IObit Forum

Removed Trojan.Win32/BHO Yesterday


John D.


Hi John,

 

Sorry to hear about the computer not starting properly. When you say you had to use "Restore", you mean "Last known good configuration", right?

About the ComboFix log: you will not find a Find3M report on your computer because that one is part of the ComboFix.txt file (log) produced by ComboFix. If you cannot find a "ComboFix.txt" file on the C: drive directly, then ComboFix didn't complete its run. But you said in an earlier post that you had found the log, so it seems you do have it. Just open "My Computer" and double-click on the "C:" drive, then look for this "ComboFix.txt" file. If you find it and it doesn't contain more than what you posted earlier *or* if you can't find the file at all, then please do this:

 

1) Disable your Avast antivirus

**Edit to add: please disable the protection within IS360 and ASC as well; they may be interfering with ComboFix**

2) Double-click on the ComboFix icon (Desktop) to launch another full run

3) You may get a message that a new version is available: if so, go ahead and get the new version. It will start automatically.

4) Allow ComboFix to run without doing anything else on the computer. Give it 30 minutes if it seems slow to complete.

5) Once complete, copy/paste the log, which will be saved on your computer at "C:\ComboFix.txt" again.

 

*Do not run ASC or any other registry cleaner until we are done cleaning the nasties, please.

 

Good luck :wink:


Hello,

Yes, you are correct. One of the two options listed was to Restore the "Last known good configuration" as the normal bootup failed several attempts.

 

I did send all of the data listed in the ComboFix.txt file. Then I did a search for other things thinking it might be another type report generated. I did recheck the log file and there is nothing there except what I copied and pasted to you.

 

I did rerun ComboFix following your instructions very carefully. I did need to again download Microsoft Recovery Console. Did download and updated to new version.

 

It did run and everything appeared normal. After about 6 minutes a screen appeared with the title "Preparing Log Report. Do not run any program until ComboFix has finished." This time I waited for one hour and then X'ed out of the program but was unable to find a report.

 

I did use Advanced System Care Start up Manager to not start anything due to the anticipated shutdown required by ComboFix, prior to running it. I exited the three programs as suggested. In regards to Avast, I did say not to start up for one hour. However, it did start up after the boot. I did shut it down immediately. Perhaps a problem. I do not know. I tried.

 

Sorry that I did run Advanced System Care this morning. It was sort of by habit but did not consider it a problem. Now I know and will not run any Viral protection programs until directed. I hope I do not mess up again.

 

Thanks. I will be awaiting your next instructions. I am pleased with everything, especially since it appears we are making good progress.

 

John D.


Thanks for the info, John :wink:

 

So something is hindering ComboFix from completing, obviously. I can't pinpoint it from here, so let's try something else:

 

- Run ComboFix from Safe Mode this time around. To do this, restart your computer and start tapping the F8 key once the BIOS page is visible onscreen. You should get a menu with boot options: select "Safe Mode" and then choose your usual account. Once in Safe Mode, launch ComboFix again and let it run to (hopefully) completion. Paste the log here, if it is produced. It's possible that the log will be too large for one post, so split it up into 2 or 3 replies, if needed.

 

I'll be out for several hours and will check back as soon as possible.

 

Good luck :smile:

 

===


Hi So_Sad,

 

Perhaps some success. I followed your instructions and ran ComboFix in Safe Mode. Below are the results.

 

I was unable to download the Microsoft Recovery Console when requested, as I was unable to get online in Safe Mode.

 

Program ran about 9 minutes and took just a few minutes to prepare the below report.

 

Thanks,

John D.

 

 

 

 

 

 

 

ComboFix 11-01-06.06 - Owner 01/07/2011 18:23:26.3.1 - x86 MINIMAL

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.684 [GMT -5:00]

Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

---- Previous Run -------

.

C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll

 

.

((((((((((((((((((((((((( Files Created from 2010-12-07 to 2011-01-07 )))))))))))))))))))))))))))))))

.

 

2011-01-07 15:39:36 . 2011-01-07 15:39:36 -------- d-----w- C:\Documents and Settings\All Users\Application Data\McAfee

2011-01-04 04:18:01 . 2011-01-04 04:18:01 -------- d-sh--w- C:\Documents and Settings\NetworkService\IETldCache

2011-01-03 17:21:39 . 2011-01-03 17:21:39 -------- d-sh--w- C:\Documents and Settings\Owner\IECompatCache

2011-01-03 17:20:10 . 2011-01-03 17:20:10 -------- d-sh--w- C:\Documents and Settings\Owner\PrivacIE

2011-01-03 17:16:50 . 2011-01-03 17:16:50 -------- d-sh--w- C:\Documents and Settings\LocalService\IETldCache

2011-01-03 17:16:10 . 2011-01-03 17:16:10 -------- d-sh--w- C:\Documents and Settings\Owner\IETldCache

2011-01-03 17:07:51 . 2010-10-18 11:10:56 7680 -c----w- C:\WINDOWS\system32\dllcache\iecompat.dll

2011-01-03 17:04:49 . 2010-11-06 00:26:58 12800 -c----w- C:\WINDOWS\system32\dllcache\xpshims.dll

2011-01-03 17:04:44 . 2010-11-06 00:26:57 247808 -c----w- C:\WINDOWS\system32\dllcache\ieproxy.dll

2011-01-03 17:04:42 . 2010-11-06 00:26:57 743424 -c----w- C:\WINDOWS\system32\dllcache\iedvtool.dll

2011-01-03 17:01:53 . 2011-01-03 17:04:28 -------- dc-h--w- C:\WINDOWS\ie8

2010-12-28 00:53:09 . 2010-12-28 00:53:09 -------- d-----w- C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla

2010-12-27 15:10:08 . 2010-12-27 15:09:49 73728 ----a-w- C:\WINDOWS\system32\javacpl.cpl

2010-12-25 17:23:10 . 2010-12-25 17:23:10 -------- d-----w- C:\Program Files\Common Files\Java

2010-12-25 17:22:47 . 2010-12-27 15:09:48 472808 ----a-w- C:\WINDOWS\system32\deployJava1.dll

2010-12-19 16:29:32 . 2010-12-19 16:29:32 -------- d-----w- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com

2010-12-19 16:29:32 . 2010-12-19 16:29:32 -------- d-----w- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com

2010-12-19 16:29:16 . 2010-12-19 16:29:40 -------- d-----w- C:\Program Files\SUPERAntiSpyware

2010-12-17 21:57:00 . 2010-12-17 21:57:00 -------- d-----w- C:\Documents and Settings\Owner\Local Settings\Application Data\PCHealth

2010-12-16 03:34:50 . 2010-11-02 15:17:02 40960 -c----w- C:\WINDOWS\system32\dllcache\ndproxy.sys

2010-12-16 03:34:15 . 2010-10-11 14:59:30 45568 -c----w- C:\WINDOWS\system32\dllcache\wab.exe

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-12-20 23:09:00 . 2010-07-17 19:02:50 38224 ----a-w- C:\WINDOWS\system32\drivers\mbamswissarmy.sys

2010-12-20 23:08:40 . 2010-07-17 19:02:48 20952 ----a-w- C:\WINDOWS\system32\drivers\mbam.sys

2010-11-18 18:12:44 . 2008-11-06 17:02:42 81920 ----a-w- C:\WINDOWS\system32\isign32.dll

2010-11-06 00:26:58 . 2008-11-06 17:07:22 916480 ----a-w- C:\WINDOWS\system32\wininet.dll

2010-11-06 00:26:58 . 2008-11-06 17:04:16 43520 ------w- C:\WINDOWS\system32\licmgr10.dll

2010-11-06 00:26:58 . 2008-11-06 17:02:37 1469440 ------w- C:\WINDOWS\system32\inetcpl.cpl

2010-11-05 16:16:13 . 2009-10-27 16:01:21 98392 ----a-w- C:\WINDOWS\system32\drivers\SBREDrv.sys

2010-11-03 12:25:54 . 2008-11-06 17:02:29 385024 ------w- C:\WINDOWS\system32\html.iec

2010-11-02 15:17:02 . 2008-11-06 17:05:16 40960 ----a-w- C:\WINDOWS\system32\drivers\ndproxy.sys

2010-10-28 13:13:22 . 2008-11-06 17:00:26 290048 ----a-w- C:\WINDOWS\system32\atmfd.dll

2010-10-26 13:25:00 . 2008-11-06 17:07:18 1853312 ----a-w- C:\WINDOWS\system32\win32k.sys

2002-07-29 03:40:00 . 2007-05-22 20:20:54 1059840 ----a-w- C:\Program Files\DS_Bonus_Plugin.8bf

2001-04-02 20:31:14 . 2009-06-04 12:33:56 550602 ----a-w- C:\Program Files\EyeCand3.8bf

2001-04-02 20:22:50 . 2009-06-04 12:33:56 409600 ----a-w- C:\Program Files\EC3-ENG.8BF

1999-06-25 14:56:04 . 2009-06-04 12:33:56 127184 ----a-w- C:\Program Files\UNWISE.EXE

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"AvgUninstallURL"="start http:" [X]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 17:13:36 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21:41 548352 ----a-w- C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Program Files\\Messenger\\msmsgs.exe"=

"C:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=

"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=

"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=

"C:\\WINDOWS\\system32\\LEXPPS.EXE"=

"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"C:\\Program Files\\iTunes\\iTunes.exe"=

"C:\\Documents and Settings\\Owner\\Application Data\\mjusbsp\\magicJack.exe"=

 

R0 crpf;crpf;C:\WINDOWS\system32\drivers\crpf.sys [3/11/2009 7:45:26 PM 36512]

R0 csdf;cdsf;C:\WINDOWS\system32\drivers\csdf.sys [3/11/2009 7:45:26 PM 39456]

R0 hotcore3;hotcore3;C:\WINDOWS\system32\drivers\hotcore3.sys [6/4/2009 10:53:15 AM 40368]

S0 Lbd;Lbd;C:\WINDOWS\system32\DRIVERS\Lbd.sys --> C:\WINDOWS\system32\DRIVERS\Lbd.sys [?]

S1 aswSP;aswSP;C:\WINDOWS\system32\drivers\aswSP.sys [11/17/2010 11:28:57 AM 165584]

S1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25:48 PM 12872]

S1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41:30 PM 67656]

S1 soqwx32;soqwx32; [x]

S2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\drivers\aswFsBlk.sys [11/17/2010 11:28:58 AM 17744]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16:28 PM 130384]

S2 gupdate1c9895919cebd66;Google Update Service (gupdate1c9895919cebd66);C:\Program Files\Google\Update\GoogleUpdate.exe [2/7/2009 2:20:12 PM 133104]

S2 IS360service;IS360service;C:\Program Files\IObit\IObit Security 360\is360srv.exe [12/17/2010 10:39:34 AM 312152]

S2 TomTomHOMEService;TomTomHOMEService;C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe [6/24/2010 9:41:38 AM 92008]

S3 dsiarhwprog;dsiarhwprog;C:\WINDOWS\system32\drivers\dsiarhwprog.sys [12/25/2009 1:13:17 PM 29184]

S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [11/14/2008 7:02:27 PM 29744]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16:28 PM 753504]

 

--- Other Services/Drivers In Memory ---

 

*NewlyCreated* - MDMXSDK

.

Contents of the 'Scheduled Tasks' folder

 

2011-01-04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50:20 . 2009-10-22 15:50:20]

 

2011-01-07 C:\WINDOWS\Tasks\Google Software Updater.job

- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-11-14 19:14:11 . 2009-03-24 16:43:32]

 

2011-01-07 C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job

- C:\Program Files\Google\Update\GoogleUpdate.exe [2009-02-07 19:20:12 . 2009-02-07 19:20:08]

 

2011-01-07 C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job

- C:\Program Files\Google\Update\GoogleUpdate.exe [2009-02-07 19:20:12 . 2009-02-07 19:20:08]

 

2011-01-07 C:\WINDOWS\Tasks\Paragon HDD copy.job

- C:\Program Files\Program\schedule_launch.exe [2009-06-04 15:52:59 . 2008-12-01 17:46:54]

.

.

------- Supplementary Scan -------

.

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: &Download All using 4shared Desktop - C:\Program Files\4shared Desktop\down_all.htm

IE: &Download using 4shared Desktop - C:\Program Files\4shared Desktop\down_link.htm

IE: Add to Google Photos Screensa&ver - C:\WINDOWS\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - C:\PROGRA~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000

IE: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

Trusted Zone: ameritrade.com\wwws

Trusted Zone: java.com\www

Handler: gameboxchrome - {494D4E3B-FA53-4487-8AF6-3F50FE1167A9} - C:\Program Files\GameBox\gamebox_toolbar.dll

FF - ProfilePath - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\roib9uj9.default\

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - C:\Program Files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

.

- - - - ORPHANS REMOVED - - - -

 

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

Toolbar-{0C8413C1-FAD1-446C-8584-BE50576F863E} - (no file)

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

WebBrowser-{0C8413C1-FAD1-446C-8584-BE50576F863E} - (no file)

AddRemove-TopStyle Lite (Version 3.0) - C:\WINDOWS\unlite3.exe

AddRemove-AmphiSoft plug-in filters DEMO - C:\Program Files\AmphiSoft Demo\uninstall.exe

 

 



Success indeed !

 

Nice full run there, John. Good work :-)

 

Ok, I think I may see what was causing ComboFix to fail in Normal mode. You have a program installed named "COMODO System Cleaner", which has a registry protection module running deep. I had not come across that program on machines until now, so I didn't spot it as a potential problem earlier.

 

Can you do me a big favor and uninstall that program completely, please? Once uninstalled, try ComboFix again, but from Normal mode this time. By the way, registry cleaners can be dangerous, so I don't like them much. You use two powerful ones right now: ASC Pro and Comodo System Cleaner; I'll tell you more on this subject as we make progress.

 

Don't forget to disable Avast and ASC before you launch ComboFix again. If ComboFix asks you to download an updated version, please do, and go for the Recovery Console install again. Show me the log it produces, if all goes well. If ComboFix still has problems in Normal mode, I'll have something else to look into.

 

See you soon !

 

===


Greetings So_Sad and Good Morning from here,

 

I followed your instructions and deleted Comodo System Cleaner, which I have had and used for many years. No problem. One is enough. And, as you said, I do recognize that registry cleaners can be dangerous.

 

One note: perhaps I was not completely exiting Avast, as ComboFix notified me that a scanner was in operation. I did turn off all scanners this time. Perhaps that was the report log problem, but of course I don't know.

 

It went real fast this time. Scan was 5 minutes or less. Waited for a few seconds after being notified that a report was being generated, then the blinking cursor appeared. Within two minutes or so the report appeared on the desktop with a notification of where it was saved.

 

John D.

 

 

 

ComboFix 11-01-07.01 - Owner 01/08/2011 7:56.4.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.481 [GMT -5:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

 

((((((((((((((((((((((((( Files Created from 2010-12-08 to 2011-01-08 )))))))))))))))))))))))))))))))

.

 

2011-01-07 15:39 . 2011-01-07 15:39 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2011-01-04 04:18 . 2011-01-04 04:18 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2011-01-03 17:21 . 2011-01-03 17:21 -------- d-sh--w- c:\documents and settings\Owner\IECompatCache

2011-01-03 17:20 . 2011-01-03 17:20 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE

2011-01-03 17:16 . 2011-01-03 17:16 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2011-01-03 17:16 . 2011-01-03 17:16 -------- d-sh--w- c:\documents and settings\Owner\IETldCache

2011-01-03 17:07 . 2010-10-18 11:10 7680 -c----w- c:\windows\system32\dllcache\iecompat.dll

2011-01-03 17:04 . 2010-11-06 00:26 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2011-01-03 17:04 . 2010-11-06 00:26 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2011-01-03 17:04 . 2010-11-06 00:26 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2011-01-03 17:01 . 2011-01-03 17:04 -------- dc-h--w- c:\windows\ie8

2010-12-28 00:53 . 2010-12-28 00:53 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Mozilla

2010-12-27 15:10 . 2010-12-27 15:09 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-12-25 17:23 . 2010-12-25 17:23 -------- d-----w- c:\program files\Common Files\Java

2010-12-25 17:22 . 2010-12-27 15:09 472808 ----a-w- c:\windows\system32\deployJava1.dll

2010-12-19 16:29 . 2010-12-19 16:29 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com

2010-12-19 16:29 . 2010-12-19 16:29 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2010-12-19 16:29 . 2010-12-19 16:29 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-12-17 21:57 . 2010-12-17 21:57 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\PCHealth

2010-12-16 03:34 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys

2010-12-16 03:34 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-12-20 23:09 . 2010-07-17 19:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-20 23:08 . 2010-07-17 19:02 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-11-18 18:12 . 2008-11-06 17:02 81920 ----a-w- c:\windows\system32\isign32.dll

2010-11-06 00:26 . 2008-11-06 17:07 916480 ----a-w- c:\windows\system32\wininet.dll

2010-11-06 00:26 . 2008-11-06 17:04 43520 ------w- c:\windows\system32\licmgr10.dll

2010-11-06 00:26 . 2008-11-06 17:02 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-11-05 16:16 . 2009-10-27 16:01 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-11-03 12:25 . 2008-11-06 17:02 385024 ------w- c:\windows\system32\html.iec

2010-11-02 15:17 . 2008-11-06 17:05 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys

2010-10-28 13:13 . 2008-11-06 17:00 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-10-26 13:25 . 2008-11-06 17:07 1853312 ----a-w- c:\windows\system32\win32k.sys

2002-07-29 03:40 . 2007-05-22 20:20 1059840 ----a-w- c:\program files\DS_Bonus_Plugin.8bf

2001-04-02 20:31 . 2009-06-04 12:33 550602 ----a-w- c:\program files\EyeCand3.8bf

2001-04-02 20:22 . 2009-06-04 12:33 409600 ----a-w- c:\program files\EC3-ENG.8BF

1999-06-25 14:56 . 2009-06-04 12:33 127184 ----a-w- c:\program files\UNWISE.EXE

.

 

((((((((((((((((((((((((((((( SnapShot@2011-01-07_23.32.06 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-01-08 12:37 . 2011-01-08 12:37 16384 c:\windows\temp\Perflib_Perfdata_300.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IObit Security 360"="c:\program files\IObit\IObit Security 360\IS360tray.exe" [2010-06-11 1280344]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"AvgUninstallURL"="start http:" [X]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=

"c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=

"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=

"c:\\WINDOWS\\system32\\LEXPPS.EXE"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Documents and Settings\\Owner\\Application Data\\mjusbsp\\magicJack.exe"=

 

R0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [6/4/2009 10:53 AM 40368]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [11/17/2010 11:28 AM 165584]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/17/2010 11:28 AM 17744]

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]

R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [6/24/2010 9:41 AM 92008]

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]

S1 soqwx32;soqwx32; [x]

S2 gupdate1c9895919cebd66;Google Update Service (gupdate1c9895919cebd66);c:\program files\Google\Update\GoogleUpdate.exe [2/7/2009 2:20 PM 133104]

S2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [12/17/2010 10:39 AM 312152]

S3 dsiarhwprog;dsiarhwprog;c:\windows\system32\drivers\dsiarhwprog.sys [12/25/2009 1:13 PM 29184]

S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [11/14/2008 7:02 PM 29744]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]

.

Contents of the 'Scheduled Tasks' folder

 

2011-01-04 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]

 

2011-01-08 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-11-14 16:43]

 

2011-01-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-07 19:20]

 

2011-01-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-07 19:20]

 

2011-01-08 c:\windows\Tasks\Paragon HDD copy.job

- c:\program files\Program\schedule_launch.exe [2009-06-04 17:46]

.

.

------- Supplementary Scan -------

.

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: &Download All using 4shared Desktop - c:\program files\4shared Desktop\down_all.htm

IE: &Download using 4shared Desktop - c:\program files\4shared Desktop\down_link.htm

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000

IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

Trusted Zone: ameritrade.com\wwws

Trusted Zone: java.com\www

Handler: gameboxchrome - {494D4E3B-FA53-4487-8AF6-3F50FE1167A9} - c:\program files\GameBox\gamebox_toolbar.dll

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\roib9uj9.default\

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

.

- - - - ORPHANS REMOVED - - - -

 

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

Toolbar-{0C8413C1-FAD1-446C-8584-BE50576F863E} - (no file)

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

WebBrowser-{0C8413C1-FAD1-446C-8584-BE50576F863E} - (no file)

 

 

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-01-08 08:01

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600

 

CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.

device: opened successfully

user: error reading MBR

kernel: MBR read successfully

user != kernel MBR !!!

 

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{32D2B100-2CB7-6778-62ED-FBE44967B874}\InProcServer32*]

"gajipoelhmpocm"=hex:66,61,68,66,6c,62,67,6f,69,6c,67,67,00,00

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]

"Licence0"="REMOVED"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(708)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

c:\windows\system32\Ati2evxx.dll

 

- - - - - - - > 'explorer.exe'(1324)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

.

Completion time: 2011-01-08 08:03:48

ComboFix-quarantined-files.txt 2011-01-08 13:03

 

Pre-Run: 186,635,665,408 bytes free

Post-Run: 186,651,099,136 bytes free

 

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect

 

- - End Of File - - F8D632F84E8EDB2C629E41F56111C337

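The Gmer block in the log above reads the first sector of the disk twice, once from user mode (the CreateFile call on the physical drive, which failed here because another process had it open) and once from kernel mode, then compares the two. Here is an added example, not ComboFix or Gmer code, of what that comparison involves: it diffs two 512-byte MBR reads, says whether the difference sits in the bootstrap code or in the partition table, and treats a failed user-mode read as inconclusive rather than as proof of a hook. Both sample sectors are constructed; the partition entry values are invented.

```python
"""Compare a user-mode and a kernel-mode read of a disk's MBR and explain the
difference.  Added example for this thread, not ComboFix or Gmer code; the two
sample sectors below are constructed."""
import struct

SECTOR_SIZE = 512
BOOT_CODE_END = 446            # bootstrap code: offsets 0..445
PART_TABLE_END = 510           # four 16-byte partition entries: offsets 446..509
BOOT_SIGNATURE = b"\x55\xaa"   # offsets 510..511
# status, CHS start, type, CHS end, LBA start, sector count (little-endian)
PART_ENTRY = struct.Struct("<B3sB3sII")


def parse_partitions(mbr):
    """Return the non-empty partition entries of a 512-byte MBR as dicts."""
    entries = []
    for i in range(4):
        status, _, ptype, _, lba, count = PART_ENTRY.unpack_from(mbr, BOOT_CODE_END + 16 * i)
        if ptype != 0:
            entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                            "lba_start": lba, "sectors": count})
    return entries


def compare_mbr(user_read, kernel_read):
    """Diff a user-mode and a kernel-mode read of the MBR.

    user_read may be None when the user-mode read failed (as in the log above,
    where another process held the physical drive open); the comparison is then
    inconclusive rather than evidence of a hook."""
    if len(kernel_read) != SECTOR_SIZE:
        raise ValueError("kernel read must be exactly 512 bytes")
    report = {"user_read_failed": user_read is None,
              "kernel_signature_ok": kernel_read[510:] == BOOT_SIGNATURE,
              "kernel_partitions": parse_partitions(kernel_read)}
    if user_read is None:
        report.update(identical=False, regions=[], first_diff=None, diff_bytes=0,
                      verdict="inconclusive: user-mode read failed, nothing to compare")
        return report
    if len(user_read) != SECTOR_SIZE:
        raise ValueError("user read must be exactly 512 bytes")
    diffs = [i for i in range(SECTOR_SIZE) if user_read[i] != kernel_read[i]]
    regions = sorted({"boot_code" if i < BOOT_CODE_END else
                      "partition_table" if i < PART_TABLE_END else "signature" for i in diffs})
    report.update(identical=not diffs, first_diff=diffs[0] if diffs else None,
                  diff_bytes=len(diffs), regions=regions,
                  user_signature_ok=user_read[510:] == BOOT_SIGNATURE,
                  user_partitions=parse_partitions(user_read))
    if not diffs:
        report["verdict"] = "both views agree"
    elif regions == ["boot_code"]:
        # A disk filter driver (backup/imaging tools install these) can also make the
        # two views disagree; check the loaded filter drivers before calling it malware.
        report["verdict"] = "bootstrap code differs between views: MBR hook or disk filter driver"
    else:
        report["verdict"] = "partition table or signature differs between views: treat as hostile"
    return report


def build_sample_mbr(boot_code):
    """Constructed 512-byte MBR: given bootstrap bytes, one NTFS partition, valid signature."""
    code = boot_code.ljust(BOOT_CODE_END, b"\x00")
    entry = PART_ENTRY.pack(0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 409_599_937)
    return code + entry + b"\x00" * 48 + BOOT_SIGNATURE


CLEAN_MBR = build_sample_mbr(b"\xeb\x3c\x90 CONSTRUCTED CLEAN BOOTSTRAP")
HOOKED_MBR = build_sample_mbr(b"\xeb\x3c\x90 CONSTRUCTED PATCHED BOOTSTRAP")

if __name__ == "__main__":
    for label, user in (("agree", CLEAN_MBR), ("hooked", HOOKED_MBR), ("failed", None)):
        print(label, "->", compare_mbr(user, CLEAN_MBR)["verdict"])
```

The third case is the one in John's log: with "user: error reading MBR" there is no user-mode sector to compare, so "user != kernel MBR" on its own says nothing about whether the bootstrap code was tampered with.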

A good run in Normal mode, finally :smile:

 

Good job there John. I do believe it was that Comodo utility though. No matter, it's sorted now.

 

Just a few leftovers to clean up and you should be good to go:

===

 

Disable Avast and ASC so they do not interfere with the running of ComboFix.

 

Open a new Notepad file and click on the "Format" menu, then make sure "Word Wrap" is unchecked. Next, copy/paste the text in the Code box below into the empty file (without the word "Code"):

 

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"=-

Driver::
Lbd
soqwx32

RegNull::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{32D2B100-2CB7-6778-62ED-FBE44967B874}\InProcServer32*]

 

Save this as CFScript.txt on your Desktop. Spelling must be accurate on the name (but it is not case sensitive).

 

http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif

 

 

> Referring to the picture above, drag CFScript into ComboFix.exe

> If you are prompted to download a new version of ComboFix, please allow it.

> ComboFix will be launched and it will do a complete run, so please be patient.

 

When finished, it will produce a log for you at C:\ComboFix.txt which I will require in your next reply.

 

 

===

===

 

You should also get the latest version of Adobe Reader and install it as soon as possible; old versions have vulnerabilities that are exploited by malware, so we need to keep the program updated at all times. Current version is 10 (they call it "version X", the Roman numeral). This is the link:

http://get.adobe.com/reader/

**Be careful when downloading and installing, as Adobe now pushes third-party applications that are unneeded (to say the least...), like McAfee Security Scan or browser toolbars. Just pay attention and untick all options offered, as you only want "Reader" installing. When installing the new version, the older version will be uninstalled automatically for you.

 

Scans are picking up a hook on your Master Boot Record. From what I can see, it's a false alarm caused by the Paragon utility; if you are not experiencing redirects while browsing, then it's definitely a false positive.

 

Are you seeing any signs of infection still? No more spam emails to your contacts?

 

Try Windows Update again and let me know if you can update IE8 now.

 

Oh and don't forget to copy/paste that latest ComboFix log as well :wink:

 

 

See you soon !

===

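The log further down this thread prints "user != kernel MBR !!!", which is the stealth-MBR detector reading sector 0 once through the user-mode API and once from the kernel and finding the two copies differ. The block below is an added example, not GMER's code and not a tool the helpers here used: it builds a constructed 512-byte MBR image, parses its partition table, and diffs two reads so a discrepancy is attributed to a region of the sector (boot code, disk signature, partition table, boot signature). The sample bytes, the "SAMPLE-BOOTCODE"/"PATCHED-BOOTCODE" markers and the partition layout are all constructed; a mismatch is only a lead, and as the helper notes above, a disk utility such as Paragon can be the benign cause.

```python
"""Illustrate the user-vs-kernel MBR comparison a stealth-MBR detector performs.

Added example, not GMER's code. Two reads of sector 0 are compared byte by
byte and any difference is reported per MBR region, together with a hash of
each read so a known-good baseline can be kept.
"""
import hashlib
import struct

SECTOR_SIZE = 512
DISK_SIG_OFFSET = 440        # 4-byte Windows disk signature at bytes 440..443
PART_TABLE_OFFSET = 446      # four 16-byte partition entries at bytes 446..509
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511 of every valid MBR
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code_marker=b"SAMPLE-BOOTCODE"):
    """Construct a minimal, well-formed MBR image (constructed test data, not a real disk)."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code_marker)] = boot_code_marker   # stands in for the 440 bytes of boot code
    struct.pack_into("<I", sector, DISK_SIG_OFFSET, 0x1234ABCD)
    # One active (0x80) NTFS (0x07) partition starting at LBA 2048, 409600 sectors long.
    entry = struct.pack(PART_ENTRY_FMT, 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 409600)
    sector[PART_TABLE_OFFSET:PART_TABLE_OFFSET + PART_ENTRY_SIZE] = entry
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def parse_partition_table(sector):
    """Return the four partition entries as dicts; unused entries have type 0."""
    if len(sector) != SECTOR_SIZE or sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("not a valid MBR: wrong length or missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, _, ptype, _, lba_start, count = struct.unpack_from(PART_ENTRY_FMT, sector, off)
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": count})
    return entries


def classify_offset(off):
    """Name the MBR region a byte offset falls in."""
    if off < DISK_SIG_OFFSET:
        return "boot code"
    if off < PART_TABLE_OFFSET:
        return "disk signature/reserved"
    if off < 510:
        return "partition table"
    return "boot signature"


def compare_mbr_reads(user_read, kernel_read):
    """Mimic the detector's check: do both read paths agree, and if not, where do they differ?"""
    report = {
        "match": user_read == kernel_read,
        "user_sha256": hashlib.sha256(user_read).hexdigest(),
        "kernel_sha256": hashlib.sha256(kernel_read).hexdigest(),
        "differing_regions": {},
    }
    for off, (u, k) in enumerate(zip(user_read, kernel_read)):
        if u != k:
            region = classify_offset(off)
            report["differing_regions"][region] = report["differing_regions"].get(region, 0) + 1
    return report


if __name__ == "__main__":
    clean = build_sample_mbr()
    # A second read whose boot code differs: the situation the detector flags.
    # Which copy is the true sector cannot be decided from the diff alone.
    altered = build_sample_mbr(b"PATCHED-BOOTCODE")
    for entry in parse_partition_table(clean):
        print(entry)
    print(compare_mbr_reads(clean, clean)["match"])
    print(compare_mbr_reads(clean, altered))
```

Run it as a script to see the parsed partition entry and the region report; a diff confined to the partition table would usually point at a partitioning or cloning tool, whereas differing boot code with identical partition entries is the pattern worth a closer look.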

Greetings So_Sad,

 

I attempted to follow your instructions with the resulting log pasted below. I think everything went well except I was not sure if I should attempt to install Adobe Reader X and update critical updates prior to running ComboFix.

 

I did elect to go with updating and did complete the Reader update and then decided maybe that is not what I am supposed to do. Sorry, if I messed up again. I know I did with updating even after your warning but somehow I allowed McAfee Security Scan (what a good trick) to download. Will uninstall.

 

I will now try and update critical updates and let you know how that goes with a new post to this thread.

 

If it will help in any way then I will be glad to uninstall Paragon. It is the free version which I am not currently using as I currently don't have my external hard drive connected.

 

No, I am not seeing any signs of infection. No more spam emails have been sent to my contacts since we started working on cleaning up the malware.

 

Thanks again for your help. Will be back in touch soon.

 

John D.

 

 

 

 

ComboFix 11-01-08.04 - Owner 01/09/2011 8:10.5.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.519 [GMT -5:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_LBD

-------\Service_Lbd

-------\Service_soqwx32

 

 

((((((((((((((((((((((((( Files Created from 2010-12-09 to 2011-01-09 )))))))))))))))))))))))))))))))

.

 

2011-01-09 13:00 . 2011-01-09 13:00 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan

2011-01-09 13:00 . 2011-01-09 13:00 -------- d-----w- c:\program files\McAfee Security Scan

2011-01-09 13:00 . 2011-01-09 13:05 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2011-01-09 13:00 . 2011-01-09 13:00 -------- d-----w- c:\program files\NOS

2011-01-07 15:39 . 2011-01-07 15:39 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2011-01-04 04:18 . 2011-01-04 04:18 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2011-01-03 17:21 . 2011-01-03 17:21 -------- d-sh--w- c:\documents and settings\Owner\IECompatCache

2011-01-03 17:20 . 2011-01-03 17:20 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE

2011-01-03 17:16 . 2011-01-03 17:16 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2011-01-03 17:16 . 2011-01-03 17:16 -------- d-sh--w- c:\documents and settings\Owner\IETldCache

2011-01-03 17:07 . 2010-10-18 11:10 7680 -c----w- c:\windows\system32\dllcache\iecompat.dll

2011-01-03 17:04 . 2010-11-06 00:26 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2011-01-03 17:04 . 2010-11-06 00:26 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2011-01-03 17:04 . 2010-11-06 00:26 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2011-01-03 17:01 . 2011-01-03 17:04 -------- dc-h--w- c:\windows\ie8

2010-12-28 00:53 . 2010-12-28 00:53 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Mozilla

2010-12-27 15:10 . 2010-12-27 15:09 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-12-25 17:23 . 2010-12-25 17:23 -------- d-----w- c:\program files\Common Files\Java

2010-12-25 17:22 . 2010-12-27 15:09 472808 ----a-w- c:\windows\system32\deployJava1.dll

2010-12-19 16:29 . 2010-12-19 16:29 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com

2010-12-19 16:29 . 2010-12-19 16:29 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2010-12-19 16:29 . 2010-12-19 16:29 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-12-17 21:57 . 2010-12-17 21:57 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\PCHealth

2010-12-16 03:34 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys

2010-12-16 03:34 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-12-20 23:09 . 2010-07-17 19:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-20 23:08 . 2010-07-17 19:02 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-11-18 18:12 . 2008-11-06 17:02 81920 ----a-w- c:\windows\system32\isign32.dll

2010-11-06 00:26 . 2008-11-06 17:07 916480 ----a-w- c:\windows\system32\wininet.dll

2010-11-06 00:26 . 2008-11-06 17:04 43520 ------w- c:\windows\system32\licmgr10.dll

2010-11-06 00:26 . 2008-11-06 17:02 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-11-05 16:16 . 2009-10-27 16:01 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-11-03 12:25 . 2008-11-06 17:02 385024 ------w- c:\windows\system32\html.iec

2010-11-02 15:17 . 2008-11-06 17:05 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys

2010-10-28 13:13 . 2008-11-06 17:00 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-10-26 13:25 . 2008-11-06 17:07 1853312 ----a-w- c:\windows\system32\win32k.sys

2002-07-29 03:40 . 2007-05-22 20:20 1059840 ----a-w- c:\program files\DS_Bonus_Plugin.8bf

2001-04-02 20:31 . 2009-06-04 12:33 550602 ----a-w- c:\program files\EyeCand3.8bf

2001-04-02 20:22 . 2009-06-04 12:33 409600 ----a-w- c:\program files\EC3-ENG.8BF

1999-06-25 14:56 . 2009-06-04 12:33 127184 ----a-w- c:\program files\UNWISE.EXE

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"cdloader"="c:\documents and settings\Owner\Application Data\mjusbsp\cdloader2.exe" [2010-12-03 50592]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IObit Security 360"="c:\program files\IObit\IObit Security 360\IS360tray.exe" [2010-06-11 1280344]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]

 

c:\documents and settings\All Users\Start Menu\Programs\Startup\

McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=

"c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=

"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=

"c:\\WINDOWS\\system32\\LEXPPS.EXE"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Documents and Settings\\Owner\\Application Data\\mjusbsp\\magicJack.exe"=

 

R0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [6/4/2009 10:53 AM 40368]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [11/17/2010 11:28 AM 165584]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/17/2010 11:28 AM 17744]

R2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [12/17/2010 10:39 AM 312152]

R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [6/24/2010 9:41 AM 92008]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]

S2 gupdate1c9895919cebd66;Google Update Service (gupdate1c9895919cebd66);c:\program files\Google\Update\GoogleUpdate.exe [2/7/2009 2:20 PM 133104]

S3 dsiarhwprog;dsiarhwprog;c:\windows\system32\drivers\dsiarhwprog.sys [12/25/2009 1:13 PM 29184]

S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [11/14/2008 7:02 PM 29744]

S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 7:49 AM 227232]

S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [11/6/2008 12:06 PM 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper

.

Contents of the 'Scheduled Tasks' folder

 

2011-01-04 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]

 

2011-01-09 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-11-14 16:43]

 

2011-01-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-07 19:20]

 

2011-01-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-07 19:20]

 

2011-01-09 c:\windows\Tasks\Paragon HDD copy.job

- c:\program files\Program\schedule_launch.exe [2009-06-04 17:46]

.

.

------- Supplementary Scan -------

.

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: &Download All using 4shared Desktop - c:\program files\4shared Desktop\down_all.htm

IE: &Download using 4shared Desktop - c:\program files\4shared Desktop\down_link.htm

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000

IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

Trusted Zone: ameritrade.com\wwws

Trusted Zone: java.com\www

Handler: gameboxchrome - {494D4E3B-FA53-4487-8AF6-3F50FE1167A9} - c:\program files\GameBox\gamebox_toolbar.dll

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\roib9uj9.default\

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

.

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-01-09 08:17

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600

 

CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.

device: opened successfully

user: error reading MBR

kernel: MBR read successfully

user != kernel MBR !!!

 

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{32D2B100-2CB7-6778-62ED-FBE44967B874}\InProcServer32*]

"gajipoelhmpocm"=hex:66,61,68,66,6c,62,67,6f,69,6c,67,67,00,00

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]

"Licence0"="REMOVED"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(708)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

c:\windows\system32\Ati2evxx.dll

 

- - - - - - - > 'explorer.exe'(8692)

c:\windows\system32\WININET.dll

c:\windows\TEMP\logishrd\LVPrcInj01.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\program files\Alwil Software\Avast5\AvastSvc.exe

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\LEXBCES.EXE

c:\windows\system32\LEXPPS.EXE

c:\program files\Program\scripts.exe

c:\program files\Google\Update\1.2.183.39\GoogleCrashHandler.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\eHome\ehRecvr.exe

c:\windows\eHome\ehSched.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\windows\system32\PSIService.exe

c:\windows\system32\fxssvc.exe

c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

c:\windows\system32\dllhost.exe

.

**************************************************************************

.

Completion time: 2011-01-09 08:21:55 - machine was rebooted

ComboFix-quarantined-files.txt 2011-01-09 13:21

ComboFix2.txt 2011-01-08 13:03

 

Pre-Run: 186,058,964,992 bytes free

Post-Run: 186,051,833,856 bytes free

 

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect

 

- - End Of File - - E6FBF45F422F4194EED0F6C5F3BB04AE

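The CFScript posted earlier in this thread and the ComboFix.txt log above are the two halves of one operation: the script names the services and the registry key to act on, and the log records what ComboFix did. The block below is an added example, not ComboFix code and not a tool either participant used, that parses the three directives used here (Registry::, Driver::, RegNull::), splits the log on its banner headers, and reports which Driver:: targets appear in the "Drivers/Services" deletions and which RegNull:: keys the log still lists under LOCKED REGISTRY KEYS, decoding any hex: (REG_BINARY) values there so they can be read. The script and log text inside it are constructed from the lines posted above, trimmed to the relevant sections; the banner-splitting regex is my reading of this log's layout, and the hex:/dword: decoding follows standard .reg syntax.

```python
"""Cross-check a ComboFix CFScript against the ComboFix.txt log it produced.

Added example (not ComboFix's code). Directive blocks in the script are
matched against the log's deletion and locked-key sections so a helper can
see which targets the log confirms and which it still lists as locked.
"""
import re

# Constructed from the CFScript and log posted in the thread, trimmed to the relevant parts.
CFSCRIPT = r"""Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"=-

Driver::
Lbd
soqwx32

RegNull::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{32D2B100-2CB7-6778-62ED-FBE44967B874}\InProcServer32*]
"""

COMBOFIX_LOG = r"""((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_LBD
-------\Service_Lbd
-------\Service_soqwx32

((((((((((((((((((((((((( Files Created from 2010-12-09 to 2011-01-09 )))))))))))))))))))))))))))))))
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{32D2B100-2CB7-6778-62ED-FBE44967B874}\InProcServer32*]
"gajipoelhmpocm"=hex:66,61,68,66,6c,62,67,6f,69,6c,67,67,00,00

[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Licence0"="REMOVED"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
"""

# A section banner is either "((( Title )))" or "--- Title ---" (assumption drawn from this log).
SECTION_RE = re.compile(r"^(?:\(+\s*(?P<p>[^()]+?)\s*\)+|-{3,}\s*(?P<d>[^-]+?)\s*-{3,})$")
DELETED_RE = re.compile(r"^-+\\(?:Service|Legacy)_(.+)$")   # "-------\Service_Lbd"
VALUE_RE = re.compile(r'^(?P<name>"[^"]*"|@)=(?P<data>.*)$')  # .reg-style value line


def parse_cfscript(text):
    """Map each directive (a line ending in '::') to the non-blank lines under it."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def split_log_sections(text):
    """Split ComboFix.txt into {section title: [lines]} on its banner headers."""
    sections, current = {"preamble": []}, "preamble"
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = (m.group("p") or m.group("d")).strip()
            sections[current] = []
        else:
            sections[current].append(line.rstrip())
    return sections


def decode_reg_value(data):
    """Decode the right-hand side of a .reg-style value line."""
    if data == "-":                  # '-' in a Registry:: block deletes the value
        return None
    if data.startswith("hex:"):      # REG_BINARY as comma-separated hex bytes
        return bytes(int(b, 16) for b in data[4:].split(",") if b)
    if data.startswith("dword:"):
        return int(data[6:], 16)
    if len(data) >= 2 and data[0] == data[-1] == '"':
        return data[1:-1]
    return data


def parse_locked_keys(lines):
    """Return {key path: {value name: decoded data}} for a LOCKED REGISTRY KEYS section."""
    keys, current = {}, None
    for line in lines:
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                keys[current][m.group("name").strip('"')] = decode_reg_value(m.group("data"))
    return keys


def cross_check(script_text, log_text):
    """Report, per script target, what the log says happened to it."""
    script = parse_cfscript(script_text)
    log = split_log_sections(log_text)
    deleted = set()
    for line in log.get("Drivers/Services", []):
        m = DELETED_RE.match(line.strip())
        if m:
            deleted.add(m.group(1).lower())
    locked = parse_locked_keys(log.get("LOCKED REGISTRY KEYS", []))
    locked_lower = {k.lower() for k in locked}
    report = {"driver_deleted": {}, "regnull_still_locked": {}}
    for drv in script.get("Driver", []):
        report["driver_deleted"][drv] = drv.lower() in deleted
    for key in script.get("RegNull", []):
        path = key.strip("[]")
        report["regnull_still_locked"][path] = path.lower() in locked_lower
    return report, locked


if __name__ == "__main__":
    report, locked = cross_check(CFSCRIPT, COMBOFIX_LOG)
    print(report)
    for path, values in locked.items():
        print(path, values)
```

On the posted data the report shows both Driver:: targets under the deletions while the RegNull:: CLSID key is still listed as locked, and the decoded REG_BINARY value is the twelve ASCII bytes followed by two nulls that the hex string encodes; reading the log this way is quicker than scanning the banners by eye when a script has more than a handful of targets.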

Back again to you So-Sad,

 

I am set to receive Critical and Security updates from Microsoft automatically. I have received 8 since yesterday. The four that would not update automatically all related to .Net Framework. I did go to the Microsoft update site and it indicated that I needed four (the four that I have been trying to update). I installed and the site said that I have updated (now 12 listed as being installed since yesterday). When I go back in it indicates I need 4 but they are listed at 0 time for download and 0 bytes. I think, to the best of my knowledge and belief, I have all current critical and security updates.

 

I await your instruction on what I should do next.

 

John D.


Good morning John :smile:

 

That was well executed once again ! Don't worry about updating Adobe Reader prior to running ComboFix ; it's fine. About that McAfee Security scan : hahaha, I got nailed with it too, some months ago when they started pushing it :mrgreen: It's merely an annoyance, which can be uninstalled easily via Control Panel (Add/Remove programs).

 

You may certainly keep the Paragon program. It's wise to have a backup solution, and I'm not worried about the Master Boot Record detection.

 

I'm not sure what's going on with the Windows Update situation but, as you've stated, all appears up to date so let's leave it at that. If you ever get errors in the future, then I'd advise you look into it.

 

And... we're done ! Just some cleanup to do :

 

1) Click on "Start", then on "Run..." and copy/paste (or type exactly as shown) the line in bold below and click "OK" :

 

ComboFix /uninstall

(notice the space after "ComboFix")

 

A progress bar will show briefly, then ComboFix will be uninstalled completely.

 

2) To remove the other tools, please download OTC from the following link and save it to your Desktop :

http://oldtimer.geekstogo.com/OTC.exe

 

- Double-click OTC.exe to run the program

- Click the "Cleanup!" button, then click "Yes" at the "Begin cleanup process" prompt.

- OTC should restart your computer to finish the task ; if it does not restart, please restart it manually.

 

===

 

Do you do any banking online, John ? If so, I need to advise you that keyloggers and other backdoor infections may allow the pirates to retrieve sensitive info from your machine, like bank account numbers, PINs, credit card numbers, etc... If you do bank online, it would be wise to contact the institution(s) and inform them that your computer was infected with a keylogger. They may decide to give you new accounts, or whatever their internal protocol suggests.

Same goes for all your online passwords and usernames, which may have been compromised/harvested ; you should consider changing them as well.

 

If you have any questions, don't hesitate to ask ;-)

 

Be safe out there, always.

 

===

===


Greetings So_Sad

 

First, I do want to thank you again for your expert help and guidance. I sure appreciate it. You did great. I will try to "pass forward" what you gave me in some way to someone else.

 

I followed everything as instructed on your last message. I am back to normal less malware. Thanks.

 

However, I am concerned about the .Net Framework updates (Kb979909, Kb982168, Kb983583, and Kb2418241). I am now sure (more than unsure before) the updates never happened. The four are in the notice icon on my system tray but will not "stick". Everything appears normal. Did go to the Microsoft Update site and asked for what security and critical updates I needed and the site informed me that I needed four, which have been downloaded to my computer. I am not exactly sure how important these are for my safety but I always think security and critical updates are very important. Did check my Control Panel for installed/uninstalled programs and could not find them and therefore assume they have not been used to update.

 

I am concerned enough about safety and security that I will start immediately to change my password for all sites. I may also change my user name. I do banking and handle lots of things that others should not know (stocks and IRAs, etc.).

 

Also, now that this computer appears clean, is it a good idea to get my wife's tested? It does not show a problem but, like this one, I have used various programs to remove malware over the years and I am sure (probably) the leftover stuff might be or could cause a problem.

 

I do have a Win7 hooked up to the Internet. It shares a connection (unless I changed which one shares) with this computer. They both share a common monitor via a switch. I have had it many months but am not using it yet.

 

There are 3 more computers but they are not currently hooked up to the Internet. I do have one that can easily be set up with a monitor in place. I will wait now until this situation is under control.

 

Also, I would gladly accept your recommendations on what I should do to prevent this from happening in the future. I do have grandkids (a 4, 10, and 15 year old) who love to use my computers from time to time. Also, my wife, daughter, and son-in-law use them. Even guests think they should be able to use them. Do I have sufficient programs to prevent, detect and handle malware? I know it is almost impossible and I have been lucky for many years and now realize I did not place as much importance on security as I should have.

 

I could go on but will end for now. Sorry I made the message so long. Thanks for your understanding.

 

John D.


Hi John :smile:

 

You're welcome ! I'm glad I could help with your malware issues. Now, about those .Net Framework updates : I understand your concerns, and will try to help you sort them out. I also understand about the whole security issues with the computers you have, so we'll address those as well.

 

First, the .Net Framework situation : I've researched this a bit and have found that many have had these problems, meaning updates that just keep coming back. From the many topics I've read, the common cause factor appears to be corruption, somewhere in the .Net Framework structure. Could be just one or two files, but this doesn't allow the package to install updates. The main cause of corruption appears to be related to infections. Another possible cause : registry guards, which you have (ASC, Comodo...). In your case, it could be infection related or something to do with the Comodo utility you had, or possibly ASC, I don't know...

 

Of all the successful fixes I've found, one sticks out as most effective : remove everything .Net related with a special tool, then let Windows Update re-install everything. This hasn't worked for everybody, but it does appear to be the most effective. If that doesn't work for you, we'll try something else. Here's what you need to do :

 

- Download the "dotnetfix_cleanup_tool" from this next link and save it to your Desktop (click on the little yellow folder) :

http://cid-27e6a35d1a492af7.skydrive.live.com/self.aspx/Blog_Tools/dotnetfx_cleanup_tool.zip

 

- It's a .zip file, so right-click on it and choose "Extract all". A new folder will be created on your Desktop.

 

- Open this new folder and double-click on "cleanup_tool.exe" to run the utility.

 

- Once the tool has loaded, choose ".NET Framework – All Versions" and then click the "Cleanup Now" button.

 

- If a reboot is required by the tool, please allow it.

 

- Next : before going to Windows Update again, disable Avast and ASC, as we want no interference from any security programs. Get all the necessary/available updates, including all needed .Net Framework components and updates.

 

Let me know how it went.

 

Fingers crossed :wink:

 

===


Greetings So_Sad,

 

Followed your instructions relating to the .Net Framework issues. I am very happy with the results. I am certain the four KBs that had been failing to load have now loaded.

 

I followed instructions. Made sure my anti-virus stuff was not working and then went to the Microsoft Download site. Did a check of what I had missing, thinking I would need to install the four at best. However, it said I did not need anything. I reviewed my download history and the first four of the list were the ones mentioned in my last message to you. They were loaded on Monday. Somehow the tool enabled the four that have been trying to load into the system to load.

 

Thanks again. Wonderful. I am happy. I now wonder why I was reluctant to update to IE 8. My bad! I have not noticed anything not working in my work (Rich Text Emails) that I do. It seems even faster and better.

 

I did run Advanced Window System, I0bit360, SuperAntiSpy...FreeEdition, Avast, and Malwarebytes AntiMalware on my other computer (wife's) this morning - all indicated clean. However, I ran Avast from boot mode and it indicated one file was infected (msocache\alluser\00000409-6000-1103-8CFE-0150048383C9\L2562412 CABIFinder.Exe infected by win32: malware-gen). I did chest it and then deleted it. I reran and no problems indicated on either computer.

 

I am feeling confident. What a relief being confident that mailed ads for whatever with my recommendation for purchase are not going out to my friends and relatives.

 

I have started changing everything over to new passwords. Question: do I still have a line of defense with a personal verification question being asked before a user can access my password protected sites?

 

Thanks and Thanks,

John D.


Hello John :grin:

 

Well... that's great news ! Although I must admit it is a bit of a surprise to me, concerning .Net Framework. A surprise because I was under the impression the tool would totally remove .Net applications. The tool's creator may have coded some tweaks into it recently, allowing it to "repair" instead of removing everything. Either way, it's great news, and am happy it worked for you. I'm sure you'll keep an eye on future updates and perhaps report back, if anything strange occurs again. I'll be listening, haha.

 

About your wife's computer : with the tools you've run, I can only assume all is well. The main thing to look for when infections are suspected : symptoms. Symptoms include browser redirects, fake security warnings, unsolicited popups, detections from your security tools and there are a few more although less frequent, including the symptoms you had on your machine (sent spam emails...).

 

I have to go, but I will get back to you later this evening, hopefully, so that we can discuss securing your computers.

 

Back as soon as I can ;-)

 

===

===


Hi guys,

 

Please correct me if I'm wrong but earlier I have counted about 130 Restore points and I have not seen them deleted.

 

If they have not been deleted during the various clean ups, I would strongly suggest deleting all of them (security point of view) and then creating a new one after making sure that the PC is operating as expected.

 

IMHO, a defragmentation after all this installing, uninstalling, reinstalling, and cleaning will certainly speed up all processes including start up.

 

Cheers.


Hi So_Sad,

 

Thanks for your input. I was expecting the same thing but only because of your explanation. I guess that is the reason that I told you what happened (the way I saw it).

 

From an operational view my computer is operating great with no unusual activity.

 

Will await any additional advice or instructions.

 

Thanks,

John D.


Greetings Enoskype,

 

Glad to see you again. Not sure about the Restore points. It does seem that I did lots of them. Computer appears to be working great. Of course I would like to have it work even better.

 

Will await further instructions.

 

Thanks for the interest,

John D.


  • 3 weeks later...

Hello John,

 

Some unexpected events have kept me away from the keyboard.

 

Although we were able to complete the malware removing process (that's good), we do have unfinished business as far as discussing security on your machine(s) and I'm willing to continue, if you are still interested and still around lol. My online time is limited but I should have a spare moment every day from now on.

 

Will check back here periodically for your reply.

 

===


Archived

This topic is now archived and is closed to further replies.
