Assistance required

Started by Mithrandirxx, July 23, 2010, 01:59:31 PM


Corrine



Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Mithrandirxx

Well, no worries on the BB coding; BB coding is the bane of all, myself included. I did figure that issue out. However, it seems the program in question is either broken at the source, hates the Mountain time zone or dislikes my household... not sure why, but it refuses to start when clicked; the program throws a lovely little fit about encountering a problem and needing to close. I hunted for the program to see if it was simply the Sevenforums one that glitched, but it seems to be all variations, from fileden to Majorgeeks.
"Those who are skilled in combat do not become angered, those who are skilled at winning do not become afraid. Thus the wise win before they fight, while the ignorant fight to win." Zhuge Liang

Mithrandirxx

Well, after trying and trying to get SF IE Restorer to work, we have an epic fail. I even removed .NET Framework 3.5 and reinstalled it, and I still cannot get SF IE Restorer to work. It continues to claim that it has encountered an error and must close. So if there's a slower way, or an alternative program, or another copy of SF IE somewhere where it might work, that would be great, because at least all 9 copies I've downloaded seem to fail on attempting to open.

Mithrandirxx

Malwarebytes Logs

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4338

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/22/2010 11:01:53 AM
mbam-log-2010-07-22 (11-01-53).txt

Scan type: Full scan (C:\|F:\|)
Objects scanned: 195727
Time elapsed: 3 hour(s), 25 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 (Trojan.Dropper) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\7N95EXKO\qkl4Cix7f4XUCs8MTQ1fGRvd25sb2FkfA==18k[1].gif (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\My Documents\Programs\Todd's Stuff\Wamn\ERDNTWIN.OVL (Trojan.Banker) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\6to4v32.dll (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\wintybrd.png (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\wintybrdf.jpg (Malware.Trace) -> Quarantined and deleted successfully.



Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4338

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/22/2010 7:32:49 AM
mbam-log-2010-07-22 (07-32-49).txt

Scan type: Full scan (C:\|F:\|)
Objects scanned: 27814
Time elapsed: 13 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1a26f07f-0d60-4835-91cf-1e1766a0ec56} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Downloaded Program Files\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.

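The two MBAM logs above are read by hand in this thread. As an added example (not code from the thread or from Malwarebytes), the following Python parses an MBAM 1.x text log, checks that the declared counts in the summary block match the detection lines actually listed, flags detections whose action was anything other than "Quarantined and deleted successfully", and pulls out registry hits under CurrentControlSet\Services, the location where a dropper registers itself as a service or driver. The sample log is constructed from the first log posted above: abbreviated, with one file line left out and the certstore.dat action changed to "Delete on reboot" so that both checks fire.

```python
"""Parse Malwarebytes' Anti-Malware 1.x text logs and sanity-check what they claim."""
import re
from collections import Counter, defaultdict

# Section names used by MBAM 1.x; the summary block repeats them with a count.
SECTIONS = (
    "Memory Processes Infected", "Memory Modules Infected",
    "Registry Keys Infected", "Registry Values Infected",
    "Registry Data Items Infected", "Folders Infected", "Files Infected",
)
SUMMARY_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected): (?P<count>\d+)$")
# "<object> (<threat name>) -> <action taken>."
ITEM_RE = re.compile(r"^(?P<object>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
NO_ITEMS = "(No malicious items detected)"
OK_ACTION = "quarantined and deleted successfully"

def parse_mbam_log(text):
    """Return header fields, declared counts and the detection lines per section."""
    header, summary, items = {}, {}, defaultdict(list)
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:                                   # e.g. "Files Infected: 6"
            summary[m.group("name")] = int(m.group("count"))
            continue
        if line.endswith(":") and line[:-1] in SECTIONS:
            section = line[:-1]                 # start of a detection list
            continue
        if section is None:                     # still in the header block
            if ": " in line:
                key, value = line.split(": ", 1)
                header[key] = value
            continue
        if line == NO_ITEMS:
            continue
        m = ITEM_RE.match(line)
        if m:
            items[section].append(m.groupdict())
    return {"header": header, "summary": summary, "items": dict(items)}

def reconcile(report):
    """Sections whose declared count differs from the lines actually listed."""
    bad = {}
    for name in SECTIONS:
        declared = report["summary"].get(name, 0)
        listed = len(report["items"].get(name, []))
        if declared != listed:
            bad[name] = (declared, listed)
    return bad

def unresolved(report):
    """Detections that were not quarantined and deleted, so still need follow-up."""
    return [(sect, it["object"], it["action"])
            for sect, its in report["items"].items() for it in its
            if it["action"].lower() != OK_ACTION]

def threat_families(report):
    """How many hits each threat name produced, across all sections."""
    return Counter(it["threat"] for its in report["items"].values() for it in its)

def service_persistence(report):
    """Registry hits under CurrentControlSet\\Services: malware installed as a driver or service."""
    return [it["object"] for it in report["items"].get("Registry Keys Infected", [])
            if "\\currentcontrolset\\services\\" in it["object"].lower()]

# Constructed sample: the first log from the thread, abbreviated, with one file line
# left out and certstore.dat's action changed so both checks below fire.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.46
Database version: 4338
Scan type: Full scan (C:\|F:\|)
Objects scanned: 195727
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 (Trojan.Dropper) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\7N95EXKO\qkl4Cix7f4XUCs8MTQ1fGRvd25sb2FkfA==18k[1].gif (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\6to4v32.dll (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\certstore.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\wintybrd.png (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\wintybrdf.jpg (Malware.Trace) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    print("count mismatches:", reconcile(rep))
    print("unresolved:", unresolved(rep))
    print("service persistence:", service_persistence(rep))
    print("threat families:", threat_families(rep).most_common())
```

A count mismatch or an unresolved item is the cue to ask for a fresh scan rather than treating the log as a clean bill of health.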

Mithrandirxx

Judging by what you told me to do with that program, I hunted down Run commands, "Netsh Int Ip RestC;/Resetlog.txt", "Ip Config Flush DNS", and a program called WinsockxpFix.exe from Major Geeks. These seem to have at least given the computer a more stable footing online. If you would like, I can re-run the scans and post the logs.

Corrine

Hi, Mithrandirxx.

Are you sure you need my help?  LOL  Good job.  Although it is supposed to work on XP, it appears SF IE Restorer isn't the best option.

After looking at the results of the MBAM logs, I think we need to bring in the big guns, so to speak, and see what that gives us.

Please follow these instructions carefully.

Download ComboFix from one of the following locations:

Link 1
Link 2

!!! IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your antivirus and anti-malware security applications. If not disabled, these programs will likely interfere with the cleanup process. This can usually be accomplished by a right-click on the icon in the System Tray.

Note:  If you are unsure how to disable your security software, see the instructions in this topic at Tech Support Forum:  How to disable your security applications.

Now, please run ComboFix:

  • Note:  If infections are found, ComboFix will automatically reboot the machine to complete the removal process.  Please ensure all opened windows are closed before proceeding.
  • Double-click ComboFix.exe on your desktop and follow the prompts.
  • As part of the process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. The Recovery Console will allow you to start up the computer in a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    Please note: If the Microsoft Windows Recovery Console is already installed on the computer, ComboFix will continue the malware removal procedures.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • After the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  • Click "Yes" to continue scanning for malware.
  • When finished, a log will be produced. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.



Mithrandirxx

Corrine, if anything can be said about me running leg work, it's just that I hate being kept from sleeping by the evil person who owns this machine. That, and in the time since I found Landzdown I've learned a lot from you all. Yay for ComboFix! Well, let's start with the ComboFix log first.


ComboFix 10-07-23.04 - Administrator 07/24/2010  13:47:25.1.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2015.1514 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\~WRD0000.tmp
c:\program files\Search Enhancer Toolbar
c:\windows\mdll.dl
c:\windows\settings.reg
c:\windows\system32\Data

Infected copy of c:\windows\system32\drivers\redbook.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4


(((((((((((((((((((((((((   Files Created from 2010-06-24 to 2010-07-24  )))))))))))))))))))))))))))))))
.

2010-07-24 16:45 . 2010-07-24 19:47   --------   d-----w-   c:\windows\system32\CatRoot2
2010-07-24 16:06 . 2010-07-24 16:06   --------   d-----w-   c:\program files\Common Files\Java
2010-07-24 16:05 . 2010-06-22 10:36   423656   ----a-w-   c:\windows\system32\deployJava1.dll
2010-07-24 11:18 . 2010-07-24 11:18   171400   ----a-w-   c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-07-24 11:17 . 2010-07-24 11:17   --------   d-----w-   c:\program files\MSBuild
2010-07-24 11:17 . 2010-07-24 11:17   --------   d-----w-   c:\windows\system32\XPSViewer
2010-07-23 13:54 . 2010-07-23 13:54   0   ----a-w-   c:\documents and settings\Administrator\settings.dat
2010-07-23 13:41 . 2010-07-23 13:43   --------   d-----w-   C:\rsit
2010-07-23 13:40 . 2010-07-23 13:40   --------   d-----w-   c:\program files\ERUNT
2010-07-23 13:30 . 2010-07-23 13:43   --------   d-----w-   c:\program files\Trend Micro
2010-07-23 04:39 . 2010-07-23 04:41   --------   dc-h--w-   c:\windows\ie8
2010-07-22 13:58 . 2010-07-22 14:01   --------   d--h--w-   c:\windows\system32\GroupPolicy
2010-07-22 13:23 . 2010-07-22 21:59   --------   d-----w-   c:\program files\Emsisoft Anti-Malware
2010-07-22 13:18 . 2010-07-22 13:18   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-07-22 13:17 . 2010-04-29 21:39   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-22 13:17 . 2010-07-22 13:17   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-22 13:17 . 2010-07-22 13:17   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-07-22 13:17 . 2010-04-29 21:39   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-07-21 00:26 . 2010-07-24 18:09   664   ----a-w-   c:\windows\system32\d3d9caps.dat
2010-07-15 14:39 . 2010-07-15 14:39   12536   ----a-w-   c:\windows\system32\avgrsstx.dll
2010-07-14 03:34 . 2010-06-14 14:31   744448   -c----w-   c:\windows\system32\dllcache\helpsvc.exe
2010-06-26 18:30 . 2010-06-26 18:30   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Trusteer
2010-06-26 18:30 . 2010-06-26 18:30   --------   d-----w-   c:\program files\Trusteer
2010-06-26 18:29 . 2010-06-26 18:29   --------   d-----w-   c:\documents and settings\All Users\Application Data\Trusteer

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-24 16:08 . 2010-07-24 16:08   503808   ----a-w-   c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-7b3f211f-n\msvcp71.dll
2010-07-24 16:08 . 2010-07-24 16:08   499712   ----a-w-   c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-7b3f211f-n\jmc.dll
2010-07-24 16:08 . 2010-07-24 16:08   348160   ----a-w-   c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-7b3f211f-n\msvcr71.dll
2010-07-24 16:08 . 2010-07-24 16:08   12800   ----a-w-   c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7299c02a-n\decora-d3d.dll
2010-07-24 16:08 . 2010-07-24 16:08   61440   ----a-w-   c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7299c02a-n\decora-sse.dll
2010-07-24 16:05 . 2009-05-09 00:32   --------   d-----w-   c:\program files\Java
2010-07-24 15:19 . 2006-07-23 01:02   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-24 12:03 . 2006-07-22 00:47   77664   ----a-w-   c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-24 08:15 . 2006-07-23 01:32   --------   d-----w-   c:\documents and settings\Administrator\Application Data\WeatherBug
2010-07-23 13:30 . 2010-07-23 13:30   388096   ----a-r-   c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-21 14:33 . 2009-12-02 20:34   --------   d-----w-   c:\documents and settings\All Users\Application Data\avg9
2010-07-21 12:03 . 2010-07-21 12:03   1615200   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll
2010-07-21 12:03 . 2010-07-21 12:03   1373536   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssff.dll
2010-07-21 12:03 . 2010-07-21 12:03   1107296   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\avgxpl.dll
2010-07-21 12:03 . 2010-07-21 12:03   4368224   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-07-15 14:40 . 2010-07-15 14:40   242896   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-07-15 14:40 . 2010-07-15 14:40   216200   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
2010-07-15 14:39 . 2008-05-24 12:53   243024   ----a-w-   c:\windows\system32\drivers\avgtdix.sys
2010-07-15 14:38 . 2008-05-24 12:53   216400   ----a-w-   c:\windows\system32\drivers\avgldx86.sys
2010-07-15 14:37 . 2010-07-15 14:37   1038688   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-07-15 14:37 . 2010-07-15 14:37   1690464   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-07-15 14:37 . 2010-07-15 14:37   813336   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll
2010-07-15 14:37 . 2010-07-15 14:37   624920   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2010-07-03 09:22 . 2009-03-30 18:58   --------   d-----w-   c:\program files\Opera
2010-07-01 18:07 . 2010-07-01 18:07   434176   ----a-w-   c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\17053\RapportMS.dll
2010-06-27 00:57 . 2009-08-30 18:16   --------   d-----w-   c:\documents and settings\Administrator\Application Data\HpUpdate
2010-06-22 02:27 . 2010-06-22 02:27   --------   d-----w-   c:\documents and settings\All Users\Application Data\SSScanAppDataDir
2010-06-22 02:27 . 2010-06-22 02:27   --------   d-----w-   c:\documents and settings\All Users\Application Data\MSScanAppDataDir
2010-06-14 14:31 . 2006-07-22 00:25   744448   ----a-w-   c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-08 19:11 . 2006-07-22 19:08   10   ----a-w-   c:\windows\popcinfo.dat
2010-06-08 17:04 . 2009-04-17 20:10   --------   d-----w-   c:\program files\Microsoft Silverlight
2010-06-02 15:11 . 2007-02-04 01:01   29584   ----a-w-   c:\windows\system32\drivers\avgmfx86.sys
2010-05-02 05:22 . 2004-08-04 12:00   1851264   ----a-w-   c:\windows\system32\win32k.sys
2009-12-03 06:54 . 2009-12-03 06:54   21290704   ----a-w-   c:\program files\AdbeRdr708_en_US.exe
2006-08-19 20:37 . 2006-08-19 20:26   7050552   ----a-w-   c:\program files\psa30se_en_us.exe
2006-08-19 20:26 . 2006-08-19 20:25   762512   ----a-w-   c:\program files\ytb612_efgsip.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2009-12-03 23:52   574096   ----a-r-   c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2009-12-03 23:52   574096   ----a-r-   c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2009-12-03 23:52   574096   ----a-r-   c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-15 2065760]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-15 14:39   12536   ----a-w-   c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 08:42   72208   ----a-w-   c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Carbonite Backup]
2009-12-03 23:52   670864   ----a-r-   c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2010-03-12 19:08   49208   ----a-w-   c:\program files\HP\HP Software Update\hpwuschd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-26 22:44   3883856   ----a-w-   c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
2006-04-07 21:02   1343488   ----a-w-   c:\program files\AWS\WeatherBug\Weather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/7/2009 7:08 PM 64160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/24/2008 6:53 AM 216400]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/24/2008 6:53 AM 243024]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [7/21/2006 7:04 PM 13696]
R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [7/1/2010 12:07 PM 59240]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [7/1/2010 12:07 PM 166632]
R2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [7/22/2010 7:23 AM 1935120]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/15/2010 8:39 AM 308136]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [7/1/2010 12:07 PM 840936]
R3 a2acc;a2acc;c:\program files\Emsisoft Anti-Malware\a2accx86.sys [7/22/2010 7:23 AM 71008]
R3 p17filt;p17filt;c:\windows\system32\drivers\p17filt.sys [3/20/2006 6:34 PM 1452032]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 3:34 PM 1029456]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [7/22/2010 7:17 AM 38224]
.
Contents of the 'Scheduled Tasks' folder

2010-07-20 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 01:08]

2010-07-24 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 22:07]

2010-07-21 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2010-05-19 22:48]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\yjivjoey.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - plugin: c:\progra~1\MEADCO~1\npmeadax.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
.
- - - - ORPHANS REMOVED - - - -

BHO-{25875464-7327-417C-8264-902D99CF6FD1} - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
AddRemove-MoraffMahJongg3_is1 - c:\program files\Moraff's Maximum MahJongg



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-24 13:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-796845957-1965331169-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3c,7b,c2,ce,f3,a1,cf,47,bc,59,4f,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3c,7b,c2,ce,f3,a1,cf,47,bc,59,4f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(5012)
c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Carbonite\Carbonite Backup\carboniteservice.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\HPZipm12.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-07-24  14:05:07 - machine was rebooted
ComboFix-quarantined-files.txt  2010-07-24 20:05

Pre-Run: 17,573,990,400 bytes free
Post-Run: 17,431,404,544 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - E3E1F5B4B59B621565C3EA8607F555BB

HJT Log

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:17:23 PM, on 7/24/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Emsisoft Anti-Malware\a2service.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\AVG\AVG9\avgui.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1153529458109
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by109fd.bay109.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - (no file)
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Emsisoft Anti-Malware 5.0 - Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\Emsisoft Anti-Malware\a2service.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: CarboniteService - Carbonite, Inc. (www.carbonite.com) - C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
O24 - Desktop Component 0: (no name) - http://by109fd.bay109.hotmail.msn.com/cgi-bin/saferd/scan%2ejpg?_lang=EN&hm___tg=http%3a%2f%2f64%2e4%2e19%2e250%2fcgi%2dbin%2fgetmsg%2fscan%252ejpg&hm___qs=%26msg%3d43BECA18%2d7165%2d4807%2d9FBC%2dB1E0E0B701F3%26start%3d0%26len%3d1777096%26mimepart%3d5%26curmbox%3d00000000%2d0000%2d0000%2d0000%2d000000000001%26b%3d6a71425cb5b86ca8ae7d516e6f13a7fa%26disk%3d10%2e1%2e106%2e207_d1388%26login%3dantjudi%26domain%3dhotmail%252ecom%26_lang%3dEN%26country%3dUS&hm___cacheh=1&file=scan%2ejpg&domain=hotmail.com
O24 - Desktop Component 1: (no name) - http://www.peoplefinders.com/images/spacer.gif




Corrine

Hi, Mithrandirxx.

You'll get a lot more sleep if the "evil person who owns that machine" keeps things updated, including third party software. 

Please update Adobe Reader.  The installed, vulnerable, version is Adobe Reader 8.2.2 and the current version is 9.33. http://get.adobe.com/reader/?promoid=BUIGO

Note:  Uncheck the "Free McAfee® Security Scan Plus" as it is not needed for the update.

I'm not seeing a software firewall installed. The following firewall programs are free for personal use.

Custom CFScript

Note: The following instructions were created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



  • Please open Notepad (Click Start -> Run -> type notepad in the Open field -> OK).  Copy/Paste all of the text present inside the code box below:

RegLock::
[HKEY_USERS\S-1-5-21-796845957-1965331169-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

Registry::
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} -


  • Save this as CFScript.txt and place it on your desktop.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

How is the computer running now?



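As an added example (not part of Corrine's instructions or of any tool named here), a small Python helper that parses HijackThis-style lines like the log earlier in this thread, flags entries whose registered file is absent ("(no file)" / "(file missing)") or whose Winsock LSP is unknown for a human to review, and renders only the entries the reviewer chose into the CFScript Registry:: form used in the post above. The sample lines are constructed from this thread's log; which orphaned entries are safe to remove stays a judgment call (the O20 AVG entry, for instance, was left alone because the ComboFix log shows avgrsstx.dll present).

```python
import re

# Constructed sample, shaped like the HijackThis log posted in this thread
# (a handful of its lines, embedded so the example runs offline).
SAMPLE_HJT_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - (no file)
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
"""

# An HJT line is "<section> - <body>", where the section is R0..R3, F0..F3 or O1..O24.
HJT_LINE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# HJT prints these when the registered file no longer exists on disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def parse_hjt(text):
    """Parse HijackThis-style lines into dicts; non-matching lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        body = m.group("body")
        clsid = CLSID.search(body)
        entries.append({
            "section": m.group("section"),
            "line": line,
            "clsid": clsid.group(0) if clsid else None,
            # Registered component whose file is gone: a leftover or a removed hook.
            "orphaned": any(body.endswith(mk) for mk in ORPHAN_MARKERS),
            # O10 entries HJT cannot attribute to a known LSP provider.
            "unknown_lsp": m.group("section") == "O10",
        })
    return entries


def flag_for_review(entries):
    """Candidates for a human to look at: orphaned entries and unknown LSPs.

    An absent file is not proof of malware. In this thread the O20 AVG entry
    (avgrsstx.dll) was left alone because the ComboFix log shows the DLL
    present, so this list is for review, not for automatic removal.
    """
    return [e for e in entries if e["orphaned"] or e["unknown_lsp"]]


def cfscript_registry_section(entries, clsids_to_remove):
    """Render reviewer-chosen orphaned entries in the CFScript Registry:: form
    used in the post above: the HJT line with '(no file)' dropped, leaving the
    trailing ' -'. Only entries ending in '(no file)' have that form, so other
    entries are ignored even if their CLSID is listed."""
    lines = ["Registry::"]
    for e in entries:
        if e["clsid"] not in clsids_to_remove or not e["line"].endswith("(no file)"):
            continue
        lines.append(e["line"][: -len("(no file)")].rstrip())
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_HJT_LOG)
    for entry in flag_for_review(parsed):
        print("REVIEW:", entry["line"])
    # The two CLSIDs chosen in the CFScript above (the reviewer's decision, not the tool's).
    chosen = {"{EF99BD32-C1FB-11D2-892F-0090271D4F88}",
              "{5C255C8A-E604-49b4-9D64-90988571CECB}"}
    print(cfscript_registry_section(parsed, chosen))
```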

Mithrandirxx

Sorry about the delay. After running the ComboFix + file alteration, the computer's a little happier, although there does seem to be an excessive lag in doing much of anything on here at the moment. According to Task Manager there is an Image named "System" being run by system that's always staying precisely at 100,960k, which I think may be the issue with it running super slow, or at least partly. However, IE seems to be happier and Windows Updates are accessible. Although every time IE starts it has a little pop-up that says my last session closed unexpectedly and would I like it to restore, even when I x'ed out of the last session of Explorer. If you have any ideas about the system thing in Task Manager or the IE pop-up I'd love to hear them. Thanks Corrine, you're a life (sleep) saver.

Mithrandirxx

Sorry, missed the part about posting the log.


So here we go.


ComboFix 10-07-24.01 - Administrator 07/25/2010   2:46.3.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2015.1156 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\Extended Repairkit\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Emsisoft Anti-Malware *On-access scanning disabled* (Outdated) {0F8591BB-342B-4493-91C3-4E948ED21255}
.

(((((((((((((((((((((((((   Files Created from 2010-06-25 to 2010-07-25  )))))))))))))))))))))))))))))))
.

2010-07-25 03:46 . 2010-07-25 03:46   --------   d-----w-   c:\windows\system32\winrm
2010-07-25 03:46 . 2010-07-25 03:46   --------   dc-h--w-   c:\windows\$968930Uinstall_KB968930$
2010-07-25 03:26 . 2010-07-25 03:26   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Windows Desktop Search
2010-07-25 03:24 . 2010-07-25 03:25   --------   d-----w-   c:\program files\Windows Desktop Search
2010-07-25 03:24 . 2008-03-07 17:02   98304   -c----w-   c:\windows\system32\dllcache\nlhtml.dll
2010-07-25 03:24 . 2008-03-07 17:02   29696   -c----w-   c:\windows\system32\dllcache\mimefilt.dll
2010-07-25 03:24 . 2008-03-07 17:02   192000   -c----w-   c:\windows\system32\dllcache\offfilt.dll
2010-07-24 16:45 . 2010-07-25 08:45   --------   d-----w-   c:\windows\system32\CatRoot2
2010-07-24 16:08 . 2010-07-24 16:08   503808   ----a-w-   c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-7b3f211f-n\msvcp71.dll
2010-07-24 16:08 . 2010-07-24 16:08   499712   ----a-w-   c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-7b3f211f-n\jmc.dll
2010-07-24 16:08 . 2010-07-24 16:08   348160   ----a-w-   c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-7b3f211f-n\msvcr71.dll
2010-07-24 16:08 . 2010-07-24 16:08   12800   ----a-w-   c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7299c02a-n\decora-d3d.dll
2010-07-24 16:08 . 2010-07-24 16:08   61440   ----a-w-   c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7299c02a-n\decora-sse.dll
2010-07-24 16:06 . 2010-07-24 16:06   --------   d-----w-   c:\program files\Common Files\Java
2010-07-24 16:05 . 2010-06-22 10:36   423656   ----a-w-   c:\windows\system32\deployJava1.dll
2010-07-24 11:17 . 2010-07-24 11:17   --------   d-----w-   c:\program files\MSBuild
2010-07-24 11:17 . 2010-07-24 20:34   --------   d-----w-   c:\windows\system32\XPSViewer
2010-07-23 13:54 . 2010-07-23 13:54   0   ----a-w-   c:\documents and settings\Administrator\settings.dat
2010-07-23 13:41 . 2010-07-23 13:43   --------   d-----w-   C:\rsit
2010-07-23 13:40 . 2010-07-23 13:40   --------   d-----w-   c:\program files\ERUNT
2010-07-23 13:30 . 2010-07-23 13:43   --------   d-----w-   c:\program files\Trend Micro
2010-07-23 13:30 . 2010-07-23 13:30   388096   ----a-r-   c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-23 04:39 . 2010-07-23 04:41   --------   dc-h--w-   c:\windows\ie8
2010-07-22 13:58 . 2010-07-22 14:01   --------   d--h--w-   c:\windows\system32\GroupPolicy
2010-07-22 13:23 . 2010-07-22 21:59   --------   d-----w-   c:\program files\Emsisoft Anti-Malware
2010-07-22 13:18 . 2010-07-22 13:18   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-07-22 13:17 . 2010-04-29 21:39   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-22 13:17 . 2010-07-22 13:17   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-22 13:17 . 2010-07-22 13:17   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-07-22 13:17 . 2010-04-29 21:39   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-07-21 12:03 . 2010-07-21 12:03   1615200   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll
2010-07-21 12:03 . 2010-07-21 12:03   1373536   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssff.dll
2010-07-21 12:03 . 2010-07-21 12:03   1107296   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\avgxpl.dll
2010-07-21 12:03 . 2010-07-21 12:03   4368224   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-07-21 00:26 . 2010-07-24 18:09   664   ----a-w-   c:\windows\system32\d3d9caps.dat
2010-07-15 14:40 . 2010-07-15 14:40   242896   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-07-15 14:40 . 2010-07-15 14:40   216200   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
2010-07-15 14:39 . 2010-07-15 14:39   12536   ----a-w-   c:\windows\system32\avgrsstx.dll
2010-07-15 14:37 . 2010-07-15 14:37   1038688   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-07-15 14:37 . 2010-07-15 14:37   1690464   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-07-15 14:37 . 2010-07-15 14:37   813336   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll
2010-07-15 14:37 . 2010-07-15 14:37   624920   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2010-07-14 03:34 . 2010-06-14 14:31   744448   -c----w-   c:\windows\system32\dllcache\helpsvc.exe
2010-07-01 18:07 . 2010-07-01 18:07   434176   ----a-w-   c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\17053\RapportMS.dll
2010-06-26 18:30 . 2010-06-26 18:30   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Trusteer
2010-06-26 18:30 . 2010-06-26 18:30   --------   d-----w-   c:\program files\Trusteer
2010-06-26 18:29 . 2010-06-26 18:29   --------   d-----w-   c:\documents and settings\All Users\Application Data\Trusteer

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-25 08:41 . 2006-07-22 00:47   77664   ----a-w-   c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-25 03:48 . 2009-10-21 22:33   --------   d-----w-   c:\program files\Microsoft.NET
2010-07-25 03:27 . 2006-07-24 16:03   --------   d-----w-   c:\program files\Common Files\Adobe
2010-07-24 16:05 . 2009-05-09 00:32   --------   d-----w-   c:\program files\Java
2010-07-24 15:19 . 2006-07-23 01:02   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-24 08:15 . 2006-07-23 01:32   --------   d-----w-   c:\documents and settings\Administrator\Application Data\WeatherBug
2010-07-21 14:33 . 2009-12-02 20:34   --------   d-----w-   c:\documents and settings\All Users\Application Data\avg9
2010-07-15 14:39 . 2008-05-24 12:53   243024   ----a-w-   c:\windows\system32\drivers\avgtdix.sys
2010-07-15 14:38 . 2008-05-24 12:53   216400   ----a-w-   c:\windows\system32\drivers\avgldx86.sys
2010-07-03 09:22 . 2009-03-30 18:58   --------   d-----w-   c:\program files\Opera
2010-06-27 00:57 . 2009-08-30 18:16   --------   d-----w-   c:\documents and settings\Administrator\Application Data\HpUpdate
2010-06-22 02:27 . 2010-06-22 02:27   --------   d-----w-   c:\documents and settings\All Users\Application Data\SSScanAppDataDir
2010-06-22 02:27 . 2010-06-22 02:27   --------   d-----w-   c:\documents and settings\All Users\Application Data\MSScanAppDataDir
2010-06-14 14:31 . 2006-07-22 00:25   744448   ----a-w-   c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-08 19:11 . 2006-07-22 19:08   10   ----a-w-   c:\windows\popcinfo.dat
2010-06-08 17:04 . 2009-04-17 20:10   --------   d-----w-   c:\program files\Microsoft Silverlight
2010-06-02 15:11 . 2007-02-04 01:01   29584   ----a-w-   c:\windows\system32\drivers\avgmfx86.sys
2010-05-06 10:41 . 2010-07-24 20:00   916480   ----a-w-   c:\windows\system32\SET655.tmp
2010-05-06 10:41 . 2010-07-24 20:00   1209344   ----a-w-   c:\windows\system32\SET656.tmp
2010-05-06 10:41 . 2010-07-24 20:00   5950976   ----a-w-   c:\windows\system32\SET659.tmp
2010-05-06 10:41 . 2010-07-24 20:01   25600   ----a-w-   c:\windows\system32\SET65D.tmp
2010-05-06 10:41 . 2010-07-24 20:01   599040   ----a-w-   c:\windows\system32\SET65C.tmp
2010-05-06 10:41 . 2010-07-24 20:01   55296   ----a-w-   c:\windows\system32\SET65B.tmp
2010-05-06 10:41 . 2010-07-24 20:00   184320   ----a-w-   c:\windows\system32\SET661.tmp
2010-05-06 10:41 . 2010-07-24 20:00   1985536   ----a-w-   c:\windows\system32\SET65F.tmp
2010-05-06 10:41 . 2010-07-24 20:00   11076096   ----a-w-   c:\windows\system32\SET662.tmp
2010-05-02 05:22 . 2004-08-04 12:00   1851264   ----a-w-   c:\windows\system32\win32k.sys
2009-12-03 06:54 . 2009-12-03 06:54   21290704   ----a-w-   c:\program files\AdbeRdr708_en_US.exe
2006-08-19 20:37 . 2006-08-19 20:26   7050552   ----a-w-   c:\program files\psa30se_en_us.exe
2006-08-19 20:26 . 2006-08-19 20:25   762512   ----a-w-   c:\program files\ytb612_efgsip.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2009-12-03 23:52   574096   ----a-r-   c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2009-12-03 23:52   574096   ----a-r-   c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2009-12-03 23:52   574096   ----a-r-   c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-15 2065760]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 282624]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-15 14:39   12536   ----a-w-   c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 08:42   72208   ----a-w-   c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Carbonite Backup]
2009-12-03 23:52   670864   ----a-r-   c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2010-03-12 19:08   49208   ----a-w-   c:\program files\HP\HP Software Update\hpwuschd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-26 22:44   3883856   ----a-w-   c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 17:44   248552   ----a-w-   c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
2006-04-07 21:02   1343488   ----a-w-   c:\program files\AWS\WeatherBug\Weather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/7/2009 7:08 PM 64160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/24/2008 6:53 AM 216400]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/24/2008 6:53 AM 243024]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [7/21/2006 7:04 PM 13696]
R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [7/1/2010 12:07 PM 59240]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [7/1/2010 12:07 PM 166632]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/15/2010 8:39 AM 308136]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [7/1/2010 12:07 PM 840936]
S2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [7/22/2010 7:23 AM 1935120]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 a2acc;a2acc;c:\program files\Emsisoft Anti-Malware\a2accx86.sys [7/22/2010 7:23 AM 71008]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 3:34 PM 1029456]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [7/22/2010 7:17 AM 38224]
S3 p17filt;p17filt;c:\windows\system32\drivers\p17filt.sys [3/20/2006 6:34 PM 1452032]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/4/2004 6:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM   REG_MULTI_SZ      WINRM
.
Contents of the 'Scheduled Tasks' folder

2010-07-25 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 01:08]

2010-07-25 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 22:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\yjivjoey.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-25 02:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-796845957-1965331169-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3c,7b,c2,ce,f3,a1,cf,47,bc,59,4f,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3c,7b,c2,ce,f3,a1,cf,47,bc,59,4f,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(672)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(27408)
c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
.
Completion time: 2010-07-25  02:56:34
ComboFix-quarantined-files.txt  2010-07-25 08:56
ComboFix2.txt  2010-07-25 05:43
ComboFix3.txt  2010-07-24 20:05

Pre-Run: 15,821,451,264 bytes free
Post-Run: 15,804,928,000 bytes free

- - End Of File - - AEA9BD48F4D1989F93BBD83361C50358

Corrine

Let's see what some cleanup does and then an online scan.

Download TFC by Old Timer from here (direct download):  http://www.itxassociates.com/OT-Tools/TFC.exe

  • First, save any files as TFC will close ALL open programs including your browser!
  • Double-click on TFC.exe to run it. If you are using Vista/Windows 7 right-click on the file and choose Run As Administrator.
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
More info:
TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder. It also cleans out the %systemroot%\temp folder and checks for .tmp files in the %systemdrive% root folder, %systemroot%, and the system32 folder (both 32bit and 64bit on 64bit OSs). It shows the amount removed for each location found (in bytes) and the total removed (in MB).

Before running, it will stop Explorer and all other running applications. When finished, if a reboot is required the user must reboot to finish clearing any in-use temp files.
-- TFC only cleans temp folders.
-- TFC will not clean URL history, prefetch, or cookies. Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, it can take anywhere from a few seconds to a minute or more. TFC will completely clear all temp files where other temp file cleaners may fail.

TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

Next, please go here to run an on-line scan from ESET.
  • Note: It is easiest if you use Internet Explorer for this scan.  (If you use an alternate browser, it will be necessary to download the ESET Smart Installer)
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic.




Mithrandirxx

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=d02b3b8bad2d6649b76d669ba6f9586a
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-07-26 10:36:42
# local_time=2010-07-26 04:36:42 (-0700, Mountain Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777191 100 0 20267224 20267224 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=73769
# found=2
# cleaned=0
# scan_time=4504
C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.32.1\setup.exe   probably a variant of Win32/Agent trojan   00000000000000000000000000000000   I
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\redbook.sys.vir   Win32/Olmarik.ZC trojan   00000000000000000000000000000000   I

Corrine

Hi, Mithrandirxx.

If you are still seeing problems with IE not shutting down correctly, please run the Microsoft Fix it solution at http://support.microsoft.com/kb/318378.

Without additional information on the "system" item you referenced, I can't help there.

Other than that, how is the computer now?



Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Mithrandirxx

Well, the computer is running much better. I even got a letter from the evil owner thanking us (you and I). As for the system item, I wish I had more information other than it shows up in Task Manager and claims to be untouchable: changing the priority is against its will, killing it just to see if it will kill the computer doesn't even work, it just remains, taking its 1000960k and doing nothing I can track down. However, if the system is working and I am permitted to sleep, then I think we are good. Thanks a million, Corrine.
"Those who are skilled in combat do not become angered, those who are skilled at winning do not become afraid. Thus the wise win before they fight, while the ignorant fight to win." Zhuge Liang

Corrine

Please tell the evil owner that s/he is welcome. :)

As to the process, without more information, the only thing I can suggest is to use Process Monitor: http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

Please do the following to implement cleanup procedures and also to reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Note: In the event you wish to contribute to the ongoing development of ComboFix, the developer is accepting donations via PayPal.


Kindly pass along to the evil owner (such a tag to live with :) ) that having a firewall, anti-virus and anti-malware software is not enough. You also need to stay current with security updates. If you don't have your computer set to automatically install the Microsoft Security Updates, please check for updates now. For additional information, see my blog post Understanding Microsoft Updates.

To check if your system is missing security updates or has insecure applications installed, visit http://secunia.com/software_inspector/. The Secunia Software Inspector runs through your browser with no installation or download required and does the following:

  • Detects insecure versions of applications installed
  • Verifies that all Microsoft patches are applied
  • Assists you in updating your system and applications

Install and update SpywareBlaster to prevent the installation of spyware and other potentially unwanted software: http://www.javacoolsoftware.com/spywareblaster.html

My favorite security software is WinPatrol which includes the features described at http://www.winpatrol.com/features.html



Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.