slow computer


28 replies to this topic

#1 werntz

Posted 21 October 2009 - 04:06 PM

My computer started running pretty slow recently. It takes a while to load up like Internet Explorer. When it seems to hang up and you try to cancel the program it just sits there forever. I have turned off a lot of unnecessary programs but that doesn't help. I have sent a HiJack This print out for you to look at. Help!
Earl C. Werntz

#2 SWI Support Robot

Posted 27 October 2009 - 02:12 PM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.


[this is an automated reply]
This is an automated message. It does not count as help.

#3 TheJoker

Posted 15 November 2009 - 11:04 AM

Hi Earl, and Welcome Back.

If you still need help, please post a HijackThis log so we have some basis to start providing help from. You can find information on it in the Forum FAQ.

Free Tools for Fighting Malware
Anti-Virus: avast! Free Antivirus / Avira Free AntiVirus
OnLine Anti-Virus: ESET / BitDefender / F-Secure
Anti-Malware: Malwarebytes' Anti-Malware / Dr.Web CureIt
Spyware/Adware Tools: MVPS HOSTS File / SpywareBlaster
Firewall: Comodo Firewall Free / Privatefirewall
Tutorials: How did I get Infected? / Internet Explorer Privacy & Security Settings
If we have helped, please help us continue the fight by using the Donate button, or see this topic for other ways to donate.

MS MVP 2009-2010 and ASAP Member since 2005


#4 werntz

Posted 20 November 2009 - 02:36 AM

Hi Earl, and Welcome Back.

If you still need help, please post a HijackThis log so we have some basis to start providing help from. You can find information on it in the Forum FAQ.


I cannot get the HiJack This log to attach. It keeps saying, "You are not permitted to upload this kind of file". I will just copy and paste. Will this work?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:30:06 AM, on 11/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\system32\imapi.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1303.0\msneshellx.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1303.0\msneshellx.dll
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,77,65,62,5c,72,65,6c-,61,74,65,64,2e,68,74,6d,00 (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,77,65,62,5c,72,65,6c-,61,74,65,64,2e,68,74,6d,00 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.appl...ex/qtplugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebo...toUploader5.cab
O16 - DPF: {21BB8360-F943-447E-98F3-3C22345375A7} (CPlayFirstChocolatieControl Object) - http://zone.msn.com/...eb.1.0.0.15.cab
O16 - DPF: {22492231-AEF0-49FC-9180-CE8969AB1273} (F-Secure Online Scanner Launcher) - http://download.sp.f.../fslauncher.cab
O16 - DPF: {226ACC34-3194-70E2-5AE7-864FCFE9E80D} (CPlayFirstmsiControl Object) - http://zone.msn.com/...msi.1.0.0.9.cab
O16 - DPF: {49E67060-2C0D-415E-94C7-52A49F73B2F1} - http://zone.msn.com/...rs.1.0.0.39.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1227380504765
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/...mjolauncher.cab
O16 - DPF: {809A6301-7B40-4436-A02C-87B8D3D7D9E3} (ZPA_DMNO Object) - http://zone.msn.com/...no.cab55579.cab
O16 - DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} (ZPA_WheelOfFortune Object) - http://zone.msn.com/...of.cab55579.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/...vl.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...k.cab102118.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://zone.msn.com/...tg.1.0.0.37.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/...outLauncher.cab
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://zone.msn.com/...sh.1.0.0.98.cab
O16 - DPF: {E9B80D94-D8BC-43DE-9138-75605A8D9666} (CPlayFirstWeddingDasControl Object) - http://zone.msn.com/...sh.1.0.0.50.cab
O16 - DPF: {FC4CAF5F-91BD-4DD9-ADC1-F3C737E37BC4} (CPlayFirstSweetopiaControl Object) - http://zone.msn.com/...ia.1.0.0.46.cab
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 7174 bytes



Earl C. Werntz

#5 TheJoker

Posted 20 November 2009 - 05:59 PM

I suggest printing out each set of instructions and reading the entire post before proceeding. It will make following them easier. Please follow the directions in the order listed.

I cannot get the HiJack This log to attach. It keeps saying, "You are not permitted to upload this kind of file". I will just copy and paste. Will this work?

That's what you should be doing (posting the log rather than attaching it). Many Helpers would not download the attachment for safety.

I have turned off a lot of unnecessary programs but that doesn't help.

Rather than turning off unnecessary programs, if you really don't need a program, why not uninstall it rather than stopping it from running with Autoruns?

I see you are running Windows One Care. I want to make sure you realize that the program has been discontinued. It has been replaced by Microsoft Security Essentials, although updates can continue to be downloaded until one year past the last subscription activation date. You can read a review of Microsoft Security Essentials here:
http://www.pcmag.com...,2353386,00.asp

I would instead recommend a good free antivirus like Avira AntiVir PersonalEdition Classic available at http://www.free-av.com, AVG Anti-Virus Free at http://free.grisoft....2/lng/us/tpl/v5, or Free avast! 4 Home Edition at http://www.avast.com...st_4_home.html.

Along with that, I would recommend a good firewall like Outpost Firewall Free or Online Armor Free. Either one would be a good choice. There is a tutorial on understanding firewalls at http://www.bleepingc...tutorial60.html and a tutorial for Outpost Free at http://www.outpostfi...9658#post179658

Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click the Delete button.
  - For IE 7:
    • In the window that opens, click the Delete all button.
    • When prompted, place a check in: "Also delete files and settings stored by add-ons.", click Yes.
  - For IE8:
    • In the window that opens place a checkmark in all options.
    • Click the Delete and OK buttons.
Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options > Privacy.
  • Click "clear your recent history".
  • Go to the Advanced tab, and click the Clear Now button
  • Click OK to close the Options window
Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click OK.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • If the program won't start, go to MBAM's program folder (normally C:\Program Files\Malwarebytes' Anti-Malware), rename mbam.exe to a random file name (keep the .exe extension) and double-click on it to start the program.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply along with a fresh HijackThis log.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Now you need to run HijackThis and click "Do a system scan only." Place a check next to the following entries (if they are still there):

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,77,65,62,5c,72,65,6c-,61,74,65,64,2e,68,74,6d,00 (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,77,65,62,5c,72,65,6c-,61,74,65,64,2e,68,74,6d,00 (file missing)


Now close all browser and other windows except for HijackThis, and click "Fix Checked" to have HijackThis fix the entries you checked.

In Internet Explorer, please run the BitDefender online scan at BitDefender.com
You will need to allow an ActiveX control to install for the scan to run.
Leave the scanning options at default and press "click here to scan"
When finished scanning, click on "click here to export the scan report"
Save it to your desktop, at "file name" type in "bdscan" then click save.
Please post the contents of the log in your next reply.

Download Security Check by screen317 from here or here and save it to your Desktop.
  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
You might want to take a look at this page created by miekiemoes, one of the Global Moderators here, on slow systems, and some things you can try to do to try to improve it:
http://users.telenet...owcomputer.html

Please post a new HijackThis log, the log from MBAM, the log from Security Check (checkup.txt), and in a second reply so nothing is cut off by the maximum post length, the log from BitDefender's online scan and note any errors encountered.



#6 werntz

Posted 24 November 2009 - 11:22 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:28:33 PM, on 11/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\system32\imapi.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1303.0\msneshellx.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1303.0\msneshellx.dll
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.appl...ex/qtplugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebo...toUploader5.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1227380504765
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/...mjolauncher.cab
O16 - DPF: {809A6301-7B40-4436-A02C-87B8D3D7D9E3} (ZPA_DMNO Object) - http://zone.msn.com/...no.cab55579.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/...vl.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...k.cab102118.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/...outLauncher.cab
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Windows Live OneCare Health Monitor (OcHealthMon) - Unknown owner - C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe (file missing)

--
End of file - 5968 bytes


Results of screen317's Security Check version 0.99.0
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
Windows Live OneCare
Microsoft Windows OneCare Live v2.5.2900.20 Idcrl Install
Microsoft Windows Live OneCare Resources v2.5.2900.28
GTOneCare
Microsoft Windows OneCare Live v2.5.2900.28
Microsoft Windows OneCare Live AntiSpyware and AntiVirus
Antivirus up to date!
``````````````````````````````
Anti-malware/Other Utilities Check:

Spybot - Search & Destroy
Microsoft Windows OneCare Live AntiSpyware and AntiVirus
HijackThis 2.0.2
CCleaner (remove only)
Java™ 6 Update 11
Java™ 6 Update 7
Out of date Java installed!
Adobe Flash Player 10
Adobe Reader 7.0
Out of date Adobe Reader installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSMpEng.exe
``````````````````````````````
DNS Vulnerability Check:

Request Timed Out (Wireless Internet connection/Disconnected Internet/Proxy?)

`````````End of Log```````````



Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3

11/23/2009 10:01:36 AM
mbam-log-2009-11-23 (10-01-36).txt

Scan type: Quick Scan
Objects scanned: 120607
Time elapsed: 11 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/PiratePoppers.1.0.0.39.dll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{38d97cce-7243-4b6e-b6a8-dd872ad3eb33} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6868afe5-f258-47dc-bc37-0821f96dc1d2} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{49e67060-2c0d-415e-94c7-52a49f73b2f1} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{49e67060-2c0d-415e-94c7-52a49f73b2f1} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Downloaded Program Files\PiratePoppers.1.0.0.39.dll (Trojan.Agent) -> Quarantined and deleted successfully.



Earl C. Werntz

#7 TheJoker

Posted 24 November 2009 - 06:34 PM

You appear to be running Avira AntiVir, and Windows OneCare Live (which wasn't in your first HijackThis log). It is not recommended to run more than one antivirus program resident, as they conflict with each other, and you actually end up with less protection, not more. You should decide which you want to keep, and completely uninstall the other. Having two antivirus programs installed can also be a reason for having a slow system.

I would keep Avira AntiVir as it's by far the better antivirus; Windows OneCare isn't even offered anymore (it was replaced by Microsoft Security Essentials, although existing subscriptions can continue to update signatures until the end of their one year license). You should uninstall any entry for Microsoft Windows OneCare in Control Panel's Add or Remove Programs, and then enable the Windows Firewall in the Security Center (Start > Programs > Accessories > System Tools > Security Center).

Your Adobe Acrobat is outdated and vulnerable. Go to Control Panel's Add or Remove Programs and uninstall the following program:
Adobe Reader

Then go to http://www.adobe.com and download and install the current version of Adobe Reader. When you install it, be certain to UNcheck any optional toolbar installation (unless you want it).

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6.
  • Scroll down to where it says "Java SE Runtime Environment (JRE), JRE 6 Update 17".
  • Click the "Download" button to the right.
  • In the Window that opens, select Windows, and check the "agree" box and click "Continue".
    - Note: If you are running an x64 (64-bit) version of Windows, you need to install both the Windows (x32) and Windows x64 version.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add or Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 2
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u17-windows-i586.exe that you downloaded to install the newest version (the x64 version is jre-6u17-windows-x64.exe).
    - Note: If you are running Vista, you may need to right-click on the installation file and select Run as Administrator.
After you have done that, please post a new HijackThis log. If you have completed the BitDefender scan, also please post that log.

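As an added example (not HijackThis, SWI or TheJoker's code) covering the entries singled out in posts #5 and #7 (the hex(2) "Related" buttons marked file missing, the empty R0 search values, and a second resident antivirus among the O23 services): a small Python triage script that parses HijackThis log lines, decodes hex(2) registry paths and flags those entry kinds. The flag categories and the antivirus vendor keyword list are assumptions of the example, and the sample lines are excerpted from the logs posted above.

```python
"""Triage a HijackThis 2.0.2 log the way a helper reads it.

Added example for this thread; not HijackThis, SWI or TheJoker's code. It
parses the R0/R1/O2/O9/O10/O16/O23 entry lines, decodes hex(2)-encoded
registry paths, flags the entry kinds a helper reviews first and lists the
antivirus vendors found among O23 services so a second resident antivirus
stands out. The vendor keyword list is an assumption of this example.
"""
import re

# An entry line looks like: "O9 - Extra button: Related - {clsid} - path (file missing)"
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2})\s+-\s+(?P<body>.+)$")

# Reasons attached to flagged entries.
ORPHANED = "orphaned: target file or DLL missing"
HEX2 = "registry path stored as hex(2)"
LSP = "Winsock LSP DLL not in HijackThis's known list"
DPF = "downloaded ActiveX control (DPF)"
UNNAMED_DPF = "DPF control without a registered name"
EMPTY_URL = "empty IE URL value"

# Assumed keyword list; extend it for other products.
AV_VENDORS = ("Avira", "OneCare", "avast", "AVG")


def decode_hex2(value):
    """Decode a REG_EXPAND_SZ shown as 'hex(2):25,53,...' back to text.

    A trailing '-' on a byte ('6c-') is a .reg line-continuation marker, and
    the string ends at the first NUL byte.
    """
    payload = value.split("hex(2):", 1)[1].split()[0]
    raw = bytes(int(tok.rstrip("-"), 16) for tok in payload.split(",") if tok.strip("-"))
    return raw.split(b"\x00", 1)[0].decode("latin-1")


def parse_log(text):
    """Yield (section, body) for every entry line; headers and blanks are skipped."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m["section"], m["body"]


def triage(text):
    """Return (flags, vendors): flags is a list of (section, reason, body)."""
    flags, vendors = [], set()
    for section, body in parse_log(text):
        # Also catches the "AutorunsDisabled - (no file)" placeholders.
        if "(file missing)" in body or "(no file)" in body:
            flags.append((section, ORPHANED, body))
        if "hex(2):" in body:
            flags.append((section, f"{HEX2}: {decode_hex2(body)}", body))
        if section == "O10":
            flags.append((section, LSP, body))
        if section == "O16":
            flags.append((section, DPF, body))
            if not re.search(r"\}\s+\(", body):  # named form is "{clsid} (Name) - url"
                flags.append((section, UNNAMED_DPF, body))
        if section in ("R0", "R1") and body.rstrip().endswith("="):
            flags.append((section, EMPTY_URL, body))
        if section == "O23":
            vendors.update(v for v in AV_VENDORS
                           if re.search(r"\b" + re.escape(v) + r"\b", body, re.I))
    return flags, sorted(vendors)


# Lines excerpted from the logs posted in this thread; the header line shows
# that non-entry lines are skipped.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,77,65,62,5c,72,65,6c-,61,74,65,64,2e,68,74,6d,00 (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {49E67060-2C0D-415E-94C7-52A49F73B2F1} - http://zone.msn.com/...rs.1.0.0.39.cab
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Windows Live OneCare Health Monitor (OcHealthMon) - Unknown owner - C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe (file missing)
"""

if __name__ == "__main__":
    flags, vendors = triage(SAMPLE_LOG)
    for section, reason, body in flags:
        print(f"{section:<4} {reason}\n     {body}")
    if len(vendors) > 1:
        print("More than one antivirus product among the services:", ", ".join(vendors))
```

The unnamed O16 control in the sample is the one MBAM later quarantined as PiratePoppers, which is why DPF entries without a registered name are worth a second look.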


#8 werntz

Posted 25 November 2009 - 03:14 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:48:02 PM, on 11/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1303.0\msneshellx.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1303.0\msneshellx.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.appl.../QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebo...ebookPhotoUploader5.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...en/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros.../x86/client/muweb_site.cab?1227380504765
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/...mjolauncher.cab
O16 - DPF: {809A6301-7B40-4436-A02C-87B8D3D7D9E3} (ZPA_DMNO Object) - http://zone.msn.com/...no.cab55579.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/...vl.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...k.cab102118.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/...outLauncher.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.ad...Plus/1.6/gp.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 6682 bytes





Earl C. Werntz

#9 TheJoker (Forum Deity, Boot Camp Mod, 14,480 posts)

Posted 25 November 2009 - 08:18 PM

Now you need to run HijackThis and click "Do a system scan only." Place a check next to the following entries (if they are still there):

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =


Now close all browser and other windows except for HijackThis, and click "Fix Checked" to have HijackThis fix the entries you checked.

Create a Restore Point
  • Go to Start > Programs > Accessories > System Tools > System Restore
  • Select Create a Restore Point and then Next.
  • In the box for "Restore point description", enter a descriptive name and press Create
  • When the "Restore Point Created" window appears, click Close
Run Disk Cleanup
  • Go to Start > Run and type the below line:
    cleanmgr
  • Click OK
    • If you have more than one drive, select the drive Windows is installed on
    • Click OK
  • When Disk Cleanup opens, select the More Options tab
  • In the System Restore section (bottom of window), click Cleanup
    • In the confirmation window that opens, click Yes
  • Now click on the Disk Cleanup tab and select the following items:
    • Downloaded Program Files
    • Temporary Internet Files
    • Recycle Bin
    • Temporary Files
  • Click OK
  • In the confirmation window, select Yes (Disk Cleanup will close).
Please post a new HijackThis log.
How is the system running?



#10 werntz (Member, Full Member, 18 posts)

Posted 30 November 2009 - 09:37 AM

The system seems to be running better but my "Link Speed" to the internet is only 18 Mbps. Why would that be? Used to be 54 Mbps. Any thoughts on that?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:04:15 AM, on 11/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\system32\imapi.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1303.0\msneshellx.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1303.0\msneshellx.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.appl...ex/qtplugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebo...toUploader5.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1227380504765
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/...mjolauncher.cab
O16 - DPF: {809A6301-7B40-4436-A02C-87B8D3D7D9E3} (ZPA_DMNO Object) - http://zone.msn.com/...no.cab55579.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/...vl.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...k.cab102118.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/...outLauncher.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.ad...Plus/1.6/gp.cab
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 6806 bytes



Earl C. Werntz
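The logs posted in this thread are read entry by entry, and the helper's later replies turn on a few judgement calls: an entry whose value is empty or whose file is gone is not an infection, an O10 LSP line must not be "fixed" blindly, and the things worth asking about are programs that autostart from places a user can write to and ActiveX controls pulled from hosts nobody recognises. The following is an added example (not HijackThis code, and not code from any poster) that parses the entry kinds used in the logs above and applies those calls. The allowlists `KNOWN_DPF_HOSTS` and `TRUSTED_DIRS`, the `msupd` autostart line, and the two all-zero CLSIDs with their download hosts are assumptions constructed for the example; the other sample lines are copied from the logs above, including the forum's `...` elision in the QuickTime URL, which the code reports rather than guesses at.

```python
"""HijackThis-style log triage. Added example: not HijackThis code and not
from any poster; allowlists and the lines marked constructed are assumptions."""
import re
from urllib.parse import urlsplit

KNOWN_DPF_HOSTS = ("microsoft.com", "msn.com", "hotmail.com", "apple.com",
                   "macromedia.com", "adobe.com", "bitdefender.com", "facebook.com")
TRUSTED_DIRS = ("c:\\program files\\", "c:\\windows\\", "%systemroot%\\")
USER_WRITABLE = ("\\temp\\", "\\local settings\\", "\\application data\\",
                 "\\documents and settings\\")
ENTRY_RE = re.compile(r"^(?P<kind>R[0-3]|O\d{1,2}) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def parse_entry(line):
    """Split one line into its HijackThis section and fields; None if not an entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    entry = {"kind": kind, "body": body}
    if kind.startswith("R"):                  # registry value: "key = value"
        entry["value"] = body.partition(" =")[2].strip()
    elif kind == "O4":                        # Run-key autostart
        r = RUN_RE.match(body)
        entry.update(r.groupdict() if r else {"cmd": body})
    elif kind == "O10":                       # Winsock LSP DLL
        entry["path"] = body.split(": ", 1)[-1]
    elif kind == "O16":                       # DPF: ActiveX control and download URL
        entry["url"] = body.rsplit(" - ", 1)[-1]
    else:                                     # O2/O3/O9/O18/O23: last field is a path
        entry["path"] = body.rsplit(" - ", 1)[-1]
    return entry


def path_verdict(cmd):
    p = cmd.strip().strip('"').lower()
    if any(tok in p for tok in USER_WRITABLE):
        return ("review", "runs from a user-writable directory")
    if p.startswith(TRUSTED_DIRS):
        return ("ok", "runs from Windows or Program Files")
    return ("review", "runs from an unexpected location")


def triage(line):
    """(severity, reason): 'ok', 'info' (harmless and explainable) or 'review'."""
    e = parse_entry(line)
    if e is None:
        return None
    kind, body = e["kind"], e["body"]
    if "(no file)" in body:
        return ("info", "target file is gone; stale entry, not an infection")
    if kind.startswith("R"):
        if e["value"] == "":
            return ("info", "empty registry value; nothing is loaded from it")
        return ("ok", "browser setting points at " + e["value"])
    if kind == "O4":
        return path_verdict(e["cmd"])
    if kind == "O10":                         # a wrong LSP 'fix' breaks networking
        sev, why = path_verdict(e["path"])
        return ("info" if sev == "ok" else "review",
                "Winsock LSP " + why + "; confirm the publisher before fixing")
    if kind == "O16":
        if "..." in e["url"]:
            return ("info", "URL elided by the forum paste; check the original log")
        host = (urlsplit(e["url"]).hostname or "").lower()
        if any(host == k or host.endswith("." + k) for k in KNOWN_DPF_HOSTS):
            return ("ok", "ActiveX control from known host " + host)
        return ("review", "ActiveX control from unrecognised host " + (host or "?"))
    return path_verdict(e["path"])


def triage_log(text):
    """[(severity, reason, line)] for every entry line, in log order."""
    return [(v[0], v[1], ln.strip()) for ln in text.splitlines()
            for v in [triage(ln)] if v]


def needs_attention(text):
    return [line for sev, _, line in triage_log(text) if sev == "review"]


# Sample log: lines copied from the logs above, plus three constructed ones
# (msupd, and the two all-zero CLSIDs with made-up hosts) for this example.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [msupd] C:\Documents and Settings\user\Local Settings\Temp\msupd.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.appl...ex/qtplugin.cab
O16 - DPF: {00000000-0000-0000-0000-000000000001} (Constructed Control) - http://download.microsoft.com/constructed/example.cab
O16 - DPF: {00000000-0000-0000-0000-000000000002} (Codec Update) - http://cdn.example.net/codec.cab
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
"""

if __name__ == "__main__":
    for sev, why, line in triage_log(SAMPLE_LOG):
        print(sev.ljust(6), why.ljust(60), line)
```

Run as a script it prints one verdict per entry; `needs_attention()` returns only the lines a helper would ask about, which for the sample are the autostart in a temp directory and the ActiveX control from the unknown host. The `[KernelFaultCheck] dumprep` entry that appears in a later log above is left at `ok` because it lives under `%systemroot%`, and the two empty `R0` values come back as `info`, which is the same reading the helper gives them later in the thread.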

#11 TheJoker (Forum Deity, Boot Camp Mod, 14,480 posts)

Posted 01 December 2009 - 01:35 PM

The system seems to be running better but my "Link Speed" to the internet is only 18 Mbps. Why would that be? Used to be 54 Mbps. Any thoughts on that?

You can check speed through many sites. Here are some you can use:
http://www.dslreports.com/speedtest
You should use the site closest to you.

If you use a test site close to you, do you still get the slow speed?

Now reboot to Safe Mode - Restart your computer and begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.
To return to normal mode just restart your computer as you normally would.

Now you need to run HijackThis and click "Do a system scan only." Place a check next to the following entries (if they are still there):

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =


Now close all browser and other windows except for HijackThis, and click "Fix Checked" to have HijackThis fix the entries you checked.

Please restart your system and post a new HijackThis log.



#12 werntz (Member, Full Member, 18 posts)

Posted 01 December 2009 - 09:30 PM

I have fixed the two files / programs but they just keep coming back.
It doesn't change anything!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:19:33 PM, on 12/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\system32\imapi.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1303.0\msneshellx.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1303.0\msneshellx.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.appl...ex/qtplugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebo...toUploader5.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1227380504765
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/...mjolauncher.cab
O16 - DPF: {809A6301-7B40-4436-A02C-87B8D3D7D9E3} (ZPA_DMNO Object) - http://zone.msn.com/...no.cab55579.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/...vl.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...k.cab102118.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/...outLauncher.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.ad...Plus/1.6/gp.cab
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 6967 bytes



Earl C. Werntz

#13 werntz (Member, Full Member, 18 posts)

Posted 02 December 2009 - 08:17 AM

I also ran a scan by Avira AntiVir Personal and this is what it stated:
(what is "BOO/Sinowal.E")


Avira AntiVir Personal
Report file date: Wednesday, December 02, 2009 08:24

Scanning for 1410710 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : PREMIO18G

Version information:
BUILD.DAT : 9.0.0.415 21609 Bytes 11/8/2009 10:00:00
AVSCAN.EXE : 9.0.3.10 466689 Bytes 11/24/2009 21:07:28
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 16:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 17:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 16:58:52
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 21:08:53
VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 21:08:58
VBASE002.VDF : 7.10.1.1 2048 Bytes 11/19/2009 21:08:58
VBASE003.VDF : 7.10.1.2 2048 Bytes 11/19/2009 21:08:58
VBASE004.VDF : 7.10.1.3 2048 Bytes 11/19/2009 21:08:58
VBASE005.VDF : 7.10.1.4 2048 Bytes 11/19/2009 21:08:58
VBASE006.VDF : 7.10.1.5 2048 Bytes 11/19/2009 21:08:58
VBASE007.VDF : 7.10.1.6 2048 Bytes 11/19/2009 21:08:58
VBASE008.VDF : 7.10.1.7 2048 Bytes 11/19/2009 21:08:58
VBASE009.VDF : 7.10.1.8 2048 Bytes 11/19/2009 21:08:58
VBASE010.VDF : 7.10.1.9 2048 Bytes 11/19/2009 21:08:58
VBASE011.VDF : 7.10.1.10 2048 Bytes 11/19/2009 21:08:58
VBASE012.VDF : 7.10.1.11 2048 Bytes 11/19/2009 21:08:58
VBASE013.VDF : 7.10.1.79 209920 Bytes 11/25/2009 21:07:03
VBASE014.VDF : 7.10.1.128 197632 Bytes 11/30/2009 20:50:56
VBASE015.VDF : 7.10.1.129 2048 Bytes 11/30/2009 20:50:56
VBASE016.VDF : 7.10.1.130 2048 Bytes 11/30/2009 20:50:56
VBASE017.VDF : 7.10.1.131 2048 Bytes 11/30/2009 20:50:57
VBASE018.VDF : 7.10.1.132 2048 Bytes 11/30/2009 20:50:57
VBASE019.VDF : 7.10.1.133 2048 Bytes 11/30/2009 20:50:57
VBASE020.VDF : 7.10.1.134 2048 Bytes 11/30/2009 20:50:57
VBASE021.VDF : 7.10.1.135 2048 Bytes 11/30/2009 20:50:57
VBASE022.VDF : 7.10.1.136 2048 Bytes 11/30/2009 20:50:57
VBASE023.VDF : 7.10.1.137 2048 Bytes 11/30/2009 20:50:57
VBASE024.VDF : 7.10.1.138 2048 Bytes 11/30/2009 20:50:57
VBASE025.VDF : 7.10.1.139 2048 Bytes 11/30/2009 20:50:57
VBASE026.VDF : 7.10.1.140 2048 Bytes 11/30/2009 20:50:57
VBASE027.VDF : 7.10.1.141 2048 Bytes 11/30/2009 20:50:57
VBASE028.VDF : 7.10.1.142 2048 Bytes 11/30/2009 20:50:57
VBASE029.VDF : 7.10.1.143 2048 Bytes 11/30/2009 20:50:57
VBASE030.VDF : 7.10.1.144 2048 Bytes 11/30/2009 20:50:57
VBASE031.VDF : 7.10.1.157 58368 Bytes 12/2/2009 13:23:19
Engineversion : 8.2.1.92
AEVDF.DLL : 8.1.1.2 106867 Bytes 11/23/2009 21:09:11
AESCRIPT.DLL : 8.1.2.45 586108 Bytes 11/23/2009 21:09:10
AESCN.DLL : 8.1.2.5 127346 Bytes 11/23/2009 21:09:10
AESBX.DLL : 8.1.1.1 246132 Bytes 11/23/2009 21:09:09
AERDL.DLL : 8.1.3.4 479605 Bytes 11/30/2009 20:51:04
AEPACK.DLL : 8.2.0.3 422261 Bytes 11/23/2009 21:09:07
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 7/23/2009 15:59:39
AEHEUR.DLL : 8.1.0.184 2146681 Bytes 11/30/2009 20:51:02
AEHELP.DLL : 8.1.7.5 237942 Bytes 11/25/2009 21:07:06
AEGEN.DLL : 8.1.1.78 364917 Bytes 11/25/2009 21:07:06
AEEMU.DLL : 8.1.1.0 393587 Bytes 11/23/2009 21:09:01
AECORE.DLL : 8.1.8.5 180598 Bytes 12/1/2009 20:50:58
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 20:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 14:47:59
AVPREF.DLL : 9.0.3.0 44289 Bytes 11/24/2009 21:07:28
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 20:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 16:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 21:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 16:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 21:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 14:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 16:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 21:39:58
RCTEXT.DLL : 9.0.73.0 86785 Bytes 11/24/2009 21:07:28

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Wednesday, December 02, 2009 08:24

Starting search for hidden objects.
'64899' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'RtlWake.exe' - '1' Module(s) have been scanned
Scan process 'RtWLan.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'imapi.exe' - '1' Module(s) have been scanned
Scan process 'dcfssvc.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
26 processes with 26 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[DETECTION] Contains code of the BOO/Sinowal.E boot sector virus
[WARNING] The boot sector cannot be repaired! You can find more information in the help

Start scanning boot sectors:
Boot sector 'C:\'
[DETECTION] Contains code of the BOO/Sinowal.E boot sector virus
[NOTE] The boot sector was not written!

Starting to scan executable files (registry).

The registry was scanned ( '51' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.


End of the scan: Wednesday, December 02, 2009 08:55
Used time: 31:12 Minute(s)

The scan has been done completely.

6444 Scanned directories
194463 Files were scanned
2 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
194461 Files not concerned
1418 Archives were scanned
3 Warnings
3 Notes
64899 Objects were scanned with rootkit scan
0 Hidden objects were found




Earl C. Werntz

#14 TheJoker (Forum Deity, Boot Camp Mod, 14,480 posts)

Posted 02 December 2009 - 09:05 AM

Those aren't files, but empty registry entries. As something is protecting them, we won't worry about them.

I also ran a scan by Avira AntiVir Personal and this is what it stated:
(what is "BOO/Sinowal.E")

It's a Master Boot Record (MBR) infection.

Please download MBR.exe from http://www2.gmer.net/mbr/mbr.exe
Save the file to your desktop and double-click on it to run it.
A text file will appear on your desktop.
Please post the contents of that file and let me know how you have your hard drive partitioned (is it all one drive, or do you have it partitioned into more than one drive).



#15 werntz (Member, Full Member, 18 posts)

Posted 02 December 2009 - 12:11 PM

I have just one drive. I ran the MBR.EXE -f scan and let it fix the problem. My machine seems to be running much better now. Am I good to go yet?


Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x04A85300
malicious code @ sector 0x04A85303 !
PE file found in sector at 0x04A85319 !



Earl C. Werntz

#16 TheJoker (Forum Deity, Boot Camp Mod, 14,480 posts)

Posted 02 December 2009 - 04:10 PM

You got a step ahead, already running the fix command (mbr.exe -f). :)

You said that it fixed the problem.
Please delete the existing MBR.log file on the desktop, run mbr.exe again and post the new text that it produces.

Please also scan with Avira again. Do you still get this warning, or did that stop?

Starting master boot sector scan:
Master boot sector HD0
[DETECTION] Contains code of the BOO/Sinowal.E boot sector virus
[WARNING] The boot sector cannot be repaired! You can find more information in the help

Start scanning boot sectors:
Boot sector 'C:\'
[DETECTION] Contains code of the BOO/Sinowal.E boot sector virus
[NOTE] The boot sector was not written!


Please post a new HijackThis log (run after scanning with Avira), the text from running mbr.exe, the new log from Avira, and note any errors encountered.

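The mbr.exe output posted above reports three things about the disk: a copy of the MBR stored in a later sector, "malicious code" a few sectors after it, and a PE file further on, all in space that no partition covers. The following is an added example, not gmer's mbr.exe and not code from the thread, that performs the equivalent checks on a raw disk image: it validates sector 0, compares its boot code against a known-good MBR, and walks only the unpartitioned sectors looking for a stashed MBR copy (same partition table and 0x55AA signature as sector 0) and for an `MZ` header whose `e_lfanew` points at `PE\0\0`. Everything on the disk is constructed for the example: the 64-sector image, the single partition at LBA 8, the fake boot-code strings, the copy at sector 0x28 and the PE stub at sector 0x2B. The tool's "user" and "kernel" lines compare two reads of the live disk, which an offline image cannot reproduce, so the example substitutes a comparison against a known-good MBR. `write_clean_boot_code` is assumed to do what a `-f` style repair does here, namely rewrite only the 446 bytes of boot code and leave the partition table alone; scanning again after it shows why the stored copy and the PE sectors are still reported once sector 0 is clean.

```python
"""Offline bootkit triage of a raw disk image. Added example: not gmer's
mbr.exe and not code from any poster; disk layout, boot-code strings and
the '-f' style repair semantics are assumptions constructed for the example."""
import struct

SECTOR = 512
MBR_SIG = b"\x55\xaa"


def parse_partitions(mbr):
    """(start_lba, sector_count) for each used primary partition table entry."""
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i:446 + 16 * (i + 1)]
        # entry: status(1) chs(3) type(1) chs(3) lba_start(u32) sectors(u32)
        ptype = entry[4]
        lba, count = struct.unpack_from("<II", entry, 8)
        if ptype and count:
            parts.append((lba, count))
    return parts


def in_partition(lba, parts):
    return any(start <= lba < start + count for start, count in parts)


def looks_like_pe(sec):
    """MZ stub whose e_lfanew points at a 'PE\\0\\0' header inside this sector."""
    if sec[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", sec, 0x3C)[0]
    return e_lfanew + 4 <= len(sec) and sec[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def scan_image(image, known_good_mbr=None):
    """List of findings for a raw image, sector 0 first, then by ascending LBA."""
    findings = []
    mbr = image[:SECTOR]
    if mbr[510:512] != MBR_SIG:
        findings.append("sector 0: missing 0x55AA boot signature")
    if known_good_mbr is not None and mbr[:446] != known_good_mbr[:446]:
        findings.append("sector 0: boot code differs from known-good MBR")
    parts = parse_partitions(mbr)
    for lba in range(1, len(image) // SECTOR):
        if in_partition(lba, parts):
            continue  # file-system data: the AV engine's job, not this check's
        sec = image[lba * SECTOR:(lba + 1) * SECTOR]
        # a bootkit keeps the original MBR so it can chain-load it: same
        # partition table and signature as sector 0, stored where no file lives
        if sec[510:512] == MBR_SIG and sec[446:510] == mbr[446:510]:
            findings.append("copy of MBR found in sector 0x%08X" % lba)
        if looks_like_pe(sec):
            findings.append("PE file found in sector 0x%08X" % lba)
    return findings


def write_clean_boot_code(image, boot_code=b"CLEAN-MBR-STUB"):
    """Assumed '-f' style repair: replace only the 446 bytes of boot code,
    keeping the partition table and signature (boot_code is a placeholder)."""
    if len(boot_code) > 446:
        raise ValueError("boot code too long")
    return boot_code.ljust(446, b"\x00") + image[446:SECTOR] + image[SECTOR:]


# --- constructed 64-sector disk with one NTFS-typed partition at LBA 8..23 ---
def _mbr(boot_code):
    table = bytearray(64)
    struct.pack_into("<B3sB3sII", table, 0, 0x80, b"\0\0\0", 0x07, b"\0\0\0", 8, 16)
    return boot_code.ljust(446, b"\x90") + bytes(table) + MBR_SIG


ORIGINAL_MBR = _mbr(b"ORIGINAL-BOOTCODE")   # fake boot code, not real x86
INFECTED_MBR = _mbr(b"BOOTKIT-LOADER")


def build_disk(infected):
    disk = bytearray(64 * SECTOR)
    disk[0:SECTOR] = INFECTED_MBR if infected else ORIGINAL_MBR
    disk[10 * SECTOR:10 * SECTOR + 2] = b"MZ"   # executable inside the partition: not reported
    if infected:
        disk[40 * SECTOR:41 * SECTOR] = ORIGINAL_MBR   # stashed original MBR
        pe = bytearray(SECTOR)
        pe[0:2] = b"MZ"
        struct.pack_into("<I", pe, 0x3C, 0x80)
        pe[0x80:0x84] = b"PE\0\0"
        disk[43 * SECTOR:44 * SECTOR] = pe             # driver body in free space
    return bytes(disk)


if __name__ == "__main__":
    disk = build_disk(infected=True)
    for line in scan_image(disk, known_good_mbr=ORIGINAL_MBR):
        print(line)
    print("after rewriting sector 0:")
    for line in scan_image(write_clean_boot_code(disk)):
        print(line)
```

On the infected image the scan reports the changed boot code, the MBR copy at sector 0x28 and the PE file at sector 0x2B; after `write_clean_boot_code` only the last two remain, which is the same shape as the second mbr.exe run in this thread: sector 0 reads as OK while the leftover sectors are still on disk. The `MZ` placed inside the partition is never examined, since anything inside a file system is the scanner's job, and a real investigation would also carve out the flagged sectors for a hash and an AV check rather than stop at the header match.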


#17 werntz (Member, Full Member, 18 posts)

Posted 03 December 2009 - 12:15 AM

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x04A85300
malicious code @ sector 0x04A85303 !
PE file found in sector at 0x04A85319 !





Avira AntiVir Personal
Report file date: Wednesday, December 02, 2009 23:10

Scanning for 1412419 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : PREMIO18G

Version information:
BUILD.DAT : 9.0.0.415 21609 Bytes 11/8/2009 10:00:00
AVSCAN.EXE : 9.0.3.10 466689 Bytes 11/24/2009 21:07:28
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 16:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 17:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 16:58:52
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 21:08:53
VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 21:08:58
VBASE002.VDF : 7.10.1.1 2048 Bytes 11/19/2009 21:08:58
VBASE003.VDF : 7.10.1.2 2048 Bytes 11/19/2009 21:08:58
VBASE004.VDF : 7.10.1.3 2048 Bytes 11/19/2009 21:08:58
VBASE005.VDF : 7.10.1.4 2048 Bytes 11/19/2009 21:08:58
VBASE006.VDF : 7.10.1.5 2048 Bytes 11/19/2009 21:08:58
VBASE007.VDF : 7.10.1.6 2048 Bytes 11/19/2009 21:08:58
VBASE008.VDF : 7.10.1.7 2048 Bytes 11/19/2009 21:08:58
VBASE009.VDF : 7.10.1.8 2048 Bytes 11/19/2009 21:08:58
VBASE010.VDF : 7.10.1.9 2048 Bytes 11/19/2009 21:08:58
VBASE011.VDF : 7.10.1.10 2048 Bytes 11/19/2009 21:08:58
VBASE012.VDF : 7.10.1.11 2048 Bytes 11/19/2009 21:08:58
VBASE013.VDF : 7.10.1.79 209920 Bytes 11/25/2009 21:07:03
VBASE014.VDF : 7.10.1.128 197632 Bytes 11/30/2009 20:50:56
VBASE015.VDF : 7.10.1.129 2048 Bytes 11/30/2009 20:50:56
VBASE016.VDF : 7.10.1.130 2048 Bytes 11/30/2009 20:50:56
VBASE017.VDF : 7.10.1.131 2048 Bytes 11/30/2009 20:50:57
VBASE018.VDF : 7.10.1.132 2048 Bytes 11/30/2009 20:50:57
VBASE019.VDF : 7.10.1.133 2048 Bytes 11/30/2009 20:50:57
VBASE020.VDF : 7.10.1.134 2048 Bytes 11/30/2009 20:50:57
VBASE021.VDF : 7.10.1.135 2048 Bytes 11/30/2009 20:50:57
VBASE022.VDF : 7.10.1.136 2048 Bytes 11/30/2009 20:50:57
VBASE023.VDF : 7.10.1.137 2048 Bytes 11/30/2009 20:50:57
VBASE024.VDF : 7.10.1.138 2048 Bytes 11/30/2009 20:50:57
VBASE025.VDF : 7.10.1.139 2048 Bytes 11/30/2009 20:50:57
VBASE026.VDF : 7.10.1.140 2048 Bytes 11/30/2009 20:50:57
VBASE027.VDF : 7.10.1.141 2048 Bytes 11/30/2009 20:50:57
VBASE028.VDF : 7.10.1.142 2048 Bytes 11/30/2009 20:50:57
VBASE029.VDF : 7.10.1.143 2048 Bytes 11/30/2009 20:50:57
VBASE030.VDF : 7.10.1.144 2048 Bytes 11/30/2009 20:50:57
VBASE031.VDF : 7.10.1.160 78336 Bytes 12/2/2009 20:51:15
Engineversion : 8.2.1.92
AEVDF.DLL : 8.1.1.2 106867 Bytes 11/23/2009 21:09:11
AESCRIPT.DLL : 8.1.2.45 586108 Bytes 11/23/2009 21:09:10
AESCN.DLL : 8.1.2.5 127346 Bytes 11/23/2009 21:09:10
AESBX.DLL : 8.1.1.1 246132 Bytes 11/23/2009 21:09:09
AERDL.DLL : 8.1.3.4 479605 Bytes 11/30/2009 20:51:04
AEPACK.DLL : 8.2.0.3 422261 Bytes 11/23/2009 21:09:07
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 7/23/2009 15:59:39
AEHEUR.DLL : 8.1.0.184 2146681 Bytes 11/30/2009 20:51:02
AEHELP.DLL : 8.1.7.5 237942 Bytes 11/25/2009 21:07:06
AEGEN.DLL : 8.1.1.78 364917 Bytes 11/25/2009 21:07:06
AEEMU.DLL : 8.1.1.0 393587 Bytes 11/23/2009 21:09:01
AECORE.DLL : 8.1.8.5 180598 Bytes 12/1/2009 20:50:58
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 20:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 14:47:59
AVPREF.DLL : 9.0.3.0 44289 Bytes 11/24/2009 21:07:28
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 20:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 16:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 21:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 16:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 21:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 14:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 16:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 21:39:58
RCTEXT.DLL : 9.0.73.0 86785 Bytes 11/24/2009 21:07:28

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Wednesday, December 02, 2009 23:10

Starting search for hidden objects.
'64086' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'RtWLan.exe' - '1' Module(s) have been scanned
Scan process 'RtlWake.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'prevx.exe' - '0' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'imapi.exe' - '1' Module(s) have been scanned
Scan process 'dcfssvc.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'prevx.exe' - '0' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
28 processes with 28 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '50' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.


End of the scan: Wednesday, December 02, 2009 23:37
Used time: 26:43 Minute(s)

The scan has been done completely.

6431 Scanned directories
193638 Files were scanned
0 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
193636 Files not concerned
1419 Archives were scanned
2 Warnings
2 Notes
64086 Objects were scanned with rootkit scan
0 Hidden objects were found



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:15:18 AM, on 12/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Prevx\prevx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\system32\imapi.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Prevx\prevx.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1303.0\msneshellx.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1303.0\msneshellx.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.miniclip....es/pengapop/en/"
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.appl...ex/qtplugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebo...toUploader5.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1227380504765
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/...mjolauncher.cab
O16 - DPF: {809A6301-7B40-4436-A02C-87B8D3D7D9E3} (ZPA_DMNO Object) - http://zone.msn.com/...no.cab55579.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/...vl.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...k.cab102118.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/...outLauncher.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.ad...Plus/1.6/gp.cab
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\Prevx\prevx.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 7289 bytes



Earl C. Werntz
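
The HijackThis log above is read line by line by the helper. As an added example (not HijackThis's or the forum's code), the Python below parses the O2, O4, O10 and O23 entry formats that appear in that log and applies a few defender-side triage heuristics: entries that point at no file, an unknown Winsock LSP, services with no vendor string, and autostarts launched from user-writable paths. The sample lines are constructed: most are copied from the log above, while the `sample_updater` RunOnce entry and the `samplesvc` service are made up to exercise the heuristics, and the heuristics themselves are mine, not HijackThis's.

```python
"""Parse HijackThis v2.0.2 log lines and flag entries worth a closer look.
Added example; the triage rules are the editor's, not HijackThis's."""

import re

# Constructed sample: lines 1-4, 6 and 7 mirror the log above; the
# sample_updater and samplesvc lines are invented to trigger the heuristics.
SAMPLE_LOG = """\
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\\Program Files\\Google\\Google Toolbar\\GoogleToolbar_32.dll
O4 - HKLM\\..\\Run: [avgnt] "C:\\Program Files\\Avira\\AntiVir Desktop\\avgnt.exe" /min
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKCU\\..\\RunOnce: [sample_updater] C:\\DOCUME~1\\Earl\\LOCALS~1\\Temp\\sample_upd.exe -silent
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\nwprovau.dll
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\\Program Files\\Avira\\AntiVir Desktop\\avguard.exe
O23 - Service: Sample Service (samplesvc) - Unknown owner - C:\\Documents and Settings\\Earl\\Application Data\\samplesvc.exe
"""

LINE_RE = re.compile(r"^(?P<type>[A-Z]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.+?) - (?P<clsid>\S+) - (?P<path>.+)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
LSP_RE = re.compile(r"^Unknown file in Winsock LSP: (?P<path>.+)$")
SVC_RE = re.compile(r"^Service: (?P<display>.+?) \((?P<name>[^)]+)\) - (?P<vendor>.+?) - (?P<path>.+)$")

# Directories a normal user can write to; legitimate autostarts rarely live there.
USER_WRITABLE = ("\\documents and settings\\", "\\docume~1\\", "\\temp\\",
                 "\\application data\\", "\\users\\")


def executable_from_command(cmd):
    """Strip arguments from an O4 command line, honouring quoted paths."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(?i)(.+?\.exe)", cmd)
    return m.group(1) if m else cmd.split(" ")[0]


def parse_entry(line):
    """Return a dict for one HijackThis line, or None if it is not an entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("type"), m.group("body")
    entry = {"type": kind, "name": "", "path": "", "vendor": "", "raw": line.strip()}
    if kind == "O2":
        b = BHO_RE.match(body)
        if b:
            entry.update(name=b.group("name"), path=b.group("path"))
    elif kind == "O4":
        r = RUN_RE.match(body)
        if r:
            entry.update(name=r.group("name"), path=executable_from_command(r.group("cmd")))
    elif kind == "O10":
        l = LSP_RE.match(body)
        if l:
            entry.update(name="Winsock LSP", path=l.group("path"))
    elif kind == "O23":
        s = SVC_RE.match(body)
        if s:
            entry.update(name=s.group("name"), vendor=s.group("vendor"), path=s.group("path"))
    return entry


def triage_flags(entry):
    """Heuristic reasons a helper would look twice at this entry."""
    flags = []
    path_l = entry["path"].lower()
    if entry["path"] == "(no file)":
        flags.append("orphaned entry (no file on disk)")
    if entry["type"] == "O10":
        flags.append("unknown Winsock LSP: verify the DLL's publisher")
    if entry["type"] == "O23" and entry["vendor"].lower() == "unknown owner":
        flags.append("service with no vendor string")
    if entry["type"] in ("O4", "O23") and any(d in path_l for d in USER_WRITABLE):
        flags.append("autostart from a user-writable location")
    return flags


def triage(text):
    """Parse every entry in a log and attach its triage flags."""
    results = []
    for line in text.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        e["flags"] = triage_flags(e)
        results.append(e)
    return results


def flagged_names(text):
    """Names of the entries that carry at least one flag."""
    return [e["name"] for e in triage(text) if e["flags"]]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        if e["flags"]:
            print(e["type"], e["name"], "->", "; ".join(e["flags"]))
```

A flag is a prompt to check the file's publisher and location, not a verdict: the O10 line above, for instance, names nwprovau.dll, which HijackThis lists only because it is not in its own whitelist, and the helper in this thread did not act on it.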

#18 werntz

    Member

  • Full Member
  • 18 posts

Posted 07 December 2009 - 02:01 PM

Is my system OK now?
Earl C. Werntz

#19 TheJoker

    Forum Deity

  • Boot Camp Mod
  • 14,480 posts

Posted 07 December 2009 - 05:37 PM

Sorry for the delay; I must have missed your reply.

Although Avira is no longer detecting the MBR rootkit, GMER's MBR rootkit detector is still detecting the malicious code in the MBR.

There are two different ways to deal with it. If you have a Windows install disk, do the following.
  • Insert the original Windows XP CD (Windows XP with Service Pack 2 is preferred, but not required) and reboot the computer. You may need to configure your computer BIOS to boot from the CD-ROM drive.
  • When the Windows XP Setup has started, press "R" to "repair the Windows XP installation using Recovery Console".
  • Select the Windows installation to repair (generally this is C:\Windows) by typing its number and then pressing ENTER.
  • Type the Administrator password and press ENTER.
  • Type the following command:
    fixmbr
    Then hit Enter, and verify that you want to proceed.
  • When finished, remove the Windows XP CD, type "EXIT" and press ENTER to restart your computer.
Then please delete the existing MBR.log file on the desktop, run mbr.exe again and post the new text that it produces.

If you don't have an XP installation disc, please let me know and we'll do it a different way.

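The GMER mbr.exe output in post #17 (a copy of the MBR found at another sector, malicious code in the live one) and the fixmbr procedure above both come down to a single 512-byte sector. The Python below is an added example, not GMER's, Microsoft's or the forum's code: it splits an MBR into boot code, partition table and signature, looks for stashed copies of the live MBR the way the detector reports them, and rewrites only the 446-byte boot code, which is what fixmbr does while leaving the partition table intact. The disk image, the stand-in boot code, the filler that replaces it and the partition entry are all constructed in memory; the known-good boot code is assumed to come from a trusted capture.

```python
"""Check a disk's MBR and restore its boot code the way the Recovery
Console's fixmbr does. Added example; not GMER's mbr.exe and not
Microsoft's code. The 16-sector disk image is constructed in memory."""

import hashlib

SECTOR = 512
BOOT_CODE_LEN = 446          # bytes 0..445   : master boot code
PART_TABLE_LEN = 64          # bytes 446..509 : four 16-byte partition entries
SIGNATURE = b"\x55\xaa"      # bytes 510..511 : boot signature


def parse_mbr(sector0):
    """Split one 512-byte sector into the three MBR fields."""
    if len(sector0) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    return {
        "boot_code": bytes(sector0[:BOOT_CODE_LEN]),
        "partition_table": bytes(sector0[BOOT_CODE_LEN:BOOT_CODE_LEN + PART_TABLE_LEN]),
        "signature": bytes(sector0[BOOT_CODE_LEN + PART_TABLE_LEN:]),
    }


def find_mbr_copies(image, live_mbr):
    """Sectors other than 0 that carry a boot signature and the same partition
    table as the live MBR. An MBR bootkit normally stashes the original sector
    elsewhere so it can chain-load it after its own code runs; that stash is
    what GMER reports as 'copy of MBR has been found in sector ...'."""
    table = parse_mbr(live_mbr)["partition_table"]
    hits = []
    for n in range(1, len(image) // SECTOR):
        s = parse_mbr(image[n * SECTOR:(n + 1) * SECTOR])
        if s["signature"] == SIGNATURE and s["partition_table"] == table:
            hits.append(n)
    return hits


def assess(image, known_good_boot_code):
    """Defender-side verdict on sector 0 against a trusted boot-code image
    (assumed to be captured from a known-clean machine running the same OS)."""
    mbr = image[:SECTOR]
    f = parse_mbr(mbr)
    return {
        "signature_ok": f["signature"] == SIGNATURE,
        "boot_code_ok": f["boot_code"] == known_good_boot_code,
        "boot_code_sha256": hashlib.sha256(f["boot_code"]).hexdigest(),
        "mbr_copies": find_mbr_copies(image, mbr),
    }


def restore_boot_code(image, known_good_boot_code):
    """What fixmbr does, in effect: overwrite the 446-byte boot code and leave
    the partition table and signature exactly as found, so the existing
    volumes remain addressable."""
    if len(known_good_boot_code) != BOOT_CODE_LEN:
        raise ValueError("boot code must be 446 bytes")
    f = parse_mbr(image[:SECTOR])
    new_mbr = known_good_boot_code + f["partition_table"] + f["signature"]
    return new_mbr + bytes(image[SECTOR:])


def build_sample_image():
    """Constructed 16-sector image: a clean MBR whose boot code has been
    replaced in sector 0 by filler bytes (not real malicious code) and whose
    original copy was moved to sector 7, mirroring the GMER finding."""
    clean_boot = b"\xfa\x33\xc0" + b"\x90" * (BOOT_CODE_LEN - 3)   # stand-in boot code
    # one constructed partition entry: bootable, type 0x07, LBA start 63, 1000 sectors
    entry = bytes([0x80, 0x01, 0x01, 0x00, 0x07, 0xfe, 0xff, 0xff])
    entry += (63).to_bytes(4, "little") + (1000).to_bytes(4, "little")
    table = entry + b"\x00" * (PART_TABLE_LEN - len(entry))
    original_mbr = clean_boot + table + SIGNATURE
    image = bytearray(original_mbr + b"\x00" * (SECTOR * 15))
    image[:BOOT_CODE_LEN] = b"\xcc" * BOOT_CODE_LEN          # tampered boot code
    image[7 * SECTOR:8 * SECTOR] = original_mbr              # stashed original
    return bytes(image), clean_boot


if __name__ == "__main__":
    img, clean = build_sample_image()
    print("before:", assess(img, clean))
    fixed = restore_boot_code(img, clean)
    print("after :", assess(fixed, clean))
```

After the rewrite the stashed copy in sector 7 is still reported: a spare copy of the original MBR is not harmful by itself once sector 0 no longer chain-loads anything, which is why the helper asks for a fresh mbr.exe run afterward and judges the live sector, not the copy. On a running Windows system the equivalent read is the first 512 bytes of \\.\PhysicalDrive0 with administrative rights; writing sector 0 is left to fixmbr from the offline Recovery Console, as the steps above describe.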


#20 werntz

    Member

  • Full Member
  • 18 posts

Posted 08 December 2009 - 07:28 AM

I do not have the XP disc. I am presently unemployed and don't have any free money to buy any software either. With that said, I appreciate anything you can do for my machine.
Earl C. Werntz

#21 TheJoker

    Forum Deity

  • Boot Camp Mod
  • 14,480 posts

Posted 08 December 2009 - 05:35 PM

Download ComboFix© by sUBs from one of these locations:

http://download.blee...Bs/ComboFix.exe
http://www.forospywa...Bs/ComboFix.exe

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Familiarize yourself with ComboFix before running it:
http://www.bleepingc...to-use-combofix

  • Disable your AntiVirus and any AntiSpyware programs you may be running (usually via a right click on the System Tray icon) to prevent them from interfering.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. There are some difficult-to-remove infections that will only be fixed if you have the Recovery Console installed.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware. When finished, it will save a log.
Please include the contents of the log at C:\ComboFix.txt in your next reply.

Please post a new HijackThis log and the log from ComboFix (combofix.txt) and note any errors encountered.



#22 werntz

    Member

  • Full Member
  • 18 posts

Posted 09 December 2009 - 08:42 AM

Combo-Fix says that I still have Windows Live OneCare on my computer, but I removed it a while ago. How can I get it off my computer for good?

ComboFix 09-12-06.A3 - Earl 12/09/2009 9:26.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.895.641 [GMT -5:00]
Running from: c:\program files\Earl\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Windows Live OneCare *On-access scanning enabled* (Updated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
FW: Windows Live OneCare Firewall *enabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}
.

((((((((((((((((((((((((( Files Created from 2009-11-09 to 2009-12-09 )))))))))))))))))))))))))))))))
.

2009-12-04 19:32 . 2009-12-04 19:32 -------- d-----w- c:\documents and settings\All Users\Application Data\PDF Writer
2009-12-04 19:32 . 2009-12-04 19:32 -------- d-----w- c:\documents and settings\Earl\Local Settings\Application Data\PDF Writer
2009-12-04 19:32 . 2009-12-04 19:32 -------- d-----w- c:\documents and settings\Earl\Application Data\PDF Writer
2009-12-04 19:28 . 2009-11-28 19:37 6144 ----a-w- c:\windows\system32\BioPdf.PdfWriter.Lib.dll
2009-12-04 19:28 . 2009-12-04 19:28 -------- d-----w- c:\program files\Common Files\Bullzip
2009-12-04 19:28 . 2009-09-10 20:33 131072 ----a-w- c:\windows\system32\bzpdfc.dll
2009-12-04 19:28 . 2008-10-31 03:15 227840 ----a-w- c:\windows\system32\bzFlRdr.dll
2009-12-04 19:28 . 2008-07-10 04:19 103424 ----a-w- c:\windows\system32\bzDCT.dll
2009-12-04 19:28 . 2009-04-22 23:53 194560 ----a-w- c:\windows\system32\bzpdf.dll
2009-12-04 19:28 . 2009-12-04 19:28 -------- d-----w- c:\program files\Bullzip
2009-12-02 14:44 . 2009-12-02 14:46 -------- d-----w- c:\documents and settings\Earl\Application Data\GetRightToGo
2009-12-02 13:28 . 2009-12-02 13:28 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-11-25 19:43 . 2009-11-25 19:43 -------- d-----w- c:\program files\Java
2009-11-25 19:06 . 2009-10-10 07:07 38208 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-11-25 19:06 . 2009-11-25 19:06 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-11-25 19:04 . 2009-11-25 19:04 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-11-25 19:04 . 2009-11-25 19:41 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-11-24 19:58 . 2009-11-24 20:00 -------- dc-h--w- c:\windows\ie8
2009-11-24 19:03 . 2007-08-13 23:52 66048 ----a-w- c:\windows\ieResetIcons.exe
2009-11-24 17:46 . 2009-11-25 08:17 -------- d-----w- c:\program files\Citrix
2009-11-23 21:04 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-11-23 21:04 . 2009-12-07 20:51 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-23 21:04 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-11-23 21:04 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-11-23 21:04 . 2009-11-23 21:04 -------- d-----w- c:\program files\Avira
2009-11-23 21:04 . 2009-11-23 21:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-11-23 20:48 . 2009-11-23 20:48 -------- d-----w- C:\WINSSLog
2009-11-23 19:55 . 2009-11-23 19:55 -------- d-----w- c:\windows\system32\wbem\Repository
2009-11-23 17:06 . 2009-11-23 17:06 -------- d-----w- C:\$AVG
2009-11-23 17:06 . 2009-11-23 17:06 12464 ----a-w- c:\windows\system32\avgrsstx(2).dll
2009-11-23 17:06 . 2009-11-23 17:08 -------- d-----w- c:\windows\system32\drivers\Avg(2)
2009-11-23 17:05 . 2009-11-23 17:05 -------- d-----w- c:\program files\AVG
2009-11-23 17:05 . 2009-11-23 20:55 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-09 02:12 . 2008-12-29 01:43 1744 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-08 14:25 . 2009-01-03 23:40 -------- d-----w- c:\program files\Earl
2009-12-08 14:24 . 2009-11-07 17:56 -------- d-----w- c:\program files\MyDefrag v4.2.5
2009-12-03 17:06 . 2009-10-16 22:46 -------- d-----w- c:\documents and settings\Earl\Application Data\Digital Support
2009-12-03 17:05 . 2009-01-10 19:24 -------- d-----w- c:\program files\Google
2009-12-01 18:05 . 2008-12-04 01:02 -------- d-----w- c:\program files\Rose
2009-11-25 21:25 . 2008-12-13 18:22 2180 ----a-w- c:\windows\system32\d3d8caps.dat
2009-11-25 19:43 . 2008-12-26 02:57 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-25 19:08 . 2008-12-03 23:54 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-24 19:05 . 2009-10-15 01:33 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-24 19:05 . 2009-10-15 01:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-24 17:46 . 2009-10-11 20:22 108920 ----a-w- c:\documents and settings\HelpAssistant.PREMIO18G\g2ax_customer_downloadhelper_win32_x86.exe
2009-11-24 17:46 . 2009-01-27 20:50 108920 ----a-w- c:\documents and settings\Earl\g2ax_customer_downloadhelper_win32_x86.exe
2009-10-31 13:31 . 2009-11-07 17:56 926720 ----a-w- c:\windows\system32\MyDefragScreenSaver.exe
2009-10-29 07:45 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-28 14:58 . 2009-11-07 17:56 93696 ----a-w- c:\windows\system32\MyDefragScreenSaver.scr
2009-10-27 21:46 . 2008-11-22 18:35 37880 ----a-w- c:\documents and settings\Earl\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-24 14:50 . 2008-11-22 19:14 -------- d-----w- c:\program files\OpenOffice.org 3
2009-10-24 14:35 . 2009-10-24 14:35 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-10-24 11:28 . 2009-01-05 20:53 1044 ----a-w- c:\documents and settings\Earl\Application Data\wklnhst.dat
2009-10-23 23:59 . 2009-10-23 23:57 7532 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-10-23 23:59 . 2009-10-23 23:57 550944 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-10-23 02:09 . 2009-10-23 02:09 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2009-10-23 00:45 . 2009-10-23 00:45 -------- d-----w- c:\program files\NETGEAR
2009-10-23 00:45 . 2008-12-04 00:03 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-22 03:42 . 2008-12-29 15:40 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-22 00:17 . 2009-10-22 00:17 0 ----a-w- c:\windows\IntIgn0xF28456.dat
2009-10-21 19:50 . 2008-12-29 15:39 -------- d-----w- c:\program files\MSN Games
2009-10-21 18:31 . 2009-10-21 18:30 -------- d-----w- c:\documents and settings\Earl\Application Data\MissTeriTale3
2009-10-21 18:01 . 2008-12-29 15:39 -------- d-----w- c:\program files\Oberon Media
2009-10-21 05:38 . 2008-04-14 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2008-04-14 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2008-04-14 12:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-15 20:10 . 2009-01-03 23:44 -------- d-----w- c:\program files\Games
2009-10-15 17:23 . 2008-12-11 20:49 1 ----a-w- c:\documents and settings\Earl\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-10-15 04:10 . 2008-11-22 19:07 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-10-15 02:34 . 2008-12-28 16:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-15 02:34 . 2008-12-28 16:14 4045527 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-10-15 01:10 . 2009-10-15 01:10 -------- d-----w- c:\program files\Trend Micro
2009-10-13 14:51 . 2009-10-13 12:52 -------- d-----w- c:\program files\Common Files\Oberon Media
2009-10-13 13:50 . 2009-01-06 17:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Sandlot Games
2009-10-13 10:30 . 2008-04-14 12:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2008-04-14 12:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2008-04-14 12:00 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 07:01 . 2009-07-15 19:24 -------- d-----w- c:\program files\Microsoft Silverlight
2009-10-11 20:11 . 2009-04-16 17:17 -------- d-----w- c:\documents and settings\All Users\Application Data\PoBros
2009-10-11 20:10 . 2009-09-22 23:36 -------- d-----w- c:\program files\NETGEAR(2)
2009-10-11 20:10 . 2008-12-04 00:02 -------- d-----w- c:\program files\Common Files\InstallShield
2009-10-11 20:10 . 2009-09-22 23:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Autodesk
2009-10-11 20:09 . 2009-09-26 01:20 -------- d-----w- c:\program files\PC Check-up
2009-10-11 20:07 . 2009-10-03 17:44 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-10-11 20:07 . 2009-10-03 17:44 -------- d-----w- c:\program files\AVS4YOU
2009-10-11 20:07 . 2009-10-05 10:52 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache(2)
2009-10-11 20:07 . 2009-10-11 20:07 -------- d-----w- c:\program files\Kuros
2009-10-11 20:07 . 2009-10-11 20:07 -------- d-----w- c:\program files\Legacy Interactive
2009-09-11 14:18 . 2008-04-14 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 18:54 . 2008-12-28 16:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53 . 2008-12-28 16:14 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-12-07_13.59.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-09 14:21 . 2009-12-09 14:21 16384 c:\windows\Temp\Perflib_Perfdata_72c.dat
+ 2007-08-13 23:54 . 2009-10-29 07:45 55296 c:\windows\system32\msfeedsbs.dll
- 2007-08-13 23:54 . 2009-08-29 08:08 55296 c:\windows\system32\msfeedsbs.dll
+ 2008-04-14 12:00 . 2009-10-29 07:45 25600 c:\windows\system32\jsproxy.dll
- 2008-04-14 12:00 . 2009-08-29 08:08 25600 c:\windows\system32\jsproxy.dll
- 2009-06-11 12:28 . 2009-08-29 08:08 12800 c:\windows\system32\dllcache\xpshims.dll
+ 2009-06-11 12:28 . 2009-10-29 07:45 12800 c:\windows\system32\dllcache\xpshims.dll
+ 2008-04-14 12:00 . 2009-10-21 05:38 75776 c:\windows\system32\dllcache\strmfilt.dll
- 2008-04-14 12:00 . 2008-04-14 12:00 75776 c:\windows\system32\dllcache\strmfilt.dll
- 2008-04-14 12:00 . 2008-04-14 12:00 79872 c:\windows\system32\dllcache\raschap.dll
+ 2008-04-14 12:00 . 2009-10-12 13:38 79872 c:\windows\system32\dllcache\raschap.dll
- 2008-11-22 18:50 . 2009-08-29 08:08 55296 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2008-11-22 18:50 . 2009-10-29 07:45 55296 c:\windows\system32\dllcache\msfeedsbs.dll
- 2008-04-14 12:00 . 2009-08-29 08:08 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2008-04-14 12:00 . 2009-10-29 07:45 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2008-04-14 12:00 . 2009-10-21 05:38 25088 c:\windows\system32\dllcache\httpapi.dll
+ 2009-10-24 14:36 . 2009-12-09 14:18 90112 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
- 2009-10-24 14:36 . 2009-11-25 13:15 90112 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
- 2009-10-24 14:36 . 2009-11-25 13:15 45056 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
+ 2009-10-24 14:36 . 2009-12-09 14:18 45056 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
+ 2009-10-24 14:36 . 2009-12-09 14:18 22528 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
- 2009-10-24 14:36 . 2009-11-25 13:15 22528 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
+ 2009-10-24 14:36 . 2009-12-09 14:18 30720 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\pptico.exe
- 2009-10-24 14:36 . 2009-11-25 13:15 30720 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\pptico.exe
+ 2009-10-24 14:36 . 2009-12-09 14:18 16384 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
- 2009-10-24 14:36 . 2009-11-25 13:15 16384 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
- 2009-10-24 14:36 . 2009-11-25 13:15 34304 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\misc.exe
+ 2009-10-24 14:36 . 2009-12-09 14:18 34304 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\misc.exe
- 2009-10-24 14:36 . 2009-11-25 13:15 81920 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\fpicon.exe
+ 2009-10-24 14:36 . 2009-12-09 14:18 81920 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\fpicon.exe
+ 2009-12-09 14:18 . 2009-08-29 08:08 12800 c:\windows\ie8updates\KB976325-IE8\xpshims.dll
+ 2009-12-09 14:18 . 2009-08-29 08:08 55296 c:\windows\ie8updates\KB976325-IE8\msfeedsbs.dll
+ 2009-12-09 14:18 . 2009-08-29 08:08 25600 c:\windows\ie8updates\KB976325-IE8\jsproxy.dll
+ 2009-10-24 14:36 . 2009-12-09 14:18 3584 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
- 2009-10-24 14:36 . 2009-11-25 13:15 3584 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
+ 2009-10-24 14:36 . 2009-12-09 14:18 8192 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
- 2009-10-24 14:36 . 2009-11-25 13:15 8192 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
+ 2009-10-24 14:36 . 2009-12-09 14:18 2560 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
- 2009-10-24 14:36 . 2009-11-25 13:15 2560 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
+ 2008-04-14 12:00 . 2009-08-25 09:17 354816 c:\windows\system32\winhttp.dll
+ 2008-04-14 12:00 . 2009-10-29 07:45 206848 c:\windows\system32\occache.dll
- 2008-04-14 12:00 . 2009-08-29 08:08 206848 c:\windows\system32\occache.dll
+ 2007-08-13 23:54 . 2009-10-29 07:45 594432 c:\windows\system32\msfeeds.dll
- 2007-08-13 23:54 . 2009-08-29 08:08 594432 c:\windows\system32\msfeeds.dll
- 2008-04-14 12:00 . 2009-08-29 08:08 184320 c:\windows\system32\iepeers.dll
+ 2008-04-14 12:00 . 2009-10-29 07:45 184320 c:\windows\system32\iepeers.dll
- 2008-04-14 12:00 . 2009-08-29 08:08 387584 c:\windows\system32\iedkcs32.dll
+ 2008-04-14 12:00 . 2009-10-29 07:45 387584 c:\windows\system32\iedkcs32.dll
- 2008-04-14 12:00 . 2009-08-28 10:35 173056 c:\windows\system32\ie4uinit.exe
+ 2008-04-14 12:00 . 2009-10-28 14:40 173056 c:\windows\system32\ie4uinit.exe
- 2008-04-14 12:00 . 2009-08-29 08:08 916480 c:\windows\system32\dllcache\wininet.dll
+ 2008-04-14 12:00 . 2009-10-29 07:45 916480 c:\windows\system32\dllcache\wininet.dll
+ 2008-04-14 12:00 . 2009-08-25 09:17 354816 c:\windows\system32\dllcache\winhttp.dll
+ 2008-04-14 12:00 . 2009-10-12 13:38 149504 c:\windows\system32\dllcache\rastls.dll
- 2008-04-14 12:00 . 2009-08-29 08:08 206848 c:\windows\system32\dllcache\occache.dll
+ 2008-04-14 12:00 . 2009-10-29 07:45 206848 c:\windows\system32\dllcache\occache.dll
+ 2008-04-14 12:00 . 2009-10-13 10:30 270336 c:\windows\system32\dllcache\oakley.dll
- 2008-04-14 12:00 . 2008-04-14 12:00 270336 c:\windows\system32\dllcache\oakley.dll
- 2008-11-22 18:50 . 2009-08-29 08:08 594432 c:\windows\system32\dllcache\msfeeds.dll
+ 2008-11-22 18:50 . 2009-10-29 07:45 594432 c:\windows\system32\dllcache\msfeeds.dll
- 2009-06-11 12:28 . 2009-08-29 08:08 246272 c:\windows\system32\dllcache\ieproxy.dll
+ 2009-06-11 12:28 . 2009-10-29 07:45 246272 c:\windows\system32\dllcache\ieproxy.dll
+ 2008-04-14 12:00 . 2009-10-29 07:45 184320 c:\windows\system32\dllcache\iepeers.dll
- 2008-04-14 12:00 . 2009-08-29 08:08 184320 c:\windows\system32\dllcache\iepeers.dll
- 2008-04-14 12:00 . 2009-08-29 08:08 387584 c:\windows\system32\dllcache\iedkcs32.dll
+ 2008-04-14 12:00 . 2009-10-29 07:45 387584 c:\windows\system32\dllcache\iedkcs32.dll
+ 2008-04-14 12:00 . 2009-10-28 14:40 173056 c:\windows\system32\dllcache\ie4uinit.exe
- 2008-04-14 12:00 . 2009-08-28 10:35 173056 c:\windows\system32\dllcache\ie4uinit.exe
+ 2009-10-20 16:20 . 2009-10-20 16:20 265728 c:\windows\system32\dllcache\http.sys
+ 2009-11-05 19:21 . 2009-11-05 19:21 537600 c:\windows\Installer\a446cc6.msp
- 2009-10-24 14:36 . 2009-11-25 13:15 114688 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\outicon.exe
+ 2009-10-24 14:36 . 2009-12-09 14:18 114688 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\outicon.exe
- 2009-10-24 14:36 . 2009-11-25 13:15 167936 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\accicons.exe
+ 2009-10-24 14:36 . 2009-12-09 14:18 167936 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\accicons.exe
+ 2009-12-09 14:18 . 2009-08-29 08:08 916480 c:\windows\ie8updates\KB976325-IE8\wininet.dll
+ 2009-12-09 14:18 . 2009-05-26 11:40 382840 c:\windows\ie8updates\KB976325-IE8\spuninst\updspapi.dll
+ 2009-12-09 14:18 . 2009-05-26 11:40 231288 c:\windows\ie8updates\KB976325-IE8\spuninst\spuninst.exe
+ 2009-12-09 14:18 . 2009-08-29 08:08 206848 c:\windows\ie8updates\KB976325-IE8\occache.dll
+ 2009-12-09 14:18 . 2009-08-29 08:08 594432 c:\windows\ie8updates\KB976325-IE8\msfeeds.dll
+ 2009-12-09 14:18 . 2009-08-29 08:08 246272 c:\windows\ie8updates\KB976325-IE8\ieproxy.dll
+ 2009-12-09 14:18 . 2009-08-29 08:08 184320 c:\windows\ie8updates\KB976325-IE8\iepeers.dll
+ 2009-12-09 14:18 . 2009-08-29 08:08 387584 c:\windows\ie8updates\KB976325-IE8\iedkcs32.dll
+ 2009-12-09 14:18 . 2009-08-28 10:35 173056 c:\windows\ie8updates\KB976325-IE8\ie4uinit.exe
+ 2009-10-20 16:20 . 2009-10-20 16:20 265728 c:\windows\Driver Cache\i386\http.sys
+ 2008-04-14 12:00 . 2009-10-29 07:45 1208832 c:\windows\system32\urlmon.dll
- 2008-04-14 12:00 . 2009-08-29 08:08 1208832 c:\windows\system32\urlmon.dll
+ 2008-04-14 12:00 . 2009-10-29 07:45 5940736 c:\windows\system32\mshtml.dll
+ 2007-08-13 23:34 . 2009-10-29 07:45 1985536 c:\windows\system32\iertutil.dll
- 2007-08-13 23:34 . 2009-08-29 08:08 1985536 c:\windows\system32\iertutil.dll
- 2008-04-14 12:00 . 2009-08-29 08:08 1208832 c:\windows\system32\dllcache\urlmon.dll
+ 2008-04-14 12:00 . 2009-10-29 07:45 1208832 c:\windows\system32\dllcache\urlmon.dll
+ 2008-04-14 12:00 . 2009-10-29 07:45 5940736 c:\windows\system32\dllcache\mshtml.dll
- 2008-11-22 18:50 . 2009-08-29 08:08 1985536 c:\windows\system32\dllcache\iertutil.dll
+ 2008-11-22 18:50 . 2009-10-29 07:45 1985536 c:\windows\system32\dllcache\iertutil.dll
+ 2009-12-09 14:18 . 2009-08-29 08:08 1208832 c:\windows\ie8updates\KB976325-IE8\urlmon.dll
+ 2009-12-09 14:18 . 2009-10-22 09:19 5939712 c:\windows\ie8updates\KB976325-IE8\mshtml.dll
+ 2009-12-09 14:18 . 2009-08-29 08:08 1985536 c:\windows\ie8updates\KB976325-IE8\iertutil.dll
+ 2008-11-22 18:48 . 2009-12-01 20:06 25966024 c:\windows\system32\MRT.exe
+ 2007-08-13 23:54 . 2009-10-29 07:45 11069952 c:\windows\system32\ieframe.dll
+ 2008-11-22 18:50 . 2009-10-29 07:45 11069952 c:\windows\system32\dllcache\ieframe.dll
+ 2009-12-09 14:18 . 2009-08-29 08:08 11069440 c:\windows\ie8updates\KB976325-IE8\ieframe.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-25 149280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-07-17 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.sys

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AppPortal (Desktop-Integrated).lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AppPortal (Desktop-Integrated).lnk
backup=c:\windows\pss\AppPortal (Desktop-Integrated).lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks 2002 Delivery Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks 2002 Delivery Agent.lnk
backup=c:\windows\pss\QuickBooks 2002 Delivery Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WG111v2 Smart Wizard Wireless Setting.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WG111v2 Smart Wizard Wireless Setting.lnk
backup=c:\windows\pss\WG111v2 Smart Wizard Wireless Setting.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:00 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2009-09-10 18:53 1312080 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/23/2009 4:04 PM 108289]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [12/3/2008 7:03 PM 66048]
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [10/22/2009 8:29 PM 167808]
R3 SMC1211;SMC EZ Card 10/100 PCI (SMC1211 Series) NT 5.0 Driver;c:\windows\system32\drivers\SMC1211.sys [11/22/2008 1:23 PM 23153]
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [10/22/2009 7:45 PM 13532]
S4 OcHealthMon;Windows Live OneCare Health Monitor; [x]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\Earl\Application Data\Mozilla\Firefox\Profiles\oipm32ca.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-09 09:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3632)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-12-09 09:35
ComboFix-quarantined-files.txt 2009-12-09 14:35
ComboFix2.txt 2009-12-07 14:01

Pre-Run: 30,205,517,824 bytes free
Post-Run: 30,169,444,352 bytes free

- - End Of File - - E7B783112F4960EB65B053A0D94B1E11


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:41:20 AM, on 12/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\imapi.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1303.0\msneshellx.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1303.0\msneshellx.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.appl...ex/qtplugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebo...toUploader5.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1227380504765
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/...mjolauncher.cab
O16 - DPF: {809A6301-7B40-4436-A02C-87B8D3D7D9E3} (ZPA_DMNO Object) - http://zone.msn.com/...no.cab55579.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/...vl.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...k.cab102118.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/...outLauncher.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.ad...Plus/1.6/gp.cab
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 5558 bytes



Earl C. Werntz

#23 TheJoker

    Forum Deity

  • Boot Camp Mod
  • 14,480 posts

Posted 10 December 2009 - 11:14 AM

Combo-Fix says that I still have Windows Live OneCare on my computer, but I removed it a while ago. How can I get it off my computer for good?

Download the Microsoft Live OneCare Remover from here:
http://download.micr...CareCleanUp.exe
Save the file to your Desktop.
Double-click OneCareCleanUp.exe to run the tool.

When you ran ComboFix, did you install the Recovery Console? I don't see it in the log.



#24 werntz

    Member

  • Full Member
  • 18 posts

Posted 10 December 2009 - 12:35 PM

Combo-Fix was run once before on this machine. Recovery was installed then.
I ran the Live OneCare removal tool, and still, when I ran the Combo-Fix program, it shows up that it is still scanning. Now what?
I ran ComboFix again. Here is the report.

ComboFix 09-12-09.04 - Earl 12/10/2009 13:22:41.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.895.644 [GMT -5:00]
Running from: c:\program files\Earl\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Windows Live OneCare *On-access scanning enabled* (Updated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
FW: Windows Live OneCare Firewall *enabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}
.

((((((((((((((((((((((((( Files Created from 2009-11-10 to 2009-12-10 )))))))))))))))))))))))))))))))
.

2009-12-04 19:32 . 2009-12-04 19:32 -------- d-----w- c:\documents and settings\All Users\Application Data\PDF Writer
2009-12-04 19:32 . 2009-12-04 19:32 -------- d-----w- c:\documents and settings\Earl\Local Settings\Application Data\PDF Writer
2009-12-04 19:32 . 2009-12-04 19:32 -------- d-----w- c:\documents and settings\Earl\Application Data\PDF Writer
2009-12-04 19:28 . 2009-11-28 19:37 6144 ----a-w- c:\windows\system32\BioPdf.PdfWriter.Lib.dll
2009-12-04 19:28 . 2009-12-04 19:28 -------- d-----w- c:\program files\Common Files\Bullzip
2009-12-04 19:28 . 2009-09-10 20:33 131072 ----a-w- c:\windows\system32\bzpdfc.dll
2009-12-04 19:28 . 2008-10-31 03:15 227840 ----a-w- c:\windows\system32\bzFlRdr.dll
2009-12-04 19:28 . 2008-07-10 04:19 103424 ----a-w- c:\windows\system32\bzDCT.dll
2009-12-04 19:28 . 2009-04-22 23:53 194560 ----a-w- c:\windows\system32\bzpdf.dll
2009-12-04 19:28 . 2009-12-04 19:28 -------- d-----w- c:\program files\Bullzip
2009-12-02 14:44 . 2009-12-02 14:46 -------- d-----w- c:\documents and settings\Earl\Application Data\GetRightToGo
2009-12-02 13:28 . 2009-12-02 13:28 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-11-25 19:43 . 2009-11-25 19:43 -------- d-----w- c:\program files\Java
2009-11-25 19:06 . 2009-10-10 07:07 38208 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-11-25 19:06 . 2009-11-25 19:06 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-11-25 19:04 . 2009-11-25 19:04 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-11-25 19:04 . 2009-11-25 19:41 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-11-24 19:58 . 2009-11-24 20:00 -------- dc-h--w- c:\windows\ie8
2009-11-24 19:03 . 2007-08-13 23:52 66048 ----a-w- c:\windows\ieResetIcons.exe
2009-11-24 17:46 . 2009-11-25 08:17 -------- d-----w- c:\program files\Citrix
2009-11-23 21:04 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-11-23 21:04 . 2009-12-07 20:51 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-23 21:04 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-11-23 21:04 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-11-23 21:04 . 2009-11-23 21:04 -------- d-----w- c:\program files\Avira
2009-11-23 21:04 . 2009-11-23 21:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-11-23 20:48 . 2009-11-23 20:48 -------- d-----w- C:\WINSSLog
2009-11-23 19:55 . 2009-11-23 19:55 -------- d-----w- c:\windows\system32\wbem\Repository
2009-11-23 17:06 . 2009-11-23 17:06 -------- d-----w- C:\$AVG
2009-11-23 17:06 . 2009-11-23 17:06 12464 ----a-w- c:\windows\system32\avgrsstx(2).dll
2009-11-23 17:06 . 2009-11-23 17:08 -------- d-----w- c:\windows\system32\drivers\Avg(2)
2009-11-23 17:05 . 2009-11-23 17:05 -------- d-----w- c:\program files\AVG
2009-11-23 17:05 . 2009-11-23 20:55 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-10 18:20 . 2009-01-03 23:40 -------- d-----w- c:\program files\Earl
2009-12-09 02:12 . 2008-12-29 01:43 1744 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-08 14:24 . 2009-11-07 17:56 -------- d-----w- c:\program files\MyDefrag v4.2.5
2009-12-03 17:06 . 2009-10-16 22:46 -------- d-----w- c:\documents and settings\Earl\Application Data\Digital Support
2009-12-03 17:05 . 2009-01-10 19:24 -------- d-----w- c:\program files\Google
2009-12-01 18:05 . 2008-12-04 01:02 -------- d-----w- c:\program files\Rose
2009-11-25 21:25 . 2008-12-13 18:22 2180 ----a-w- c:\windows\system32\d3d8caps.dat
2009-11-25 19:43 . 2008-12-26 02:57 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-25 19:08 . 2008-12-03 23:54 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-24 19:05 . 2009-10-15 01:33 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-24 19:05 . 2009-10-15 01:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-24 17:46 . 2009-10-11 20:22 108920 ----a-w- c:\documents and settings\HelpAssistant.PREMIO18G\g2ax_customer_downloadhelper_win32_x86.exe
2009-11-24 17:46 . 2009-01-27 20:50 108920 ----a-w- c:\documents and settings\Earl\g2ax_customer_downloadhelper_win32_x86.exe
2009-10-31 13:31 . 2009-11-07 17:56 926720 ----a-w- c:\windows\system32\MyDefragScreenSaver.exe
2009-10-29 07:45 . 2008-04-14 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-10-28 14:58 . 2009-11-07 17:56 93696 ----a-w- c:\windows\system32\MyDefragScreenSaver.scr
2009-10-27 21:46 . 2008-11-22 18:35 37880 ----a-w- c:\documents and settings\Earl\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-24 14:50 . 2008-11-22 19:14 -------- d-----w- c:\program files\OpenOffice.org 3
2009-10-24 14:35 . 2009-10-24 14:35 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-10-24 11:28 . 2009-01-05 20:53 1044 ----a-w- c:\documents and settings\Earl\Application Data\wklnhst.dat
2009-10-23 23:59 . 2009-10-23 23:57 7532 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-10-23 23:59 . 2009-10-23 23:57 550944 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-10-23 02:09 . 2009-10-23 02:09 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2009-10-23 00:45 . 2009-10-23 00:45 -------- d-----w- c:\program files\NETGEAR
2009-10-23 00:45 . 2008-12-04 00:03 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-22 03:42 . 2008-12-29 15:40 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-22 00:17 . 2009-10-22 00:17 0 ----a-w- c:\windows\IntIgn0xF28456.dat
2009-10-21 19:50 . 2008-12-29 15:39 -------- d-----w- c:\program files\MSN Games
2009-10-21 18:31 . 2009-10-21 18:30 -------- d-----w- c:\documents and settings\Earl\Application Data\MissTeriTale3
2009-10-21 18:01 . 2008-12-29 15:39 -------- d-----w- c:\program files\Oberon Media
2009-10-21 05:38 . 2008-04-14 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2008-04-14 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2008-04-14 12:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-15 20:10 . 2009-01-03 23:44 -------- d-----w- c:\program files\Games
2009-10-15 17:23 . 2008-12-11 20:49 1 ----a-w- c:\documents and settings\Earl\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-10-15 04:10 . 2008-11-22 19:07 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-10-15 02:34 . 2008-12-28 16:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-15 02:34 . 2008-12-28 16:14 4045527 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-10-15 01:10 . 2009-10-15 01:10 -------- d-----w- c:\program files\Trend Micro
2009-10-13 14:51 . 2009-10-13 12:52 -------- d-----w- c:\program files\Common Files\Oberon Media
2009-10-13 13:50 . 2009-01-06 17:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Sandlot Games
2009-10-13 10:30 . 2008-04-14 12:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2008-04-14 12:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2008-04-14 12:00 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 07:01 . 2009-07-15 19:24 -------- d-----w- c:\program files\Microsoft Silverlight
2009-10-11 20:11 . 2009-04-16 17:17 -------- d-----w- c:\documents and settings\All Users\Application Data\PoBros
2009-10-11 20:10 . 2009-09-22 23:36 -------- d-----w- c:\program files\NETGEAR(2)
2009-10-11 20:10 . 2008-12-04 00:02 -------- d-----w- c:\program files\Common Files\InstallShield
2009-10-11 20:10 . 2009-09-22 23:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Autodesk
2009-10-11 20:09 . 2009-09-26 01:20 -------- d-----w- c:\program files\PC Check-up
2009-10-11 20:07 . 2009-10-03 17:44 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-10-11 20:07 . 2009-10-03 17:44 -------- d-----w- c:\program files\AVS4YOU
2009-10-11 20:07 . 2009-10-05 10:52 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache(2)
2009-10-11 20:07 . 2009-10-11 20:07 -------- d-----w- c:\program files\Kuros
2009-10-11 20:07 . 2009-10-11 20:07 -------- d-----w- c:\program files\Legacy Interactive
.

((((((((((((((((((((((((((((( SnapShot_2009-12-09_14.33.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-10 18:16 . 2009-12-10 18:16 16384 c:\windows\Temp\Perflib_Perfdata_654.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe -atboottime" [X]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-25 149280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.sys

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AppPortal (Desktop-Integrated).lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AppPortal (Desktop-Integrated).lnk
backup=c:\windows\pss\AppPortal (Desktop-Integrated).lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks 2002 Delivery Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks 2002 Delivery Agent.lnk
backup=c:\windows\pss\QuickBooks 2002 Delivery Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WG111v2 Smart Wizard Wireless Setting.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WG111v2 Smart Wizard Wireless Setting.lnk
backup=c:\windows\pss\WG111v2 Smart Wizard Wireless Setting.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:00 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2009-09-10 18:53 1312080 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/23/2009 4:04 PM 108289]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [12/3/2008 7:03 PM 66048]
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [10/22/2009 8:29 PM 167808]
R3 SMC1211;SMC EZ Card 10/100 PCI (SMC1211 Series) NT 5.0 Driver;c:\windows\system32\drivers\SMC1211.sys [11/22/2008 1:23 PM 23153]
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [10/22/2009 7:45 PM 13532]
S4 OcHealthMon;Windows Live OneCare Health Monitor; [x]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\Earl\Application Data\Mozilla\Firefox\Profiles\oipm32ca.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-10 13:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4048)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-12-10 13:30:23
ComboFix-quarantined-files.txt 2009-12-10 18:30
ComboFix2.txt 2009-12-09 14:35
ComboFix3.txt 2009-12-07 14:01

Pre-Run: 30,161,633,280 bytes free
Post-Run: 30,128,951,296 bytes free

- - End Of File - - FB047A54B5220DADC4044C9646F6346F



Earl C. Werntz

#25 TheJoker

    Forum Deity

  • Boot Camp Mod
  • 14,480 posts

Posted 10 December 2009 - 04:57 PM

We need to make sure you have the most recent version of ComboFix.
Delete your current copy of ComboFix.exe.
Download ComboFix© by sUBs from one of these links:
http://download.blee...Bs/ComboFix.exe
http://www.forospywa...Bs/ComboFix.exe

Save the file to your Desktop.

Close any open browsers.
Close your AntiVirus and any anti-spyware programs you may be running.

For this next step, please ensure that ComboFix.exe is on your desktop:

Please open Notepad *Do Not Use Wordpad!* (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
Save this as "CFScript.txt" and change the "Save as type" to "All Files" and place it on your desktop.

Driver::
OcHealthMon
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"=-

Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please post that log in your next reply.

Please run HijackThis, click on "Open the Misc Tools section", and then on "Open Uninstall Manager". Click the "Save list" button, save the file uninstall_list.txt to your Desktop, and post the contents here for review.

Since you have the recovery console installed, reboot your system.
  • When you see the boot menu, select the Recovery Console instead of Windows.
  • When Recovery Console starts, it will prompt you to enter a number corresponding to the Windows XP installation that you need to repair. If you have only one operating system, enter 1 to select it.
  • Enter your Administrator password. If you don't enter the correct password, you cannot continue.
  • At the Recovery Console command prompt, type fixmbr and then verify that you want to proceed.
  • Then type exit and hit Enter to exit the Recovery Console and restart the system.
Please post a new HijackThis log, the contents of uninstall_list.txt, and in a second reply (due to length) the log from ComboFix (combofix.txt), and note any errors encountered.

Free Tools for Fighting Malware
Anti-Virus: avast! Free Antivirus / Avira Free AntiVirus
OnLine Anti-Virus: ESET / BitDefender / F-Secure
Anti-Malware: Malwarebytes' Anti-Malware / Dr.Web CureIt
Spyware/Adware Tools: MVPS HOSTS File / SpywareBlaster
Firewall: Comodo Firewall Free / Privatefirewall
Tutorials: How did I get Infected? / Internet Explorer Privacy & Security Settings
If we have helped, please help us continue the fight by using the Donate button, or see this topic for other ways to donate.

MS MVP 2009-2010 and ASAP Member since 2005
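One way to derive the CFScript described in this post from a saved ComboFix log, as an added example (not ComboFix's or the helper's own code): ComboFix appends [X] or [x] to an autostart value or service whose target file is missing, which is exactly what the QuickTime Task Run value and the OcHealthMon service look like in the log posted further down; the script picks out those entries and writes the matching Driver:: and Registry:: directives. The log excerpt inside the script is constructed from that log.

```python
"""Turn ComboFix [X]/[x] markers into CFScript directives.

Added example for this thread; it is not part of ComboFix. It scans the
"Reg Loading Points" section of a ComboFix log for registry values and
services whose target file ComboFix could not find (marked [X] or [x])
and emits a CFScript with Registry:: and Driver:: sections in the same
form the helper used in this thread.
"""
import re
from typing import List, Tuple

# Constructed excerpt modelled on the ComboFix log posted in this thread.
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"QuickTime Task"="c:\\program files\\QuickTime\\qttask.exe -atboottime" [X]
"avgnt"="c:\\program files\\Avira\\AntiVir Desktop\\avgnt.exe" [2009-03-02 209153]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\\program files\\Avira\\AntiVir Desktop\\sched.exe [11/23/2009 4:04 PM 108289]
S4 OcHealthMon;Windows Live OneCare Health Monitor; [x]
"""

# A registry key header line: [HKEY_...\...]
KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
# A registry value line: "name"=data [flag]; flag is either a date/size or X
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*?)\s*\[(?P<flag>[^\]]*)\]$')
# A service/driver line: R2 Name;Description;path [flag]
SERVICE_RE = re.compile(
    r'^(?P<start>[RS]\d)\s+(?P<svc>[^;]+);(?P<desc>[^;]*);(?P<path>.*?)\s*\[(?P<flag>[^\]]*)\]$'
)


def find_orphans(log_text: str) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Return ([(registry_key, value_name), ...], [service_name, ...]) for
    entries whose trailing bracket is [X]/[x], i.e. the target file is gone."""
    reg_orphans: List[Tuple[str, str]] = []
    svc_orphans: List[str] = []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.rstrip()
        m = KEY_RE.match(line)
        if m:
            # Remember the key so following value lines can be attributed to it.
            current_key = m.group('key')
            continue
        m = VALUE_RE.match(line)
        if m and current_key and m.group('flag').lower() == 'x':
            reg_orphans.append((current_key, m.group('name')))
            continue
        m = SERVICE_RE.match(line)
        if m and m.group('flag').lower() == 'x':
            svc_orphans.append(m.group('svc').strip())
    return reg_orphans, svc_orphans


def build_cfscript(reg_orphans: List[Tuple[str, str]], svc_orphans: List[str]) -> str:
    """Render the CFScript text: Driver:: lines name services to remove,
    Registry:: uses REGEDIT4 syntax where "name"=- deletes a value."""
    lines: List[str] = []
    if svc_orphans:
        lines.append('Driver::')
        lines.extend(svc_orphans)
    if reg_orphans:
        lines.append('Registry::')
        last_key = None
        for key, name in reg_orphans:
            if key != last_key:
                lines.append(f'[{key}]')
                last_key = key
            lines.append(f'"{name}"=-')
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    # Review the output before saving it as CFScript.txt: a missing-file
    # entry is usually leftover cruft, but it can also be the remains of
    # something an antivirus already deleted, which is worth noting.
    reg, svc = find_orphans(SAMPLE_LOG)
    print(build_cfscript(reg, svc), end='')
```

Run against a real log by replacing SAMPLE_LOG with the contents of C:\ComboFix.txt; only the "Reg Loading Points" lines match the patterns, so the rest of the file is ignored.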


#26 werntz

werntz

    Member

  • Full Member
  • 18 posts

Posted 10 December 2009 - 06:42 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:40:56 PM, on 12/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\system32\imapi.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1303.0\msneshellx.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1303.0\msneshellx.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.appl...ex/qtplugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebo...toUploader5.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1227380504765
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/...mjolauncher.cab
O16 - DPF: {809A6301-7B40-4436-A02C-87B8D3D7D9E3} (ZPA_DMNO Object) - http://zone.msn.com/...no.cab55579.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/...vl.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...k.cab102118.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/...outLauncher.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.ad...Plus/1.6/gp.cab
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 5752 bytes


Acrobat.com
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Reader 9.2
Adobe Shockwave Player
Avira AntiVir Personal - Free Antivirus
Bullzip PDF Printer 7.1.0.1078
CCleaner (remove only)
Critical Update for Windows Media Player 11 (KB959772)
GPL Ghostscript Lite 8.70
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Java™ 6 Update 17
KODAK Camera Connection Software
KODAK Camera Connection Software Help
KODAK Memory Albums
KODAK One Touch to Better Pictures
KODAK Picture Software
KODAK Picture Transfer Software
KODAK Software Updater
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox (3.5.5)
MSN
MSN Toolbar
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MyDefrag v4.2.5
QuickBooks Pro 2002
QuickTime
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows XP (KB898461)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WG111v2 Configuration Utility
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11





Earl C. Werntz

#27 werntz

werntz

    Member

  • Full Member
  • 18 posts

Posted 10 December 2009 - 06:55 PM

ComboFix 09-12-09.04 - Earl 12/10/2009 19:44:18.5.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.895.630 [GMT -5:00]
Running from: c:\documents and settings\Earl\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Windows Live OneCare *On-access scanning enabled* (Updated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
FW: Windows Live OneCare Firewall *enabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}
.

((((((((((((((((((((((((( Files Created from 2009-11-11 to 2009-12-11 )))))))))))))))))))))))))))))))
.

2009-12-04 19:32 . 2009-12-04 19:32 -------- d-----w- c:\documents and settings\All Users\Application Data\PDF Writer
2009-12-04 19:32 . 2009-12-04 19:32 -------- d-----w- c:\documents and settings\Earl\Local Settings\Application Data\PDF Writer
2009-12-04 19:32 . 2009-12-04 19:32 -------- d-----w- c:\documents and settings\Earl\Application Data\PDF Writer
2009-12-04 19:28 . 2009-11-28 19:37 6144 ----a-w- c:\windows\system32\BioPdf.PdfWriter.Lib.dll
2009-12-04 19:28 . 2009-12-04 19:28 -------- d-----w- c:\program files\Common Files\Bullzip
2009-12-04 19:28 . 2009-09-10 20:33 131072 ----a-w- c:\windows\system32\bzpdfc.dll
2009-12-04 19:28 . 2008-10-31 03:15 227840 ----a-w- c:\windows\system32\bzFlRdr.dll
2009-12-04 19:28 . 2008-07-10 04:19 103424 ----a-w- c:\windows\system32\bzDCT.dll
2009-12-04 19:28 . 2009-04-22 23:53 194560 ----a-w- c:\windows\system32\bzpdf.dll
2009-12-04 19:28 . 2009-12-04 19:28 -------- d-----w- c:\program files\Bullzip
2009-12-02 14:44 . 2009-12-02 14:46 -------- d-----w- c:\documents and settings\Earl\Application Data\GetRightToGo
2009-12-02 13:28 . 2009-12-02 13:28 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-11-25 19:43 . 2009-11-25 19:43 -------- d-----w- c:\program files\Java
2009-11-25 19:06 . 2009-10-10 07:07 38208 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-11-25 19:06 . 2009-11-25 19:06 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-11-25 19:04 . 2009-11-25 19:04 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-11-25 19:04 . 2009-11-25 19:41 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-11-24 19:58 . 2009-11-24 20:00 -------- dc-h--w- c:\windows\ie8
2009-11-24 19:03 . 2007-08-13 23:52 66048 ----a-w- c:\windows\ieResetIcons.exe
2009-11-24 17:46 . 2009-11-25 08:17 -------- d-----w- c:\program files\Citrix
2009-11-23 21:04 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-11-23 21:04 . 2009-12-07 20:51 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-23 21:04 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-11-23 21:04 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-11-23 21:04 . 2009-11-23 21:04 -------- d-----w- c:\program files\Avira
2009-11-23 21:04 . 2009-11-23 21:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-11-23 20:48 . 2009-11-23 20:48 -------- d-----w- C:\WINSSLog
2009-11-23 19:55 . 2009-11-23 19:55 -------- d-----w- c:\windows\system32\wbem\Repository
2009-11-23 17:06 . 2009-11-23 17:06 -------- d-----w- C:\$AVG
2009-11-23 17:06 . 2009-11-23 17:06 12464 ----a-w- c:\windows\system32\avgrsstx(2).dll
2009-11-23 17:06 . 2009-11-23 17:08 -------- d-----w- c:\windows\system32\drivers\Avg(2)
2009-11-23 17:05 . 2009-11-23 17:05 -------- d-----w- c:\program files\AVG
2009-11-23 17:05 . 2009-11-23 20:55 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-11 00:06 . 2009-01-03 23:40 -------- d-----w- c:\program files\Earl
2009-12-09 02:12 . 2008-12-29 01:43 1744 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-08 14:24 . 2009-11-07 17:56 -------- d-----w- c:\program files\MyDefrag v4.2.5
2009-12-03 17:06 . 2009-10-16 22:46 -------- d-----w- c:\documents and settings\Earl\Application Data\Digital Support
2009-12-03 17:05 . 2009-01-10 19:24 -------- d-----w- c:\program files\Google
2009-12-01 18:05 . 2008-12-04 01:02 -------- d-----w- c:\program files\Rose
2009-11-25 21:25 . 2008-12-13 18:22 2180 ----a-w- c:\windows\system32\d3d8caps.dat
2009-11-25 19:43 . 2008-12-26 02:57 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-25 19:08 . 2008-12-03 23:54 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-24 19:05 . 2009-10-15 01:33 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-24 19:05 . 2009-10-15 01:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-24 17:46 . 2009-10-11 20:22 108920 ----a-w- c:\documents and settings\HelpAssistant.PREMIO18G\g2ax_customer_downloadhelper_win32_x86.exe
2009-11-24 17:46 . 2009-01-27 20:50 108920 ----a-w- c:\documents and settings\Earl\g2ax_customer_downloadhelper_win32_x86.exe
2009-10-31 13:31 . 2009-11-07 17:56 926720 ----a-w- c:\windows\system32\MyDefragScreenSaver.exe
2009-10-29 07:45 . 2008-04-14 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-10-28 14:58 . 2009-11-07 17:56 93696 ----a-w- c:\windows\system32\MyDefragScreenSaver.scr
2009-10-27 21:46 . 2008-11-22 18:35 37880 ----a-w- c:\documents and settings\Earl\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-24 14:50 . 2008-11-22 19:14 -------- d-----w- c:\program files\OpenOffice.org 3
2009-10-24 14:35 . 2009-10-24 14:35 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-10-24 11:28 . 2009-01-05 20:53 1044 ----a-w- c:\documents and settings\Earl\Application Data\wklnhst.dat
2009-10-23 23:59 . 2009-10-23 23:57 7532 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-10-23 23:59 . 2009-10-23 23:57 550944 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-10-23 02:09 . 2009-10-23 02:09 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2009-10-23 00:45 . 2009-10-23 00:45 -------- d-----w- c:\program files\NETGEAR
2009-10-23 00:45 . 2008-12-04 00:03 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-22 03:42 . 2008-12-29 15:40 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-22 00:17 . 2009-10-22 00:17 0 ----a-w- c:\windows\IntIgn0xF28456.dat
2009-10-21 19:50 . 2008-12-29 15:39 -------- d-----w- c:\program files\MSN Games
2009-10-21 18:31 . 2009-10-21 18:30 -------- d-----w- c:\documents and settings\Earl\Application Data\MissTeriTale3
2009-10-21 18:01 . 2008-12-29 15:39 -------- d-----w- c:\program files\Oberon Media
2009-10-21 05:38 . 2008-04-14 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2008-04-14 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2008-04-14 12:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-15 20:10 . 2009-01-03 23:44 -------- d-----w- c:\program files\Games
2009-10-15 17:23 . 2008-12-11 20:49 1 ----a-w- c:\documents and settings\Earl\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-10-15 04:10 . 2008-11-22 19:07 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-10-15 02:34 . 2008-12-28 16:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-15 02:34 . 2008-12-28 16:14 4045527 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-10-15 01:10 . 2009-10-15 01:10 -------- d-----w- c:\program files\Trend Micro
2009-10-13 14:51 . 2009-10-13 12:52 -------- d-----w- c:\program files\Common Files\Oberon Media
2009-10-13 13:50 . 2009-01-06 17:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Sandlot Games
2009-10-13 10:30 . 2008-04-14 12:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2008-04-14 12:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2008-04-14 12:00 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 07:01 . 2009-07-15 19:24 -------- d-----w- c:\program files\Microsoft Silverlight
.

((((((((((((((((((((((((((((( SnapShot_2009-12-09_14.33.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-11 00:38 . 2009-12-11 00:38 16384 c:\windows\Temp\Perflib_Perfdata_7dc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe -atboottime" [X]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-25 149280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.sys

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AppPortal (Desktop-Integrated).lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AppPortal (Desktop-Integrated).lnk
backup=c:\windows\pss\AppPortal (Desktop-Integrated).lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks 2002 Delivery Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks 2002 Delivery Agent.lnk
backup=c:\windows\pss\QuickBooks 2002 Delivery Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WG111v2 Smart Wizard Wireless Setting.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WG111v2 Smart Wizard Wireless Setting.lnk
backup=c:\windows\pss\WG111v2 Smart Wizard Wireless Setting.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:00 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2009-09-10 18:53 1312080 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/23/2009 4:04 PM 108289]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [12/3/2008 7:03 PM 66048]
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [10/22/2009 8:29 PM 167808]
R3 SMC1211;SMC EZ Card 10/100 PCI (SMC1211 Series) NT 5.0 Driver;c:\windows\system32\drivers\SMC1211.sys [11/22/2008 1:23 PM 23153]
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [10/22/2009 7:45 PM 13532]
S4 OcHealthMon;Windows Live OneCare Health Monitor; [x]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\Earl\Application Data\Mozilla\Firefox\Profiles\oipm32ca.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-10 19:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3464)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-12-10 19:51:41
ComboFix-quarantined-files.txt 2009-12-11 00:51
ComboFix2.txt 2009-12-11 00:21
ComboFix3.txt 2009-12-10 18:30
ComboFix4.txt 2009-12-09 14:35
ComboFix5.txt 2009-12-11 00:43

Pre-Run: 30,121,242,624 bytes free
Post-Run: 30,086,082,560 bytes free

- - End Of File - - 0D1700D7EB3D123243876336E90D550A



Earl C. Werntz

#28 TheJoker

TheJoker

    Forum Deity

  • Boot Camp Mod
  • 14,480 posts

Posted 10 December 2009 - 08:20 PM

Your last run of ComboFix didn't do anything; there may have been an error running it, or creating the script file. We'll address that later.

For your Windows Live OneCare problem, the best way to remove it is to reinstall it, and then uninstall it, but you need to remove your present antivirus first.

Download the Windows Live OneCare Trial from here:
http://onecare.live....all/install.htm

If you don't have a copy of the Avira AntiVir Personal Free Antivirus available, download that now also from here:
http://www.free-av.com
  • Disconnect from the Internet (pull your connection cable).
  • Uninstall Avira AntiVir Personal - Free Antivirus from Control Panel's Add or Remove Programs.
  • Restart your system.
  • Double click on the Windows Live OneCare Trial (SetupOneCare.exe) that you downloaded.
  • Restart your system.
  • Uninstall Windows Live OneCare Trial from Control Panel's Add or Remove Programs.
  • Restart your system.
  • Reinstall Avira AntiVir Personal - Free Antivirus.
  • Reconnect to the Internet and update Avira AntiVir.
Please post a new HijackThis log.



#29 TheJoker

TheJoker

    Forum Deity

  • Boot Camp Mod
  • 14,480 posts

Posted 08 January 2010 - 05:12 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.





