Multiple attempts (that are blocked) to access dangerous sites


29 replies to this topic

#1 NobleTruths (Advanced Member, Helper Trainee+, 168 posts)

Posted 31 March 2009 - 11:43 AM

Hello,

I have read and followed the FAQ. My comp is constantly trying to access websites of known mal/spyware whenever I enable my internet, which are blocked/not allowed by Webroot. Running Webroot in normal mode takes days, but in safe mode takes normal time (one and a half hours)....but only finds "potentially rootkit-masked registry," but it cannot quarantine it. I will post the report....but wonder if that is a false positive. MBAM is negative. SAS is negative. S&D is negative. Another forum site instructed me to run ComboFix, which deleted one item, but did not solve the issue. Was not getting anywhere after 10 days, so came here for help. (I'm not faulting them, I know everybody is busy...and I truly appreciate everyone's efforts to help.)

Here, I ran Kaspersky, BitDefender and F-Secure. See logs below. As you will see, BitDefender found a Trojan and deleted it. I will be (attempting) to remove the finding by Kaspersky.

Any other things you see, or other scans I should run? Thanks.



Webroot log:

3/23/2009 7:24:47 PM: Removal process completed. Elapsed time 00:00:02
3/23/2009 7:24:45 PM: Quarantining All Traces: potentially rootkit-masked registry
3/23/2009 7:24:44 PM: Removal process initiated
3/23/2009 7:24:35 PM: Sweep Status: 1 Item Found
3/23/2009 7:24:35 PM: Traces Found: 1
3/23/2009 7:24:34 PM: Registry Sweep Complete, Elapsed Time:00:00:48
3/23/2009 7:24:27 PM: Sweep Cancelled
3/23/2009 7:24:11 PM: HKLM\SYSTEM\ControlSet004\Enum\PCI\VEN_14E4&DEV_4320&SUBSYS_12F4103C&REV_03\4&253a0906&0&10A4\LogConf || BootConfig (ID = 0)
3/23/2009 7:24:11 PM: Found System Monitor: potentially rootkit-masked registry
3/23/2009 7:23:45 PM: Starting Registry Sweep
3/23/2009 7:23:45 PM: Memory Sweep Complete, Elapsed Time: 00:01:02
3/23/2009 7:22:43 PM: Starting Memory Sweep
3/23/2009 7:22:41 PM: Start Custom Sweep
3/23/2009 7:22:41 PM: Sweep initiated using definitions version 1407
3/23/2009 7:17:36 PM: ApplicationMinimized - EXIT
3/23/2009 7:17:36 PM: ApplicationMinimized - ENTER
3/23/2009 7:17:29 PM: None
3/23/2009 7:17:29 PM: Traces Found: 0
3/23/2009 7:17:28 PM: File Sweep Complete, Elapsed Time: 00:00:31
3/23/2009 7:17:28 PM: Sweep Cancelled
3/23/2009 7:16:57 PM: Starting File Sweep
3/23/2009 7:16:56 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
3/23/2009 7:16:56 PM: Starting Cookie Sweep
3/23/2009 7:16:55 PM: Registry Sweep Complete, Elapsed Time:00:00:51
3/23/2009 7:16:04 PM: Starting Registry Sweep
3/23/2009 7:16:04 PM: Memory Sweep Complete, Elapsed Time: 00:01:05
3/23/2009 7:14:58 PM: Starting Memory Sweep
3/23/2009 7:14:55 PM: Start Custom Sweep
3/23/2009 7:14:55 PM: Sweep initiated using definitions version 1407
3/23/2009 7:13:33 PM: Automated check for program update in progress.
3/23/2009 7:13:32 PM: There is a problem reaching the server. The cause may be in your connection or on the server. Please try again later.
3/23/2009 7:13:32 PM: License Check Status (0): Success
3/23/2009 7:13:00 PM: ApplicationMinimized - EXIT
3/23/2009 7:13:00 PM: ApplicationMinimized - ENTER
3/23/2009 7:12:55 PM: Informational: Loaded AntiVirus Engine: 2.83.3; SDK Version: 4.38E; Virus Definitions: 03/17/2009 23:40:24 (GMT)
3/23/2009 7:12:45 PM: License Check Status (0): Success
3/23/2009 7:12:24 PM: Webroot Software 6.1.0.100 started
3/23/2009 7:12:24 PM: | Start of Session, Monday, March 23, 2009 |
***************



Malwarebytes' Anti-Malware 1.34
Database version: 1855
Windows 5.1.2600 Service Pack 3

3/30/2009 6:33:45 PM
mbam-log-2009-03-30 (18-33-45).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 148733
Time elapsed: 43 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:35:38 PM, on 3/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\vspc1300.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\Comodo\CBOClean\BOC427.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe
C:\Program Files\Philips\Philips SPC1300NC Webcam\TrayMin1300.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aol.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...n&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"
O4 - HKLM\..\Run: [ATIModeChange] "C:\WINDOWS\system32\Ati2mdxx.exe"
O4 - HKLM\..\Run: [Cpqset] "C:\Program Files\HPQ\Default Settings\cpqset.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [HPHmon05] "C:\WINDOWS\system32\hphmon05.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] "C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" /Start
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [AGRSMMSG] "C:\WINDOWS\AGRSMMSG.exe"
O4 - HKLM\..\Run: [SPC1300] "C:\WINDOWS\vspc1300.exe"
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [BOC-427] "C:\PROGRA~1\Comodo\CBOClean\BOC427.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [Window Washer] "C:\Program Files\Webroot\Washer\wwDisp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SmartRAM] "C:\Program Files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe" /m
O4 - Global Startup: TrayMin1300.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Doyles Room Poker - {725E77D3-B919-4eef-8EEE-D09DE618B6C1} - C:\Microgaming\Poker\DoylesRoomMPP\MPPoker.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: CarbonPoker - {e4e8c758-34b4-44bb-8ef9-1f0786e81d2d} - C:\Documents and Settings\hp\Start Menu\Programs\CarbonPoker\CarbonPoker.lnk (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1130273142312
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.h...ctDetection.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\Skype4COM.dll
O20 - AppInit_DLLs:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 9089 bytes





ComboFix 09-03-22.01 - hp 2009-03-23 19:58:52.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1655 [GMT -5:00]
Running from: c:\documents and settings\hp\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Outdated)
AV: Webroot AntiVirus with AntiSpyware *On-access scanning disabled* (Updated)
FW: COMODO Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\hp\Application Data\inst.exe

.
((((((((((((((((((((((((( Files Created from 2009-02-24 to 2009-03-24 )))))))))))))))))))))))))))))))
.

2009-03-23 19:37 . 2009-03-23 19:37 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-03-23 19:29 . 2009-03-23 19:30 1,339,834 --a------ C:\MGtools.exe
2009-03-19 11:23 . 2009-03-19 11:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-19 11:20 . 2009-03-19 11:20 <DIR> d-------- c:\documents and settings\hp\Application Data\SUPERAntiSpyware.com
2009-03-19 11:04 . 2008-07-14 05:09 205,560 --a------ c:\windows\UNBOC.EXE
2009-03-19 11:04 . 2008-04-13 19:12 22,528 --a------ c:\windows\system32\wsock32.dlb
2009-03-19 11:03 . 2009-03-22 13:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\BOC427
2009-03-19 11:03 . 2008-07-14 05:09 212,728 --a------ c:\windows\CMDLIC.DLL
2009-03-19 11:02 . 2009-03-23 19:49 9,432 --a------ c:\windows\BOC427.INI
2009-03-19 10:31 . 2009-03-19 10:31 <DIR> d-------- c:\documents and settings\hp\log
2009-03-19 10:31 . 2009-03-19 10:31 153,104 --a------ c:\windows\system32\drivers\tmcomm.sys
2009-03-17 21:10 . 2009-03-19 01:37 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-03-17 21:10 . 2009-03-19 01:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-16 18:40 . 2009-03-16 18:39 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-16 18:39 . 2009-03-16 18:39 0 --a------ c:\windows\system32\REN99.tmp
2009-03-16 18:39 . 2009-03-16 18:39 0 --a------ c:\windows\system32\REN98.tmp
2009-03-16 18:39 . 2009-03-16 18:39 0 --a------ c:\windows\system32\REN97.tmp
2009-03-11 15:47 . 2009-03-17 20:40 <DIR> d-------- c:\program files\PlayersOnly Poker
2009-03-07 16:42 . 2001-08-17 23:36 8,704 --a------ c:\windows\system32\kbdjpn.dll
2009-03-07 16:42 . 2001-08-17 23:36 8,704 --a------ c:\windows\system32\dllcache\kbdjpn.dll
2009-03-07 16:42 . 2001-08-17 23:36 8,192 --a------ c:\windows\system32\SET84.tmp
2009-03-07 16:42 . 2001-08-17 23:36 8,192 --a------ c:\windows\system32\SET83.tmp
2009-03-07 16:42 . 2001-08-17 15:55 6,144 --a------ c:\windows\system32\kbd101c.dll
2009-03-07 16:42 . 2001-08-17 15:55 6,144 --a------ c:\windows\system32\kbd101b.dll
2009-03-07 16:42 . 2001-08-17 15:55 6,144 --a------ c:\windows\system32\dllcache\kbd101c.dll
2009-03-07 16:42 . 2001-08-17 15:55 6,144 --a------ c:\windows\system32\dllcache\kbd101b.dll
2009-03-07 16:42 . 2001-08-17 15:55 5,632 --a------ c:\windows\system32\kbd103.dll
2009-03-07 16:42 . 2001-08-17 15:55 5,632 --a------ c:\windows\system32\dllcache\kbd103.dll
2009-03-07 16:41 . 2008-04-13 20:09 6,144 --a------ c:\windows\system32\kbd106.dll
2009-03-07 16:41 . 2008-04-13 20:09 6,144 --a------ c:\windows\system32\dllcache\kbd106.dll
2009-03-03 15:13 . 2009-03-03 15:13 <DIR> d--h----- c:\documents and settings\All Users\Application Data\CanonBJ
2009-03-03 15:01 . 2006-11-05 21:00 198,656 --a------ c:\windows\system32\CNMLM8O.DLL
2009-03-03 13:50 . 2009-03-19 01:36 <DIR> d-------- c:\program files\DoylesRoom
2009-03-01 13:41 . 2009-03-01 13:41 <DIR> d-------- c:\program files\Common Files\Skype
2009-02-27 00:34 . 2009-03-16 18:39 410,984 --a------ c:\windows\system32\deploytk.dll
2009-02-26 23:29 . 2009-02-26 23:29 <DIR> d-------- c:\program files\MSSOAP
2009-02-26 18:16 . 2008-04-13 20:11 21,504 --a------ c:\windows\system32\hidserv.dll
2009-02-26 18:16 . 2008-04-13 20:11 21,504 --a------ c:\windows\system32\dllcache\hidserv.dll
2009-02-26 18:16 . 2008-04-13 14:39 14,592 --a------ c:\windows\system32\drivers\kbdhid.sys
2009-02-26 18:16 . 2008-04-13 14:39 14,592 --a------ c:\windows\system32\dllcache\kbdhid.sys
2009-02-26 18:16 . 2001-08-17 14:48 12,160 --a------ c:\windows\system32\drivers\mouhid.sys
2009-02-26 18:16 . 2001-08-17 14:48 12,160 --a------ c:\windows\system32\dllcache\mouhid.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-24 00:43 --------- d-----w c:\documents and settings\hp\Application Data\Skype
2009-03-24 00:42 --------- d-----w c:\documents and settings\hp\Application Data\skypePM
2009-03-19 16:02 --------- d-----w c:\program files\COMODO
2009-03-18 02:59 --------- d-----w c:\program files\Enigma Software Group
2009-03-17 23:18 --------- d-----w c:\program files\Full Tilt Poker
2009-03-17 21:12 --------- d-----w c:\program files\PokerStars
2009-03-16 23:28 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-16 23:26 --------- d-----w c:\program files\SpywareBlaster
2009-03-10 15:44 --------- d-----w c:\program files\CarbonPoker
2009-03-03 19:16 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-03 19:16 --------- d-----w c:\program files\e-texaspoker client
2009-03-03 19:08 --------- d-----w c:\documents and settings\hp\Application Data\Microgaming
2009-03-03 18:46 --------- d-----w c:\documents and settings\hp\Application Data\GlarySoft
2009-03-02 05:54 --------- d-----w c:\documents and settings\hp\Application Data\IObit
2009-03-02 05:52 --------- d-----w c:\program files\IObit
2009-03-01 21:20 --------- d-----w c:\program files\Bodog Poker
2009-03-01 20:26 --------- d-----w c:\program files\Yahoo!
2009-03-01 20:14 --------- d-----w c:\program files\Celestia
2009-03-01 20:08 --------- d-----w c:\program files\Common Files\Adobe
2009-03-01 18:41 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-03-01 18:41 --------- d-----r c:\program files\Skype
2009-02-28 14:13 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-27 05:31 --------- d-----w c:\program files\Java
2009-02-27 04:59 --------- d-----w c:\documents and settings\All Users\Application Data\Webroot
2009-02-27 04:57 --------- d-----w c:\program files\Glary Utilities
2009-02-27 04:57 --------- d-----w c:\documents and settings\All Users\Application Data\comodo
2009-02-27 04:54 24,336 ----a-w c:\windows\system32\drivers\cmdhlp.sys
2009-02-27 04:49 155,384 ----a-w c:\windows\system32\guard32.dll
2009-02-27 04:49 110,992 ----a-w c:\windows\system32\drivers\cmdguard.sys
2009-02-27 04:46 --------- d-----w c:\program files\CCleaner
2009-02-27 04:37 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-14 18:08 1,553,784 ----a-w c:\windows\WRSetup.dll
2009-02-13 23:09 29,808 ----a-w c:\windows\system32\drivers\ssfs0bbc.sys
2009-02-13 23:09 23,152 ----a-w c:\windows\system32\drivers\sshrmd.sys
2009-02-13 23:09 176,752 ----a-w c:\windows\system32\drivers\ssidrv.sys
2009-02-11 16:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 16:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-09 11:13 1,846,784 ------w c:\windows\system32\dllcache\win32k.sys
2009-01-17 03:35 3,594,752 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-10-18 18:27 30 ----a-w c:\documents and settings\hp\jagex_runescape_preferences.dat
2008-09-23 14:10 47,360 ----a-w c:\documents and settings\hp\Application Data\pcouffin.sys
2008-09-17 17:40 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091720080918\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2009-02-14 13:00 238968 --a------ c:\program files\Webroot\Spy Sweeper\Backup\CtxMenu_1_0_0_10.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Window Washer"="c:\program files\Webroot\Washer\wwDisp.exe" [2007-11-26 1206600]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-01-29 23975720]
"SmartRAM"="c:\program files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe" [2009-02-19 202064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2003-10-07 159744]
"ATIModeChange"="c:\windows\system32\Ati2mdxx.exe" [2001-09-04 28672]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-02-17 233534]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"HPHmon05"="c:\windows\system32\hphmon05.exe" [2003-05-22 483328]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"COMODO Firewall Pro"="c:\program files\COMODO\Firewall\cfp.exe" [2009-02-26 1851128]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"AGRSMMSG"="c:\windows\AGRSMMSG.exe" [2005-04-19 88209]
"SPC1300"="c:\windows\vspc1300.exe" [2007-05-31 675840]
"COMODO Internet Security"="c:\program files\COMODO\Firewall\cfp.exe" [2009-02-26 1851128]
"BOC-427"="c:\progra~1\Comodo\CBOClean\BOC427.exe" [2008-07-14 351480]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2009-02-14 6308728]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
TrayMin1300.lnk - c:\program files\Philips\Philips SPC1300NC Webcam\TrayMin1300.exe [2008-12-20 245760]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-10-15 02:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2004-03-25 23:00 335872 c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2005-01-12 15:54 241664 c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2004-04-21 13:28 286720 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2004-08-25 04:05 98304 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\BeyondVR\\ESI\\StarLight\\StarLight.exe"=
"c:\\BeyondVR\\ESI\\Cubes\\Cubes.exe"=
"c:\\BeyondVR\\ESI\\Kaleidoscope\\Kaleidoscope.exe"=
"c:\\BeyondVR\\ESI\\StarLight\\CIStutor.exe"=
"c:\\BeyondVR\\ESI\\Cubes\\CIStutor.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\CarbonPoker\\client.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [2004-08-25 5632]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-08-09 29808]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2008-09-11 110992]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2008-09-11 24336]
R2 BOCore;BOCore;c:\program files\COMODO\CBOClean\BOCore.exe [2009-03-19 73464]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe [2009-02-26 1180976]
R2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [2007-08-15 598856]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S3 phaudlwr;Philips Audio Filter;c:\windows\system32\drivers\phaudlwr.sys [2008-12-20 88320]
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS --> c:\program files\SUPERAntiSpyware\SASENUM.SYS [?]
S3 SPC1300;USB2.0 PC Camera (SPC1300);c:\windows\system32\drivers\spc1300.sys [2008-12-20 3033728]
.
Contents of the 'Scheduled Tasks' folder

2009-03-18 c:\windows\Tasks\AWC Update.job
- c:\program files\IObit\Advanced SystemCare 3\IObitUpdate.exe [2009-02-23 18:38]

2009-03-18 c:\windows\Tasks\AWC Update.job
- c:\program files\IObit\Advanced SystemCare 3\ [2009-03-19 02:14]

2009-03-24 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2009-02-12 18:10]

2009-03-16 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-02-13 19:15]

2009-03-16 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\ [2009-03-02 00:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://aol.com/
uSearchMigratedDefaultURL =
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
mSearchMigratedDefaultURL =
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: turbotax.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-23 20:01:41
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1377587462-1623373947-4152686580-1007\" 9*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"ViewMode"=dword:00000001
"StartMarker"=""
"chidney1@aol.com"="17214,1721,2542,933,13902,5957,4350,1402,1925,219|331,1,17214,1851,4711,118
32,1300,439|0,3,0,0,0,0,0,0|0,2,0,0,0,0,0,0,0|"
"QuickPlayOptions"="0,0,1"
"TableBrightness"=hex:8f,c2,75,3f
"TableColour"="122,124,126"
"LastScreenName"=""
"LastSatAtTable"=""
DUMPHIVE0.003 (REGF)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(804)
c:\windows\system32\guard32.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(864)
c:\windows\system32\guard32.dll
.
Completion time: 2009-03-23 20:03:53
ComboFix-quarantined-files.txt 2009-03-24 01:03:49
ComboFix2.txt 2008-09-08 19:05:18

Pre-Run: 63,031,783,424 bytes free
Post-Run: 63,013,588,992 bytes free

248 --- E O F --- 2009-03-22 22:19:37







Kaspersky

;*******************************************************************************
ANALYSIS: 2009-03-31 01:11:00
PROTECTIONS: 2
MALWARE: 1
SUSPECTS: 7
;*******************************************************************************
PROTECTIONS
Description                          Version    Active  Updated
;===============================================================================
Webroot AntiVirus with AntiSpyware   6.1.0.100  No      Yes
Avira AntiVir PersonalEdition        8.0.1.30   Yes     No
;===============================================================================
MALWARE
Id        Description              Type       Active  Severity  Disinfectable  Disinfected  Location
;===============================================================================
00278769  Application/PRScheduler  HackTools  No      0         Yes            No           C:\Program Files\Trend Micro\HijackThis\backups\backup-20081007-090248-835-PowerReg Scheduler.exe
;===============================================================================
SUSPECTS
Sent  Location
;===============================================================================
No    C:\BeyondVR\ESI\Cubes\CIStutor.exe
No    C:\BeyondVR\ESI\Cubes\Cubes.exe
No    C:\BeyondVR\ESI\Kaleidoscope\CIStutor.exe
No    C:\BeyondVR\ESI\Kaleidoscope\Kaleidoscope.exe
No    C:\BeyondVR\ESI\StarLight\CIStutor.exe
No    C:\BeyondVR\ESI\StarLight\StarLight.exe
No    C:\Documents and Settings\hp\Desktop\ComboFix.exe
;===============================================================================
VULNERABILITIES
Id  Severity  Description
;===============================================================================
;===============================================================================






BitDefender Online Scanner

Scan report generated at: Tue, Mar 31, 2009 - 09:41:43
Scan path: C:\;D:\;

Statistics
Time: 00:59:59
Files: 269706
Folders: 6581
Boot Sectors: 0
Archives: 9771
Packed Files: 23172

Results
Identified Viruses: 1
Infected Files: 1
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 1

Engines Info
Virus Definitions: 2816138
Engine build: AVCORE v1.7 (build 8314.19) (i386) (Sep 29 2008 17:19:14)
Scan plugins: 17
Archive plugins: 45
Unpack plugins: 7
E-mail plugins: 6
System plugins: 4

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File / Status
C:\SWSetup\hpImgEnh\DELINK.EXE    Infected with: Gen:Trojan.Heur.VB.1024DBEBEB
C:\SWSetup\hpImgEnh\DELINK.EXE    Disinfection failed
C:\SWSetup\hpImgEnh\DELINK.EXE    Deleted

F-Secure



Scanning Report
Tuesday, March 31, 2009 09:54:25 - 10:54:22
Computer name: YOUR-4105E587B6
Scanning type: Scan system for malware, rootkits
Target: C:\


--------------------------------------------------------------------------------

Result: 1 malware found
TrackingCookie.Atwola (spyware)
System

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 29783
System: 3597
Not scanned: 8
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 1
Submitted: 0
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\DOCUMENTS AND SETTINGS\HP\LOCAL SETTINGS\TEMP\HSPERFDATA_HP\484
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MUVEE TECHNOLOGIES\030410\0102\0102\VALUES

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 3.0.0
F-Secure Hydra: 3.8.9080, 2009-03-31
F-Secure AVP: 7.0.171, 2009-03-31
F-Secure Pegasus: 1.20.0, 1969-11-31
F-Secure Blacklight: 0.0.0
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics

I also have a GMER report, but I won't post that unless you request it. Thanks for your time.
NO AMOUNT OF ENLIGHTENMENT
CAN ALTER THE WAY THINGS ARE.
IT IS OUR PERCEPTIONS,
NOT THE WORLD ITSELF,
THAT MUST BE TRANSFORMED.

#2 SWI Support Robot

SWI Support Robot

    Helper robot

  • SWI Bot
  • 23,490 posts

Posted 02 April 2009 - 11:47 PM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • 48,364 posts

Posted 04 April 2009 - 08:21 AM

Hi,
I'm nasdaq and will be helping you.

Print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.

Do you know what these are?
I cannot find anything on them.

No C:\BeyondVR\ESI\Cubes\CIStutor.exe
No C:\BeyondVR\ESI\Cubes\Cubes.exe
No C:\BeyondVR\ESI\Kaleidoscope\CIStutor.exe
No C:\BeyondVR\ESI\Kaleidoscope\Kaleidoscope.exe
No C:\BeyondVR\ESI\StarLight\CIStutor.exe
No C:\BeyondVR\ESI\StarLight\StarLight.exe


===

Disable SpySweeper:

You have SpySweeper installed. While this is a great program, we need to temporarily disable (not uninstall) it because it might stop our fix.
  • Open it, click Options over to the left, then Program Options, and uncheck "Load at Windows startup".
  • Over to the left click "Shields" and uncheck everything there.
  • Uncheck "Home page shield".
  • Uncheck "Automatically restore default without notification".

After all of the fixes are complete it is very important that you enable SpySweeper again.

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O20 - AppInit_DLLs:


Click on Fix Checked when finished and exit HijackThis.

Restart the computer normally.
===

Delete these files:
c:\windows\system32\REN99.tmp
c:\windows\system32\REN98.tmp
c:\windows\system32\REN97.tmp
c:\windows\system32\SET84.tmp
c:\windows\system32\SET83.tmp

Download: CCleaner (freeware)
http://www.majorgeek...wnload4191.html
Run the installer, and uncheck the option to install Yahoo toolbar (unless you want Yahoo toolbar).
Once installed, run CCleaner click the Windows [tab]
The following should be selected by default, if not, please select:
[image: CCleaner Windows tab with the default selections]
Next: click Options click the Settings tab
Uncheck: "Only delete files older than 48 hrs.", click Ok
Then click Run Cleaner (bottom right) then Exit
===

Please navigate (using Internet Explorer, other browsers won't work) to the following site: http://support.f-sec...home/ols3.shtml

  • Click the Online Virus Scanner link. (Bottom of the page)
  • When prompted, choose to install the software.
  • After the software has installed, click Accept.
  • Click Custom Scan and check the option for Scan inside archives, then click Start.
  • The necessary databases will then be downloaded, and the scan will then start automatically. Please be patient as this scan will take a while to complete.
  • If any infections are found then once the scan has finished the "cleaning" screen will be displayed. Choose Automatic cleaning (recommended).
  • After cleaning has finished, then the Finish screen will be displayed. Choose Show Report.
  • In order to post the report, press CTRL+A on your keyboard to highlight all the text. Then copy and paste that information into this thread, along with a new HijackThis log.

nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating;
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760
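
As an added example (not code from this thread and not HijackThis's own), here is a small Python triage helper that applies the kinds of checks behind the lines nasdaq asked to have fixed above: an Internet Explorer page value left empty (R0/R1), a Browser Helper Object whose DLL is missing (O2), and the O20 AppInit_DLLs value. The sample log lines are copied from this thread's HijackThis logs.

```python
"""Triage helper for HijackThis (HJT) log lines.

Added example, not part of this thread and not HijackThis's own code. It
flags an IE page value left empty (R0/R1), a Browser Helper Object whose
DLL is gone (O2 ... "(file missing)") and the O20 AppInit_DLLs value, which
deserves a look because any DLL listed there is loaded into every process
that loads user32.dll. The sample lines are copied from the thread's logs.
"""
import re

# Sample input constructed from lines quoted in this thread.
SAMPLE_LOG = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aol.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O20 - AppInit_DLLs:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
End of file - 8966 bytes
"""

# Every HJT finding starts with a section code (R0, F1, N2, O2, O23, ...)
# followed by " - ". Header and footer lines do not match.
SECTION_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")


def parse_line(line):
    """Return (section, body) for an HJT finding, or None for any other line."""
    match = SECTION_RE.match(line.strip())
    if match is None:
        return None
    return match.group("section"), match.group("body")


def triage(log_text):
    """Return a list of (reason, original_line) for lines worth attention."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        section, body = parsed
        if section in ("R0", "R1") and body.rstrip().endswith("="):
            # "Local Page =" with nothing after it: an empty IE setting.
            findings.append(("empty Internet Explorer page value", raw))
        elif section == "O2" and body.endswith("(file missing)"):
            # The BHO is still registered but its DLL no longer exists.
            findings.append(("BHO registered but its DLL is missing", raw))
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            value = body[len("AppInit_DLLs:"):].strip()
            if value:
                # A populated value means a DLL is injected system-wide.
                findings.append(("AppInit_DLLs loads into every process: " + value, raw))
            else:
                findings.append(("empty AppInit_DLLs value", raw))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```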

#4 NobleTruths

NobleTruths

    Advanced Member

  • Helper Trainee+
  • 168 posts

Posted 04 April 2009 - 05:44 PM

Thank you, nasdaq.

Did as you instructed. Disabled SpySweeper, fixed 4 items on HJT, restarted comp, deleted 5 items from system32, already had CCleaner...so ran that. Then I re-enabled SpySweeper before connecting to the internet to go to f-secure. When I connected, once again I had a flurry of attempts (that were blocked) to go to sites like "cleancodec" and "checkjupitersatellites" and "childhe" (omg!!! is that child-porno??!!) dotcom or dotbiz. I quickly disabled my internet. It was SpySweeper that was blocking them. Is there some way that I can use comodo firewall to figure out where it is coming from?

Well, I restarted in safe mode, since those connections do not appear to be attempted there. I ran f-secure (with archives) and have this:

Scanning Report
Saturday, April 04, 2009 14:35:00 - 15:38:53
Computer name: YOUR-4105E587B6
Scanning type: Scan system for malware, rootkits
Target: C:\


--------------------------------------------------------------------------------

Result: 0 malware found

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 48143
System: 3632
Not scanned: 37
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 0
Submitted: 0
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 3.0.0
F-Secure Hydra: 3.8.9080, 2009-04-03
F-Secure AVP: 7.0.171, 2009-04-04
F-Secure Pegasus: 1.20.0, 1969-11-31
F-Secure Blacklight: 0.0.0
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Scan inside archives
Use Advanced heuristics


My new HJT is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:21:05 PM, on 4/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avcenter.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\COMODO\CBOClean\BOC427.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aol.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...n&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"
O4 - HKLM\..\Run: [ATIModeChange] "C:\WINDOWS\system32\Ati2mdxx.exe"
O4 - HKLM\..\Run: [Cpqset] "C:\Program Files\HPQ\Default Settings\cpqset.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [HPHmon05] "C:\WINDOWS\system32\hphmon05.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] "C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" /Start
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [AGRSMMSG] "C:\WINDOWS\AGRSMMSG.exe"
O4 - HKLM\..\Run: [SPC1300] "C:\WINDOWS\vspc1300.exe"
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [BOC-427] "C:\PROGRA~1\Comodo\CBOClean\BOC427.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [Window Washer] "C:\Program Files\Webroot\Washer\wwDisp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SmartRAM] "C:\Program Files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe" /m
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\RunOnce: [Index Washer] "C:\Program Files\Webroot\Washer\WashIdx.exe" "hp"
O4 - Global Startup: TrayMin1300.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Doyles Room Poker - {725E77D3-B919-4eef-8EEE-D09DE618B6C1} - C:\Microgaming\Poker\DoylesRoomMPP\MPPoker.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: CarbonPoker - {e4e8c758-34b4-44bb-8ef9-1f0786e81d2d} - C:\Documents and Settings\hp\Start Menu\Programs\CarbonPoker\CarbonPoker.lnk (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1130273142312
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.h...ctDetection.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\Skype4COM.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 8966 bytes


So whatever it is, it is still there. Also, I just enjoy learning new things.....what is REN99/REN98/REN97/SET84/SET83.tmp? The REN's had 0kb, but SET's had 8kb. And what is AppInit_DLLs? Thanks.

#5 NobleTruths

NobleTruths

    Advanced Member

  • Helper Trainee+
  • 168 posts

Posted 04 April 2009 - 05:48 PM

I'm sorry....forgot to add that the BeyondVR/ESI are components to a NeuroFeedback program on my comp. Those are safe, have had for years.

#6 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • 48,364 posts

Posted 05 April 2009 - 06:59 AM

So whatever it is, it is still there. Also, I just enjoy learning new things.....what is REN99/REN98/REN97/SET84SET83.tmp? The REN's had 0kb, but SET's had 8kb. And what is AppInit_DLLs? Thanks.


Look at the time stamp of the .tmp files. You will see what program created them.
As for AppInit_DLLs, it was an empty key in your Winlogon registry setting.
===

Go to Start > Run, type cmd and hit OK.
Type:
ipconfig /flushdns <-- (The space between g and / is needed)

Then hit Enter, type Exit, hit Enter.

Launch Notepad and copy/paste all of the lines below, from REGEDIT4 to the last bracketed key, into it.
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save

REGEDIT4
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]


Then, disconnect from the Internet!
Next,
Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.
Optional, if the following programs are on your computer:
Note that since the Domains are deleted, SpywareBlaster protection must be re-enabled, Spybot's Immunize feature must be used again, and you have to re-install IE-SpyAd if installed.
===

While you are disconnected from the internet, please run HijackThis and post the log. I really need to see a log while you are in normal mode.
nasdaq
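
As an added example (not from the thread), here is a Python preview of what the fixme.reg above does before it is merged. It assumes only the documented REGEDIT4 syntax: [-KEY] deletes a key and everything under it, [KEY] creates it empty if absent, and "name"=- deletes a value. Running it shows that all five ZoneMap keys are deleted and recreated empty, which is why the SpywareBlaster/Spybot immunization and IE-SpyAd have to be reapplied afterwards.

```python
"""Preview what a REGEDIT4 .reg file will do before merging it.

Added example, not part of this thread. In .reg syntax a bracketed key name
prefixed with "-" ([-HKEY...]) deletes that key and everything under it,
the same name without the "-" ([HKEY...]) creates it (empty) if it does not
exist, and a value line of the form "name"=- deletes that value. The text
below is the fixme.reg quoted in the post above.
"""
import re

# The fixme.reg from the thread, embedded so the preview runs offline.
FIXME_REG = r"""REGEDIT4
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]
"""

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
KEY_RE = re.compile(r"^\[(?P<delete>-?)(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?P<name>"[^"]+"|@)=(?P<data>.*)$')


def parse_reg(text):
    """Return a list of (operation, target) tuples in file order.

    operation is "delete_key", "create_key", "delete_value" or "set_value";
    target is the full key path (plus "\\name" for value operations).
    """
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("not a .reg file: missing REGEDIT4 header")
    ops = []
    current_key = None
    for line in lines[1:]:
        line = line.strip()
        if not line or line.startswith(";"):  # blank or comment line
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group("key")
            op = "delete_key" if key_match.group("delete") else "create_key"
            ops.append((op, current_key))
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current_key is not None:
            name = value_match.group("name").strip('"')
            op = "delete_value" if value_match.group("data") == "-" else "set_value"
            ops.append((op, current_key + "\\" + name))
    return ops


def summarize(ops):
    """Count operations by type, e.g. {"delete_key": 5, "create_key": 5}."""
    counts = {}
    for op, _ in ops:
        counts[op] = counts.get(op, 0) + 1
    return counts


def zonemap_keys_reset(ops):
    """Full paths of ZoneMap keys that are deleted and then recreated empty."""
    deleted = {k for op, k in ops if op == "delete_key"}
    created = {k for op, k in ops if op == "create_key"}
    return sorted(k for k in deleted & created if "\\ZoneMap\\" in k)


if __name__ == "__main__":
    operations = parse_reg(FIXME_REG)
    print(summarize(operations))
    for key in zonemap_keys_reset(operations):
        print("wiped and recreated empty:", key)
```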

#7 NobleTruths

NobleTruths

    Advanced Member

  • Helper Trainee+
  • 168 posts

Posted 05 April 2009 - 10:43 AM

Thank you, nasdaq.

Well, I have deleted those temp files, so I can't see who created them. But I remember that REN was created March 2009 (about the time of my problems) and SET was created in 2001.

OK, did all that you asked. Disconnected internet, restarted in normal mode, ran HJT. Got an error message:

An unexpected error has occurred at procedure: modMain_CheckOther1Item0
Error #70 - Permission Denied

The "0" after "Item" was elongated vertically, by the way.

Still did get this following report, however:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:59:58 AM, on 4/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\vspc1300.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\PROGRA~1\Comodo\CBOClean\BOC427.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe
C:\Program Files\Philips\Philips SPC1300NC Webcam\TrayMin1300.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aol.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...n&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"
O4 - HKLM\..\Run: [ATIModeChange] "C:\WINDOWS\system32\Ati2mdxx.exe"
O4 - HKLM\..\Run: [Cpqset] "C:\Program Files\HPQ\Default Settings\cpqset.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [HPHmon05] "C:\WINDOWS\system32\hphmon05.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] "C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" /Start
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [AGRSMMSG] "C:\WINDOWS\AGRSMMSG.exe"
O4 - HKLM\..\Run: [SPC1300] "C:\WINDOWS\vspc1300.exe"
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [BOC-427] "C:\PROGRA~1\Comodo\CBOClean\BOC427.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [Window Washer] "C:\Program Files\Webroot\Washer\wwDisp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SmartRAM] "C:\Program Files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe" /m
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - Global Startup: TrayMin1300.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Doyles Room Poker - {725E77D3-B919-4eef-8EEE-D09DE618B6C1} - C:\Microgaming\Poker\DoylesRoomMPP\MPPoker.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: CarbonPoker - {e4e8c758-34b4-44bb-8ef9-1f0786e81d2d} - C:\Documents and Settings\hp\Start Menu\Programs\CarbonPoker\CarbonPoker.lnk (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1130273142312
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.h...ctDetection.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\Skype4COM.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 9882 bytes


I did re-enable SpywareBlaster's protection, but I don't use the others you listed. I did not attempt to allow internet access in normal mode, until you direct me to. Are we at that point?

Also, FYI...these are my usual protective programs:

Comodo Firewall (free version)
Avira AntiVir (free version)
Comodo BOClean
Webroot AV (disabled) with AntiSpyware
SpywareBlaster
Advanced SystemCare 3 (free version)
Glary Utilities
Window Washer
CCleaner
MBAM (passive scanner)
HJT
GMER

Things downloaded for this purpose:

Spybot S&D
SAS
ComboFix
Rootkit Buster
The various online scanners that y'all use

Any concerns about what I have, or other advice would be appreciated. Thanks tons.
NO AMOUNT OF ENLIGHTENMENT
CAN ALTER THE WAY THINGS ARE.
IT IS OUR PERCEPTIONS,
NOT THE WORLD ITSELF,
THAT MUST BE TRANSFORMED.
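As an added example (not from the thread, and not HijackThis code), here is a small Python script that parses O4/O9/O20/O23 lines in the HijackThis format of the log above and prints review prompts: a service with no publisher string, a startup shortcut whose target HijackThis could not resolve, a Winlogon Notify DLL, and binaries living under a user profile or outside Program Files/Windows. The flags are review heuristics chosen for this example, not verdicts, and the sample lines are copied from the log above; nothing here is a new finding.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines in the HijackThis format of the log above.
# The paths are copied from that log; none of them is a new finding.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O4 - Global Startup: TrayMin1300.lnk = ?
O9 - Extra button: Doyles Room Poker - {725E77D3-B919-4eef-8EEE-D09DE618B6C1} - C:\Microgaming\Poker\DoylesRoomMPP\MPPoker.exe
O9 - Extra button: CarbonPoker - {e4e8c758-34b4-44bb-8ef9-1f0786e81d2d} - C:\Documents and Settings\hp\Start Menu\Programs\CarbonPoker\CarbonPoker.lnk (HKCU)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
"""

SECTION_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
# First drive-letter path on the line, ending at a common executable extension.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|lnk|sys|ocx|scr|bat|cab))', re.IGNORECASE)

# Roots assumed "expected" for this example; anything else gets a review flag.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\windows\\")
PROFILE_ROOTS = ("c:\\documents and settings\\",)


@dataclass
class Entry:
    section: str
    text: str
    path: Optional[str]
    flags: List[str]


def triage(section: str, rest: str, path: Optional[str]) -> List[str]:
    """Review prompts (heuristics chosen for this example, not HJT verdicts)."""
    flags = []
    low = (path or "").lower()
    if section == "O4" and rest.startswith("Global Startup") and rest.rstrip().endswith("= ?"):
        flags.append("startup shortcut with unresolved target")
    if section == "O23" and "Unknown owner" in rest:
        flags.append("service without publisher string")
    if section == "O20":
        flags.append("Winlogon Notify DLL loads at logon; verify publisher")
    if low.startswith(PROFILE_ROOTS):
        flags.append("binary lives under a user profile")
    elif path and not low.startswith(TRUSTED_ROOTS):
        flags.append("binary outside Program Files/Windows")
    return flags


def parse_hjt(log: str) -> List[Entry]:
    entries = []
    for line in log.splitlines():
        m = SECTION_RE.match(line.strip())
        if not m:
            continue  # header, footer or blank line
        section, rest = m.group(1), m.group(2)
        pm = PATH_RE.search(rest)
        path = pm.group(1) if pm else None
        entries.append(Entry(section, rest, path, triage(section, rest, path)))
    return entries


def flagged_entries(log: str) -> List[Entry]:
    return [e for e in parse_hjt(log) if e.flags]


if __name__ == "__main__":
    for e in flagged_entries(SAMPLE_LOG):
        print(f"{e.section}: {e.path or e.text}")
        for f in e.flags:
            print(f"    - {f}")
```

Run it as-is to see the report for the sample, or feed a saved log with parse_hjt(open(path).read()). A flag means "check the file's hash and publisher", nothing more: Ati2evxx.exe is flagged only because the log carries no owner string for it, and the SUPERAntiSpyware DLL only because every Winlogon Notify entry deserves a look.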

#8 NobleTruths

Posted 05 April 2009 - 11:11 AM

Here is a curiosity.......my other comp is exact same model as the one we are working on. Having no problems with it. HJT has none of the items we fix in my problem comp. However, the good comp also has REN tmp from March 22, 2009 (REN84.tmp, REN85.tmp, REN86.tmp). They have zero bytes, and it does not say who created them. The good comp does not have the SET tmp's. The good comp has all clean scans, but as we can see with my problem comp....that offers me little comfort. Should I post anything from it for you to review when we are done with the first one? Like you need more to do, I know....sorry.

#9 nasdaq

Posted 05 April 2009 - 12:59 PM

The time stamps of these files are listed in the ComboFix log, post no. 1.

2009-03-16 18:39 . 2009-03-16 18:39 0 --a------ c:\windows\system32\REN99.tmp
2009-03-16 18:39 . 2009-03-16 18:39 0 --a------ c:\windows\system32\REN98.tmp
2009-03-16 18:39 . 2009-03-16 18:39 0 --a------ c:\windows\system32\REN97.tmp

2009-03-07 16:42 . 2001-08-17 23:36 8,192 --a------ c:\windows\system32\SET84.tmp
2009-03-07 16:42 . 2001-08-17 23:36 8,192 --a------ c:\windows\system32\SET83.tmp

Your logs are clean.

If you have run the fix I gave you in my previous post see what you get if you reconnect.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider donating;
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#10 NobleTruths

Posted 05 April 2009 - 02:22 PM

No, I am still not clean. Again, got multiple warnings by Webroot......one to a site called 1987324dotcom. Bummer...and frustrating.

#11 nasdaq

Posted 06 April 2009 - 08:05 AM

Clean your Java Cache Folder
http://support.f-sec...javacache.shtml

Restart and, if you are still having a problem,

Disable your Java and JavaScript.

Use the example shown under Internet Explorer 6,

http://kb.iu.edu/data/ahqx.html

You may have to click the Apply button and restart the computer.

With these disabled, are you still being prompted to connect to bad sites?

#12 NobleTruths

Posted 06 April 2009 - 12:41 PM

Here is the update.

My Java cache is already empty, so went on to next step.

Could not disable Java and Script like the example under IE6 because my Custom Level doesn't have the following:

* Java: Scroll to the "Java" section (under "Java VM", under "Java permissions"). To disable Java, click Disable Java. To re-enable Java, click a different setting, such as High Safety or Medium Safety.

* JavaScript: Scroll to the "Active scripting" section of the list (under "Scripting") Click Disable or Enable.

So, I did it like the example under IE 7 or 8, which I was able to follow. But also interestingly, I had to do it under Safe Mode, because when I clicked the Manage Add-on under Normal Mode, it searched forever to populate the list of add-ons, and I had to finally close that out.

So, the add-ons that had to be disabled were:

JAVA Plug-in 1.6.0_07 ActiveX jp2iexp.dll
JAVA Plug-in 1.6.0_12 ActiveX jp2iexp.dll
JAVA Plug-in 1.6.0_12 ActiveX jp2iexp.dll
JAVA ™ Platform SE binary ActiveX jp2iexp.dll (not disabled, by the way)
JAVA ™ Plug-in 2SSV Helper BHO jp2ssv.dll
JQSIEStart Detector Impl Class BHO jqs_plugin.dll (not disabled, by the way)

I then disabled Java scripting, restarted the comp in normal mode, enabled the internet.....and had NO attempts to connect to bad sites. :D

So, I guess this means that whatever it is, it uses Java to accomplish its evil deeds, but now we need to figure out where it lives and how to kill it.

#13 nasdaq

Posted 06 April 2009 - 01:36 PM

Let's try two things.

First, search for all files with the .js extension.

In the Filename box type *.js
Look in the computer.
If you can, limit the search to files from the last 3 months.

Post any that look suspicious or dated since the beginning of your trouble.

Second, search all files (*.* in the file search box).

Search for these strings in the files.

dotcom and then dotbiz

Post the filenames if any are found.
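The search nasdaq describes above (recent .js files first, then a string search across all files), as an added Python example rather than anything from the thread or from the tools named in it. It builds a small constructed directory tree so it runs offline; point recent_files and files_containing at a real drive root to use it for real. The needles default to ".com" and ".biz", which is what "dotcom" and "dotbiz" stand for in the post, so expect plenty of benign hits for ".com", as the next post reports.

```python
import os
import tempfile
import time
from pathlib import Path
from typing import Dict, List, Sequence

DAY = 86400


def build_sample_tree() -> Path:
    """Constructed sample (not the poster's disk): a .js touched 5 days ago,
    a .js touched 200 days ago, a text log naming a .com host and a binary
    blob containing '.BIZ'. mtimes are set explicitly so the age filter is exercised."""
    root = Path(tempfile.mkdtemp(prefix="triage_"))
    now = time.time()

    recent = root / "jqs" / "overlay.js"
    recent.parent.mkdir(parents=True)
    recent.write_text("// recent file\n")
    os.utime(recent, (now - 5 * DAY, now - 5 * DAY))

    old = root / "ffjcext" / "ffjcext.js"
    old.parent.mkdir(parents=True)
    old.write_text("// old file\n")
    os.utime(old, (now - 200 * DAY, now - 200 * DAY))

    (root / "immudebug.log").write_text("could not immunize example.com\n")
    (root / "blob.bin").write_bytes(b"\x00\xff" * 8 + b"EXAMPLE.BIZ" + b"\x00")
    return root


def recent_files(root, suffix: str = ".js", days: int = 90) -> List[Path]:
    """Files with the given extension modified within the last `days` days."""
    cutoff = time.time() - days * DAY
    return sorted(p for p in Path(root).rglob(f"*{suffix}")
                  if p.is_file() and p.stat().st_mtime >= cutoff)


def files_containing(root, needles: Sequence[str] = (".com", ".biz"),
                     max_bytes: int = 50_000_000) -> Dict[Path, List[str]]:
    """Case-insensitive byte search, so binaries and odd encodings are covered.
    Files over max_bytes are skipped rather than read into memory."""
    wanted = [n.lower().encode() for n in needles]
    hits: Dict[Path, List[str]] = {}
    for p in Path(root).rglob("*"):
        if not p.is_file() or p.stat().st_size > max_bytes:
            continue
        data = p.read_bytes().lower()
        found = [n.decode() for n in wanted if n in data]
        if found:
            hits[p] = found
    return hits


if __name__ == "__main__":
    root = build_sample_tree()
    print("recent .js files:")
    for p in recent_files(root):
        print("   ", p, time.ctime(p.stat().st_mtime))
    print("files containing the search strings:")
    for p, found in sorted(files_containing(root).items()):
        print("   ", p, found)
```

Modification time is a weak signal on its own (an installer or a scanner can touch files, and malware can backdate them), which is why the string search runs over every file rather than only the recent ones.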

#14 NobleTruths

Posted 06 April 2009 - 04:03 PM

*.js search came up with:

overlay.js
C:\Program Files\Java\jre6\lib\deploy\jqs\ff\chrome\content
Modified 3-16-09
779 bytes

ffjcext.js
{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}/chrome/content/ffjcext
Modified 1-17-09

*.* search with dotcom and then dotbiz (using ".", of course) came up with a long list for the dotcom, which I could not figure out how to copy and paste. I did not see any blatant problems, but then I am not too skilled at this. Most seemed to be related to the recent scanning tools I have been using, others were for Windows updates or other well known applications. I did see an immudebug.log which listed IE websites that could not be immunized, but there was no indication what program created it. It is (perhaps very importantly) dated 3-17-09. Shortly after that date is when my problems started. There is also something called Windows\pchealth\helpctr\DataColl, but googling it seems to indicate that it is an OK thing. When I did the search with dotbiz, I only got four entries....something for ComboFix, back-ups for Spybot S&D, and the immudebug.log.

#15 NobleTruths

Posted 06 April 2009 - 04:35 PM

By the way, my AntiVir cannot scan Windows\system32\wrlzma.dll

When googled, sometimes it is OK and part of Webroot; other sites warn that it could be a trojan. Any thoughts on that? Thanks.

#16 NobleTruths

Posted 06 April 2009 - 09:45 PM

OK, more fun for you to digest. Even though I have SpySweeper with AV, I don't use the AV because of the conflict that can occur between different AV systems. Well, I disabled my AntiVir (in normal mode, without internet) and ran SpySweeper's antivirus sweep (because it is the one thing I have not done yet). Well, it found Trojan-Phisher-SaBanks.Gen in my registry (and deleted it). However, when it reached the "files" section, it slowed to a near halt after scanning about 6500 items. I restarted in safe mode, and ran it again. Now, it was able to zip through all my files without slowing down at all. It also found a hacktool ... App/PsExec-Gen (and deleted it). There were also several "corrupted" files identified, but not listed as threats, so not deleted. I then restarted in normal mode (still without internet), and almost instantly, AntiVir identified a trojan ..... TR/ATraps.Gen (deleted). I tried to run SpySweeper again, but it came to a crawl when it reached the 6500 item point again (Task Manager shows that it becomes unresponsive with brief bursts of activity). So now, I am running a thorough (EVERY file, etc., etc.) scan with AntiVir.

I have the logs of those scans, but don't want to connect to the internet (even in safe mode) to send them to you until my thorough AntiVir scan is complete, and until you tell me that it is safe, given those recently identified threats. I did an "all files" search for anything similar to PsExec.EFEXE, but found nothing.

In addition to "where do we go from here?", my next question is "what do you think is making my SpySweeper come to a halt in normal mode?" Thanks.

#17 NobleTruths

Posted 06 April 2009 - 09:47 PM

This might be silly for me to say, but please see my posts at the bottom of page one as well, thanks.

#18 nasdaq

Posted 07 April 2009 - 07:54 AM

This file in bold is part of Chrome.
/chrome/content/ffjcext/ffjcext.js

At that location this file may be bad.
Windows\system32\wrlzma.dll

Submit the file in bold to the following link for a scan, then post the results in your next message for me to see.
http://virusscan.jotti.org/
===

immudebug.log is created by Spybot - Search & Destroy.

===

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml
  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click the next icon next to the files found.
  • If so, click it and then click the next icon right below and select Move incurable.
    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured (in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web CureIt.
  • Reboot your computer!! It is possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.


#19 NobleTruths

Posted 07 April 2009 - 11:58 AM

wrlzma.dll is benign.


File: wrLZMA.dll
Status: OK
MD5: 99a2a10f4b671bd4817c25783750250a
Packers detected: -

Scanner results
Scan taken on 07 Apr 2009 13:43:01 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Quick Heal Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
*************


Did DrWeb CureIt, but could not perform the following:


*************
When the scan has finished, look if you can click next icon next to the files found:
If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:

This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
*************

because there was no icon next to the files, so I did not see that way to make things "moveable." However, I did click on "select all" at the bottom of the screen, then clicked "move" at the bottom of the screen. Unfortunately, it looks like only a few were actually moved to quarantaine. I don't know if ANY were actually cured. Please tell me if I need to do it manually. The file that DrWeb creates is in Excel, but I have to open it with Notepad, since my Excel is not active, but here it is:

***********
data015;C:\Program Files\Online Services\AOL90US;Archive contains infected objects;;

comp01.000;C:\Program Files\Online Services\AOL90US;Archive contains infected objects;Moved.;

stream001;C:\Program Files\Online Services\EarthLink\EarthLink Setup.exe/Windows\access;Archive contains infected objects;;

\Windows\access\EarthLink Setup.msi;C:\Program Files\Online Services\EarthLink\EarthLink Setup.exe/Windows\access;Archive contains infected objects;;

EarthLink Setup.exe;C:\Program Files\Online Services\EarthLink;Archive contains infected objects;Moved.;

stream001;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP993\A0172533.exe/Windows\access;Archive contains infected objects;;

\Windows\access\EarthLink Setup.msi;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP993\A0172533.exe/Windows\access;Archive contains infected objects;;

A0172533.exe;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP993;Archive contains infected objects;Moved.;

A0171130.bat;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP989;Probably BATCH.Virus;Moved.;

comp01.000/data015\data386;C:\Program Files\Online Services\AOL90US\comp01.000/data015;Probably DLOADER.Trojan;;

EarthLink Setup.msi/stream001\uninstll.exe;C:\Program Files\Online Services\EarthLink\EarthLink Setup.exe/Windows\access\EarthLink Setup.msi/stream001;Probably STPAGE.Trojan;;

EarthLink Setup.msi/stream001\uninstll.exe;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP993\A0172533.exe/Windows\access\EarthLink Setup.m;Probably STPAGE.Trojan;;

Process.exe;C:\MGtools;Tool.Prockill;Moved.;
*************

Also, here are the logs from my SpySweeper scans from last night:

*************
4/6/2009 6:43:36 PM: Removal process completed. Elapsed time 00:00:03
4/6/2009 6:43:33 PM: Quarantining All Traces: trojan-phisher-sabanks.gen
4/6/2009 6:43:32 PM: Removal process initiated
4/6/2009 6:43:11 PM: Sweep Status: 1 Item Found
4/6/2009 6:43:10 PM: Traces Found: 2
4/6/2009 6:43:10 PM: File Sweep Complete, Elapsed Time: 00:09:45
4/6/2009 6:43:09 PM: Sweep Cancelled
4/6/2009 6:33:25 PM: Starting File Sweep
4/6/2009 6:33:24 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
4/6/2009 6:33:24 PM: Starting Cookie Sweep
4/6/2009 6:33:23 PM: Registry Sweep Complete, Elapsed Time:00:00:19
4/6/2009 6:33:20 PM: HKU\S-1-5-21-1377587462-1623373947-4152686580-1007\software\microsoft\ms setup (acme)\ (ID = 1212056)
4/6/2009 6:33:19 PM: HKU\WRSS_Profile_S-1-5-21-1377587462-1623373947-4152686580-1008\software\microsoft\ms setup (acme)\ (ID = 1212056)
4/6/2009 6:33:19 PM: Found Trojan Horse: trojan-phisher-sabanks.gen
4/6/2009 6:33:03 PM: Starting Registry Sweep
4/6/2009 6:33:03 PM: Memory Sweep Complete, Elapsed Time: 00:02:45
4/6/2009 6:30:17 PM: Starting Memory Sweep
4/6/2009 6:30:12 PM: Start Full Sweep
4/6/2009 6:30:12 PM: Sweep initiated using definitions version 1421
4/6/2009 6:28:22 PM: Informational: ShieldEmail: Start monitoring port 25 for mail activities
4/6/2009 6:28:22 PM: Informational: ShieldEmail: Start monitoring port 110 for mail activities
4/6/2009 6:28:12 PM: Informational: Loaded AntiVirus Engine: 2.84.1; SDK Version: 4.39E; Virus Definitions: 04/06/2009 22:58:14 (GMT)
4/6/2009 6:26:52 PM: License Check Status (0): Success
4/6/2009 6:26:42 PM: Webroot Software 6.1.0.107 started
4/6/2009 6:26:42 PM: | Start of Session, Monday, April 06, 2009



4/6/2009 8:11:19 PM: Traces Found: 2
4/6/2009 8:11:19 PM: Full Sweep has completed. Elapsed time 00:57:56
4/6/2009 8:11:18 PM: File Sweep Complete, Elapsed Time: 00:55:41
4/6/2009 8:07:50 PM: Warning: Corrupt Archive: C:\MSOCache\All Users\90000409-6000-11D3-8CFE-0150048383C9\YH561411.CAB
4/6/2009 8:06:24 PM: Warning: Corrupt Archive: C:\Program Files\HP\Digital Imaging\{0FABD3D7-3036-4e78-B29D-58957ADB0A12}\Product\1100.cab
4/6/2009 8:06:23 PM: Warning: Corrupt Archive: C:\Program Files\HP\Digital Imaging\{0FABD3D7-3036-4e78-B29D-58957ADB0A12}\Product\1000.cab
4/6/2009 8:06:06 PM: Warning: Corrupt Archive: C:\Program Files\Quicken\Deluxe\delux001.cab
4/6/2009 8:06:00 PM: Warning: Corrupt Archive: C:\Program Files\Quicken\Premier\premi001.cab
4/6/2009 8:05:40 PM: Warning: Corrupt Archive: C:\Program Files\Quicken\HAB\hab__001.cab
4/6/2009 8:02:29 PM: Warning: Corrupt Archive: C:\Program Files\Microsoft Money\System\mode1.cab
4/6/2009 7:58:23 PM: Warning: Corrupt Archive: C:\SWSetup\Quicken\custom\program\Premier\premi001.cab
4/6/2009 7:58:16 PM: Warning: Corrupt Archive: C:\SWSetup\Quicken\custom\program\HaB\hab__001.cab
4/6/2009 7:58:11 PM: Warning: Corrupt Archive: C:\SWSetup\Quicken\custom\program\Deluxe\delux001.cab
4/6/2009 7:52:42 PM: Warning: Corrupt Archive: C:\MGlogs.zip
4/6/2009 7:52:29 PM: Warning: Corrupt Archive: C:\Program Files\HP\Digital Imaging\{0FABD3D7-3036-4e78-B29D-58957ADB0A12}\Product\2150.cab
4/6/2009 7:52:27 PM: Warning: Corrupt Archive: C:\Program Files\HP\Digital Imaging\{0FABD3D7-3036-4e78-B29D-58957ADB0A12}\Product\2170.cab
4/6/2009 7:52:26 PM: Warning: Corrupt Archive: C:\Program Files\HP\Digital Imaging\{0FABD3D7-3036-4e78-B29D-58957ADB0A12}\Product\2200.cab
4/6/2009 7:52:24 PM: Warning: Corrupt Archive: C:\Program Files\HP\Digital Imaging\{0FABD3D7-3036-4e78-B29D-58957ADB0A12}\Product\2300.cab
4/6/2009 7:52:22 PM: Warning: Corrupt Archive: C:\Program Files\HP\Digital Imaging\{0FABD3D7-3036-4e78-B29D-58957ADB0A12}\Product\2400.cab
4/6/2009 7:52:21 PM: Warning: Corrupt Archive: C:\Program Files\HP\Digital Imaging\{0FABD3D7-3036-4e78-B29D-58957ADB0A12}\Product\2500.cab
4/6/2009 7:52:19 PM: Warning: Corrupt Archive: C:\Program Files\HP\Digital Imaging\{0FABD3D7-3036-4e78-B29D-58957ADB0A12}\Product\4100.cab
4/6/2009 7:52:18 PM: Warning: Corrupt Archive: C:\Program Files\HP\Digital Imaging\{0FABD3D7-3036-4e78-B29D-58957ADB0A12}\Product\4105.cab
4/6/2009 7:52:16 PM: Warning: Corrupt Archive: C:\Program Files\HP\Digital Imaging\{0FABD3D7-3036-4e78-B29D-58957ADB0A12}\Product\4200.cab
4/6/2009 7:52:14 PM: Warning: Corrupt Archive: C:\Program Files\HP\Digital Imaging\{0FABD3D7-3036-4e78-B29D-58957ADB0A12}\Product\5500.cab
4/6/2009 7:52:13 PM: Warning: Corrupt Archive: C:\Program Files\HP\Digital Imaging\{0FABD3D7-3036-4e78-B29D-58957ADB0A12}\Product\6100.cab
4/6/2009 7:51:55 PM: Warning: Corrupt Archive: C:\Program Files\HP\Digital Imaging\{0FABD3D7-3036-4e78-B29D-58957ADB0A12}\Product\1310.cab
4/6/2009 7:51:53 PM: Warning: Corrupt Archive: C:\Program Files\HP\Digital Imaging\{0FABD3D7-3036-4e78-B29D-58957ADB0A12}\Product\1300.cab
4/6/2009 7:51:52 PM: Warning: Corrupt Archive: C:\Program Files\HP\Digital Imaging\{0FABD3D7-3036-4e78-B29D-58957ADB0A12}\Product\2100.cab
4/6/2009 7:51:48 PM: Warning: Corrupt Archive: C:\Program Files\HP\Digital Imaging\{0FABD3D7-3036-4e78-B29D-58957ADB0A12}\Product\1200.cab
4/6/2009 7:51:46 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [C:\Documents and Settings\All Users\Application Data\Spybot - Search Destroy\Recovery\SpyHunter1.zip]
4/6/2009 7:51:46 PM: Warning: Corrupt Archive: C:\Documents and Settings\All Users\Application Data\Spybot - Search Destroy\Recovery\SpyHunter1.zip
4/6/2009 7:51:46 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [C:\Documents and Settings\All Users\Application Data\Spybot - Search Destroy\Recovery\SpyHunter.zip]
4/6/2009 7:51:46 PM: Warning: Corrupt Archive: C:\Documents and Settings\All Users\Application Data\Spybot - Search Destroy\Recovery\SpyHunter.zip
4/6/2009 7:51:22 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [C:\Documents and Settings\hp\Application Data\GlarySoft\Glary Utilities\Backups\39888.7717881944]
4/6/2009 7:51:22 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [C:\Documents and Settings\hp\Application Data\GlarySoft\Glary Utilities\Backups\39888.7717881944]
4/6/2009 7:50:43 PM: C:\Documents and Settings\hp\Desktop\ComboFix.exe (ID = 0)
4/6/2009 7:50:42 PM: C:\Documents and Settings\hp\Desktop\ComboFix.exe (ID = 0)
4/6/2009 7:50:41 PM: Found App/PsExec-Gen: App/PsExec-Gen
4/6/2009 7:31:01 PM: Warning: AntiVirus engine for IFO returned [WL] on [C:\WINDOWS\NIRCMD.exe]
4/6/2009 7:19:45 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [C:\Documents and Settings\hp\Application Data\GlarySoft\Glary Utilities\Backups\39891.0634277315]
4/6/2009 7:16:15 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [C:\Documents and Settings\hp\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 03-19-2009 - 13-20-31.SBU]
4/6/2009 7:15:37 PM: Starting File Sweep
4/6/2009 7:15:36 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
4/6/2009 7:15:36 PM: Starting Cookie Sweep
4/6/2009 7:15:35 PM: Registry Sweep Complete, Elapsed Time:00:00:25
4/6/2009 7:15:09 PM: Starting Registry Sweep
4/6/2009 7:15:09 PM: Memory Sweep Complete, Elapsed Time: 00:01:42
4/6/2009 7:13:27 PM: Starting Memory Sweep
4/6/2009 7:13:22 PM: Start Full Sweep
4/6/2009 7:13:22 PM: Sweep initiated using definitions version 1421
4/6/2009 7:13:10 PM: Informational: Loaded AntiVirus Engine: 2.84.1; SDK Version: 4.39E; Virus Definitions: 04/06/2009 22:58:14 (GMT)
4/6/2009 7:12:55 PM: License Check Status (0): Success
4/6/2009 7:12:36 PM: Webroot Software 6.1.0.107 started
4/6/2009 7:12:36 PM: | Start of Session, Monday, April 06, 2009
**************



If and when you want me to open internet in normal mode, please tell me if you want me to re-enable all the Java functions.
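Added example (not from the thread, and not Dr.Web code): the DrWeb.csv report above is semicolon-separated (object;location;verdict;action;), so it is easy to answer the question asked in this post, namely which findings were actually moved to quarantine and which were not. In the report above, rows with a "/" in the path are objects inside an archive and carry no action of their own while their container shows "Moved.", so the script treats those as nested; rows under System Volume Information are copies inside System Restore points, which no scanner can clean in place; the "Tool." verdict prefix (Tool.Prockill above) is reported separately. The classification rules are this example's assumptions, and the sample rows are copied from the report above.

```python
import csv
import io
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

RESTORE_PREFIX = "c:\\system volume information\\_restore"

# Constructed sample in the layout of the DrWeb.csv pasted above
# (object;location;verdict;action;). Rows are copied from that report.
SAMPLE_CSV = r"""
data015;C:\Program Files\Online Services\AOL90US;Archive contains infected objects;;
comp01.000;C:\Program Files\Online Services\AOL90US;Archive contains infected objects;Moved.;
A0171130.bat;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP989;Probably BATCH.Virus;Moved.;
comp01.000/data015\data386;C:\Program Files\Online Services\AOL90US\comp01.000/data015;Probably DLOADER.Trojan;;
Process.exe;C:\MGtools;Tool.Prockill;Moved.;
"""


@dataclass
class Finding:
    name: str
    location: str
    verdict: str
    action: str
    status: str          # quarantined | nested | unactioned
    restore_point: bool  # copy held inside a System Restore point
    tool: bool           # Dr.Web "Tool." prefix, as on the Tool.Prockill row above


def classify(name: str, location: str, action: str) -> str:
    if action == "Moved.":
        return "quarantined"
    if "/" in name or "/" in location:
        # '/' marks a path inside an archive; the container row shows what happened
        return "nested"
    return "unactioned"


def parse_report(text: str) -> List[Finding]:
    findings = []
    for row in csv.reader(io.StringIO(text), delimiter=";"):
        if len(row) < 4 or not row[0].strip():
            continue  # blank line or malformed row
        name, location, verdict, action = (c.strip() for c in row[:4])
        findings.append(Finding(
            name, location, verdict, action,
            classify(name, location, action),
            location.lower().startswith(RESTORE_PREFIX),
            verdict.startswith("Tool."),
        ))
    return findings


def summarize(text: str) -> Dict[str, object]:
    """Counts per status plus the lists a helper actually wants to see."""
    findings = parse_report(text)
    return {
        "counts": dict(Counter(f.status for f in findings)),
        "needs_attention": [f.name for f in findings if f.status == "unactioned"],
        "restore_point": [f.name for f in findings if f.restore_point],
        "tools": [f.name for f in findings if f.tool],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_CSV).items():
        print(f"{key}: {value}")
```

To run it on a saved report use summarize(open("DrWeb.csv", encoding="cp1252", errors="replace").read()); the encoding is an assumption, since Dr.Web's CSV encoding is not stated anywhere in the thread. "needs_attention" lists rows with no action at all, which is where a manual move or a second scan would start.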

#20 nasdaq

Posted 07 April 2009 - 12:17 PM

Rename wrlzma.dll to [/b]wrlzma.dll.old]

Windows\system32\wrlzma.dll

Restart in Safe mode.
If all is well and you do not get any errors from an application restart in normal mode and see if the problem persists.

#21 NobleTruths

Posted 07 April 2009 - 12:37 PM

nasdaq, you have two closed brackets ( "]" ) in your string, but only one open bracket ( "[" ). Is that accurate? Also, my computer tells me that a file name cannot contain the character "/". Please clarify for me, thanks.

#22 NobleTruths

Posted 07 April 2009 - 02:56 PM

OK, not good news. Since renaming the file just means that the parent program can't access it, I chose to go with [[b]wrlzma.dll.old]. Restarted in safe mode, everything still worked. Could still sweep with SpySweeper. Restarted in normal mode, everything still looked good. Swept with SpySweeper, still bogs down at about the 6500 item mark, for some unknown reason, but at least that is not new. Java plug-ins are still disabled, but the Java Platform SE ActiveX and JQSIE Start Detector BHO are both still active. Enabled internet, and the flurry of attempts to connect to bad sites started. CRAP

I found this when I was googling:

*********
The Solution: Webroot tech support reponded two days later with a solution:

“The WRConsumerService.exe, and WRUtil.exe. do not need to be added to your firewall to get our software updates. Also the wrzlma.dll is a false positive by McAfee’s software and is actually an older .dll so I would suggest updating to our latest version and this should clear up the issue you are experiencing. I will include instructions on how to uninstall the software and reinstall below. I will also be sending you download instructions from ‘Webroot Sales’.”
*********

So it is an older .dll, maybe one I can delete anyway? But also, it is NOT in the program files for Webroot, but rather in the Windows system folder......which does not seem right. In addition, since my problem is still there, does that mean DrWeb didn't cure what it found? Or is it just that DrWeb did not find my problem? And why did the flurry happen now when it did not happen shortly after disabling the Java plug-ins a couple of days ago? I know there is no clear answer at this point, I am just pondering e-loud.

#23 nasdaq

Posted 07 April 2009 - 03:55 PM

Hi,

I'm checking with the other helpers in the forum to find out what I cannot see.

Stay with me.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#24 NobleTruths
Advanced Member, Helper Trainee+, 168 posts

Posted 07 April 2009 - 04:14 PM

OK, thank you.....I am very patient by nature, lol.

#25 nasdaq
Forum Deity, Global Moderator, 48,364 posts

Posted 08 April 2009 - 07:06 AM

Two members are suggesting this.

looks like a bug with an older version of SpySweeper... I recommend telling the user to update their version of SpySweeper, or if they do not use it anymore, to uninstall it.



#26 NobleTruths
Advanced Member, Helper Trainee+, 168 posts

Posted 08 April 2009 - 07:33 PM

Hello, nasdaq.

Was out of the house all day today. I am going to try several permutations with SpySweeper, like deleting wrlzma.dll, re-enabling internet, then a next step if bad web attempts are made. I am running the most current version, already checked that. But I don't rule out the possibility of a bug in the system. By the way, I ran a second DrWeb, and it is clean except for my System Volume Restore (one item...prockill).....and I still have those initial items in DrWeb's quarantine. My SpySweeper subscription expires this month, and I don't use it for antivirus protection anyway....just sweeping.

My current defenses are as listed in an earlier post:

Comodo Firewall (free version)
Avira AntiVir (free version)
Comodo BOClean
Webroot AV (disabled) with AntiSpyware
SpywareBlaster
Advanced SystemCare 3 (free version)
Glary Utilities
Window Washer
CCleaner
MBAM (passive scanner)
HJT
GMER

Things downloaded for this purpose, and should I keep any of these?:

Spybot S&D
SAS
ComboFix
Rootkit Buster
The various online scanners that y'all use



If I do continue to have problems, and go ahead and uninstall SpySweeper, do you have a replacement you could recommend that will offer the same type of protection? Since my SpySweeper has been alerting me to the attempts to connect to bad sites, I want to make sure I am still covered in that way. Will SpywareBlaster offer that since it immunizes you against such connections?

I will keep you updated with my "experiment." I await your answer(s) to my above questions. Thank you.

#27 nasdaq
Forum Deity, Global Moderator, 48,364 posts

Posted 09 April 2009 - 07:40 AM

Things downloaded for this purpose, and should I keep any of these?:

Spybot S&D
SAS
ComboFix
Rootkit Buster
The various online scanners that y'all use



Time for some housekeeping
The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

Delete the fixme.reg file.

Delete these.
SAS
Rootkit Buster.

Any remnant item created by Online scanner can be deleted.
====

Take a look at this page created by miekiemoes, one of the Global Moderators here, on slow systems, and some things you can try to do to try to improve it:
http://users.telenet...owcomputer.html
Pay attention to section 2.

#28 NobleTruths
Advanced Member, Helper Trainee+, 168 posts

Posted 09 April 2009 - 04:16 PM

Well, nasdaq, finally something positive to report, lol. First, I deleted wrlzma.dll, but kept having the same problem. So then I started deleting all files and programs that I no longer use, and deleted all quarantine files. I also scrubbed all free space on my computer. Re-enabled internet, and had no problems. Still having no problems today. My SpySweeper still crawls to a halt in normal mode, but does fine in safe mode, and finds nothing. So there is a problem, and I will go forward with its removal. I am figuring that is why you did not tell me to delete Spybot S&D with the others. I also figure that I should use TeaTimer, correct?

I am also wanting to install Firefox as a browser. Are Comodo firewall, S&D with TeaTimer, Avira AntiVir, and BOClean all compatible together, and do they all work with Firefox? I know SpywareBlaster does.

Finally, is there a tool I can use to make sure that I did not cause problems running a registry cleaner? I now know that was not such a wise idea. Thanks a lot.

#29 nasdaq
Forum Deity, Global Moderator, 48,364 posts

Posted 10 April 2009 - 07:55 AM

I am also wanting to install Firefox as a browser. Are Comodo firewall, S&D with TeaTimer, Avira AntiVir, and BOClean all compatible together, and do they all work with Firefox? I know SpywareBlaster does.


These tools should work with Firefox; however, I'm not sure whether Avira AntiVir and BOClean together are slowing your system down. You can try to disable one of them and see if your performance is better. If not, then keep both.


Finally, is there a tool I can use to make sure that I did not cause problems running a registry cleaner? I now know that was not such a wise idea. Thanks a lot.

I'm afraid not. What has been deleted is gone. You will find out soon if some important files or registry keys are missing, when a program starts running in an unusual manner.

#30 nasdaq
Forum Deity, Global Moderator, 48,364 posts

Posted 24 April 2009 - 08:13 AM

Glad we could help. :)

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.