplore.exe http://www.symantec.com/techsupp/servlet/ProductMessages?module=2009&error=0&language=en&product=SymNRT&version=2009.0.5.26&build=Symantec&a=00000082.000000e6.0000026d
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TrayMin200.exe.lnk = ?
O8 - Extra context menu item: &Search - ?p=ZCxdm878YYGB
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?3d4293da50444b8ebfd09ff7c3501524
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?3d4293da50444b8ebfd09ff7c3501524
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.dixons.co.uk/
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

 
JonveeCommented:
From HJT we still have a problem with these>

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\iexplore.exe http://www.symantec.com/techsupp/servlet/ProductMessages?module=2009&error=0&language=en&product=SymNRT&version=2009.0.5.26&build=Symantec&a=00000082.000000e6.0000026d

O8 - Extra context menu item: &Search - ?p=ZCxdm878YYGB

Contemplating next move ..
 
WhoIsThatChildAuthor Commented:
Did you see the reference to "znohylpprfiu3.sys" at the end of the ComboFix log? I've never seen one of those logs before so didn't understand. Does this mean it found it in :

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\znohylpprfiu3]
"ImagePath"="system32\DRIVERS\znohylpprfiu3.sys"


because I cannot find it in system32\drivers or the registry.

I thought I deleted those hjt entries - I'll do it now and repost another log.

Then I'm gonna see what I can find out about Combofix.

Thanks
 
JonveeCommented:
Yes, I'm studying the ComboFix log at the moment.

This entry is also lurking in your Combo log under Find3M Report >>
c:\windows\system32\KGyGaAvL.sys

Another option may be to try Pocket KillBox 2.0.0.978 Beta to remove it:
http://www.majorgeeks.com/download4709.html

Found some information on Killbox here>

http://74.125.77.132/search?q=cache:Dkl-08b8OH4J:forums.majorgeeks.com/showthread.php%3Ft%3D91848+c:%5Cwindows%5Csystem32%5CKGyGaAvL.sys&hl=en&ct=clnk&cd=1&gl=uk


You may need to enable the viewing of Hidden files, and follow the steps shown here for XP:
http://www.bleepingcomputer.com/tutorials/tutorial62.html#winxp

Here's a guide and tutorial on using ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Only a minor point, but you can update your HijackThis from version 1.99.1 to 2.02 using my link above.
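The puzzle in the posts above is a service key, `HKLM\System\ControlSet001\Services\znohylpprfiu3`, that ComboFix reports but regedit does not show, naming a driver file that cannot be found under `system32\drivers`. The first mechanical step a responder takes here is to walk the Services key, resolve every driver's `ImagePath` to a real path and check whether the file is there. The following is an added example, not code from the thread or from ComboFix. The `ImagePath` forms it resolves are the ones Windows accepts for driver services; `SERVICES` and `FILES_ON_DISK` are constructed from entries in the logs on this page (the `Start` and `Type` numbers are my assumptions) so the check runs offline, and `collect_services_from_registry()` is the live version for a Windows host.

```python
"""Walk driver services, resolve each ImagePath and check the file exists.

Added example for this thread (not code from the thread or from ComboFix).
The ImagePath forms handled are the ones Windows accepts for driver services;
SERVICES and FILES_ON_DISK are constructed from entries in the logs on this
page (Start/Type values are assumptions) so the check runs offline, and
collect_services_from_registry() is the live version for a Windows host.
"""
import ntpath
import os
import re

SYSTEM_ROOT = r"C:\WINDOWS"                    # assumption: default XP layout
START_NAMES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}
DRIVER_TYPES = (1, 2)                          # 1 kernel driver, 2 file-system driver


def resolve_image_path(service_name, image_path, system_root=SYSTEM_ROOT):
    """Turn a driver service's ImagePath value into a Win32 path.

    Forms handled:
      ''                               -> %SystemRoot%\\system32\\drivers\\<service>.sys
      system32\\DRIVERS\\x.sys           -> relative to %SystemRoot%
      \\SystemRoot\\system32\\...        -> %SystemRoot%\\system32\\...
      \\??\\C:\\...  or  \\\\?\\C:\\...     -> C:\\...
      %SystemRoot%\\...  or  C:\\...      -> as is
    """
    p = (image_path or "").strip().strip('"')
    if not p:
        return ntpath.join(system_root, "system32", "drivers", service_name + ".sys")
    # lambda replacement: a plain string would have its backslashes re-parsed
    p = re.sub(r"%systemroot%", lambda m: system_root, p, flags=re.IGNORECASE)
    if p.lower().startswith("\\systemroot\\"):
        return ntpath.join(system_root, p[len("\\systemroot\\"):])
    if p.startswith("\\??\\") or p.startswith("\\\\?\\"):
        return p[4:]
    if ntpath.splitdrive(p)[0]:                 # already has a drive letter
        return p
    return ntpath.join(system_root, p)          # bare relative path


def check_driver(service, files_present=None, system_root=SYSTEM_ROOT):
    """Triage one record {'name', 'ImagePath', 'Start', 'Type'}; None if not a driver.

    files_present: set of lower-cased paths standing in for the disk; when
    None, os.path.exists() is used (live mode)."""
    if service.get("Type") not in DRIVER_TYPES:
        return None
    path = resolve_image_path(service["name"], service.get("ImagePath"), system_root)
    present = (path.lower() in files_present) if files_present is not None \
        else os.path.exists(path)
    start = START_NAMES.get(service.get("Start"), "?")
    flags = []
    if not present:
        flags.append("image file not found on disk (deleted, or hidden from this view)")
        if start in ("boot", "system"):
            flags.append("loads before logon, so a fault here blue-screens at boot")
    return {"name": service["name"], "path": path, "present": present,
            "start": start, "flags": flags}


# Constructed from the logs above; the Start/Type numbers are assumptions.
SERVICES = [
    {"name": "znohylpprfiu3", "ImagePath": r"system32\DRIVERS\znohylpprfiu3.sys", "Type": 1, "Start": 1},
    {"name": "tmcomm", "ImagePath": r"\SystemRoot\system32\drivers\tmcomm.sys", "Type": 1, "Start": 3},
    {"name": "mbam", "ImagePath": r"\??\C:\WINDOWS\system32\drivers\mbam.sys", "Type": 1, "Start": 3},
    {"name": "ubohci", "ImagePath": "", "Type": 1, "Start": 3},
    {"name": "Bonjour Service", "ImagePath": r"C:\Program Files\Bonjour\mDNSResponder.exe", "Type": 16, "Start": 2},
]
# Simulated disk: files the 'Files Created' section of the log shows as present.
FILES_ON_DISK = {p.lower() for p in (
    r"C:\WINDOWS\system32\drivers\tmcomm.sys",
    r"C:\WINDOWS\system32\drivers\mbam.sys",
    r"C:\WINDOWS\system32\drivers\ubohci.sys",
)}


def triage_all(services=SERVICES, files_present=FILES_ON_DISK):
    """Run check_driver over every record, dropping non-driver services."""
    return [r for r in (check_driver(s, files_present) for s in services) if r]


def collect_services_from_registry():
    """Live collection (Windows only): records shaped like SERVICES."""
    import winreg
    out = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as k:
        i = 0
        while True:
            try:
                name = winreg.EnumKey(k, i)
            except OSError:
                break
            i += 1
            rec = {"name": name}
            with winreg.OpenKey(k, name) as sub:
                for v in ("ImagePath", "Start", "Type"):
                    try:
                        rec[v] = winreg.QueryValueEx(sub, v)[0]
                    except OSError:
                        pass
            out.append(rec)
    return out


if __name__ == "__main__":
    for r in triage_all():
        print(f"{r['name']:15} {r['start']:8} {'ok' if r['present'] else 'MISSING'}  {r['path']}")
        for f in r["flags"]:
            print("    !", f)
```

The caveat matters more than the script: both `collect_services_from_registry()` and `os.path.exists()` go through the same user-mode API that regedit and Explorer use, so a key or file a rootkit hides from them is hidden from this check too. That is consistent with what happened in the thread, where the author could not find the key or the file by hand while ComboFix still listed the key, and it is why the CFScript posted later names the key explicitly instead of relying on enumeration. Run the live version from a clean boot medium, or compare its output with a tool that reads the hive file directly, before trusting an "ok".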
 
JonveeCommented:
>> I thought I deleted those hjt entries <<
Yes, you probably did, but they regenerated.

This is a puzzling entry.  It may be a genuine 'Local Page' of Internet Explorer, or a nasty>
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

It's conceivable that you have a VirtuMonde 'infection'.  See here>
http://www.spywareremove.com/removeVirtuMonde.html

For this the removal tool is VundoFix 7.0.6 >
http://www.softpedia.com/get/Antivirus/VundoFix.shtml

<quote>
To use VundoFix follow the instructions written below:
· Please download VundoFix.exe to your desktop.
· Double-click VundoFix.exe to run it.
· Put a check next to Run VundoFix as a task.
· You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
· When VundoFix re-opens, click the Scan for Vundo button.
· Once it's done scanning, click the Remove Vundo button.
· You will receive a prompt asking if you want to remove the files, click YES
· Once you click yes, your desktop will go blank as it starts removing Vundo.
· When completed, it will prompt that it will shutdown your computer, click OK.
· Turn your computer back on.
<unquote>

 
JonveeCommented:
Ok, let's try a 2nd scan with ComboFix, but this time we'll use a brief script.  Please use these exact instructions >

1. Open Notepad.
2. Copy & paste all text between the lines below, into Notepad window:
=========================================================

File::
c:\windows\system32\KGyGaAvL.sys

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\znohylpprfiu3]
"ImagePath"="system32\DRIVERS\znohylpprfiu3.sys"

==================================================
3. Now Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt just created into ComboFix.exe. This will re-start ComboFix, & hopefully the problem is removed.

5. Finally, please attach the newComboFix logfile.
 
WhoIsThatChildAuthor Commented:
OK, here's the new scan result.

I didn't notice that file mentioned this time....

Let me know what you think,

Thanks
ComboFix 09-02-15.01 - Gary 2009-02-16 21:52:53.2 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.511.367 [GMT 0:00]
Running from: c:\documents and settings\Gary\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Gary\Desktop\CFScript.txt
 
FILE ::
c:\windows\system32\KGyGaAvL.sys
.
 
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
c:\windows\system32\KGyGaAvL.sys
 
.
(((((((((((((((((((((((((   Files Created from 2009-01-16 to 2009-02-16  )))))))))))))))))))))))))))))))
.
 
2009-02-16 10:34 . 2009-02-16 10:34	3,042	--a------	c:\windows\system32\PerfStringBackup.TMP
2009-02-15 08:15 . 2009-02-15 08:15	102,664	--a------	c:\windows\system32\drivers\tmcomm.sys
2009-02-15 02:16 . 2009-02-15 08:23	<DIR>	d--------	c:\documents and settings\Gary\.housecall6.6
2009-02-15 00:14 . 2009-02-16 10:21	<DIR>	d--------	c:\program files\COMODO
2009-02-14 23:15 . 2008-12-30 11:13	13,976	--a------	c:\windows\system32\drivers\videX32.sys
2009-02-14 22:59 . 2009-01-21 15:49	118,656	--a------	c:\windows\system32\drivers\Rtnicxp.sys
2009-02-14 22:59 . 2009-01-16 22:45	73,728	--a------	c:\windows\system32\RtNicProp32.dll
2009-02-14 22:10 . 2001-08-17 13:57	16,128	--a------	c:\windows\system32\drivers\MODEMCSA.sys
2009-02-14 22:10 . 2001-08-17 13:57	16,128	--a--c---	c:\windows\system32\dllcache\modemcsa.sys
2009-02-14 21:55 . 2008-08-06 13:48	114,688	--a------	c:\windows\system32\drivers\ubohci.sys
2009-02-14 21:55 . 2008-08-06 13:52	100,352	--a------	c:\windows\system32\drivers\UB1394.sys
2009-02-14 21:55 . 2008-08-06 13:53	39,424	--a------	c:\windows\system32\drivers\UBUMAPI.sys
2009-02-14 21:55 . 2008-08-06 13:52	17,408	--a------	c:\windows\system32\drivers\UBSBM.sys
2009-02-14 20:57 . 2003-05-22 09:44	670,203	--a------	c:\windows\system32\drivers\Intels51.sys
2009-02-14 20:31 . 2006-11-20 15:34	50,432	--a------	c:\windows\system32\drivers\hcdriver.sys
2009-02-14 20:17 . 2006-10-09 12:58	203,648	--a------	c:\windows\system32\drivers\vinyl97.sys
2009-02-14 19:48 . 2009-02-16 10:24	1,374	--a------	c:\windows\imsins.BAK
2009-02-14 19:28 . 2009-02-16 14:52	0	--a------	c:\windows\system32\NvApps.xml
2009-02-14 17:49 . 2009-02-14 17:49	4,736	--a------	c:\windows\system32\drivers\usbd.sys
2009-02-14 14:48 . 2009-02-14 14:48	<DIR>	d--------	c:\program files\Innovative Solutions
2009-02-13 18:45 . 2009-02-13 18:45	<DIR>	d--------	C:\NSS
2009-02-13 14:05 . 2009-02-13 14:05	<DIR>	d--------	c:\program files\Malwarebytes' Anti-Malware
2009-02-13 14:05 . 2009-02-13 14:05	<DIR>	d--------	c:\documents and settings\Gary\Application Data\Malwarebytes
2009-02-13 14:05 . 2009-02-13 14:05	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-13 14:05 . 2009-02-11 10:19	38,496	--a------	c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-13 14:05 . 2009-02-11 10:19	15,504	--a------	c:\windows\system32\drivers\mbam.sys
2009-02-13 12:05 . 2009-02-13 13:56	<DIR>	d--------	c:\windows\BDOSCAN8
2009-02-13 12:04 . 2009-02-16 10:23	<DIR>	d--------	c:\windows\LastGood
2009-02-12 16:36 . 2002-11-02 00:14	<DIR>	d--------	c:\documents and settings\Administrator\Application Data\InterTrust
2009-02-12 16:36 . 2009-02-12 16:36	<DIR>	d--------	c:\documents and settings\Administrator
2009-02-12 15:51 . 2008-04-14 01:11	21,504	--a------	c:\windows\system32\hidserv.dll
2009-02-12 15:51 . 2008-04-14 01:11	21,504	--a--c---	c:\windows\system32\dllcache\hidserv.dll
2009-02-12 15:50 . 2008-04-13 19:39	14,592	--a------	c:\windows\system32\drivers\kbdhid.sys
2009-02-12 15:50 . 2008-04-13 19:39	14,592	--a--c---	c:\windows\system32\dllcache\kbdhid.sys
2009-02-12 15:50 . 2001-08-17 13:48	12,160	--a------	c:\windows\system32\drivers\mouhid.sys
2009-02-12 15:50 . 2001-08-17 13:48	12,160	--a--c---	c:\windows\system32\dllcache\mouhid.sys
2009-02-12 15:50 . 2008-04-13 19:45	10,368	--a------	c:\windows\system32\drivers\hidusb.sys
2009-02-12 15:50 . 2008-04-13 19:45	10,368	--a--c---	c:\windows\system32\dllcache\hidusb.sys
2009-02-05 16:44 . 2009-02-05 16:44	<DIR>	d--------	c:\documents and settings\Gary\Application Data\Symantec
2009-02-05 16:40 . 2009-02-05 16:40	<DIR>	d--------	c:\program files\Windows Sidebar
2009-02-05 16:38 . 2009-02-05 16:38	<DIR>	d--------	c:\windows\LastGood.Tmp
2009-02-05 16:32 . 2009-02-16 10:12	<DIR>	d--------	c:\program files\Common Files\Symantec Shared
2009-01-31 16:19 . 2009-01-31 16:47	<DIR>	d--------	c:\program files\NoAdware
2009-01-31 14:00 . 2009-01-31 14:00	<DIR>	d--------	c:\documents and settings\NetworkService\Application Data\Viewpoint
2009-01-30 12:26 . 2009-01-30 12:31	4,014	--a------	C:\pps.exe
2009-01-18 18:11 . 2009-01-18 18:12	<DIR>	d--------	c:\program files\iTunes
2009-01-18 18:11 . 2009-01-18 18:12	<DIR>	d--------	c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-18 18:09 . 2009-01-18 18:09	<DIR>	d--------	c:\program files\Bonjour
2009-01-18 18:05 . 2008-11-07 14:23	32,000	--a------	c:\windows\system32\drivers\usbaapl.sys
2009-01-18 18:04 . 2009-01-18 18:04	<DIR>	d--------	c:\program files\Common Files\Apple
2009-01-18 16:56 . 2009-01-18 16:56	54,156	--ah-----	c:\windows\QTFont.qfn
2009-01-18 16:56 . 2009-01-18 16:56	1,409	--a------	c:\windows\QTFont.for
2009-01-18 13:48 . 2009-01-18 13:48	<DIR>	d--------	c:\program files\Apple Software Update
2009-01-18 13:48 . 2009-01-18 13:48	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Apple
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-13 15:47	---------	d-----w	c:\program files\Common Files\AOL
2009-02-13 15:45	---------	d-----w	c:\documents and settings\All Users\Application Data\AOL
2009-02-13 15:44	---------	d-----w	c:\documents and settings\Gary\Application Data\AOL
2009-02-13 13:08	---------	d-----w	c:\program files\LimeWire
2009-02-12 13:40	94,208	----a-w	c:\windows\DUMP9e34.tmp
2009-02-05 16:14	---------	d-----w	c:\program files\DFX
2009-02-03 20:34	---------	d-----w	c:\program files\Spybot - Search & Destroy
2009-02-03 20:34	---------	d-----w	c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-30 17:19	---------	d-----w	c:\documents and settings\All Users\Application Data\avg8
2009-01-18 18:15	---------	d-----w	c:\program files\QuickTime
2009-01-18 18:11	---------	d-----w	c:\program files\iPod
2009-01-05 21:40	---------	d-----w	c:\program files\Google
2008-12-20 23:15	826,368	----a-w	c:\windows\system32\wininet.dll
2008-12-17 20:49	---------	d-----w	c:\documents and settings\Laura\Application Data\CyberLink
2008-12-17 20:47	---------	d-----w	c:\documents and settings\Laura\Application Data\Logitech
2007-04-25 19:21	24,976	----a-w	c:\documents and settings\Rob\Application Data\GDIPFONTCACHEV1.DAT
2008-06-19 16:08	88	-csh--r	c:\windows\system32\27E02ED87B.sys
2008-08-29 22:53	32,768	--sha-w	c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082920080830\index.dat
.
 
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-21 68856]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2007-05-23 95800]
"NBJ"="c:\program files\Ahead\Nero BackItUp\nbj.exe" [2006-09-15 2048000]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DriverMax"="c:\program files\Innovative Solutions\DriverMax\devices.exe" [2009-02-10 5391192]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 271360]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-11-17 7700480]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2005-07-25 1397760]
"DSLSTATEXE"="c:\program files\BT Voyager 105 ADSL Modem\dslstat.exe" [2003-06-28 1658965]
"DSLAGENTEXE"="c:\program files\BT Voyager 105 ADSL Modem\dslagent.exe" [2003-08-19 16384]
"Device Detector"="c:\program files\Common Files\ACD Systems\EN\DevDetect.exe" [2004-09-02 221184]
"Corel File Shell Monitor"="c:\program files\Corel\Corel MediaOne\CorelIOMonitor.exe" [2007-12-01 38400]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 61440]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 622592]
"%FP%Friendly fts.exe"="c:\program files\VoyagerTest\fts.exe" [2003-05-06 72192]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-11-17 86016]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]
"nwiz"="nwiz.exe" [2002-09-09 c:\windows\system32\nwiz.exe]
 
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088]
 
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\KEM.exe [2007-02-21 581632]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
TrayMin200.exe.lnk - c:\program files\Philips\SPC 200NC PC Camera\TrayMin200.exe [2007-02-11 278528]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23913:TCP"= 23913:TCP:BitComet 23913 TCP
"23913:UDP"= 23913:UDP:BitComet 23913 UDP
"1498:UDP"= 1498:UDP:Windows Media Format SDK (iexplore.exe)
"1499:UDP"= 1499:UDP:Windows Media Format SDK (iexplore.exe)
"3084:UDP"= 3084:UDP:Windows Media Format SDK (iexplore.exe)
"3085:UDP"= 3085:UDP:Windows Media Format SDK (iexplore.exe)
"57293:TCP"= 57293:TCP:System68
"46164:TCP"= 46164:TCP:System11
"37010:TCP"= 37010:TCP:System93
"18298:TCP"= 18298:TCP:System62
"54643:TCP"= 54643:TCP:System73
"13214:TCP"= 13214:TCP:System14
"5761:TCP"= 5761:TCP:System88
"22076:TCP"= 22076:TCP:System42
"54130:TCP"= 54130:TCP:System02
"8017:TCP"= 8017:TCP:System61
"44375:TCP"= 44375:TCP:System58
"42449:TCP"= 42449:TCP:System94
"58162:TCP"= 58162:TCP:System99
"45567:TCP"= 45567:TCP:System71
"20364:TCP"= 20364:TCP:System81
"54961:TCP"= 54961:TCP:System58
"27144:TCP"= 27144:TCP:System47
"54553:TCP"= 54553:TCP:System79
"19140:TCP"= 19140:TCP:System26
"62311:TCP"= 62311:TCP:System34
"39993:TCP"= 39993:TCP:System95
"56610:TCP"= 56610:TCP:System58
"53893:TCP"= 53893:TCP:System46
"40674:TCP"= 40674:TCP:System63
"54805:TCP"= 54805:TCP:System89
"49921:TCP"= 49921:TCP:System79
"41030:TCP"= 41030:TCP:System86
"9355:TCP"= 9355:TCP:System86
"64182:TCP"= 64182:TCP:System27
"50002:TCP"= 50002:TCP:System85
"16568:TCP"= 16568:TCP:System86
"34478:TCP"= 34478:TCP:System39
"63079:TCP"= 63079:TCP:System33
"47587:TCP"= 47587:TCP:System88
"5420:TCP"= 5420:TCP:System84
"25817:TCP"= 25817:TCP:System88
"29225:TCP"= 29225:TCP:System15
"43920:TCP"= 43920:TCP:System09
"45596:TCP"= 45596:TCP:System50
"46920:TCP"= 46920:TCP:System28
"63516:TCP"= 63516:TCP:System81
"34406:TCP"= 34406:TCP:System53
"62239:TCP"= 62239:TCP:System12
"57212:TCP"= 57212:TCP:System92
"20473:TCP"= 20473:TCP:System32
"11396:TCP"= 11396:TCP:System35
"8565:TCP"= 8565:TCP:System51
"17159:TCP"= 17159:TCP:System23
"49733:TCP"= 49733:TCP:System12
"27822:TCP"= 27822:TCP:System86
"4950:TCP"= 4950:TCP:System90
"6848:TCP"= 6848:TCP:System75
"12112:TCP"= 12112:TCP:System29
"22751:TCP"= 22751:TCP:System60
"59221:TCP"= 59221:TCP:System34
"10162:TCP"= 10162:TCP:System58
 
S2 ubsbm;Unibrain 1394 SBM Driver;c:\windows\system32\drivers\UBSBM.sys [2009-02-14 17408]
S2 ubumapi;Unibrain 1394 FireAPI Driver;c:\windows\system32\drivers\UBUMAPI.sys [2009-02-14 39424]
S3 hcdriver;Intel EHCI Compliance Test Tool Device Driver;c:\windows\system32\drivers\hcdriver.sys [2009-02-14 50432]
S3 PentaxUsb;PENTAX Optio 50L on USB;c:\windows\system32\drivers\CoachUsb.sys [2007-11-18 50976]
S3 PentaxVc;PENTAX Optio 50L Video Capture;c:\windows\system32\drivers\CoachVc.sys [2007-11-18 44256]
S3 ubohci;Unibrain 1394 OHCI Driver;c:\windows\system32\drivers\ubohci.sys [2009-02-14 114688]
.
Contents of the 'Scheduled Tasks' folder
 
2009-02-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
 
2009-02-11 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]
 
2009-01-26 c:\windows\Tasks\EasyShare Registration Task.job
- c:\docume~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.1.30.7.sxt _RegistrationOffer@16 []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.co.uk
uLocal Page = \blank.htm
uInternet Settings,ProxyOverride = localhost
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?3d4293da50444b8ebfd09ff7c3501524
IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?3d4293da50444b8ebfd09ff7c3501524
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
 
**************************************************************************
 
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-16 21:55:18
Windows 5.1.2600 Service Pack 3 NTFS
 
scanning hidden processes ...  
 
scanning hidden autostart entries ... 
 
scanning hidden files ...  
 
scan completed successfully
hidden files: 0
 
**************************************************************************
.
Completion time: 2009-02-16 21:56:53
ComboFix-quarantined-files.txt  2009-02-16 21:56:34
ComboFix2.txt  2009-02-16 14:03:39
 
Pre-Run: 6,064,369,664 bytes free
Post-Run: 6,058,799,104 bytes free
 
259	--- E O F ---	2009-01-13 19:06:47


0
 
JonveeCommented:
From the Combo log there are a couple of suspicious entries, but otherwise it appears ok >
c:\windows\DUMP9e34.tmp
c:\windows\system32\27E02ED87B.sys

Incidentally, have the machine symptoms changed or do you still get a BSOD?  Any other symptoms?
If still unresolved, we could try another script to try to eliminate the above two entries.

You'll probably wish to see this statement>
Filename: LimeWire.exe:
http://www.bleepingcomputer.com/startups/LimeWire-10914.html

0
 
WhoIsThatChildAuthor Commented:
Still getting BSOD I'm afraid. Can we try another script please?
0
 
JonveeCommented:
Script instructions for 3rd ComboFix scan>

1. Open Notepad.
2. Copy & paste all text between the lines below, into Notepad window:
=========================================================

File::
c:\windows\DUMP9e34.tmp

c:\windows\system32\27E02ED87B.sys


==================================================
3. Now Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt just created into ComboFix.exe.
This will re-start ComboFix, & hopefully the problem is removed.

5. Finally, please attach the new ComboFix logfile.

0
 
WhoIsThatChildAuthor Commented:
Are they talking about actual limewire or a name-stealer? I'm aware that Limewire used to be bundled with some sort of malware but had also read that they have supposedly cleaned up their act. Nonetheless, once dirty always dirty I say, don't trust them.
0
 
WhoIsThatChildAuthor Commented:
Here's the new Combo log. That znohylpprfiu3.sys is still mentioned at the bottom.

I'll reboot and post back.

Thanks
ComboFix 09-02-15.01 - Gary 2009-02-16 22:57:14.3 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.511.336 [GMT 0:00]
Running from: c:\documents and settings\Gary\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Gary\Desktop\CFScript.txt
 
FILE ::
c:\windows\DUMP9e34.tmp
c:\windows\system32\27E02ED87B.sys
.
 
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
c:\windows\DUMP9e34.tmp
c:\windows\system32\27E02ED87B.sys
 
.
(((((((((((((((((((((((((   Files Created from 2009-01-16 to 2009-02-16  )))))))))))))))))))))))))))))))
.
 
2009-02-16 22:34 . 2009-02-16 22:34	<DIR>	d--------	C:\VundoFix Backups
2009-02-16 10:34 . 2009-02-16 10:34	3,042	--a------	c:\windows\system32\PerfStringBackup.TMP
2009-02-15 08:15 . 2009-02-15 08:15	102,664	--a------	c:\windows\system32\drivers\tmcomm.sys
2009-02-15 02:16 . 2009-02-15 08:23	<DIR>	d--------	c:\documents and settings\Gary\.housecall6.6
2009-02-15 00:14 . 2009-02-16 10:21	<DIR>	d--------	c:\program files\COMODO
2009-02-14 23:15 . 2008-12-30 11:13	13,976	--a------	c:\windows\system32\drivers\videX32.sys
2009-02-14 22:59 . 2009-01-21 15:49	118,656	--a------	c:\windows\system32\drivers\Rtnicxp.sys
2009-02-14 22:59 . 2009-01-16 22:45	73,728	--a------	c:\windows\system32\RtNicProp32.dll
2009-02-14 22:10 . 2001-08-17 13:57	16,128	--a------	c:\windows\system32\drivers\MODEMCSA.sys
2009-02-14 22:10 . 2001-08-17 13:57	16,128	--a--c---	c:\windows\system32\dllcache\modemcsa.sys
2009-02-14 21:55 . 2008-08-06 13:48	114,688	--a------	c:\windows\system32\drivers\ubohci.sys
2009-02-14 21:55 . 2008-08-06 13:52	100,352	--a------	c:\windows\system32\drivers\UB1394.sys
2009-02-14 21:55 . 2008-08-06 13:53	39,424	--a------	c:\windows\system32\drivers\UBUMAPI.sys
2009-02-14 21:55 . 2008-08-06 13:52	17,408	--a------	c:\windows\system32\drivers\UBSBM.sys
2009-02-14 20:57 . 2003-05-22 09:44	670,203	--a------	c:\windows\system32\drivers\Intels51.sys
2009-02-14 20:31 . 2006-11-20 15:34	50,432	--a------	c:\windows\system32\drivers\hcdriver.sys
2009-02-14 20:17 . 2006-10-09 12:58	203,648	--a------	c:\windows\system32\drivers\vinyl97.sys
2009-02-14 19:48 . 2009-02-16 10:24	1,374	--a------	c:\windows\imsins.BAK
2009-02-14 19:28 . 2009-02-16 22:23	0	--a------	c:\windows\system32\NvApps.xml
2009-02-14 17:49 . 2009-02-14 17:49	4,736	--a------	c:\windows\system32\drivers\usbd.sys
2009-02-14 14:48 . 2009-02-14 14:48	<DIR>	d--------	c:\program files\Innovative Solutions
2009-02-13 18:45 . 2009-02-13 18:45	<DIR>	d--------	C:\NSS
2009-02-13 14:05 . 2009-02-13 14:05	<DIR>	d--------	c:\program files\Malwarebytes' Anti-Malware
2009-02-13 14:05 . 2009-02-13 14:05	<DIR>	d--------	c:\documents and settings\Gary\Application Data\Malwarebytes
2009-02-13 14:05 . 2009-02-13 14:05	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-13 14:05 . 2009-02-11 10:19	38,496	--a------	c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-13 14:05 . 2009-02-11 10:19	15,504	--a------	c:\windows\system32\drivers\mbam.sys
2009-02-13 12:05 . 2009-02-13 13:56	<DIR>	d--------	c:\windows\BDOSCAN8
2009-02-13 12:04 . 2009-02-16 10:23	<DIR>	d--------	c:\windows\LastGood
2009-02-12 16:36 . 2002-11-02 00:14	<DIR>	d--------	c:\documents and settings\Administrator\Application Data\InterTrust
2009-02-12 16:36 . 2009-02-12 16:36	<DIR>	d--------	c:\documents and settings\Administrator
2009-02-12 15:51 . 2008-04-14 01:11	21,504	--a------	c:\windows\system32\hidserv.dll
2009-02-12 15:51 . 2008-04-14 01:11	21,504	--a--c---	c:\windows\system32\dllcache\hidserv.dll
2009-02-12 15:50 . 2008-04-13 19:39	14,592	--a------	c:\windows\system32\drivers\kbdhid.sys
2009-02-12 15:50 . 2008-04-13 19:39	14,592	--a--c---	c:\windows\system32\dllcache\kbdhid.sys
2009-02-12 15:50 . 2001-08-17 13:48	12,160	--a------	c:\windows\system32\drivers\mouhid.sys
2009-02-12 15:50 . 2001-08-17 13:48	12,160	--a--c---	c:\windows\system32\dllcache\mouhid.sys
2009-02-12 15:50 . 2008-04-13 19:45	10,368	--a------	c:\windows\system32\drivers\hidusb.sys
2009-02-12 15:50 . 2008-04-13 19:45	10,368	--a--c---	c:\windows\system32\dllcache\hidusb.sys
2009-02-05 16:44 . 2009-02-05 16:44	<DIR>	d--------	c:\documents and settings\Gary\Application Data\Symantec
2009-02-05 16:40 . 2009-02-05 16:40	<DIR>	d--------	c:\program files\Windows Sidebar
2009-02-05 16:38 . 2009-02-05 16:38	<DIR>	d--------	c:\windows\LastGood.Tmp
2009-02-05 16:32 . 2009-02-16 10:12	<DIR>	d--------	c:\program files\Common Files\Symantec Shared
2009-01-31 16:19 . 2009-01-31 16:47	<DIR>	d--------	c:\program files\NoAdware
2009-01-31 14:00 . 2009-01-31 14:00	<DIR>	d--------	c:\documents and settings\NetworkService\Application Data\Viewpoint
2009-01-30 12:26 . 2009-01-30 12:31	4,014	--a------	C:\pps.exe
2009-01-18 18:11 . 2009-01-18 18:12	<DIR>	d--------	c:\program files\iTunes
2009-01-18 18:11 . 2009-01-18 18:12	<DIR>	d--------	c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-18 18:09 . 2009-01-18 18:09	<DIR>	d--------	c:\program files\Bonjour
2009-01-18 18:05 . 2008-11-07 14:23	32,000	--a------	c:\windows\system32\drivers\usbaapl.sys
2009-01-18 18:04 . 2009-01-18 18:04	<DIR>	d--------	c:\program files\Common Files\Apple
2009-01-18 16:56 . 2009-01-18 16:56	54,156	--ah-----	c:\windows\QTFont.qfn
2009-01-18 16:56 . 2009-01-18 16:56	1,409	--a------	c:\windows\QTFont.for
2009-01-18 13:48 . 2009-01-18 13:48	<DIR>	d--------	c:\program files\Apple Software Update
2009-01-18 13:48 . 2009-01-18 13:48	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Apple
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-13 15:47	---------	d-----w	c:\program files\Common Files\AOL
2009-02-13 15:45	---------	d-----w	c:\documents and settings\All Users\Application Data\AOL
2009-02-13 15:44	---------	d-----w	c:\documents and settings\Gary\Application Data\AOL
2009-02-13 13:08	---------	d-----w	c:\program files\LimeWire
2009-02-05 16:14	---------	d-----w	c:\program files\DFX
2009-02-03 20:34	---------	d-----w	c:\program files\Spybot - Search & Destroy
2009-02-03 20:34	---------	d-----w	c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-30 17:19	---------	d-----w	c:\documents and settings\All Users\Application Data\avg8
2009-01-18 18:15	---------	d-----w	c:\program files\QuickTime
2009-01-18 18:11	---------	d-----w	c:\program files\iPod
2009-01-05 21:40	---------	d-----w	c:\program files\Google
2008-12-20 23:15	826,368	----a-w	c:\windows\system32\wininet.dll
2008-12-17 20:49	---------	d-----w	c:\documents and settings\Laura\Application Data\CyberLink
2008-12-17 20:47	---------	d-----w	c:\documents and settings\Laura\Application Data\Logitech
2007-04-25 19:21	24,976	----a-w	c:\documents and settings\Rob\Application Data\GDIPFONTCACHEV1.DAT
2008-08-29 22:53	32,768	--sha-w	c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082920080830\index.dat
.
 
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-21 68856]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2007-05-23 95800]
"NBJ"="c:\program files\Ahead\Nero BackItUp\nbj.exe" [2006-09-15 2048000]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DriverMax"="c:\program files\Innovative Solutions\DriverMax\devices.exe" [2009-02-10 5391192]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 271360]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-11-17 7700480]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2005-07-25 1397760]
"DSLSTATEXE"="c:\program files\BT Voyager 105 ADSL Modem\dslstat.exe" [2003-06-28 1658965]
"DSLAGENTEXE"="c:\program files\BT Voyager 105 ADSL Modem\dslagent.exe" [2003-08-19 16384]
"Device Detector"="c:\program files\Common Files\ACD Systems\EN\DevDetect.exe" [2004-09-02 221184]
"Corel File Shell Monitor"="c:\program files\Corel\Corel MediaOne\CorelIOMonitor.exe" [2007-12-01 38400]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 61440]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 622592]
"%FP%Friendly fts.exe"="c:\program files\VoyagerTest\fts.exe" [2003-05-06 72192]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-11-17 86016]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]
"nwiz"="nwiz.exe" [2002-09-09 c:\windows\system32\nwiz.exe]
 
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088]
 
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\KEM.exe [2007-02-21 581632]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
TrayMin200.exe.lnk - c:\program files\Philips\SPC 200NC PC Camera\TrayMin200.exe [2007-02-11 278528]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23913:TCP"= 23913:TCP:BitComet 23913 TCP
"23913:UDP"= 23913:UDP:BitComet 23913 UDP
"1498:UDP"= 1498:UDP:Windows Media Format SDK (iexplore.exe)
"1499:UDP"= 1499:UDP:Windows Media Format SDK (iexplore.exe)
"3084:UDP"= 3084:UDP:Windows Media Format SDK (iexplore.exe)
"3085:UDP"= 3085:UDP:Windows Media Format SDK (iexplore.exe)
"57293:TCP"= 57293:TCP:System68
"46164:TCP"= 46164:TCP:System11
"37010:TCP"= 37010:TCP:System93
"18298:TCP"= 18298:TCP:System62
"54643:TCP"= 54643:TCP:System73
"13214:TCP"= 13214:TCP:System14
"5761:TCP"= 5761:TCP:System88
"22076:TCP"= 22076:TCP:System42
"54130:TCP"= 54130:TCP:System02
"8017:TCP"= 8017:TCP:System61
"44375:TCP"= 44375:TCP:System58
"42449:TCP"= 42449:TCP:System94
"58162:TCP"= 58162:TCP:System99
"45567:TCP"= 45567:TCP:System71
"20364:TCP"= 20364:TCP:System81
"54961:TCP"= 54961:TCP:System58
"27144:TCP"= 27144:TCP:System47
"54553:TCP"= 54553:TCP:System79
"19140:TCP"= 19140:TCP:System26
"62311:TCP"= 62311:TCP:System34
"39993:TCP"= 39993:TCP:System95
"56610:TCP"= 56610:TCP:System58
"53893:TCP"= 53893:TCP:System46
"40674:TCP"= 40674:TCP:System63
"54805:TCP"= 54805:TCP:System89
"49921:TCP"= 49921:TCP:System79
"41030:TCP"= 41030:TCP:System86
"9355:TCP"= 9355:TCP:System86
"64182:TCP"= 64182:TCP:System27
"50002:TCP"= 50002:TCP:System85
"16568:TCP"= 16568:TCP:System86
"34478:TCP"= 34478:TCP:System39
"63079:TCP"= 63079:TCP:System33
"47587:TCP"= 47587:TCP:System88
"5420:TCP"= 5420:TCP:System84
"25817:TCP"= 25817:TCP:System88
"29225:TCP"= 29225:TCP:System15
"43920:TCP"= 43920:TCP:System09
"45596:TCP"= 45596:TCP:System50
"46920:TCP"= 46920:TCP:System28
"63516:TCP"= 63516:TCP:System81
"34406:TCP"= 34406:TCP:System53
"62239:TCP"= 62239:TCP:System12
"57212:TCP"= 57212:TCP:System92
"20473:TCP"= 20473:TCP:System32
"11396:TCP"= 11396:TCP:System35
"8565:TCP"= 8565:TCP:System51
"17159:TCP"= 17159:TCP:System23
"49733:TCP"= 49733:TCP:System12
"27822:TCP"= 27822:TCP:System86
"4950:TCP"= 4950:TCP:System90
"6848:TCP"= 6848:TCP:System75
"12112:TCP"= 12112:TCP:System29
"22751:TCP"= 22751:TCP:System60
"59221:TCP"= 59221:TCP:System34
"22290:TCP"= 22290:TCP:System27
 
S2 ubsbm;Unibrain 1394 SBM Driver;c:\windows\system32\drivers\UBSBM.sys [2009-02-14 17408]
S2 ubumapi;Unibrain 1394 FireAPI Driver;c:\windows\system32\drivers\UBUMAPI.sys [2009-02-14 39424]
S3 hcdriver;Intel EHCI Compliance Test Tool Device Driver;c:\windows\system32\drivers\hcdriver.sys [2009-02-14 50432]
S3 PentaxUsb;PENTAX Optio 50L on USB;c:\windows\system32\drivers\CoachUsb.sys [2007-11-18 50976]
S3 PentaxVc;PENTAX Optio 50L Video Capture;c:\windows\system32\drivers\CoachVc.sys [2007-11-18 44256]
S3 ubohci;Unibrain 1394 OHCI Driver;c:\windows\system32\drivers\ubohci.sys [2009-02-14 114688]
.
Contents of the 'Scheduled Tasks' folder
 
2009-02-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
 
2009-02-11 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]
 
2009-01-26 c:\windows\Tasks\EasyShare Registration Task.job
- c:\docume~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.1.30.7.sxt _RegistrationOffer@16 []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.co.uk
uLocal Page = \blank.htm
uInternet Settings,ProxyOverride = localhost
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?3d4293da50444b8ebfd09ff7c3501524
IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?3d4293da50444b8ebfd09ff7c3501524
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
 
**************************************************************************
 
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-16 22:59:23
Windows 5.1.2600 Service Pack 3 NTFS
 
scanning hidden processes ...  
 
scanning hidden autostart entries ... 
 
scanning hidden files ...  
 
scan completed successfully
hidden files: 0
 
**************************************************************************
 
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\znohylpprfiu3]
"ImagePath"="system32\DRIVERS\znohylpprfiu3.sys"
.
Completion time: 2009-02-16 23:00:55
ComboFix-quarantined-files.txt  2009-02-16 23:00:37
ComboFix2.txt  2009-02-16 21:56:54
ComboFix3.txt  2009-02-16 14:03:39
 
Pre-Run: 6,063,538,176 bytes free
Post-Run: 6,053,474,304 bytes free
 
263	--- E O F ---	2009-01-13 19:06:47


0
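The two ComboFix logs above are being read by eye. As an added example (not code from this thread, from ComboFix, or from any of its authors), here is a small Python triage helper that parses the REGEDIT4-style sections and flags three things the posted logs contain: Security Center monitoring and the XP firewall switched off, `GloballyOpenPorts` exceptions whose description is only a `SystemNN` placeholder, and a service whose `ImagePath` names a driver that is absent from the visible directory listing (the znohylpprfiu3 situation). `SAMPLE_LOG` is a constructed excerpt modelled on the posted sections and `VISIBLE_DRIVERS` is an assumed directory listing; both are assumptions, not data from the thread.

```python
"""Triage helper for ComboFix-style log excerpts (added example, not ComboFix code)."""
import re
from collections import OrderedDict
from pathlib import PureWindowsPath

# Constructed excerpt: same layout as the posted log, trimmed to a few entries.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23913:TCP"= 23913:TCP:BitComet 23913 TCP
"1498:UDP"= 1498:UDP:Windows Media Format SDK (iexplore.exe)
"57293:TCP"= 57293:TCP:System68
"46164:TCP"= 46164:TCP:System11
"5761:TCP"= 5761:TCP:System88

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mbam]
"ImagePath"="system32\DRIVERS\mbam.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\znohylpprfiu3]
"ImagePath"="system32\DRIVERS\znohylpprfiu3.sys"
"""

# Assumed (constructed) listing of what Explorer shows in system32\drivers.
VISIBLE_DRIVERS = {"mbam.sys", "mbamswissarmy.sys", "usbd.sys", "tmcomm.sys"}

SECTION_RE = re.compile(r"^\[(.+)\]$")
ENTRY_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
PORT_RE = re.compile(r"^(\d+):(TCP|UDP):(.*)$")
GENERIC_NAME_RE = re.compile(r"^System\d+$")   # 'System68'-style placeholder names


def parse_sections(text):
    """Return {registry header: [(value name, raw value), ...]} in file order."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            sections[current].append((m.group(1), m.group(2).strip()))
    return sections


def protection_findings(sections):
    """Flag Security Center monitoring switched off and the XP firewall disabled."""
    findings = []
    for header, entries in sections.items():
        low = header.lower()
        for name, value in entries:
            if ("security center\\monitoring" in low and name == "DisableMonitoring"
                    and value.lower() == "dword:00000001"):
                findings.append(("security-center-monitoring-disabled", header))
            if (low.endswith("firewallpolicy\\standardprofile") and name == "EnableFirewall"
                    and value.split()[0] == "0"):
                findings.append(("firewall-disabled", header))
    return findings


def open_port_findings(sections):
    """Flag firewall exceptions whose description is only a 'SystemNN' placeholder."""
    findings = []
    for header, entries in sections.items():
        if not header.lower().endswith("globallyopenports\\list"):
            continue
        for _name, value in entries:
            m = PORT_RE.match(value)
            if m and GENERIC_NAME_RE.match(m.group(3).strip()):
                findings.append(("generic-port-exception",
                                 f"{m.group(1)}/{m.group(2)} {m.group(3).strip()}"))
    return findings


def phantom_driver_findings(sections, visible_drivers):
    """Flag services whose ImagePath names a .sys file that is not visible on disk."""
    visible = {f.lower() for f in visible_drivers}
    findings = []
    for header, entries in sections.items():
        if "\\services\\" not in header.lower():
            continue
        for name, value in entries:
            if name != "ImagePath":
                continue
            image = value.strip('"')
            basename = PureWindowsPath(image).name.lower()
            if basename.endswith(".sys") and basename not in visible:
                service = header.rsplit("\\", 1)[-1]
                findings.append(("driver-not-visible-on-disk", f"{service} -> {image}"))
    return findings


def triage(text, visible_drivers):
    """Run every check over one log excerpt and return the combined findings."""
    sections = parse_sections(text)
    return (protection_findings(sections)
            + open_port_findings(sections)
            + phantom_driver_findings(sections, visible_drivers))


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG, VISIBLE_DRIVERS):
        print(f"{kind:36} {detail}")
```

Run it as a script to print the findings for the constructed sample, or call `triage(text, visible_drivers)` on a full log and a real `dir` listing of `system32\drivers`. A placeholder-named port exception, or a registry service pointing at a driver Explorer cannot see, is an indicator worth following up with a rootkit scanner or an offline inspection of the disk, not proof on its own.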
 
JonveeCommented:
Yes, I see it ... must admit that having investigated this problem at length I'm beginning to run out of ideas.  
Have to logoff now for the night and will drop by in the morning.  
May i suggest that you post a "Pointer" question (at 20 points maximum) in the HijackThis topic area http://www.experts-exchange.com/Virus_and_Spyware/HijackThis/
with a link to this thread number http:Q_24146406.html.  
This will give you an immediate input from HijackThis experts active in that zone ... I'll continue to monitor your progress.  


Other possible options .. try the System File Checker>
Start>Run       .. and then type SFC /scannow

"How to use the scannow sfc tool in Windows XP":
http://www.updatexp.com/scannow-sfc.html

Or even consider a format & reinstall if between us we cannot resolve the issue>
"Clean Install Windows XP":
http://www.michaelstevenstech.com/cleanxpinstall.html
0
 
WhoIsThatChildAuthor Commented:
No change.

I have just had a thought - if this is definitely there but we cannot see it would the following help:

Copy all the files within system32\drivers by navigating there and selecting all (only getting the visible ones) then pasting them somewhere else (desktop\drivers). Copy the whole of the other folders in system32\drivers by selecting the individual folders and copying them into the new drivers folder on the desktop. Then delete the system32\drivers folder (deleting the hidden znohylpprfiu3.sys file with it). Finally copy the "clean" drivers folder back from the desktop.

I could do this with the hard drive in an external caddy connected to another machine - do you think it would work or is there a possibility of messing something up? I don't know if any of these files have some sort of link to something else that would be broken if we deleted them and copied them back in.

Your advice will be welcomed :-)
0
 
JonveeCommented:
Sounds interesting, but I couldn't recommend it .. have never tried it, & no doubt there's an element of risk.  I still believe that posting in the HijackThis TA is your best shot right now   : )

Incidentally, your 20 point "Pointer" question need only request extra help; you can leave all the technical talk in this present thread.
For example:    
<quote>  Extra assistance required please to resolve a BSOD issue in thread number http:Q_24146406.html in the Windows XP TA       <unquote>
0
 
WhoIsThatChildAuthor Commented:
SFC won't run in safe mode and I really don't want to have to re-install.

Will post in the HJT section.
0
