Jump to content


Photo

pc extremely slow on startup


  • This topic is locked This topic is locked
26 replies to this topic

#1 blmer2

blmer2

    Advanced Member

  • Full Member
  • PipPipPip
  • 192 posts

Posted 07 June 2009 - 10:11 PM

Hello all,

For the past few weeks or so my computer has been extremely slow starting up. It can take 6 or 7 minutes or longer just to initialize, and at times another minute or two to start up firefox. Other programs, such as excel or even windows explorer can also be slow to open up, when I have firefox running. Also, it does sound like my hard drive is running a lot of the time. Occasionally, my mouse cursor will switch to the hourglass as if something is being done although I'm not doing anything in particular at the time.

A couple of days ago, I ran a malwarebytes and spybot scan and neither found anything. But I still wonder if I have some sort of malware problem. I am using Spybot, Avast antivirus and Comodo firewall.

I did have a similar problem about a year ago and came here and got some things cleared up, although I can't remember what the problems were. The problem was fixed, in any event. I suppose it also could be just my computer getting old. It's pretty ancient in computer years.

I ran hijack this and will attach the log. I did notice a couple of items on there referring to things I thought I got rid of, Winamp and google updater, specifically. I tried winamp but couldn't get it set up, and quit. And I tried to update google earth for google ocean, but it wouldn't run. I thought I got rid of both programs, though I kept google earth.

Anyway, here's the log.

Thank you in advance for your help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:17:30 PM, on 06/07/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\de_m_rec\spyware_stuff\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\de_m_rec\spyware_stuff\hijackthis\HiJackThis_july08\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\de_m_rec\SPYWAR~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\de_m_rec\spyware_stuff\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\de_m_rec\SPYWAR~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\de_m_rec\SPYWAR~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .qt: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {49E71DB9-E803-43BA-AF81-1CAF61A6C4CB} (F-Secure Online Scanner 3.2) - http://support.f-sec.../beta/fscax.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1183915602421
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1183915592905
O20 - AppInit_DLLs:
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Google Update Service (gupdate1c99a2b3bbcf8e2) (gupdate1c99a2b3bbcf8e2) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 6119 bytes

#2 SWI Support Robot

SWI Support Robot

    Helper robot

  • SWI Bot
  • PipPipPipPipPip
  • 23,533 posts

Posted 10 June 2009 - 10:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,318 posts

Posted 16 June 2009 - 07:53 AM

Sorry for this delay. We had a server problem but are now back online.

If you still need help please submit a fresh HijackThis log.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#4 blmer2

blmer2

    Advanced Member

  • Full Member
  • PipPipPip
  • 192 posts

Posted 16 June 2009 - 11:44 AM

Hello,

Thanks for helping. I figured it all got caught up in the database problems.

I believe I still need help, nothing has really changed. But there were a couple of other incidents in the meantime that caught my attention.

One time I came in when the computer had been sitting idle for a few minutes, but connected to the internet, and there was a pop-up message that virtual memory was low and being increased. This was even though there was nothing being done at the time.

A different time I was on the internet but not installing anything, and hadn't recently done so, when my firewall popped up a message that it had been in installation mode and asked if I wanted to stay in installation mode or switch back.

I don't know if there's any significance to either of these, but I don't recall them happening before.

Anyway, I ran hijack this again and will post the log.

Thanks again for your help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:21:11 AM, on 06/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\de_m_rec\spyware_stuff\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\de_m_rec\spyware_stuff\hijackthis\Hijackthis_june09\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common

Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\de_m_rec\SPYWAR~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program

Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\de_m_rec\spyware_stuff\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\de_m_rec\SPYWAR~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} -

C:\de_m_rec\SPYWAR~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .qt: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {49E71DB9-E803-43BA-AF81-1CAF61A6C4CB} (F-Secure Online Scanner 3.2) - http://support.f-sec.../beta/fscax.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -

http://www.update.mi...b?1183915602421
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -

http://www.update.mi...b?1183915592905
O20 - AppInit_DLLs:
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Google Update Service (gupdate1c99a2b3bbcf8e2) (gupdate1c99a2b3bbcf8e2) - Google Inc. - C:\Program

Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 6120 bytes

#5 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,318 posts

Posted 16 June 2009 - 02:36 PM

Print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
  • Run Spybot-S&D
  • Go to the Mode menu , and make sure "Advanced Mode " is selected
  • On the left hand side, choose Tools -> Resident
  • Uncheck "Resident TeaTimer " and OK any prompts
  • Restart your computer.
When everything is done and your log is clean again, you can enable it again.
If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

Please don't forget this step to disable teatimer.
Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

O20 - AppInit_DLLs:

Click on Fix Checked when finished and exit HijackThis.

Restart the computer normally.
+++

Download random's system information tool (RSIT) by random/random from >>here<< and save it to your desktop.
  • Double click on RSIT.exe to launch program.
  • Click Continue at the disclaimer screen.
  • Your firewall may alert you that RSIT is requesting Internet access. Please allow it.
  • Once it has finished, two logs will open: log.txt<-- this will be maximized and info.txt<-- this will be minimized.

These reports are long, please post the contents of both logs (in separate post) in your next reply.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#6 blmer2

blmer2

    Advanced Member

  • Full Member
  • PipPipPip
  • 192 posts

Posted 17 June 2009 - 11:20 AM

Hello,

Thank you for your help.

I ran hijack this and fixed the one entry, after turning off tea timer.

I also ran the RSIT tool. I'll attach the log.txt file in this reply and do another reply with the info.txt file.

Here is the first file.

Logfile of random's system information tool 1.06 (written by random/random)
Run by --- at 2009-06-17 10:58:22
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 9 GB (49%) free of 19 GB
Total RAM: 255 MB (40% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:59:50 AM, on 06/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Documents and Settings\Dwain\Desktop\RSIT.exe
C:\de_m_rec\spyware_stuff\hijackthis\Hijackthis_june09\Dwain.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\de_m_rec\SPYWAR~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\de_m_rec\SPYWAR~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} -

C:\de_m_rec\SPYWAR~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .qt: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {49E71DB9-E803-43BA-AF81-1CAF61A6C4CB} (F-Secure Online Scanner 3.2) - http://support.f-sec.../beta/fscax.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -

http://www.update.mi...b?1183915602421
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -

http://www.update.mi...b?1183915592905
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Google Update Service (gupdate1c99a2b3bbcf8e2) (gupdate1c99a2b3bbcf8e2) - Google Inc. - C:\Program

Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 5972 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Google Software Updater.job
C:\WINDOWS\tasks\GoogleUpdateTaskMachine.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\de_m_rec\SPYWAR~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll [2009-03-28 668656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{327C2873-E90D-4c37-AA9D-10AC9BABA46C} - Easy-WebPrint - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll [2004-08-26 405504]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"=C:\WINDOWS\BCMSMMSG.exe [2003-08-29 122880]
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [2009-02-05 81000]
"COMODO Firewall Pro"=C:\Program Files\COMODO\Firewall\cfp.exe [2009-02-26 1851128]
"WinampAgent"=C:\Program Files\Winamp\winampa.exe []
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2009-01-01 185872]
"COMODO Internet Security"=C:\Program Files\COMODO\Firewall\cfp.exe [2009-02-26 1851128]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"=C:\Program Files\Microsoft Works\WkDetect.exe []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0baef21f-2972-11de-8a7b-0008a1240be1}]
shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c6501e82-e59c-11dd-8970-0008a1240be1}]
shell\AutoRun\command - F:\LaunchU3.exe -a


======File associations======

.reg - open - regedit.exe "%1" %*
.scr - open - "%1" %*

======List of files/folders created in the last 1 months======

2009-06-17 10:58:22 ----D---- C:\rsit
2009-06-09 14:24:47 ----D---- C:\baby_pictures

======List of files/folders modified in the last 1 months======

2009-06-17 10:57:56 ----D---- C:\WINDOWS\Prefetch
2009-06-17 10:50:30 ----AD---- C:\WINDOWS\Temp
2009-06-17 10:36:08 ----D---- C:\WINDOWS\system32\CatRoot2
2009-06-17 10:35:52 ----SD---- C:\WINDOWS\Tasks
2009-06-16 22:48:19 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-06-16 21:46:55 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-16 17:50:38 ----D---- C:\WINDOWS
2009-06-16 17:49:36 ----D---- C:\Documents and Settings\All Users\Application Data\Google Updater
2009-06-14 18:17:04 ----AD---- C:\WINDOWS\SYSTEM32
2009-06-14 17:52:31 ----D---- C:\Documents and Settings\Dwain\Application Data\Canon
2009-06-13 10:09:23 ----D---- C:\WINDOWS\system32\DRIVERS
2009-06-13 10:01:58 ----SHD---- C:\WINDOWS\Installer
2009-06-13 10:00:28 ----D---- C:\Program Files\Google
2009-06-12 21:51:00 ----D---- C:\Program Files\Mozilla Firefox
2009-06-07 16:32:19 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Aavmker4;avast! Asynchronous Virus Monitor; C:\WINDOWS\system32\drivers\Aavmker4.sys [2009-02-05 26944]
R1 aswSP;avast! Self Protection; C:\WINDOWS\system32\drivers\aswSP.sys [2009-02-05 114768]
R1 aswTdi;avast! Network Shield Support; C:\WINDOWS\system32\drivers\aswTdi.sys [2009-02-05 51376]
R1 Cdr4_xp;Cdr4_xp; C:\WINDOWS\system32\drivers\Cdr4_xp.sys [2007-03-07 9336]
R1 Cdralw2k;Cdralw2k; C:\WINDOWS\system32\drivers\Cdralw2k.sys [2007-03-07 9464]
R1 cdudf_xp;cdudf_xp; C:\WINDOWS\system32\drivers\cdudf_xp.sys [2002-04-10 236032]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver; C:\WINDOWS\System32\DRIVERS\cmdguard.sys [2009-02-26 110992]
R1 cmdHlp;COMODO Firewall Pro Helper Driver; C:\WINDOWS\System32\DRIVERS\cmdhlp.sys [2009-02-20 24336]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 pwd_2k;pwd_2k; C:\WINDOWS\system32\drivers\pwd_2k.sys [2002-04-10 117898]
R1 UdfReadr_xp;UdfReadr_xp; C:\WINDOWS\system32\drivers\UdfReadr_xp.sys [2002-04-10 206336]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2001-08-18 12032]
R2 aswFsBlk;aswFsBlk; C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
R2 aswMon2;avast! Standard Shield Support; C:\WINDOWS\system32\drivers\aswMon2.sys [2009-02-05 94032]
R3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2002-04-01 4816]
R3 aswRdr;aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [2009-02-05 23152]
R3 ati2mtaa;ati2mtaa; C:\WINDOWS\System32\DRIVERS\ati2mtaa.sys [2002-04-08 295168]
R3 BCMModem;BCM V.92 56K Modem; C:\WINDOWS\System32\DRIVERS\BCMSM.sys [2003-08-29 1101696]
R3 DM9102;DAVICOM 9102(A) PCI Fast Ethernet Based NT Driver; C:\WINDOWS\System32\DRIVERS\DM9PCI5.SYS [2001-08-17 29696]
R3 mmc_2K;mmc_2K; C:\WINDOWS\system32\drivers\mmc_2K.sys [2002-04-10 29638]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2001-08-18 5888]
R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2002-05-28 500568]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB Root Hub (usbport); C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2008-04-13 25856]
R3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2008-04-13 15104]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S1 P3;Intel PentiumIII Processor Driver; C:\WINDOWS\System32\DRIVERS\p3.sys [2008-04-13 42752]
S3 ati2mpaa;ati2mpaa; C:\WINDOWS\System32\DRIVERS\ati2mpaa.sys [2001-08-17 281856]
S3 bvrp_pci;bvrp_pci; C:\WINDOWS\system32\drivers\bvrp_pci.sys []
S3 dvd_2K;dvd_2K; C:\WINDOWS\system32\drivers\dvd_2K.sys [2002-04-10 24554]
S3 EL90XBC;3Com EtherLink XL 90XB/C Adapter Driver; C:\WINDOWS\System32\DRIVERS\el90xbc5.sys [2001-08-17 66591]
S3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
S3 nv4;nv4; C:\WINDOWS\System32\DRIVERS\nv4.sys [2001-08-17 731648]
S3 usbsermptxp;Motorola USB Modem Driver for MPT XP; C:\WINDOWS\System32\DRIVERS\usbsermptxp.sys [2007-06-03 25600]
S3 vsdatant;vsdatant; C:\WINDOWS\System32\vsdatant.sys []
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\System32\DRIVERS\wanatw4.sys []
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\agpCPQ.sys [2008-04-13 44928]
S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\alim1541.sys [2008-04-13 42752]
S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\System32\DRIVERS\amdagp.sys [2008-04-13 43008]
S4 cbidf;cbidf; C:\WINDOWS\System32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
S4 IntelIde;IntelIde; C:\WINDOWS\System32\DRIVERS\intelide.sys [2008-04-13 5504]
S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\sisagp.sys [2008-04-13 40960]
S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\viaagp.sys [2008-04-13 42240]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aswUpdSv;avast! iAVS4 Control Service; C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [2009-02-05 18752]
R2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast4\ashServ.exe [2009-02-05 138680]
R2 cmdAgent;COMODO Internet Security Helper Service; C:\Program Files\COMODO\Firewall\cmdagent.exe [2009-02-26 700152]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
R3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2009-02-05 254040]
R3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2009-02-05 352920]
S2 gupdate1c99a2b3bbcf8e2;Google Update Service (gupdate1c99a2b3bbcf8e2); C:\Program Files\Google\Update\GoogleUpdate.exe [2009-02-28 133104]
S2 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-27 183280]

-----------------EOF-----------------

#7 blmer2

blmer2

    Advanced Member

  • Full Member
  • PipPipPip
  • 192 posts

Posted 17 June 2009 - 11:25 AM

Here is the second file.

Thanks again.

info.txt logfile of random's system information tool 1.06 2009-06-17 10:59:55

======Uninstall list======

-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Acrobat.com-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe -uninstall com.adobe.mauby

4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
Acrobat.com-->MsiExec.exe /I{77DCDCE3-2DED-62F3-8154-05E745472D07}
Adobe AIR-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{00203668-8170-44A0-BE44-B632FA4D780F}
Adobe Flash Player Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 9.1-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A91000000001}
ArcSoft PhotoStudio 5.5-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield

Installation Information\{D95ED581-3C67-4BB4-AA50-DDCC6A97226D}\SETUP.EXE" -l0x9
ATI Display Driver-->rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001

-inf_class:DISPLAY -clean
avast! Antivirus-->C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
BCM V.92 56K Modem-->C:\WINDOWS\BCMSMU.exe quiet
BeClean-->C:\de_m_rec\spyware_stuff\be_clean\BeClean\unins000.exe
CadStd-->C:\de_m_rec\cad\CadStd\uninst.exe
Canon MP Drivers 6.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield

Installation Information\{3FF3DD04-F386-46B0-97FC-B86238B65487}\Setup.exe" -l0x9 -Uninstall
Canon MP Navigator 1.1-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield

Installation Information\{8653730A-683D-4C42-BB18-6471291D5DEA}\setup.exe" /SUUninstall
Canon ScanGear Starter-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield

Installation Information\{18A5DFF2-8A95-49F3-873F-743CB5549F3D}\setup.exe" -l0x9 anything
Canon Utilities Easy-PhotoPrint-->C:\Program Files\Canon\Easy-PhotoPrint\uninst.exe C:\Program Files\Canon\Easy-PhotoPrint\uninst.ini
CCleaner (remove only)-->"C:\de_m_rec\spyware_stuff\CCleaner\uninst.exe"
Classic PhoneTools-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield

Installation Information\{E3436EE2-D5CB-4249-840B-3A0140CC34C3}\setup.exe" -l0x9 ControlPanel
COMODO Firewall Pro-->C:\Program Files\COMODO\Firewall\cfpconfg.exe -u
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Dell | Support-->MsiExec.exe /X{91E8A85F-2960-40ED-BA84-7F4567BB00C0}
Dell Modem-On-Hold-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield

Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
Dell Picture Studio - Dell Image Expert-->MsiExec.exe /I{151C555A-A9E7-4A2E-B6D7-165D04A3C956}
Dell Solution Center-->MsiExec.exe /X{11F1920A-56A2-4642-B6E0-3B31A12C9288}
Digital Line Detect-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield

Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
Easy CD Creator 5 Basic-->MsiExec.exe /I{609F7AC8-C510-11D4-A788-009027ABA5D0}
Easy-WebPrint-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\Easy-WebPrint\Uninst.isu"
Google Earth-->MsiExec.exe /X{CC016F21-3970-11DE-B878-005056806466}
Google Update Helper-->MsiExec.exe /I{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
Google Updater-->"C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
HijackThis 2.0.2-->"C:\de_m_rec\spyware_stuff\hijackthis\HiJackThis_july08\HijackThis.exe" /uninstall
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
IMZ-->regsvr32 /s /u C:\WINDOWS\System32\bckoacllpgl.dll
IrfanView (remove only)-->C:\Program Files\IrfanView\iv_uninstall.exe
Java™ 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Malwarebytes' Anti-Malware-->"C:\de_m_rec\spyware_stuff\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Encarta Encyclopedia Standard 2002-->MsiExec.exe /I{01001202-823E-46CD-A70E-BEE818F97169}
Microsoft Office 97, Professional Edition-->C:\Program Files\Microsoft Office\Office\Setup\Acme.exe /w Off97Pro.STF
Microsoft Picture It! Photo 2002-->MsiExec.exe /I{C769A271-7E1C-48F9-B331-474600DD4C06}
Microsoft Word 2002-->MsiExec.exe /I{911B0409-6000-11D3-8CFE-0050048383C9}
Microsoft Works 2002 Setup Launcher-->C:\Program Files\Microsoft Works Suite 2002\Setup\Launcher.exe D:\
Microsoft Works 6.0-->MsiExec.exe /I{A1B7B9B3-E1D2-41CA-9B4A-F18DC2710704}
Microsoft Works Suite Add-in for Microsoft Word-->MsiExec.exe /I{C3A439E4-7303-491F-A678-CEA36A87D517}
Modem Helper-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation

Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
Mozilla Firefox (3.0.11)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
OmniPage SE 2.0-->MsiExec.exe /I{79D5997E-BF79-48BB-8B41-9BE59C15C2D7}
Paint Shop Pro 7-->MsiExec.exe /I{D6DE02C7-1F47-11D4-9515-00105AE4B89A}
PRO200WL-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation

Information\{280C7673-2DF8-4E74-B031-D8F108BE2A6D}\SETUP.EXE" -uninst
QuickTime-->C:\WINDOWS\unvise32qt.exe C:\WINDOWS\System32\QuickTime\Uninstall.log
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Rhapsody Player Engine-->MsiExec.exe /I{22DE1881-9D24-4981-B5CC-EC7E9F2F4D52}
Security Update for Step By Step Interactive Training (KB923723)-->"C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950759)-->"C:\WINDOWS\$NtUninstallKB950759$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953838)-->"C:\WINDOWS\$NtUninstallKB953838$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956390)-->"C:\WINDOWS\$NtUninstallKB956390$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958215)-->"C:\WINDOWS\$NtUninstallKB958215$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960714)-->"C:\WINDOWS\$NtUninstallKB960714$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Shockwave-->C:\WINDOWS\system32\MACROMED\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\MACROMED\SHOCKW~1\Install.log
Spybot - Search & Destroy-->"C:\de_m_rec\spyware_stuff\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster 4.1-->"C:\de_m_rec\spyware_stuff\SpywareBlaster\unins000.exe"
The Weather Channel Desktop-->C:\Program Files\The Weather Channel FW\Desktop Weather\TheWeatherChannelCustomUninstall.exe
Update for Windows XP (KB942763)-->"C:\WINDOWS\$NtUninstallKB942763$\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"

=====HijackThis Backups=====

O20 - AppInit_DLLs: [2009-06-16]

======Hosts File======

127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com

======Security center information======

AV: avast! antivirus 4.8.1335 [VPS 090614-0]
FW: COMODO Firewall

======System event log======

Computer Name: DCQYRW11
Event Code: 7009
Message: Timeout (30000 milliseconds) waiting for the avast! Web Scanner service to connect.

Record Number: 78233
Source Name: Service Control Manager
Time Written: 20090520154924.000000-360
Event Type: error
User:

Computer Name: DCQYRW11
Event Code: 7000
Message: The avast! Web Scanner service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.


Record Number: 78190
Source Name: Service Control Manager
Time Written: 20090519161532.000000-360
Event Type: error
User:

Computer Name: DCQYRW11
Event Code: 7009
Message: Timeout (30000 milliseconds) waiting for the avast! Web Scanner service to connect.

Record Number: 78189
Source Name: Service Control Manager
Time Written: 20090519161532.000000-360
Event Type: error
User:

Computer Name: DCQYRW11
Event Code: 7000
Message: The avast! Web Scanner service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.


Record Number: 78188
Source Name: Service Control Manager
Time Written: 20090519161501.000000-360
Event Type: error
User:

Computer Name: DCQYRW11
Event Code: 7009
Message: Timeout (30000 milliseconds) waiting for the avast! Web Scanner service to connect.

Record Number: 78187
Source Name: Service Control Manager
Time Written: 20090519161501.000000-360
Event Type: error
User:

=====Application event log=====

Computer Name: DCQYRW11
Event Code: 1002
Message: Hanging application firefox.exe, version 1.9.0.3224, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Record Number: 7219
Source Name: Application Hang
Time Written: 20081216175514.000000-420
Event Type: error
User:

Computer Name: DCQYRW11
Event Code: 1000
Message: Faulting application realplay.exe, version 11.0.0.446, faulting module rjbviz.dll, version 1.0.3.45, fault address 0x0000b3b2.

Record Number: 7099
Source Name: Application Error
Time Written: 20081125220858.000000-420
Event Type: error
User:

Computer Name: DCQYRW11
Event Code: 1002
Message: Hanging application firefox.exe, version 1.9.0.3188, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Record Number: 6931
Source Name: Application Hang
Time Written: 20081031171128.000000-360
Event Type: error
User:

Computer Name: DCQYRW11
Event Code: 1002
Message: Hanging application uinstaller.exe, version 6.8.726.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Record Number: 6928
Source Name: Application Hang
Time Written: 20081031170722.000000-360
Event Type: error
User:

Computer Name: DCQYRW11
Event Code: 1002
Message: Hanging application uinstaller.exe, version 6.8.726.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Record Number: 6927
Source Name: Application Hang
Time Written: 20081031170653.000000-360
Event Type: error
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Common Files\Adaptec Shared\System
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 2 Stepping 4, GenuineIntel
"PROCESSOR_REVISION"=0204
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO

-----------------EOF-----------------

#8 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,318 posts

Posted 18 June 2009 - 09:47 AM

Uninstall Avast and reinstall it.
When you do the reinstall make sure that your Comodo Firewall is disable as well as any running programs.
Restart the computer.

How is it now.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#9 blmer2

blmer2

    Advanced Member

  • Full Member
  • PipPipPip
  • 192 posts

Posted 18 June 2009 - 09:59 PM

Hello nasdaq,

I uninstalled and reinstalled Avast. I did disable it, I think, at least the only way I could see to disable it. I still received prompts from the firewall when I was reinstalling it, however. I checked afterwards, after rebooting since I forgot to check first. It was still set to disabled. I then reset it to safe mode. Then Avast wanted to update the virus database, which I did. Afterwards everything locked up, including the computer clock (I don't know if this is significant). I had to turn off the computer manually and restart. Then it seemed to be OK.

It took only a minute or two to reinitialize after all this, I tried a couple of times, so maybe it's somewhat faster. It was definitely faster starting up when Avast was uninstalled.

So where does this leave us?

Thanks again for your help.

#10 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,318 posts

Posted 19 June 2009 - 06:20 AM

For some unknown reason you possibly have a conflict with AVAST and Combofix.

AntiVir
AVG


Download on of these free program. Delete Avast and install the newly downloaded program.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#11 blmer2

blmer2

    Advanced Member

  • Full Member
  • PipPipPip
  • 192 posts

Posted 19 June 2009 - 12:14 PM

Thanks nasdaq,

I can do that, but I have a question first. I sort of remember running a combofix scan the last time I was having a similar issue, but I didn't think it was still on my computer. Is it still out there lingering around somewhere, and if so should I just get rid of it?

This brings up a couple of other things about lingering programs (or remnants thereof?).

I did use AVG in the past but, as I recall, changed it because it was conflicting with zonealarm, which I'm also no longer using - this goes back a while. I noticed some references to AVG on some of the logs, also some other programs that I thought I'd gotten rid of. Winamp and google updater come to mind, but I think there were others. Would these sorts of things cause problems? Should I try to search these out and get rid of them if that is the case? What would be the best way to do that?

Anyway, no problem with changing the antivirus program, I just wanted to check this out first. Let me know what you think. It seems like there were a couple features about AVG that I liked, actually.

Thanks again for your help.

#12 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,318 posts

Posted 19 June 2009 - 12:40 PM

You executed the combofix program without guidance from a trained helper. It not recommended.
To remove it use this command. Since a System Restore point will be created I suggest you wait until all is well with the computer.

Before you delete the program run it again and let me see the log.
You may be asked to download the latest version.
===

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
  • Run Spybot-S&D
  • Go to the Mode menu , and make sure "Advanced Mode " is selected
  • On the left hand side, choose Tools -> Resident
  • Uncheck "Resident TeaTimer " and OK any prompts
  • Restart your computer.
When everything is done and your log is clean again, you can enable it again.
If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

Please don't forget this step to disable teatimer.

[*]Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll <- resource hog.
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe


Click on Fix Checked when finished and exit HijackThis.
Restart the computer normally.
===

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe


Hijackthis will stop and disable the service. It won't delete the service, so don't worry. If you want to re-enable it again, go to start > run and type: services.msc.
There you'll see a list of all services present. Search for "Google Updater Service", doubleclick it and set the startuptype to automatic if you want to enable it again.
===
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#13 blmer2

blmer2

    Advanced Member

  • Full Member
  • PipPipPip
  • 192 posts

Posted 19 June 2009 - 01:37 PM

Hello nasdaq

Now I'm really confused, but I really appreciate your help.

I can't find combofix on my computer anywhere (although I did find the old log from the scan, done about a year and a half ago). Are we sure it's still actually there? I'm sure I didn't run it on my own, I wouldn't even have known about it other than from working through some issues on here. Do I need to find it, or download it, and run a scan?

Then, if that's not confusing enough, I did disable tea timer when we started out and just checked spybot again which still shows that it's checked off. Is it back, somehow, and running somewhere else? How else could I disable it?

Thanks again for your help.

#14 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,318 posts

Posted 19 June 2009 - 02:24 PM

Then, if that's not confusing enough, I did disable tea timer when we started out and just checked spybot again which still shows that it's checked off. Is it back, somehow, and running somewhere else? How else could I disable it?


Remove it from the Add/Remove programs list.
You can reinstall it later when all is well.
===

I can't find combofix on my computer anywhere (although I did find the old log from the scan, done about a year and a half ago). Are we sure it's still actually there? I'm sure I didn't run it on my own, I wouldn't even have known about it other than from working through some issues on here. Do I need to find it, or download it, and run a scan?


All I can suggest is that you delete any folder/files associated with it.

Then if you want:

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply with a fresh HijackThis log.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#15 blmer2

blmer2

    Advanced Member

  • Full Member
  • PipPipPip
  • 192 posts

Posted 19 June 2009 - 06:28 PM

Hi nasdaq,

Thanks for your help. I just want to be sure I'm getting this right before I do anything too serious.

I probably wasn't too clear on the tea timer issue. Spybot shows that tea timer is not resident, which is how I left it after first attempting to disable it, and there hasn't been a little spybot icon down at the bottom of my screen since I first disabled it. So, I'm not sure what's going on there.

I assume, then, that you mean I should actually uninstall spybot itself. I can do that but I haven't yet. I just want to be sure.

As far as combofix goes... I did a windows explorer search for files or folders containing "combo". All it came up with were the comboscan and supplementary comboscan log files (which are .txt files) and some other files that appear to associated with windows or just icons. I didn't think I should delete those. There weren't any executable files or anything. Is there something else I should look for with a name other than "combo"-something? Can the comboscan files be the source of the Avast conflict? I don't want to delete anything else until I'm sure what's going on.

#16 blmer2

blmer2

    Advanced Member

  • Full Member
  • PipPipPip
  • 192 posts

Posted 24 June 2009 - 10:18 PM

Hi nasdaq,

Just wanted to make sure my post wasn't overlooked. No big deal or anything. I wasn't doing anything with my computer over the weekend, anyway, or much the last couple of days either.

Thanks for your help.

#17 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,318 posts

Posted 25 June 2009 - 07:26 AM

Sorry about this delay. I remember seeing your post. I tought I had replied.

Uninstall Spybot via the Add/Remove programs list. Then reinstall the latest version.

All .txt files from combofix can be deleted. If the Icons are from the Combofix program you can delete them also.

Can the comboscan files be the source of the Avast conflict?

No, unless some of the deleted files that were bad are still in the .txt files (in name only) nothing to worry about.
Avast my see them and think that you are infected.

If Avast is finding bad items let me know what.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#18 blmer2

blmer2

    Advanced Member

  • Full Member
  • PipPipPip
  • 192 posts

Posted 26 June 2009 - 10:35 PM

Hello nasdaq,

I uninstalled spybot, but didn't reinstall because it seems like we're waiting until this is done because of a possible teatimer issue, or something. I can reinstall at any time.

I deleted the old combofix scan files. The icons all looked like they were related to my firewall or maybe windows icons, so I left them alone.

I downloaded and ran combofix again and will attach the log, along with a new Hijack this log. When I was looking for the combofix log I also found a combofix quarantined files log that it made. Is that something you'd want to see?

I haven't had any notifications about any viruses or other malware from Avast for some time now. Should I still be thinking of changing to a different antivirus program, incidentally? That came up in our discussion a while back.

Thanks for your help. I'll attach the logs.

ComboFix 09-06-25.01 - Dwain 06/26/2009 13:23.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.255.96 [GMT -6:00]
Running from: c:\documents and settings\Dwain\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090626-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\inf\MSView.inf
c:\windows\Readme.txt
c:\windows\regedit.com
c:\windows\system32\CometTB.dlltmp
c:\windows\system32\Process.exe
c:\windows\system32\taskmgr.com

.
((((((((((((((((((((((((( Files Created from 2009-05-26 to 2009-06-26 )))))))))))))))))))))))))))))))
.

2009-06-24 23:47 . 2009-06-24 23:47 -------- d-----w- c:\documents and settings\Dwain\Application Data\U3
2009-06-18 23:48 . 2009-02-05 20:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-06-18 23:48 . 2009-02-05 20:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-06-18 23:48 . 2009-02-05 20:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-06-18 23:47 . 2009-02-05 20:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-06-18 23:47 . 2009-02-05 20:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-06-18 23:47 . 2009-02-05 20:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-06-18 23:47 . 2009-02-05 20:08 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-06-18 23:47 . 2009-02-05 20:08 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-06-18 23:47 . 2009-02-05 20:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2009-06-17 16:58 . 2009-06-17 17:05 -------- d-----w- C:\rsit
2009-06-09 20:24 . 2009-06-14 23:41 -------- d-----w- C:\baby_pictures

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-26 00:00 . 2003-11-08 06:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-25 22:31 . 2009-03-01 05:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-06-24 20:36 . 2009-01-27 22:00 -------- d-----w- c:\documents and settings\Carter\Application Data\U3
2009-06-21 18:10 . 2009-03-04 05:22 664 ----a-w- c:\documents and settings\Dwain\Local Settings\Application Data\d3d9caps.dat
2009-06-14 23:53 . 2005-07-04 19:05 -------- d-----w- c:\documents and settings\Dwain\Application Data\Canon
2009-06-13 16:08 . 2008-07-14 05:13 3371383 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-13 16:00 . 2008-02-20 23:40 -------- d-----w- c:\program files\Google
2009-05-26 19:20 . 2008-08-16 18:59 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 19:19 . 2008-07-14 05:13 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-15 18:35 . 2006-08-19 18:59 -------- d-----w- c:\documents and settings\Carter\Application Data\Canon
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMODO Firewall Pro"="c:\program files\COMODO\Firewall\cfp.exe" [2009-02-26 1851128]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-01-01 185872]
"COMODO Internet Security"="c:\program files\COMODO\Firewall\cfp.exe" [2009-02-26 1851128]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2002-9-18 45056]
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-8-7 24633]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 aswSP;avast! Self Protection;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [06/18/2009 5:47 PM 114768]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\SYSTEM32\DRIVERS\cmdguard.sys [09/03/2008 3:48 PM 110992]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\SYSTEM32\DRIVERS\cmdhlp.sys [09/03/2008 3:48 PM 24336]
R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [06/18/2009 5:47 PM 20560]
S2 gupdate1c99a2b3bbcf8e2;Google Update Service (gupdate1c99a2b3bbcf8e2);c:\program files\Google\Update\GoogleUpdate.exe [02/28/2009 11:04 PM 133104]
S3 ati2mpaa;ati2mpaa;c:\windows\SYSTEM32\DRIVERS\ati2mpaa.sys [09/18/2002 8:18 PM 281856]
.
Contents of the 'Scheduled Tasks' folder

2009-06-26 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-01 20:09]

2009-06-26 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-01 05:04]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Microsoft Works Update Detection - c:\program files\Microsoft Works\WkDetect.exe
HKLM-Run-WinampAgent - c:\program files\Winamp\winampa.exe
SafeBoot-AVG Anti-Spyware Driver
SafeBoot-AVG Anti-Spyware Guard


.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.dellnet.com/
uInternet Connection Wizard,ShellNext = hxxp://www.dellnet.com/
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
Trusted Zone: govtrip.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-26 13:31
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(576)
c:\windows\system32\guard32.dll

- - - - - - - > 'lsass.exe'(636)
c:\windows\system32\guard32.dll
.
Completion time: 2009-06-26 13:34
ComboFix-quarantined-files.txt 2009-06-26 19:34

Pre-Run: 9,664,217,088 bytes free
Post-Run: 9,697,669,120 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

124 --- E O F --- 2009-03-29 19:00


Now the Hijack this log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:59:59 PM, on 06/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\de_m_rec\spyware_stuff\hijackthis\Hijackthis_june09\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .qt: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {49E71DB9-E803-43BA-AF81-1CAF61A6C4CB} (F-Secure Online Scanner 3.2) - http://support.f-sec.../beta/fscax.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1183915602421
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1183915592905
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Google Update Service (gupdate1c99a2b3bbcf8e2) (gupdate1c99a2b3bbcf8e2) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 5646 bytes

#19 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,318 posts

Posted 27 June 2009 - 07:46 AM

Print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.

Combofix deleted these file because of the .com extension.
c:\windows\regedit.com
c:\windows\system32\taskmgr.com

The normal operating system files have an .exe extension.

Open the Start > run box and type Regedit.exe
Does you Registry editor open?
Close it.


Is your Task Manager working?

Test it.
http://support.microsoft.com/kb/323527
===

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum.
Look at this tutorial if assistance is needed.
http://www.bleepingc...opic131299.html
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#20 blmer2

blmer2

    Advanced Member

  • Full Member
  • PipPipPip
  • 192 posts

Posted 27 June 2009 - 11:05 PM

Hi nasdaq,

I checked the registry editor. It opened, then I closed it.

I haven't had any problems with task manager and have used just recently to end programs when locked up. I didn't see anything specifically about testing on the microsoft site, but I opened it up. It opened normally and I used it to end a program, which it also did normally. So it seems to be working.

I downloaded and ran SDFix. I'll post the log. When looking at the log I noticed that one of the files it listed was in a path/folders that I don't particularly want posted up on a public thread, so I edited out the names. It looks like it was definitely one of my files, or at least a temp. manifestation of it. So I don't think it should have been any particular problem. Not that I really know what any of the log really means.

Anyway, here is the log file.

Thanks for your help.


SDFix: Version 1.240
Run by Administrator on Sat 06/27/2009 at 10:37 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-27 22:46:24
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :



Files with Hidden Attributes :

Mon 14 Jan 2002 19,968 A..H. --- "C:\de_m_rec\letters\~WRL0003.tmp"
Sun 29 Aug 2004 19,968 ...H. --- "C:\de_m_rec\printing_posters\~WRL0005.tmp"
Sun 15 Oct 2006 24,576 ...H. --- "C:\de_m_rec\printing_posters\~WRL0403.tmp"
Sun 15 Oct 2006 24,064 ...H. --- "C:\de_m_rec\printing_posters\~WRL0809.tmp"
Sun 27 Jun 2004 19,968 ...H. --- "C:\de_m_rec\printing_posters\~WRL0907.tmp"
Sun 27 Jun 2004 24,064 ...H. --- "C:\de_m_rec\printing_posters\~WRL0955.tmp"
Sun 15 Oct 2006 25,600 ...H. --- "C:\de_m_rec\printing_posters\~WRL1146.tmp"
Sun 27 Jun 2004 24,576 ...H. --- "C:\de_m_rec\printing_posters\~WRL1241.tmp"
Sun 27 Jun 2004 21,504 ...H. --- "C:\de_m_rec\printing_posters\~WRL1660.tmp"
Sun 27 Jun 2004 19,968 ...H. --- "C:\de_m_rec\printing_posters\~WRL1863.tmp"
Sun 27 Jun 2004 22,528 ...H. --- "C:\de_m_rec\printing_posters\~WRL2379.tmp"
Sun 15 Oct 2006 26,112 ...H. --- "C:\de_m_rec\printing_posters\~WRL3452.tmp"
Mon 29 May 2006 25,600 ...H. --- "C:\de_m_rec\printing_posters\~WRL4011.tmp"
Mon 29 May 2006 27,648 ...H. --- "C:\de_m_rec\printing_posters\~WRL4047.tmp"
Sun 13 Apr 2008 1,695,232 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Sun 13 Apr 2008 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Sun 20 Mar 2005 57,344 ...H. --- "C:\de_m_rec\____\_____\~WRL0037.tmp"
Mon 7 May 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 29 Mar 2008 4,918 A..H. --- "C:\Program Files\Microsoft Office\Office\Shortcut Bar\Acc1.tmp"
Sun 3 Jun 2007 10,678 A..H. --- "C:\Program Files\Microsoft Office\Office\Shortcut Bar\Off18.tmp"
Mon 14 Jul 2008 10,678 A..H. --- "C:\Program Files\Microsoft Office\Office\Shortcut Bar\Off2.tmp"
Mon 13 Aug 2007 10,678 A..H. --- "C:\Program Files\Microsoft Office\Office\Shortcut Bar\Off3.tmp"

Finished!

#21 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,318 posts

Posted 28 June 2009 - 06:35 AM

Good these .com files were possibly remnant of a previous infection.

Should I still be thinking of changing to a different antivirus program, incidentally? That came up in our discussion a while back.

I do not think so. Makes sure it's updated regularly.

Your logs are clean.

Nice Work your Hijackthis log is clean.

Please read this Prevention page with lots of info and tips how to prevent this in the future.
How did I get infected in the first place?
http://spywareinfofo...showtopic=60955
===

Time for some housekeeping
The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

===

Hava a look at these Microsoft articles.

Optimize your computer for peak performance
http://www.microsoft...e/optimize.mspx

Put your PC maintenance routine on autopilot
http://www.microsoft...aintenance.mspx

Restore Your Computer's Performance with Windows XP
http://www.microsoft...estoreperf.mspx

Maintenance tasks that improve performance
http://www.microsoft...mproveperf.mspx
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#22 blmer2

blmer2

    Advanced Member

  • Full Member
  • PipPipPip
  • 192 posts

Posted 28 June 2009 - 09:49 PM

Hi nasdaq,

Thanks.

Are we sort of basically done now? The computer seems to be booting up a bit faster as I've been going through this.

So what did we just do? Was there some particular malware problem or anything?

I will run the ComboFix/u. Then I assume I should go ahead and reinstall spybot. I don't recall taking anything else off.

I've got ComboFix, RSIT and SDFix on my computer now. How is the best way to remove them? Or is there some reason to keep any of them?

Thanks for your help.

#23 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,318 posts

Posted 29 June 2009 - 02:55 PM

Nice Work your Hijackthis log is clean.

Please read this Prevention page with lots of info and tips how to prevent this in the future.
How did I get infected in the first place?
http://spywareinfofo...showtopic=60955
===

Time for some housekeeping
The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

Delete the folders for RSIT and SDFix.

Resintall Spybot when all is well.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#24 blmer2

blmer2

    Advanced Member

  • Full Member
  • PipPipPip
  • 192 posts

Posted 29 June 2009 - 10:10 PM

Hi nasdaq,

I ran the ComboFix/u program. At the end it said ComboFix was uninstalled, but I saw that there is still a ComboFix folder while I was looking for the other folders. Should I delete the folder as well?

I also deleted the other two folders and the shortcut icons on the desktop.

Is there anything else I should do? I haven't reinstalled Spybot yet, but I will.

Thanks for your help.

#25 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,318 posts

Posted 30 June 2009 - 08:05 AM

I saw that there is still a ComboFix folder while I was looking for the other folders. Should I delete the folder as well?

Yes!
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#26 blmer2

blmer2

    Advanced Member

  • Full Member
  • PipPipPip
  • 192 posts

Posted 30 June 2009 - 10:01 PM

Thanks nasdaq,

I guess we're done then?

#27 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,318 posts

Posted 21 July 2009 - 06:36 AM

Glad we could help. :)

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760




Member of UNITE
Support SpywareInfo Forum - click the button