Jump to content
IObit Forum
Top Free Driver Updater Tools Best 25 PC Optimization Software Best 22 Antimalware Best 22 Uninstaller Software IObit Coupons & Discount Offers PC Optimizer Mac Boost Advice IObit Advanced SystemCare Pro Review IObit Coupons A Good Utility Program From IObit IObit Driver Booster Pro Review IObit Promo Codes IObit Coupon Codes IObit Coupons and Deals FAQs IObit Software Coupons & Promo Code

Highjack scan decode, please


Recommended Posts

Hello - New here, as you can tell. Pulling my hair out with a bug that redirects windows update. Works fine in safe mode. In fact, I can only post to this site in safe mode. Several scanners and virus programs cant see anything.

Can someone take a look at my mess?

 

Thanks in advance!

 

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 3:16:45 PM, on 6/27/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

D:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

d:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

d:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\GEARSec.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\NMSSvc.exe

D:\Program Files\Norton Ghost\Agent\VProSvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\PROGRA~1\COMMON~1\X10\COMMON\x10nets.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

d:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

d:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\Explorer.EXE

D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\r2 studios\HideOE\HideOE.exe

D:\Program Files\Windows Defender\MSASCui.exe

C:\WINDOWS\system32\MDM.EXE

D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Documents and Settings\rweingart\My Documents\hjthis\HijackThis.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://centurylink.net

O4 - HKLM\..\Run: [avast!] d:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [HideOE] "C:\Program Files\r2 studios\HideOE\HideOE.exe"

O4 - HKLM\..\Run: [Windows Defender] "D:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKCU\..\Run: [sUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1249357522906

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O18 - Filter hijack: text/html - {13f4a161-4996-4c5c-9205-79fc5296e5cd} - (no file)

O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - d:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: avast! Antivirus - ALWIL Software - d:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - d:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - d:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Diskeeper - Executive Software International, Inc. - D:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe

O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe (file missing)

O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe

O23 - Service: Norton Ghost - Symantec Corporation - D:\Program Files\Norton Ghost\Agent\VProSvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\COMMON\x10nets.exe

 

--

End of file - 5035 bytes

Link to comment
Share on other sites

Hi robnj

From a cursory glance at your file I will say that it seems like you have several Anti Virus programs running at the same time? Not a wise move!

I think this thread should be moved to the malware experts to take care of.

If you need more space for your file please attach it as a .zip file

Read about it in Usage of IObit Products - link in my signature.

Cheers

solbjerg

Link to comment
Share on other sites

Hi guys ;

 

robnj : are you getting redirects when using search engines as well ?

 

You may have a rootkit there and Hijack scans can't see those. I see Norton Ghost on your machine and I'm thinking you could re-image the system as an easy solution ; if you have a recent image that is.

 

This definitely needs malware removal attention, if you can't or won't re-image.

 

===

Link to comment
Share on other sites

Yes, a few programs running... in my attempt to get rid of this thing.

 

Only seems to redirect windows update and sites related to virus removal (some not all).

 

I will research the rootkit. All else fails, restore from backup.

 

Thanks.

Link to comment
Share on other sites

Hi again robnj,

 

I think this needs a look by the malware fighters. If it is a rootkit like we've seen lately, you won't be able to detect it yourself, most likely, because they hide very well. There are ways though, but you won't find them easily, if at all.

 

Stick around, and please don't run things/tools you don't have experience with unless guided by someone with current knowledge on these infections. You do have an image to go back to, which is good.

 

===

Link to comment
Share on other sites

Maybe this will be of help. I ran GMER and got this log. I am thinking the registry lines are in question? If I try to view them in regedit, it says error opening key. Tried to delete (I know, I know) and it wont let me delete anyway.

 

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-06-27 23:11:40

Windows 5.1.2600 Service Pack 3

Running: grrcouqn.exe; Driver: C:\DOCUME~1\RWEING~1\LOCALS~1\Temp\pxtdipow.sys

 

 

---- System - GMER 1.0.15 ----

 

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xA2A066B8]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xA2A06574]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xA2A06A52]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xA2A0614C]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xA2A0664E]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xA2A0608C]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xA2A060F0]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xA2A0676E]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xA2A0672E]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xA2A068AE]

SSDT \??\D:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA2AC4620]

 

---- User code sections - GMER 1.0.15 ----

 

.text C:\WINDOWS\System32\svchost.exe[1284] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0092000A

.text C:\WINDOWS\System32\svchost.exe[1284] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0093000A

.text C:\WINDOWS\System32\svchost.exe[1284] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0091000C

.text C:\WINDOWS\System32\svchost.exe[1284] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 03C7000A

.text C:\WINDOWS\System32\svchost.exe[1284] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00D3000A

.reloc C:\WINDOWS\Explorer.EXE[1420] C:\WINDOWS\Explorer.EXE section is executable [0x010FB000, 0x3800, 0xE0000040]

.text C:\WINDOWS\Explorer.EXE[1420] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A

.text C:\WINDOWS\Explorer.EXE[1420] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BD000A

.text C:\WINDOWS\Explorer.EXE[1420] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C

 

---- User IAT/EAT - GMER 1.0.15 ----

 

IAT C:\WINDOWS\system32\services.exe[848] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003B0002

IAT C:\WINDOWS\system32\services.exe[848] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003B0000

 

---- Devices - GMER 1.0.15 ----

 

AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

AttachedDevice \FileSystem\Fastfat \Fat SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc)

AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

 

---- Registry - GMER 1.0.15 ----

 

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9553575F-AFF9-2F44-8FBD-7BD8DE0DE6FB}

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9553575F-AFF9-2F44-8FBD-7BD8DE0DE6FB}@jakebdimdcjadjmkdhlg 0x62 0x61 0x67 0x6F ...

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9553575F-AFF9-2F44-8FBD-7BD8DE0DE6FB}@jakebdimdcjadjmkdhpg 0x62 0x61 0x64 0x69 ...

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9553575F-AFF9-2F44-8FBD-7BD8DE0DE6FB}@iakfciigfidfkkhkni 0x6B 0x61 0x6C 0x6F ...

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9553575F-AFF9-2F44-8FBD-7BD8DE0DE6FB}@haahaigammbphknc 0x6B 0x61 0x6C 0x6F ...

 

---- EOF - GMER 1.0.15 ----

Link to comment
Share on other sites

And here is the 360 log file. I deleted the tracking cookies from log as it had my email name.

IObit Security 360

 

OS:Windows XP

Version:1.4.5.67

Define Version:1620

Time Elapsed:00:02:33

Objects Scanned:49697

Threats Found:27

 

|Name|Type|Description|ID|

 

Misleading.DefenseCenter - Removed, Registry Key, HKEY_CLASSES_ROOT\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}, 4-29314

Misleading.DefenseCenter - Removed, Registry Value, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved Value={5E2121EE-0300-11D4-8D3B-444553540000}, 4-30156

Link to comment
Share on other sites

Hi Rob,

 

GMER isn't showing a rootkit, so please don't attempt to delete things yourself. Those registry entries are unkown to me but possibly legit. GMER can't see some of the newer rootkits, not yet anyway.

 

IS360's detection on that shell extension and CLSID was a nasty though. It's a backdoor that allows for the bad guys to remotely control your machine, and these rarely come alone.

 

I'm hoping this thread will be moved to the appropriate section, for malware removal.

 

===

Link to comment
Share on other sites

Very odd. Come home today from work and my wife had the PC on already. Forgot to tell her to not use.

I login to my profile and try windows update and now it works !?! Very odd.

 

I did nothing since last posting yesterday. Here is the latest 360 log.

(again I deleted my email in the tracking cookie part, 2 of them)

 

IObit Security 360

 

OS:Windows XP

Version:1.4.5.67

Define Version:1621

Time Elapsed:00:02:32

Objects Scanned:50121

Threats Found:2

 

|Name|Type|Description|ID|

Link to comment
Share on other sites

Hello and welcome to IOBit Forums. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialist of this forum so it may take a bit longer to process your logs.

 

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.

2. The fixes are specific to your problem and should only be used for this issue on this machine.

3. If you don't know or understand something, please don't hesitate to ask.

4. Please DO NOT run any other tools or scans while I am helping you.

5. It is important that you reply to this thread. Do not start a new topic.

6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.

7. Absence of symptoms does not mean that everything is clear.

 

Please go to Jotti's malware scan

(If more than one file needs scanned they must be done separately and links posted for each one)

 

* Copy the file path in the below Code box:

 

C:\WINDOWS\system32\MDM.EXE

 

* At the upload site, click once inside the window next to Browse.

* Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.

* Next click Submit file

* Your file will possibly be entered into a queue which normally takes less than a minute to clear.

* This will perform a scan across multiple different virus scanning engines.

* Important: Wait for all of the scanning engines to complete.

* Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.

 

================================

 

HJT is not running from the correct place. Please uninstall it and download a new version. It should install by default in C:\ Program Files. Please run another scan. There appears to be some lines missing.

 

Please download: HiJackThis to your Desktop.

  • Double Click the HijackThis icon, located on your Desktop.
  • By Default, it will install to: C:\Program Files\Trend Micro\HijackThis
  • Accept the license agreement.
  • Click the Open the Misc Tools section button.
  • Place a checkmark beside Calculate MD5 of files if possible. Then, click Back.
  • Click Do a System Scan and Save a Logfile. Or, if you see a white screen, click Scan.
  • Please post the log in your next reply.

===================================

 

Download Security Check by screen317 from one of the following links and save it to your desktop.

 

Link 1

Link 2

 

* Unzip SecurityCheck.zip and a folder named Security Check should appear.

* Open the Security Check folder and double-click Security Check.bat

* Follow the on-screen instructions inside of the black box.

* A Notepad document should open automatically called checkup.txt

* Post the contents of that document in your next reply.

 

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.

 

=================================

 

SUPERAntiSpyware

 

If you already have SUPERAntiSpyware be sure to check for updates before scanning!

 

Download SuperAntispyware Free Edition (SAS)

* Double-click the icon on your desktop to run the installer.

* When asked to Update the program definitions, click Yes

* If you encounter any problems while downloading the updates, manually download and unzip them from here

* Next click the Preferences button.

 

•Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts

* Click the Scanning Control tab.

* Under Scanner Options make sure only the following are checked:

 

•Close browsers before scanning

•Scan for tracking cookies

•Terminate memory threats before quarantining

Please leave the others unchecked

 

•Click the Close button to leave the control center screen.

 

* On the main screen click Scan your computer

* On the left check the box for the drive you are scanning.

* On the right choose Perform Complete Scan

* Click Next to start the scan. Please be patient while it scans your computer.

* After the scan is complete a summary box will appear. Click OK

* Make sure everything in the white box has a check next to it, then click Next

* It will quarantine what it found and if it asks if you want to reboot, click Yes

 

•To retrieve the removal information please do the following:

•After reboot, double-click the SUPERAntiSpyware icon on your desktop.

•Click Preferences. Click the Statistics/Logs tab.

 

•Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.

 

•It will open in your default text editor (preferably Notepad).

•Save the notepad file to your desktop by clicking (in notepad) File > Save As...

 

* Save the log somewhere you can easily find it. (normally the desktop)

* Click close and close again to exit the program.

*Copy and Paste the log in your post.

 

=================================

 

Please download Malwarebytes Anti-Malware from here.

 

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

 

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Link to comment
Share on other sites

Thanks for the help and the details steps, much appreciated.

Oddly enough, I come home from work and can get to Windows Update. This seems to come and go now.

 

Jotti link:

http://virusscan.jotti.org/en/scanresult/35ac1e6ab7194da38dfb1106079cd6e20a193af3/4574b72db6d172eb75e69d73e939e4a8d4d4a1c6

 

Hijack:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:10:31 PM, on 6/29/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

d:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

d:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\GEARSec.exe

d:\Program Files\IObit\IObit Security 360\IS360srv.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\NMSSvc.exe

D:\Program Files\Norton Ghost\Agent\VProSvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\PROGRA~1\COMMON~1\X10\COMMON\x10nets.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

d:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

d:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\r2 studios\HideOE\HideOE.exe

C:\Program Files\outlook express\msimn.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\MDM.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://centurylink.net

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local

O4 - HKLM\..\Run: [avast!] d:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exed:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [HideOE] "C:\Program Files\r2 studios\HideOE\HideOE.exe" (filesize 65536 bytes, MD5 CB64F805F518D880920377D2E5F3DB43)

O4 - HKCU\..\Run: [Advanced SystemCare 3] "d:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup (filesize 2346192 bytes, MD5 1FCC6891865DB2034ACCB7B6B2897FAD)

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1249357522906

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1277693634734

O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O18 - Filter hijack: text/html - {13f4a161-4996-4c5c-9205-79fc5296e5cd} - (no file)

O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.DLLD:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - d:\Program Files\Alwil Software\Avast4\aswUpdSv.exed:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: avast! Antivirus - ALWIL Software - d:\Program Files\Alwil Software\Avast4\ashServ.exed:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - d:\Program Files\Alwil Software\Avast4\ashMaiSv.exed:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - d:\Program Files\Alwil Software\Avast4\ashWebSv.exed:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exeC:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exeC:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exeC:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exeC:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Diskeeper - Executive Software International, Inc. - D:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exeD:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe

O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe (file missing)

O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exeC:\WINDOWS\System32\GEARSec.exe

O23 - Service: IS360service - IObit - d:\Program Files\IObit\IObit Security 360\IS360srv.exed:\Program Files\IObit\IObit Security 360\IS360srv.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exeC:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exeC:\WINDOWS\System32\NMSSvc.exe

O23 - Service: Norton Ghost - Symantec Corporation - D:\Program Files\Norton Ghost\Agent\VProSvc.exeD:\Program Files\Norton Ghost\Agent\VProSvc.exe

O23 - Service: OSBIBZ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\RWEING~1\LOCALS~1\Temp\OSBIBZ.exeC:\DOCUME~1\RWEING~1\LOCALS~1\Temp\OSBIBZ.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exeC:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exeC:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\COMMON\x10nets.exeC:\PROGRA~1\COMMON~1\X10\COMMON\x10nets.exe

 

--

End of file - 6633 bytes

 

screen317:

Results of screen317's Security Check version 0.99.4

Windows XP Service Pack 3

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

avast! Antivirus

Antivirus up to date!

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

HijackThis 2.0.2

Java 6 Update 15 Out of date Java (6 update 20 available)

Adobe Flash Player 10.1.53.7

Adobe Reader 9.3.2 Adobe Out of Date! (9.3.3 available)

Mozilla Firefox (3.5.10) Firefox Out of Date! (3.6.6 available)

````````````````````````````````

Process Check:

objlist.exe by Laurent

Alwil Software Avast4 aswUpdSv.exe

Alwil Software Avast4 ashServ.exe

Alwil Software Avast4 ashDisp.exe

Alwil Software Avast4 ashMaiSv.exe

Alwil Software Avast4 ashWebSv.exe

````````````````````````````````

DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

 

``````````End of Log````````````

 

Superanitspyware:

 

NOTE: I deleted my tracking cookie lines, since it had my login names on it.

 

SUPERAntiSpyware Scan Log

http://www.superantispyware.com

 

Generated 06/29/2010 at 11:42 PM

 

Application Version : 4.39.1002

 

Core Rules Database Version : 5135

Trace Rules Database Version: 2947

 

Scan type : Complete Scan

Total Scan Time : 02:25:52

 

Memory items scanned : 477

Memory threats detected : 0

Registry items scanned : 6958

Registry threats detected : 0

File items scanned : 137209

File threats detected : 83

 

 

C:\Documents and Settings\NetworkService\Cookies\system@ads.pointroll[5].txt

C:\Documents and Settings\NetworkService\Cookies\system@trafficengine[3].txt

C:\Documents and Settings\NetworkService\Cookies\system@pointroll[1].txt

C:\Documents and Settings\NetworkService\Cookies\system@tacoda[3].txt

C:\Documents and Settings\NetworkService\Cookies\system@at.atwola[3].txt

C:\Documents and Settings\NetworkService\Cookies\system@trafficmp[8].txt

C:\Documents and Settings\NetworkService\Cookies\system@xml.trafficengine[1].txt

C:\Documents and Settings\NetworkService\Cookies\system@cdn1.trafficmp[1].txt

media1.break.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\NV8SXJRB ]

secure-us.imrworldwide.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\NV8SXJRB ]

media.mtvnservices.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\NV8SXJRB ]

media.scanscout.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\NV8SXJRB ]

objects.tremormedia.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\NV8SXJRB ]

service.twistage.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\NV8SXJRB ]

convoad.technoratimedia.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\NV8SXJRB ]

core.insightexpressai.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\NV8SXJRB ]

media.entertonement.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\NV8SXJRB ]

media-glam.pictela.net [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\NV8SXJRB ]

s0.2mdn.net [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\NV8SXJRB ]

objects.tremormedia.com [ C:\Documents and Settings\LocalService\Application Data\Macromedia\Flash Player\#SharedObjects\T93REMTN ]

secure-us.imrworldwide.com [ C:\Documents and Settings\LocalService\Application Data\Macromedia\Flash Player\#SharedObjects\T93REMTN ]

media.mtvnservices.com [ C:\Documents and Settings\LocalService\Application Data\Macromedia\Flash Player\#SharedObjects\T93REMTN ]

media.scanscout.com [ C:\Documents and Settings\LocalService\Application Data\Macromedia\Flash Player\#SharedObjects\T93REMTN ]

 

Malwarebytes:

Will be added shortly.

Link to comment
Share on other sites

Malwarebytes:

Malwarebytes' Anti-Malware 1.46

http://www.malwarebytes.org

 

Database version: 4260

 

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

 

6/30/2010 6:47:44 AM

mbam-log-2010-06-30 (06-47-44).txt

 

Scan type: Full scan (C:\|D:\|F:\|)

Objects scanned: 228012

Time elapsed: 47 minute(s), 53 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 11

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 4

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

HKEY_CLASSES_ROOT\eeshellx.shellext (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\TypeLib\{0e6117e2-c367-4be3-8045-52669e71b5df} (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{f272845d-cec2-4f95-92ee-6d08fdfbd471} (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{a7c6e906-b0b8-4810-ae82-71809ed409eb} (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\Evidence Eliminator Quick Mode (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\Evidence Eliminator Safe Restart (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\Evidence Eliminator Safe Shutdown (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\Evidence Eliminator Safe Recycle (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\Evidence Eliminator (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Evidence Eliminator (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Evidence Eliminator (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.

 

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{a7c6e906-b0b8-4810-ae82-71809ed409eb} (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

C:\WINDOWS\system32\Eeshellx.dll (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.

C:\Documents and Settings\rweingart\Desktop\Evidence Eliminator v6.01.exe (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.

C:\Documents and Settings\rweingart\Desktop\Evidence Eliminator - Help.chm (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.

C:\Documents and Settings\rweingart\Desktop\Evidence Eliminator.lnk (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.

Link to comment
Share on other sites

Open HijackThis and select Do a system scan only

 

Place a check mark next to the following entries: (if there)

 

O18 - Filter hijack: text/html - {13f4a161-4996-4c5c-9205-79fc5296e5cd} - (no file)

O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe (file missing)

 

Important: Close all open windows except for HijackThis and then click Fix checked.

 

Once completed, exit HijackThis.

 

===================================

 

Update Your Java (JRE)

 

Old versions of Java have vulnerabilities that malware can use to infect your system.

 

First Verify your Java Version

 

If there are any other version(s) installed then update now.

 

Get the new version (if needed)

 

If your version is out of date install the newest version of the Sun Java Runtime Environment.

 

Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

 

Be sure to close ALL open web browsers before starting the installation.

 

Remove any old versions

 

1. Download JavaRa and unzip the file to your Desktop.

2. Open JavaRA.exe and choose Remove Older Versions

3. Once complete exit JavaRA.

4. Run CCleaner.

 

Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.

 

=============================

 

Please download the newest version of Adobe Acrobat Reader from Adobe.com

 

Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.

Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).

Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

 

Once old versions are gone, please install the newest version.

 

=================================

 

Please download ComboFix http://img7.imageshack.us/img7/4930/combofix.gif from BleepingComputer.com

 

Alternate link: GeeksToGo.com

 

Rename ComboFix.exe to commy.exe before you save it to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools A guide to do this can be found here

Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel

As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

http://img.photobucket.com/albums/v666/sUBs/Query_RC.gif

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

 

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v666/sUBs/RC_successful.gif

 

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

 

If you have problems with ComboFix usage, see How to use ComboFix

Link to comment
Share on other sites

Superdave, you are the MAN...

 

I could not remove: O18 - Filter hijack: text/html - {13f4a161-4996-4c5c-9205-79fc5296e5cd} - (no file)

O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe (file missing)

 

Did the rest of the steps you gave.

Combofix found some stuff. The Windows recovery found some rootkit activity and forced a reboot. Then Combofix went to town.

If I am reading this right, my explorer.exe was infected and my RAID controller driver?

Now I load windows update and it pops up instantly. I noticed before even when it "worked" it would flash a few times before loading, almost like it was trying to go somewhere else.

NO MORE!!!

 

Also after I ran combofix, I did a hijack and was able to removel the O18, but still have that O23. Not a big deal, right?

 

Here is the combofix:

ComboFix 10-06-30.02 - rw 06/30/2010 20:39:34.1.1 - FAT32x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1574 [GMT -4:00]

Running from: c:\documents and settings\rw\desktop\commy.exe

Command switches used :: /stepdel

AV: avast! antivirus 4.8.1368 [VPS 100630-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\program files\INSTALL.LOG

c:\windows\system32\WINKRNME.DLL

 

Infected copy of c:\windows\system32\drivers\SI3112r.sys was found and disinfected

Restored copy from - Kitty had a snack :p

Infected copy of c:\windows\explorer.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe

 

.

((((((((((((((((((((((((( Files Created from 2010-06-01 to 2010-07-01 )))))))))))))))))))))))))))))))

.

 

2010-07-01 00:04 . 2010-07-01 00:04 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Adobe

2010-07-01 00:03 . 2010-07-01 00:03 53632 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\http://www.macromedia.com\bin\airappinstaller\airappinstaller.exe

2010-07-01 00:03 . 2010-07-01 00:03 -------- d-----w- c:\program files\Common Files\Adobe AIR

2010-07-01 00:02 . 2010-07-01 00:02 71680 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe

2010-06-30 23:55 . 2010-06-30 23:55 -------- d-----w- c:\program files\Common Files\Java

2010-06-30 23:55 . 2010-06-30 23:55 61440 ----a-w- c:\documents and settings\rw\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-29735ad9-n\decora-sse.dll

2010-06-30 23:55 . 2010-06-30 23:55 503808 ----a-w- c:\documents and settings\rw\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-49dd4ec2-n\msvcp71.dll

2010-06-30 23:55 . 2010-06-30 23:55 499712 ----a-w- c:\documents and settings\rw\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-49dd4ec2-n\jmc.dll

2010-06-30 23:55 . 2010-06-30 23:55 348160 ----a-w- c:\documents and settings\rw\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-49dd4ec2-n\msvcr71.dll

2010-06-30 23:55 . 2010-06-30 23:55 12800 ----a-w- c:\documents and settings\rw\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-29735ad9-n\decora-d3d.dll

2010-06-30 23:54 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-06-30 01:14 . 2010-06-30 01:14 63488 ----a-w- c:\documents and settings\rw\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

2010-06-30 01:08 . 2010-06-30 01:08 -------- d-----w- c:\program files\Trend Micro

2010-06-29 00:58 . 2010-06-29 00:58 -------- d-----w- c:\documents and settings\rw\Application Data\IObit

2010-06-28 03:52 . 2010-06-28 03:52 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit

2010-06-28 02:39 . 2010-05-26 14:45 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys

2010-06-28 02:13 . 2010-06-28 02:13 -------- d--h--w- c:\windows\PIF

2010-06-27 20:02 . 2010-06-29 12:11 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-06-27 17:58 . 2010-06-27 18:07 52224 ----a-w- c:\documents and settings\rw\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-06-27 17:57 . 2010-06-30 01:14 117760 ----a-w- c:\documents and settings\rw\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-06-27 17:56 . 2010-06-27 17:56 -------- d-----w- c:\documents and settings\rw\Application Data\SUPERAntiSpyware.com

2010-06-27 17:56 . 2010-06-27 17:56 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2010-06-27 00:46 . 2010-06-27 00:46 -------- d-----w- c:\program files\Windows Live Safety Center

2010-06-26 11:53 . 2010-06-26 11:53 -------- d-----w- C:\FOUND.001

2010-06-25 06:23 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll

2010-06-25 02:28 . 2010-05-21 18:14 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-06-25 02:25 . 2010-06-25 02:25 -------- d-----w- C:\FOUND.000

2010-06-25 01:52 . 2010-06-25 01:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-06-07 18:42 . 2010-06-07 18:42 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-27 19:04 . 2003-03-31 16:00 24064 ----a-w- c:\windows\system32\ctfmon.exe

2010-06-25 11:44 . 2009-08-05 12:43 36768 ----a-w- c:\documents and settings\abw\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-05-14 23:21 . 2010-05-14 23:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Motive

2010-05-14 23:16 . 2010-05-14 23:16 -------- d-----w- c:\program files\Virtual Assistant

2010-05-14 23:15 . 2010-05-14 23:15 2232 ----a-w- c:\windows\java\Packages\Data\HRRDR3PV.DAT

2010-05-14 23:15 . 2010-05-14 23:15 155995 ----a-w- c:\windows\java\Packages\YOKLB9NF.ZIP

2010-05-14 23:15 . 2010-05-14 23:15 2678 ----a-w- c:\windows\java\Packages\Data\N1FRHB7V.DAT

2010-05-14 23:15 . 2010-05-14 23:15 2678 ----a-w- c:\windows\java\Packages\Data\Z3RFNVV1.DAT

2010-05-14 23:15 . 2010-05-14 23:15 2678 ----a-w- c:\windows\java\Packages\Data\VVTVJBN3.DAT

2010-05-14 23:15 . 2010-05-14 23:15 2678 ----a-w- c:\windows\java\Packages\Data\PZLRF9FP.DAT

2010-05-14 23:15 . 2010-05-14 23:15 2678 ----a-w- c:\windows\java\Packages\Data\DFDFV13P.DAT

2010-05-14 23:15 . 2010-05-14 23:15 -------- d-----w- c:\program files\CenturyLink

2010-05-14 23:13 . 2010-05-14 23:13 -------- d-----w- c:\program files\EMBARQ

2010-05-06 10:41 . 2003-03-31 16:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 05:22 . 2003-03-31 16:00 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-29 19:39 . 2009-08-17 00:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 19:39 . 2009-08-17 00:48 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-20 05:30 . 2003-03-31 16:00 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-17 19:37 . 2010-02-04 03:10 6 ----a-w- c:\windows\system32\PCTiming.dat

1998-12-08 18:53 . 1998-12-08 18:53 99840 ----a-w- c:\program files\Common Files\IRAABOUT.DLL

1998-12-08 18:53 . 1998-12-08 18:53 70144 ----a-w- c:\program files\Common Files\IRAMDMTR.DLL

1998-12-08 18:53 . 1998-12-08 18:53 48640 ----a-w- c:\program files\Common Files\IRALPTTR.DLL

1998-12-08 18:53 . 1998-12-08 18:53 31744 ----a-w- c:\program files\Common Files\IRAWEBTR.DLL

1998-12-08 18:53 . 1998-12-08 18:53 186368 ----a-w- c:\program files\Common Files\IRAREG.DLL

1998-12-08 18:53 . 1998-12-08 18:53 17920 ----a-w- c:\program files\Common Files\IRASRIAL.DLL

.

 

------- Sigcheck -------

 

[-] 2010-06-27 19:04 . C3A2915C71AE6F225EB906C25CCD29B5 . 24064 . . [1.0.0.5] . . c:\windows\system32\ctfmon.exe

[-] 2010-06-27 19:04 . C3A2915C71AE6F225EB906C25CCD29B5 . 24064 . . [1.0.0.5] . . c:\windows\ServicePackFiles\i386\ctfmon.exe

[7] 2009-08-22 . 24232996A38C0B0CF151C2140AE29FC8 . 15360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ctfmon.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avast!"="d:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

"HideOE"="c:\program files\r2 studios\HideOE\HideOE.exe" [2002-09-06 65536]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2010-06-27 19:14 548352 ----a-w- d:\program files\SUPERAntiSpyware\SASWINLO.DLL

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiTrayTools]

2007-05-22 15:04 521128 ------w- c:\program files\DNA-drivers\DNA-ATi\Driver\DNA-ATI Tray Tools\atitray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]

2006-11-04 00:20 866584 ----a-w- d:\program files\Windows Defender\MSASCui.exe

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Brother\\Brmfl08d\\FAXRX.exe"=

"c:\\WINDOWS\\System32\\mmc.exe"=

"c:\\Program Files\\Java\\JRE6\\BIN\\JAVA.EXE"=

"f:\\Program Files\\BitLord\\BitLord.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"54925:UDP"= 54925:UDP:BrotherNetwork Scanner

"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443

"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674

"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674

"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675

 

R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [8/3/2009 11:40 PM 116264]

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [8/5/2009 12:05 AM 114768]

R1 SASDIFSV;SASDIFSV;d:\program files\SUPERAntiSpyware\SASDIFSV.SYS [7/28/2009 10:53 AM 12872]

R1 SASKUTIL;SASKUTIL;d:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/28/2009 10:53 AM 67656]

R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [6/27/2010 10:39 PM 18816]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/5/2009 12:05 AM 20560]

R2 IS360service;IS360service;d:\program files\IObit\IObit Security 360\is360srv.exe [6/27/2010 11:52 PM 312152]

R3 hpdat;hpdat;c:\windows\system32\drivers\hpdat.sys [4/15/2009 3:41 PM 7936]

R3 X10Hid;X10 Hid Device;c:\windows\system32\drivers\x10hid.sys [2/28/2010 1:43 PM 7040]

S1 atitray;atitray;\??\c:\program files\DNA-drivers\DNA-ATi\Driver\ATI Tray Tools\atitray.sys --> c:\program files\DNA-drivers\DNA-ATi\Driver\ATI Tray Tools\atitray.sys [?]

S2 WinDefend;Windows Defender;d:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]

S3 4mmdat;4mmdat;c:\windows\system32\drivers\4mmdat.sys [8/3/2009 11:16 PM 12288]

S3 DCamUSBLTN;Kodak DVC325 Digital Video Camera;c:\windows\system32\drivers\dvc325.sys [8/4/2009 8:47 PM 112624]

S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\75.tmp --> c:\windows\system32\75.tmp [?]

S3 OSBIBZ;OSBIBZ;c:\docume~1\RWEING~1\LOCALS~1\Temp\OSBIBZ.exe --> c:\docume~1\RWEING~1\LOCALS~1\Temp\OSBIBZ.exe [?]

S3 SASENUM;SASENUM;d:\program files\SUPERAntiSpyware\SASENUM.SYS [7/28/2009 10:53 AM 12872]

 

--- Other Services/Drivers In Memory ---

 

*NewlyCreated* - NMSCFG

.

Contents of the 'Scheduled Tasks' folder

 

2010-06-29 c:\windows\Tasks\SmartDefrag.job

- d:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2010-06-29 16:57]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://centurylink.net

uInternet Settings,ProxyOverride = local

DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab

FF - ProfilePath - c:\documents and settings\rw\Application Data\Mozilla\Firefox\Profiles\iqdkydo9.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.myembarq.com/

FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll

FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

FF - plugin: d:\program files\Mozilla Firefox\plugins\npitunes.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

 

---- FIREFOX POLICIES ----

d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

.

- - - - ORPHANS REMOVED - - - -

 

MSConfigStartUp-Adobe Reader Speed Launcher - d:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe

 

 

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-30 20:48

Windows 5.1.2600 Service Pack 3 FAT NTAPI

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atitray]

"ImagePath"=hex:5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,\

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atitray]

"ImagePath"=hex:5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,\

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]

"ImagePath"="\??\c:\windows\system32\75.tmp"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

 

[HKEY_USERS\S-1-5-21-1645522239-1677128483-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9553575F-AFF9-2F44-8FBD-7BD8DE0DE6FB}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"jakebdimdcjadjmkdhlg"=hex:62,61,67,6f,00,00

"jakebdimdcjadjmkdhpg"=hex:62,61,64,69,00,00

"iakfciigfidfkkhkni"=hex:6b,61,6c,6f,6b,63,69,68,69,63,66,6d,6d,63,62,66,6d,63,

69,65,69,69,00,00

"haahaigammbphknc"=hex:6b,61,6c,6f,6b,63,6a,68,66,62,61,69,70,70,66,6c,67,64,

6a,6f,69,70,00,00

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\HID\Vid_046d&Pid_c016\6&24e83e2c&0&0000\LogConf]

@DACL=(02 0000)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(800)

d:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

c:\windows\system32\Ati2evxx.dll

 

- - - - - - - > 'explorer.exe'(2184)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\program files\Common Files\Symantec Shared\ccSetMgr.exe

d:\program files\Alwil Software\Avast4\aswUpdSv.exe

d:\program files\Alwil Software\Avast4\ashServ.exe

c:\windows\System32\GEARSec.exe

c:\windows\System32\NMSSvc.exe

d:\program files\Norton Ghost\Agent\VProSvc.exe

c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

c:\progra~1\COMMON~1\X10\COMMON\x10nets.exe

c:\program files\Canon\CAL\CALMAIN.exe

d:\program files\Alwil Software\Avast4\ashMaiSv.exe

d:\program files\Alwil Software\Avast4\ashWebSv.exe

.

**************************************************************************

.

Completion time: 2010-06-30 20:51:17 - machine was rebooted

ComboFix-quarantined-files.txt 2010-07-01 00:51

 

Pre-Run: 7,940,603,904 bytes free

Post-Run: 8,621,408,256 bytes free

 

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

 

- - End Of File - - 7B582659FC51F7D4958C1999B8AEAA61

Link to comment
Share on other sites

Sorry for being so late in getting back to you. There was something in the logs I had to check.

 

but still have that O23. Not a big deal, right?

 

If it shows up again, we'll get it.

 

Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

 

Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

 

Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

 

Exit out of MessengerDisable then delete the two files that were put on the desktop.

 

==============================

 

P2P - I see you have P2P software installed on your machine. (BitLord) We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.

 

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

 

I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

 

==============================

 

Re-running ComboFix to remove infections:

 

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:

    KillAll::
     
    File::
    C:\FOUND.001
    C:\FOUND.000
     
  • Save this as CFScript.txt, in the same location as ComboFix.exe
     
    http://img19.imageshack.us/img19/5660/cfscriptb4.gif
     
  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.

 

=====================================

 

ESET Online Scan

 

Scan your computer with the ESET FREE Online Virus Scan

 

* Click the ESET Online Scanner button.

 

* For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

* Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop

* Double click on the esetsmartinstaller_enu.exe icon on your desktop.

* Place a check mark next to YES, I accept the Terms of Use.

 

* Click the Start button.

* Accept any security warnings from your browser.

* Leave the check mark next to Remove found threats and place a check next to Scan archives.

* Click the Start button.

* ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.

* When the scan completes, click List of found threats.

* Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.

* Click the Back button then click Finish.

 

In your next reply please include the ESET Online Scan Log

Link to comment
Share on other sites

OK Dave, here is the latest combo fix file:

 

ComboFix 10-07-04.04 - rw 07/05/2010 21:15:38.3.1 - FAT32x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1557 [GMT -4:00]

Running from: c:\documents and settings\rw\Desktop\Commy.exe

Command switches used :: c:\documents and settings\rw\Desktop\CFScript.txt

AV: avast! antivirus 4.8.1368 [VPS 100706-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

 

FILE ::

"C:\FOUND.000"

"C:\FOUND.001"

.

 

((((((((((((((((((((((((( Files Created from 2010-06-06 to 2010-07-06 )))))))))))))))))))))))))))))))

.

 

2010-07-01 01:05 . 2010-07-01 01:05 -------- d-----w- C:\Commy

2010-07-01 00:03 . 2010-07-01 00:03 -------- d-----w- c:\program files\Common Files\Adobe AIR

2010-07-01 00:02 . 2010-07-01 00:02 71680 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe

2010-06-30 23:55 . 2010-06-30 23:55 -------- d-----w- c:\program files\Common Files\Java

2010-06-30 23:55 . 2010-06-30 23:55 61440 ----a-w- c:\documents and settings\rw\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-29735ad9-n\decora-sse.dll

2010-06-30 23:55 . 2010-06-30 23:55 503808 ----a-w- c:\documents and settings\rw\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-49dd4ec2-n\msvcp71.dll

2010-06-30 23:55 . 2010-06-30 23:55 499712 ----a-w- c:\documents and settings\rw\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-49dd4ec2-n\jmc.dll

2010-06-30 23:55 . 2010-06-30 23:55 348160 ----a-w- c:\documents and settings\rw\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-49dd4ec2-n\msvcr71.dll

2010-06-30 23:55 . 2010-06-30 23:55 12800 ----a-w- c:\documents and settings\rw\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-29735ad9-n\decora-d3d.dll

2010-06-30 23:54 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-06-30 01:14 . 2010-06-30 01:14 63488 ----a-w- c:\documents and settings\rw\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

2010-06-30 01:08 . 2010-06-30 01:08 -------- d-----w- c:\program files\Trend Micro

2010-06-29 00:58 . 2010-06-29 00:58 -------- d-----w- c:\documents and settings\rw\Application Data\IObit

2010-06-28 03:52 . 2010-06-28 03:52 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit

2010-06-28 02:39 . 2010-05-26 14:45 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys

2010-06-28 02:13 . 2010-06-28 02:13 -------- d--h--w- c:\windows\PIF

2010-06-27 20:02 . 2010-06-29 12:11 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-06-27 17:58 . 2010-06-27 18:07 52224 ----a-w- c:\documents and settings\rw\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-06-27 17:57 . 2010-06-30 01:14 117760 ----a-w- c:\documents and settings\rw\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-06-27 17:56 . 2010-06-27 17:56 -------- d-----w- c:\documents and settings\rw\Application Data\SUPERAntiSpyware.com

2010-06-27 17:56 . 2010-06-27 17:56 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2010-06-27 00:46 . 2010-06-27 00:46 -------- d-----w- c:\program files\Windows Live Safety Center

2010-06-26 11:53 . 2010-06-26 11:53 -------- d-----w- C:\FOUND.001

2010-06-25 06:23 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll

2010-06-25 02:28 . 2010-05-21 18:14 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-06-25 02:25 . 2010-06-25 02:25 -------- d-----w- C:\FOUND.000

2010-06-25 01:52 . 2010-06-25 01:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-06-09 08:06 . 2010-06-09 08:06 976832 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\579\AdobeARM.exe

2010-06-09 08:06 . 2010-06-09 08:06 70584 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\579\AdobeExtractFiles.dll

2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\579\ReaderUpdater.exe

2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\579\AcrobatUpdater.exe

2010-06-07 18:42 . 2010-06-07 18:42 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-27 19:04 . 2003-03-31 16:00 24064 ----a-w- c:\windows\system32\ctfmon.exe

2010-06-25 11:44 . 2009-08-05 12:43 36768 ----a-w- c:\documents and settings\abw\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-05-14 23:21 . 2010-05-14 23:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Motive

2010-05-14 23:16 . 2010-05-14 23:16 -------- d-----w- c:\program files\Virtual Assistant

2010-05-14 23:15 . 2010-05-14 23:15 2232 ----a-w- c:\windows\java\Packages\Data\HRRDR3PV.DAT

2010-05-14 23:15 . 2010-05-14 23:15 155995 ----a-w- c:\windows\java\Packages\YOKLB9NF.ZIP

2010-05-14 23:15 . 2010-05-14 23:15 2678 ----a-w- c:\windows\java\Packages\Data\N1FRHB7V.DAT

2010-05-14 23:15 . 2010-05-14 23:15 2678 ----a-w- c:\windows\java\Packages\Data\Z3RFNVV1.DAT

2010-05-14 23:15 . 2010-05-14 23:15 2678 ----a-w- c:\windows\java\Packages\Data\VVTVJBN3.DAT

2010-05-14 23:15 . 2010-05-14 23:15 2678 ----a-w- c:\windows\java\Packages\Data\PZLRF9FP.DAT

2010-05-14 23:15 . 2010-05-14 23:15 2678 ----a-w- c:\windows\java\Packages\Data\DFDFV13P.DAT

2010-05-14 23:15 . 2010-05-14 23:15 -------- d-----w- c:\program files\CenturyLink

2010-05-14 23:13 . 2010-05-14 23:13 -------- d-----w- c:\program files\EMBARQ

2010-05-06 10:41 . 2003-03-31 16:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 05:22 . 2003-03-31 16:00 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-29 19:39 . 2009-08-17 00:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 19:39 . 2009-08-17 00:48 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-20 05:30 . 2003-03-31 16:00 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-17 19:37 . 2010-02-04 03:10 6 ----a-w- c:\windows\system32\PCTiming.dat

1998-12-08 18:53 . 1998-12-08 18:53 99840 ----a-w- c:\program files\Common Files\IRAABOUT.DLL

1998-12-08 18:53 . 1998-12-08 18:53 70144 ----a-w- c:\program files\Common Files\IRAMDMTR.DLL

1998-12-08 18:53 . 1998-12-08 18:53 48640 ----a-w- c:\program files\Common Files\IRALPTTR.DLL

1998-12-08 18:53 . 1998-12-08 18:53 31744 ----a-w- c:\program files\Common Files\IRAWEBTR.DLL

1998-12-08 18:53 . 1998-12-08 18:53 186368 ----a-w- c:\program files\Common Files\IRAREG.DLL

1998-12-08 18:53 . 1998-12-08 18:53 17920 ----a-w- c:\program files\Common Files\IRASRIAL.DLL

.

 

------- Sigcheck -------

 

[-] 2010-06-27 19:04 . C3A2915C71AE6F225EB906C25CCD29B5 . 24064 . . [1.0.0.5] . . c:\windows\system32\ctfmon.exe

[-] 2010-06-27 19:04 . C3A2915C71AE6F225EB906C25CCD29B5 . 24064 . . [1.0.0.5] . . c:\windows\ServicePackFiles\i386\ctfmon.exe

[7] 2009-08-22 . 24232996A38C0B0CF151C2140AE29FC8 . 15360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ctfmon.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2009-01-30 1347584]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avast!"="d:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

"HideOE"="c:\program files\r2 studios\HideOE\HideOE.exe" [2002-09-06 65536]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2010-06-27 19:14 548352 ----a-w- d:\program files\SUPERAntiSpyware\SASWINLO.DLL

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2009-12-22 05:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiTrayTools]

2007-05-22 15:04 521128 ------w- c:\program files\DNA-drivers\DNA-ATi\Driver\DNA-ATI Tray Tools\atitray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2010-02-18 15:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]

2006-11-04 00:20 866584 ----a-w- d:\program files\Windows Defender\MSASCui.exe

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Brother\\Brmfl08d\\FAXRX.exe"=

"c:\\WINDOWS\\System32\\mmc.exe"=

"c:\\Program Files\\Java\\JRE6\\BIN\\JAVA.EXE"=

"f:\\Program Files\\BitLord\\BitLord.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"54925:UDP"= 54925:UDP:BrotherNetwork Scanner

"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443

"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674

"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674

"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675

 

R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [8/3/2009 11:40 PM 116264]

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [8/5/2009 12:05 AM 114768]

R1 SASDIFSV;SASDIFSV;d:\program files\SUPERAntiSpyware\SASDIFSV.SYS [7/28/2009 10:53 AM 12872]

R1 SASKUTIL;SASKUTIL;d:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/28/2009 10:53 AM 67656]

R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [6/27/2010 10:39 PM 18816]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/5/2009 12:05 AM 20560]

R3 hpdat;hpdat;c:\windows\system32\drivers\hpdat.sys [4/15/2009 3:41 PM 7936]

R3 X10Hid;X10 Hid Device;c:\windows\system32\drivers\x10hid.sys [2/28/2010 1:43 PM 7040]

S1 atitray;atitray;\??\c:\program files\DNA-drivers\DNA-ATi\Driver\ATI Tray Tools\atitray.sys --> c:\program files\DNA-drivers\DNA-ATi\Driver\ATI Tray Tools\atitray.sys [?]

S2 WinDefend;Windows Defender;d:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]

S3 4mmdat;4mmdat;c:\windows\system32\drivers\4mmdat.sys [8/3/2009 11:16 PM 12288]

S3 DCamUSBLTN;Kodak DVC325 Digital Video Camera;c:\windows\system32\drivers\dvc325.sys [8/4/2009 8:47 PM 112624]

S3 IS360service;IS360service;d:\program files\IObit\IObit Security 360\is360srv.exe [6/27/2010 11:52 PM 312152]

S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\75.tmp --> c:\windows\system32\75.tmp [?]

S3 OSBIBZ;OSBIBZ;c:\docume~1\RWEING~1\LOCALS~1\Temp\OSBIBZ.exe --> c:\docume~1\RWEING~1\LOCALS~1\Temp\OSBIBZ.exe [?]

S3 SASENUM;SASENUM;d:\program files\SUPERAntiSpyware\SASENUM.SYS [7/28/2009 10:53 AM 12872]

 

--- Other Services/Drivers In Memory ---

 

*NewlyCreated* - NMSCFG

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://centurylink.net

uInternet Settings,ProxyOverride = local

DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab

FF - ProfilePath - c:\documents and settings\rw\Application Data\Mozilla\Firefox\Profiles\iqdkydo9.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.myembarq.com/

FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll

FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

FF - plugin: d:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

FF - plugin: d:\program files\Mozilla Firefox\plugins\npitunes.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

 

---- FIREFOX POLICIES ----

d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

.

- - - - ORPHANS REMOVED - - - -

 

MSConfigStartUp-MSMSGS - c:\program files\Messenger\msmsgs.exe

 

 

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-05 21:27

Windows 5.1.2600 Service Pack 3 FAT NTAPI

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atitray]

"ImagePath"=hex:5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,\

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atitray]

"ImagePath"=hex:5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,\

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]

"ImagePath"="\??\c:\windows\system32\75.tmp"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

 

[HKEY_USERS\S-1-5-21-1645522239-1677128483-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9553575F-AFF9-2F44-8FBD-7BD8DE0DE6FB}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"jakebdimdcjadjmkdhlg"=hex:62,61,67,6f,00,00

"jakebdimdcjadjmkdhpg"=hex:62,61,64,69,00,00

"iakfciigfidfkkhkni"=hex:6b,61,6c,6f,6b,63,69,68,69,63,66,6d,6d,63,62,66,6d,63,

69,65,69,69,00,00

"haahaigammbphknc"=hex:6b,61,6c,6f,6b,63,6a,68,66,62,61,69,70,70,66,6c,67,64,

6a,6f,69,70,00,00

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\HID\Vid_046d&Pid_c016\6&24e83e2c&0&0000\LogConf]

@DACL=(02 0000)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(804)

d:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

c:\windows\system32\Ati2evxx.dll

 

- - - - - - - > 'explorer.exe'(3192)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

d:\program files\Alwil Software\Avast4\aswUpdSv.exe

d:\program files\Alwil Software\Avast4\ashServ.exe

c:\windows\System32\GEARSec.exe

c:\windows\System32\NMSSvc.exe

c:\program files\Canon\CAL\CALMAIN.exe

d:\program files\Alwil Software\Avast4\ashMaiSv.exe

d:\program files\Alwil Software\Avast4\ashWebSv.exe

c:\program files\outlook express\msimn.exe

.

**************************************************************************

.

Completion time: 2010-07-05 21:30:13 - machine was rebooted

ComboFix-quarantined-files.txt 2010-07-06 01:30

ComboFix2.txt 2010-07-01 01:11

ComboFix3.txt 2010-07-01 00:51

 

Pre-Run: 8,191,410,176 bytes free

Post-Run: 8,399,749,120 bytes free

 

- - End Of File - - C7E3A2A11D072A88DA184FF1D8EA3819

 

 

Here is the ESET file:

 

C:\WINDOWS\system32\drivers\etc\hosts.20100624-220040.backup Win32/Qhost trojan cleaned by deleting - quarantined

C:\Documents and Settings\abw\Local Settings\Application Data\Identities\{CBEBBA05-BC05-47EA-A98A-69424387CFAE}\Microsoft\Outlook Express\Deleted Items.dbx multiple threats unable to clean

C:\System Volume Information\_restore{32BBD131-392F-4B77-9CDC-C9AA943C8B14}\RP347\A0061130.sys Win32/Olmarik.ZC trojan cleaned - quarantined

F:\old\hideoe.exe probably unknown NewHeur_PE virus deleted - quarantined

 

 

I know my wife said she got some bad emails from a spoofed "UPS" email. She deleted, but must not have purged the folder.

HideOE is a program I have used for like 8 years at least for hiding outlook in the sytem tray.

Link to comment
Share on other sites

Also, I tried hijack again. Cant get rid of that annoying:

O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe (file missing)

 

Thanks for all your help.

Link to comment
Share on other sites

Please ensure that the items in the Deleted Items are cleared. How's your computer working?

 

Go to Start > Run and type Notepad.exe then click OK.

 

Copy and paste the following text within the code box into the new Notepad file.

 

@ECHO OFF
sc stop "DTSRVC "
sc delete "DTSRVC "

exit

 

In Notepad select File and Save as

Choose the Save to location to be the Desktop and for the File name: type in fixme.bat making sure that the Save as type field says All files.

 

Next double click fixservice.bat to run it.

A black box should open and close after a short time, this is normal.

Do not continue until the black box has closed

Delete fixservice.bat from the Desktop.

 

==========================

 

Re-running ComboFix to remove infections:

 

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:

    KillAll::
    File::
    C:\FOUND.001
    C:\FOUND.000
     
    FCopy::
    c:\windows\$NtServicePackUninstall$\ctfmon.exe | c:\windows\system32\ctfmon.exe
     
  • Save this as CFScript.txt, in the same location as ComboFix.exe
     
    http://img19.imageshack.us/img19/5660/cfscriptb4.gif
     
  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.

 

Please run HJT again to see if that line 23 is gone.

Link to comment
Share on other sites

Could not get rid of that O23. I am thinking maybe I should reinstall the monitor sw (that was from an LG driver) and then uninstall. Maybe something is stuck?

 

Otherwise machine is running great. I noticed that my little thermocouple I have in the heatsync of the CPU is back around 104F. At the peak of my problem it was 130F and about a week ago before your tweaks, it was 116F. Tells me a lot less is running.

 

Here is the combofix:

ComboFix 10-07-04.04 - rw 07/05/2010 21:15:38.3.1 - FAT32x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1557 [GMT -4:00]

Running from: c:\documents and settings\rw\Desktop\Commy.exe

Command switches used :: c:\documents and settings\rw\Desktop\CFScript.txt

AV: avast! antivirus 4.8.1368 [VPS 100706-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

 

FILE ::

"C:\FOUND.000"

"C:\FOUND.001"

.

 

((((((((((((((((((((((((( Files Created from 2010-06-06 to 2010-07-06 )))))))))))))))))))))))))))))))

.

 

2010-07-01 01:05 . 2010-07-01 01:05 -------- d-----w- C:\Commy

2010-07-01 00:03 . 2010-07-01 00:03 -------- d-----w- c:\program files\Common Files\Adobe AIR

2010-07-01 00:02 . 2010-07-01 00:02 71680 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe

2010-06-30 23:55 . 2010-06-30 23:55 -------- d-----w- c:\program files\Common Files\Java

2010-06-30 23:55 . 2010-06-30 23:55 61440 ----a-w- c:\documents and settings\rw\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-29735ad9-n\decora-sse.dll

2010-06-30 23:55 . 2010-06-30 23:55 503808 ----a-w- c:\documents and settings\rw\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-49dd4ec2-n\msvcp71.dll

2010-06-30 23:55 . 2010-06-30 23:55 499712 ----a-w- c:\documents and settings\rw\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-49dd4ec2-n\jmc.dll

2010-06-30 23:55 . 2010-06-30 23:55 348160 ----a-w- c:\documents and settings\rw\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-49dd4ec2-n\msvcr71.dll

2010-06-30 23:55 . 2010-06-30 23:55 12800 ----a-w- c:\documents and settings\rw\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-29735ad9-n\decora-d3d.dll

2010-06-30 23:54 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-06-30 01:14 . 2010-06-30 01:14 63488 ----a-w- c:\documents and settings\rw\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

2010-06-30 01:08 . 2010-06-30 01:08 -------- d-----w- c:\program files\Trend Micro

2010-06-29 00:58 . 2010-06-29 00:58 -------- d-----w- c:\documents and settings\rw\Application Data\IObit

2010-06-28 03:52 . 2010-06-28 03:52 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit

2010-06-28 02:39 . 2010-05-26 14:45 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys

2010-06-28 02:13 . 2010-06-28 02:13 -------- d--h--w- c:\windows\PIF

2010-06-27 20:02 . 2010-06-29 12:11 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-06-27 17:58 . 2010-06-27 18:07 52224 ----a-w- c:\documents and settings\rw\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-06-27 17:57 . 2010-06-30 01:14 117760 ----a-w- c:\documents and settings\rw\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-06-27 17:56 . 2010-06-27 17:56 -------- d-----w- c:\documents and settings\rw\Application Data\SUPERAntiSpyware.com

2010-06-27 17:56 . 2010-06-27 17:56 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2010-06-27 00:46 . 2010-06-27 00:46 -------- d-----w- c:\program files\Windows Live Safety Center

2010-06-26 11:53 . 2010-06-26 11:53 -------- d-----w- C:\FOUND.001

2010-06-25 06:23 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll

2010-06-25 02:28 . 2010-05-21 18:14 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-06-25 02:25 . 2010-06-25 02:25 -------- d-----w- C:\FOUND.000

2010-06-25 01:52 . 2010-06-25 01:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-06-09 08:06 . 2010-06-09 08:06 976832 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\579\AdobeARM.exe

2010-06-09 08:06 . 2010-06-09 08:06 70584 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\579\AdobeExtractFiles.dll

2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\579\ReaderUpdater.exe

2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\579\AcrobatUpdater.exe

2010-06-07 18:42 . 2010-06-07 18:42 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-27 19:04 . 2003-03-31 16:00 24064 ----a-w- c:\windows\system32\ctfmon.exe

2010-06-25 11:44 . 2009-08-05 12:43 36768 ----a-w- c:\documents and settings\abw\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-05-14 23:21 . 2010-05-14 23:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Motive

2010-05-14 23:16 . 2010-05-14 23:16 -------- d-----w- c:\program files\Virtual Assistant

2010-05-14 23:15 . 2010-05-14 23:15 2232 ----a-w- c:\windows\java\Packages\Data\HRRDR3PV.DAT

2010-05-14 23:15 . 2010-05-14 23:15 155995 ----a-w- c:\windows\java\Packages\YOKLB9NF.ZIP

2010-05-14 23:15 . 2010-05-14 23:15 2678 ----a-w- c:\windows\java\Packages\Data\N1FRHB7V.DAT

2010-05-14 23:15 . 2010-05-14 23:15 2678 ----a-w- c:\windows\java\Packages\Data\Z3RFNVV1.DAT

2010-05-14 23:15 . 2010-05-14 23:15 2678 ----a-w- c:\windows\java\Packages\Data\VVTVJBN3.DAT

2010-05-14 23:15 . 2010-05-14 23:15 2678 ----a-w- c:\windows\java\Packages\Data\PZLRF9FP.DAT

2010-05-14 23:15 . 2010-05-14 23:15 2678 ----a-w- c:\windows\java\Packages\Data\DFDFV13P.DAT

2010-05-14 23:15 . 2010-05-14 23:15 -------- d-----w- c:\program files\CenturyLink

2010-05-14 23:13 . 2010-05-14 23:13 -------- d-----w- c:\program files\EMBARQ

2010-05-06 10:41 . 2003-03-31 16:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 05:22 . 2003-03-31 16:00 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-29 19:39 . 2009-08-17 00:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 19:39 . 2009-08-17 00:48 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-20 05:30 . 2003-03-31 16:00 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-17 19:37 . 2010-02-04 03:10 6 ----a-w- c:\windows\system32\PCTiming.dat

1998-12-08 18:53 . 1998-12-08 18:53 99840 ----a-w- c:\program files\Common Files\IRAABOUT.DLL

1998-12-08 18:53 . 1998-12-08 18:53 70144 ----a-w- c:\program files\Common Files\IRAMDMTR.DLL

1998-12-08 18:53 . 1998-12-08 18:53 48640 ----a-w- c:\program files\Common Files\IRALPTTR.DLL

1998-12-08 18:53 . 1998-12-08 18:53 31744 ----a-w- c:\program files\Common Files\IRAWEBTR.DLL

1998-12-08 18:53 . 1998-12-08 18:53 186368 ----a-w- c:\program files\Common Files\IRAREG.DLL

1998-12-08 18:53 . 1998-12-08 18:53 17920 ----a-w- c:\program files\Common Files\IRASRIAL.DLL

.

 

------- Sigcheck -------

 

[-] 2010-06-27 19:04 . C3A2915C71AE6F225EB906C25CCD29B5 . 24064 . . [1.0.0.5] . . c:\windows\system32\ctfmon.exe

[-] 2010-06-27 19:04 . C3A2915C71AE6F225EB906C25CCD29B5 . 24064 . . [1.0.0.5] . . c:\windows\ServicePackFiles\i386\ctfmon.exe

[7] 2009-08-22 . 24232996A38C0B0CF151C2140AE29FC8 . 15360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ctfmon.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2009-01-30 1347584]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avast!"="d:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

"HideOE"="c:\program files\r2 studios\HideOE\HideOE.exe" [2002-09-06 65536]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2010-06-27 19:14 548352 ----a-w- d:\program files\SUPERAntiSpyware\SASWINLO.DLL

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2009-12-22 05:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiTrayTools]

2007-05-22 15:04 521128 ------w- c:\program files\DNA-drivers\DNA-ATi\Driver\DNA-ATI Tray Tools\atitray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2010-02-18 15:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]

2006-11-04 00:20 866584 ----a-w- d:\program files\Windows Defender\MSASCui.exe

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Brother\\Brmfl08d\\FAXRX.exe"=

"c:\\WINDOWS\\System32\\mmc.exe"=

"c:\\Program Files\\Java\\JRE6\\BIN\\JAVA.EXE"=

"f:\\Program Files\\BitLord\\BitLord.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"54925:UDP"= 54925:UDP:BrotherNetwork Scanner

"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443

"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674

"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674

"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675

 

R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [8/3/2009 11:40 PM 116264]

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [8/5/2009 12:05 AM 114768]

R1 SASDIFSV;SASDIFSV;d:\program files\SUPERAntiSpyware\SASDIFSV.SYS [7/28/2009 10:53 AM 12872]

R1 SASKUTIL;SASKUTIL;d:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/28/2009 10:53 AM 67656]

R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [6/27/2010 10:39 PM 18816]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/5/2009 12:05 AM 20560]

R3 hpdat;hpdat;c:\windows\system32\drivers\hpdat.sys [4/15/2009 3:41 PM 7936]

R3 X10Hid;X10 Hid Device;c:\windows\system32\drivers\x10hid.sys [2/28/2010 1:43 PM 7040]

S1 atitray;atitray;\??\c:\program files\DNA-drivers\DNA-ATi\Driver\ATI Tray Tools\atitray.sys --> c:\program files\DNA-drivers\DNA-ATi\Driver\ATI Tray Tools\atitray.sys [?]

S2 WinDefend;Windows Defender;d:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]

S3 4mmdat;4mmdat;c:\windows\system32\drivers\4mmdat.sys [8/3/2009 11:16 PM 12288]

S3 DCamUSBLTN;Kodak DVC325 Digital Video Camera;c:\windows\system32\drivers\dvc325.sys [8/4/2009 8:47 PM 112624]

S3 IS360service;IS360service;d:\program files\IObit\IObit Security 360\is360srv.exe [6/27/2010 11:52 PM 312152]

S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\75.tmp --> c:\windows\system32\75.tmp [?]

S3 OSBIBZ;OSBIBZ;c:\docume~1\RWEING~1\LOCALS~1\Temp\OSBIBZ.exe --> c:\docume~1\RWEING~1\LOCALS~1\Temp\OSBIBZ.exe [?]

S3 SASENUM;SASENUM;d:\program files\SUPERAntiSpyware\SASENUM.SYS [7/28/2009 10:53 AM 12872]

 

--- Other Services/Drivers In Memory ---

 

*NewlyCreated* - NMSCFG

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://centurylink.net

uInternet Settings,ProxyOverride = local

DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab

FF - ProfilePath - c:\documents and settings\rw\Application Data\Mozilla\Firefox\Profiles\iqdkydo9.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.myembarq.com/

FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll

FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

FF - plugin: d:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

FF - plugin: d:\program files\Mozilla Firefox\plugins\npitunes.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

 

---- FIREFOX POLICIES ----

d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

.

- - - - ORPHANS REMOVED - - - -

 

MSConfigStartUp-MSMSGS - c:\program files\Messenger\msmsgs.exe

 

 

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-05 21:27

Windows 5.1.2600 Service Pack 3 FAT NTAPI

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atitray]

"ImagePath"=hex:5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,\

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atitray]

"ImagePath"=hex:5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,\

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]

"ImagePath"="\??\c:\windows\system32\75.tmp"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

 

[HKEY_USERS\S-1-5-21-1645522239-1677128483-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9553575F-AFF9-2F44-8FBD-7BD8DE0DE6FB}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"jakebdimdcjadjmkdhlg"=hex:62,61,67,6f,00,00

"jakebdimdcjadjmkdhpg"=hex:62,61,64,69,00,00

"iakfciigfidfkkhkni"=hex:6b,61,6c,6f,6b,63,69,68,69,63,66,6d,6d,63,62,66,6d,63,

69,65,69,69,00,00

"haahaigammbphknc"=hex:6b,61,6c,6f,6b,63,6a,68,66,62,61,69,70,70,66,6c,67,64,

6a,6f,69,70,00,00

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\HID\Vid_046d&Pid_c016\6&24e83e2c&0&0000\LogConf]

@DACL=(02 0000)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(804)

d:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

c:\windows\system32\Ati2evxx.dll

 

- - - - - - - > 'explorer.exe'(3192)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

d:\program files\Alwil Software\Avast4\aswUpdSv.exe

d:\program files\Alwil Software\Avast4\ashServ.exe

c:\windows\System32\GEARSec.exe

c:\windows\System32\NMSSvc.exe

c:\program files\Canon\CAL\CALMAIN.exe

d:\program files\Alwil Software\Avast4\ashMaiSv.exe

d:\program files\Alwil Software\Avast4\ashWebSv.exe

c:\program files\outlook express\msimn.exe

.

**************************************************************************

.

Completion time: 2010-07-05 21:30:13 - machine was rebooted

ComboFix-quarantined-files.txt 2010-07-06 01:30

ComboFix2.txt 2010-07-01 01:11

ComboFix3.txt 2010-07-01 00:51

 

Pre-Run: 8,191,410,176 bytes free

Post-Run: 8,399,749,120 bytes free

 

- - End Of File - - C7E3A2A11D072A88DA184FF1D8EA3819

Link to comment
Share on other sites

Could not get rid of that O23. I am thinking maybe I should reinstall the monitor sw (that was from an LG driver) and then uninstall. Maybe something is stuck?

Don't to anything with it for the moment. It's nothing serious. We were instructed to fix anything in HJT with a (file missing) tag. There are some other things I have to consult with my boss in the ComboFix log. I thinks he's away on vacation so I get to him when he gets back. Just keep watching this topic and I get back to you. Thanks

Link to comment
Share on other sites

To give an update. All seems ok, with the exception of shutting down.

The machine logs out and sits on the last screen (basically a colored background) for about 2 minutes. I hear the HDD doing something. Then it shuts down.

Link to comment
Share on other sites

Ok. My laptop with Vista takes a lot longer to shut down than my pc with XP. Not sure why. I suppose there's more stuff to save. Let's do some clean-up

 

* Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.

* Now type commy /uninstall in the runbox

* Make sure there's a space between commy and /Uninstall

* Then hit Enter

 

* The above procedure will:

* Delete the following:

* ComboFix and its associated files and folders.

* Reset the clock settings.

* Hide file extensions, if required.

* Hide System/Hidden files, if required.

* Set a new, clean Restore Point.

 

==============================

 

Download OTC by OldTimer and save it to your desktop.

 

1. Double-click OTC to run it.

2. Click the CleanUp! button.

3. Select Yes when the "Begin cleanup Process?" prompt appears.

4. If you are prompted to Reboot during the cleanup, select Yes

5. OTC should delete itself once it finishes, if not delete it yourself.

 

=================================

 

Clean out your temporary internet files and temp files.

Download TFC by OldTimer to your desktop.

 

Double-click TFC.exe to run it.

 

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

 

TFC will close all programs when run, so make sure you have saved all your work before you begin.

 

* Click the Start button to begin the cleaning process.

* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.

* Please let TFC run uninterrupted until it is finished.

 

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

 

=================================

 

Looking over your log it seems you don't have any evidence of a third party firewall.

 

Firewalls protect against hackers and malicious intruders. You need to download a free firewall from one of these reliable vendors.

 

Remember only install ONE firewall

 

1) Comodo Personal Firewall (Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" and uncheck any HopSurf and/or Ask.com options if you choose this one)

2) Online Armor

3) Agnitum Outpost

4) PC Tools Firewall Plus

 

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

 

=================================

 

Use the Secunia Software Inspector to check for out of date software.

 

•Click Start Now

 

•Check the box next to Enable thorough system inspection.

 

•Click Start

 

•Allow the scan to finish and scroll down to see if any updates are needed.

•Update anything listed.

.

----------

 

Go to Microsoft Windows Update and get all critical updates.

 

----------

 

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

 

SpywareBlaster- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.

* Using SpywareBlaster to protect your computer from Spyware and Malware

* If you don't know what ActiveX controls are, see here

 

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

 

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

 

Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.

Safe Surfing!

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...