
Author Topic: Explore.exe and services.exe virus - Windows XP...!!!  (Read 22077 times)


Rezinus

    Topic Starter


    Rookie

    Explore.exe and services.exe virus - Windows XP...!!!
    « on: December 09, 2010, 04:46:04 PM »
    I think I have viruses on my PC and need assistance in removing them. They could be viruses still present from before re-installing OS.

    Both explorer.exe and services.exe are running processes currently, and I believe they are viruses. My PC and internet are slowing to a crawl so I need help with removal ASAP!


    Any help is greatly appreciated.

    Allan

    • Moderator

    • Mastermind
    • Thanked: 1260
    • Experience: Guru
    • OS: Windows 10
    Re: Explore.exe and services.exe virus - Windows XP...!!!
    « Reply #1 on: December 09, 2010, 04:49:10 PM »
    Please follow the instructions in the following link and post your logs:
    http://www.computerhope.com/forum/index.php/topic,46313.0.html

    Rezinus

      Topic Starter


      Rookie

      Re: Explore.exe and services.exe virus - Windows XP...!!!
      « Reply #2 on: December 09, 2010, 05:49:08 PM »
      SAS log:

      SUPERAntiSpyware Scan Log
      http://www.superantispyware.com

      Generated 12/09/2010 at 04:42 PM

      Application Version : 4.46.1000

      Core Rules Database Version : 5981
      Trace Rules Database Version: 3793

      Scan type       : Complete Scan
      Total Scan Time : 00:36:48

      Memory items scanned      : 444
      Memory threats detected   : 0
      Registry items scanned    : 5434
      Registry threats detected : 0
      File items scanned        : 28896
      File threats detected     : 83

      Adware.Tracking Cookie

      Rezinus

        Topic Starter


        Rookie

        Re: Explore.exe and services.exe virus - Windows XP...!!!
        « Reply #3 on: December 09, 2010, 05:59:25 PM »
        HJT:

        Logfile of Trend Micro HijackThis v2.0.4
        Scan saved at 4:56:35 PM, on 12/9/2010
        Platform: Windows XP SP3 (WinNT 5.01.2600)
        MSIE: Internet Explorer v8.00 (8.00.6001.18702)
        Boot mode: Normal

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\Explorer.EXE
        C:\WINDOWS\system32\spoolsv.exe
        C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
        C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
        C:\WINDOWS\system32\ctfmon.exe
        C:\Program Files\AOL Desktop 9.6\waol.exe
        C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
        C:\Program Files\Java\jre6\bin\jqs.exe
        C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
        C:\Program Files\TuneUp Utilities 2011\TuneUpUtilitiesService32.exe
        C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
        C:\Program Files\TuneUp Utilities 2011\TuneUpUtilitiesApp32.exe
        C:\Program Files\AOL Desktop 9.6\shellmon.exe
        C:\WINDOWS\system32\taskmgr.exe
        C:\WINDOWS\system32\msiexec.exe
        C:\Program Files\Trend Micro\HiJackThis\sniper.exe.exe

        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
        O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
        O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
        O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
        O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
        O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
        O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
        O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
        O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
        O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL Desktop 9.6\AOL.EXE" -b
        O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
        O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
        O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
        O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
        O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
        O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
        O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
        O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
        O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
        O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
        O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
        O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
        O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
        O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
        O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
        O23 - Service: TuneUp Utilities Service (TuneUp.UtilitiesSvc) - TuneUp Software - C:\Program Files\TuneUp Utilities 2011\TuneUpUtilitiesService32.exe

        --
        End of file - 4831 bytes
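
A triage helper for the HijackThis log above, added here as an example; it is not part of the thread and not code from HijackThis or any other tool mentioned. It answers the question the topic starter asked: a core Windows process is only expected from one directory, so the same name in a different directory is what deserves a closer look, and an O4 autostart entry given as a bare filename has to be located before it can be judged. The allow-list of expected directories is an assumption of the example, and the sample log is a shortened copy of the posted one plus one constructed line (C:\WINDOWS\services.exe) that shows what a mismatch looks like.

```python
"""Triage helper for a HijackThis log.

Constructed for this example: EXPECTED_DIRS is an assumed allow-list, not an
authoritative one, and SAMPLE_LOG is a shortened copy of the posted log plus one
constructed line (C:\\WINDOWS\\services.exe) that shows a mismatch.
"""
from __future__ import annotations

import ntpath  # Windows path rules regardless of the OS this runs on
import re

# Directory (lower-case) from which each core Windows XP process is expected to run.
EXPECTED_DIRS = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# O4 lines look like:  O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4_RE = re.compile(r"^O4 - (?P<hive>\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\services.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""


def running_processes(log: str) -> list[str]:
    """Return the paths listed under 'Running processes:' up to the next blank line."""
    lines = [ln.strip() for ln in log.splitlines()]
    if "Running processes:" not in lines:
        return []
    procs = []
    for line in lines[lines.index("Running processes:") + 1:]:
        if not line:
            break
        procs.append(line)
    return procs


def check_process_locations(log: str) -> list[tuple[str, str]]:
    """Flag core processes that run from a directory other than the expected one.

    services.exe or explorer.exe running is normal; the same name in an
    unexpected directory is the thing worth checking.
    """
    findings = []
    for path in running_processes(log):
        name = ntpath.basename(path).lower()
        parent = ntpath.dirname(path).lower()
        expected = EXPECTED_DIRS.get(name)
        if expected is not None and parent != expected:
            findings.append((path, f"{name} is expected in {expected}"))
    return findings


def autostart_entries(log: str) -> list[dict[str, str]]:
    """Parse O4 lines into hive, key, entry name and the executable they launch.

    A quoted command is cut at the closing quote; an unquoted command is assumed
    to have no spaces in its path (true for every O4 line in this log).
    """
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        cmd = m.group("cmd").strip()
        if cmd.startswith('"'):
            end = cmd.find('"', 1)
            exe = cmd[1:end] if end > 0 else cmd[1:]
        else:
            exe = cmd.split()[0] if cmd else ""
        entries.append({"hive": m.group("hive"), "key": m.group("key"),
                        "name": m.group("name"), "exe": exe})
    return entries


def check_autostart_paths(log: str) -> list[tuple[str, str]]:
    """Flag O4 entries whose executable is given without a directory.

    Such a name is resolved by path search at logon, so the file that actually
    gets launched has to be located before the entry can be judged.
    """
    return [(e["name"], f"unqualified path {e['exe']!r}; locate the file before trusting it")
            for e in autostart_entries(log) if not ntpath.dirname(e["exe"])]


if __name__ == "__main__":
    for path, why in check_process_locations(SAMPLE_LOG):
        print(f"PROCESS   {path}: {why}")
    for name, why in check_autostart_paths(SAMPLE_LOG):
        print(f"AUTOSTART [{name}]: {why}")
```

Run against the full posted log, both checks come back clean for services.exe and Explorer.EXE; only the VTPreset entry is reported, because it is listed without a directory.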

        Rezinus

          Topic Starter


          Rookie

          Re: Explore.exe and services.exe virus - Windows XP...!!!
          « Reply #4 on: December 10, 2010, 01:18:30 AM »
          MBAM:

          Malwarebytes' Anti-Malware 1.50
          www.malwarebytes.org

          Database version: 5285

          Windows 5.1.2600 Service Pack 3
          Internet Explorer 8.0.6001.18702

          12/10/2010 12:16:54 AM
          mbam-log-2010-12-10 (00-16-54).txt

          Scan type: Quick scan
          Objects scanned: 124094
          Time elapsed: 4 minute(s), 24 second(s)

          Memory Processes Infected: 0
          Memory Modules Infected: 0
          Registry Keys Infected: 0
          Registry Values Infected: 0
          Registry Data Items Infected: 0
          Folders Infected: 0
          Files Infected: 0

          Memory Processes Infected:
          (No malicious items detected)

          Memory Modules Infected:
          (No malicious items detected)

          Registry Keys Infected:
          (No malicious items detected)

          Registry Values Infected:
          (No malicious items detected)

          Registry Data Items Infected:
          (No malicious items detected)

          Folders Infected:
          (No malicious items detected)

          Files Infected:
          (No malicious items detected)

          SuperDave

          • Malware Removal Specialist


          • Genius
          • Thanked: 1020
          • Certifications: List
          • Experience: Expert
          • OS: Windows 10
          Re: Explore.exe and services.exe virus - Windows XP...!!!
          « Reply #5 on: December 10, 2010, 04:21:36 PM »
          Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

          1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
          2. The fixes are specific to your problem and should only be used for this issue on this machine.
          3. If you don't know or understand something, please don't hesitate to ask.
          4. Please DO NOT run any other tools or scans while I am helping you.
          5. It is important that you reply to this thread. Do not start a new topic.
          6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
          7. Absence of symptoms does not mean that everything is clear.

          Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

          Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

          Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

          Exit out of MessengerDisable then delete the two files that were put on the desktop.
          ***************************************************

          Open HijackThis and select Do a system scan only

          Place a check mark next to the following entries: (if there)

          O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
          O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


          Important: Close all open windows except for HijackThis and then click Fix checked.

          Once completed, exit HijackThis.
          *************************************************
          Download Security Check by screen317 from one of the following links and save it to your desktop.

          Link 1
          Link 2

          * Unzip SecurityCheck.zip and a folder named Security Check should appear.
          * Open the Security Check folder and double-click Security Check.bat
          * Follow the on-screen instructions inside of the black box.
          * A Notepad document should open automatically called checkup.txt
          * Post the contents of that document in your next reply.

          Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
          ******************************************************
          Please download ComboFix from BleepingComputer.com

          Alternate link: GeeksToGo.com

          Rename ComboFix.exe to commy.exe before you save it to your Desktop
          Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
          Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel
          As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
          Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

          Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

          Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


          Click on Yes, to continue scanning for malware.
          When finished, it shall produce a log for you.  Please include the contents of C:\ComboFix.txt in your next reply.

          If you have problems with ComboFix usage, see How to use ComboFix

          Rezinus

            Topic Starter


            Rookie

            Re: Explore.exe and services.exe virus - Windows XP...!!!
            « Reply #6 on: December 10, 2010, 05:15:19 PM »
            Thanks for your assistance SuperDave-


            When I ran the ComboFix it detected a rootkit, and restarted the PC just so you are aware.



            CHECKUP.txt:

             Results of screen317's Security Check version 0.99.6 
             Windows XP Service Pack 3 
             Internet Explorer 8 
            ``````````````````````````````
            Antivirus/Firewall Check:

             Windows Firewall Enabled! 
             ESET NOD32 Antivirus   
             Antivirus up to date! 
            ```````````````````````````````
            Anti-malware/Other Utilities Check:

             Malwarebytes' Anti-Malware   
             TuneUp Utilities 2011   
             TuneUp Utilities Language Pack (en-US)
             TuneUp Utilities 2011   
             CCleaner     
             Java(TM) 6 Update 22 
             Adobe Flash Player 10.1.102.64 
            Adobe Reader X
             Mozilla Firefox (3.6.12)
            ````````````````````````````````
            Process Check: 
            objlist.exe by Laurent

             Malwarebytes' Anti-Malware mbamservice.exe 
            ````````````````````````````````
            DNS Vulnerability Check:

             Unknown. This method cannot test your vulnerability to DNS cache poisoning. (Wireless connection?)

            ``````````End of Log````````````





            COMBOFIX - log.txt:

            ComboFix 10-12-09.04 - ADMIN 12/10/2010  16:03:49.1.1 - x86
            Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.735.523 [GMT -8:00]
            Running from: c:\documents and settings\ADMIN\Desktop\ComboFix.exe
            AV: ESET NOD32 Antivirus 4.2 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
             * Resident AV is active

            .

            (((((((((((((((((((((((((   Files Created from 2010-11-11 to 2010-12-11  )))))))))))))))))))))))))))))))
            .

            2010-12-03 21:34 . 2010-12-03 21:34   --------   d-----r-   C:\MSOCache
            2010-12-03 03:23 . 2010-12-03 03:23   --------   d-----w-   C:\S3Graphics

            .
            ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
            .
            2010-09-18 20:23 . 2008-04-14 12:00   974848   ----a-w-   c:\windows\system32\mfc42u.dll
            2010-09-18 06:53 . 2008-04-14 12:00   974848   ----a-w-   c:\windows\system32\mfc42.dll
            2010-09-18 06:53 . 2008-04-14 12:00   954368   ----a-w-   c:\windows\system32\mfc40.dll
            2010-09-18 06:53 . 2008-04-14 12:00   953856   ----a-w-   c:\windows\system32\mfc40u.dll
            .

            (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
            .
            .
            *Note* empty entries & legit default entries are not shown
            REGEDIT4

            [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
            "VTPreset"="VTPreset.exe" [2004-02-25 45056]
            "egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2010-06-24 2202704]

            [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
            "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

            [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
            2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL

            [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
            "Google Update"="c:\documents and settings\ADMIN\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
            "AOL Fast Start"="c:\program files\AOL Desktop 9.6\AOL.EXE" -b

            [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
            "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
            "AudioDeck"=c:\program files\VIA\VIAudioi\SBADeck\ADeck.exe 1
            "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe"
            "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
            "HostManager"=c:\program files\Common Files\AOL\1291349301\ee\AOLSoftware.exe
            "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

            [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
            "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
            "%windir%\\system32\\sessmgr.exe"=
            "c:\\Program Files\\Common Files\\AOL\\acs\\AOLDial.exe"=
            "c:\\Program Files\\Common Files\\AOL\\acs\\AOLacsd.exe"=
            "c:\\Program Files\\Common Files\\AOL\\1291349301\\ee\\aolsoftware.exe"=
            "c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
            "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
            "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
            "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

            R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [4/28/2010 8:17 AM 114984]
            R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [6/24/2010 9:27 AM 95896]
            R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
            R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 10:41 AM 67656]
            R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [6/24/2010 9:27 AM 810144]
            R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/3/2010 11:18 AM 363344]
            R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2011\TuneUpUtilitiesService32.exe [11/23/2010 8:13 AM 1483072]
            R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/3/2010 11:18 AM 20952]
            R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2011\TuneUpUtilitiesDriver32.sys [10/7/2010 1:34 PM 10064]

            HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
            UxTuneUp
            .
            Contents of the 'Scheduled Tasks' folder

            2010-12-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1614895754-1078081533-1177238915-1003Core.job
            - c:\documents and settings\ADMIN\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-04 06:48]

            2010-12-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1614895754-1078081533-1177238915-1003UA.job
            - c:\documents and settings\ADMIN\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-04 06:48]
            .
            .
            ------- Supplementary Scan -------
            .
            uStart Page = hxxp://www.yahoo.com/
            IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
            FF - ProfilePath - c:\documents and settings\ADMIN\Application Data\Mozilla\Firefox\Profiles\8ymy8l6l.default\
            FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
            FF - plugin: c:\documents and settings\ADMIN\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll
            FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
            FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
            FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
            FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
            FF - Extension: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff

            ---- FIREFOX POLICIES ----
            FF - user.js: nglayout.initialpaint.delay - 600
            FF - user.js: content.notify.interval - 600000
            FF - user.js: content.max.tokenizing.time - 1800000
            FF - user.js: content.switch.threshold - 600000
            .

            **************************************************************************

            catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
            Rootkit scan 2010-12-10 16:08
            Windows 5.1.2600 Service Pack 3 NTFS

            scanning hidden processes ... 

            scanning hidden autostart entries ...

            scanning hidden files ... 

            scan completed successfully
            hidden files: 0

            **************************************************************************
            .
            --------------------- LOCKED REGISTRY KEYS ---------------------

            [HKEY_USERS\S-1-5-21-1614895754-1078081533-1177238915-1003\Software\Microsoft\SystemCertificates\AddressBook*]
            @Allowed: (Read) (RestrictedCode)
            @Allowed: (Read) (RestrictedCode)

            [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
            @Denied: (A 2) (Everyone)
            @="FlashBroker"
            "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

            [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
            "Enabled"=dword:00000001

            [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
            @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

            [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
            @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

            [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
            @Denied: (A 2) (Everyone)
            @="IFlashBroker4"

            [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
            @="{00020424-0000-0000-C000-000000000046}"

            [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
            @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
            "Version"="1.0"
            .
            --------------------- DLLs Loaded Under Running Processes ---------------------

            - - - - - - - > 'winlogon.exe'(656)
            c:\program files\SUPERAntiSpyware\SASWINLO.DLL
            c:\windows\system32\WININET.dll
            .
            Completion time: 2010-12-10  16:11:10
            ComboFix-quarantined-files.txt  2010-12-11 00:11

            Pre-Run: 69,800,243,200 bytes free
            Post-Run: 70,012,657,664 bytes free

            WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
            [boot loader]
            timeout=2
            default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
            [operating systems]
            c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
            UnsupportedDebug="do not select this" /debug
            multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

            - - End Of File - - CA0AA24BB6F8925F85EF5B9EEF283636

            SuperDave

            • Malware Removal Specialist


            • Genius
            • Thanked: 1020
            • Certifications: List
            • Experience: Expert
            • OS: Windows 10
            Re: Explore.exe and services.exe virus - Windows XP...!!!
            « Reply #7 on: December 10, 2010, 07:39:48 PM »
            You have Viewpoint installed.

            Viewpoint Media Player/Manager/Toolbar is considered Foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad".

            More information:

            * ViewMgr.exe - Useless
            * Viewpoint to Plunge Into Adware

            It is suggested to remove the program now. Go to Start > Control Panel > Add/Remove Programs (in Vista & Win7 it is Programs and Features) and remove the following programs if present.

            * Viewpoint
            * Viewpoint Manager
            * Viewpoint Media Player
            * Viewpoint Toolbar
            * Viewpoint Experience Technology

            ************************************
            SysProt Antirootkit

            Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

            http://sites.google.com/site/sysprotantirootkit/

            Unzip it into a folder on your desktop.
            • Double click Sysprot.exe to start the program.
            • Click on the Log tab.
            • In the Write to log box select the following items.
              • Process << Selected
              • Kernel Modules << Selected
              • SSDT << Selected
              • Kernel Hooks << Selected
              • IRP Hooks << NOT Selected
              • Ports << NOT Selected
              • Hidden Files << Selected
            • At the bottom of the page
              • Hidden Objects Only << Selected
            • Click on the Create Log button on the bottom right.
            • After a few seconds a new window should appear.
            • Select Scan Root Drive. Click on the Start button.
            • When it is complete a new window will appear to indicate that the scan is finished.
            • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.
            Windows 8 and Windows 10 dual boot with two SSD's

            Rezinus

              Topic Starter


              Rookie

              Re: Explore.exe and services.exe virus - Windows XP...!!!
              « Reply #8 on: December 10, 2010, 10:51:44 PM »
              SysProt AntiRootkit v1.0.1.0
              by swatkat

              ******************************************************************************************
              ******************************************************************************************

              No Hidden Processes found

              ******************************************************************************************
              ******************************************************************************************
              Kernel Modules:
              Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
              Service Name: ---
              Module Base: F4226000
              Module End: F423E000
              Hidden: Yes

              Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
              Service Name: ---
              Module Base: F7CF0000
              Module End: F7CF2000
              Hidden: Yes

              ******************************************************************************************
              ******************************************************************************************
              SSDT:
              Function Name: ZwAssignProcessToJobObject
              Address: F4438610
              Driver Base: F4437000
              Driver End: F4456000
              Driver Name: \SystemRoot\system32\DRIVERS\ehdrv.sys

              Function Name: ZwDebugActiveProcess
              Address: F4438C10
              Driver Base: F4437000
              Driver End: F4456000
              Driver Name: \SystemRoot\system32\DRIVERS\ehdrv.sys

              Function Name: ZwDuplicateObject
              Address: F4438730
              Driver Base: F4437000
              Driver End: F4456000
              Driver Name: \SystemRoot\system32\DRIVERS\ehdrv.sys

              Function Name: ZwOpenProcess
              Address: F44384B0
              Driver Base: F4437000
              Driver End: F4456000
              Driver Name: \SystemRoot\system32\DRIVERS\ehdrv.sys

              Function Name: ZwOpenThread
              Address: F4438570
              Driver Base: F4437000
              Driver End: F4456000
              Driver Name: \SystemRoot\system32\DRIVERS\ehdrv.sys

              Function Name: ZwProtectVirtualMemory
              Address: F44386D0
              Driver Base: F4437000
              Driver End: F4456000
              Driver Name: \SystemRoot\system32\DRIVERS\ehdrv.sys

              Function Name: ZwQueueApcThread
              Address: F4438790
              Driver Base: F4437000
              Driver End: F4456000
              Driver Name: \SystemRoot\system32\DRIVERS\ehdrv.sys

              Function Name: ZwSetContextThread
              Address: F4438690
              Driver Base: F4437000
              Driver End: F4456000
              Driver Name: \SystemRoot\system32\DRIVERS\ehdrv.sys

              Function Name: ZwSetInformationThread
              Address: F4438650
              Driver Base: F4437000
              Driver End: F4456000
              Driver Name: \SystemRoot\system32\DRIVERS\ehdrv.sys

              Function Name: ZwSetSecurityObject
              Address: F44387D0
              Driver Base: F4437000
              Driver End: F4456000
              Driver Name: \SystemRoot\system32\DRIVERS\ehdrv.sys

              Function Name: ZwSuspendProcess
              Address: F4438510
              Driver Base: F4437000
              Driver End: F4456000
              Driver Name: \SystemRoot\system32\DRIVERS\ehdrv.sys

              Function Name: ZwSuspendThread
              Address: F4438590
              Driver Base: F4437000
              Driver End: F4456000
              Driver Name: \SystemRoot\system32\DRIVERS\ehdrv.sys

              Function Name: ZwTerminateProcess
              Address: F44384D0
              Driver Base: F4437000
              Driver End: F4456000
              Driver Name: \SystemRoot\system32\DRIVERS\ehdrv.sys

              Function Name: ZwTerminateThread
              Address: F44385D0
              Driver Base: F4437000
              Driver End: F4456000
              Driver Name: \SystemRoot\system32\DRIVERS\ehdrv.sys

              Function Name: ZwWriteVirtualMemory
              Address: F4438750
              Driver Base: F4437000
              Driver End: F4456000
              Driver Name: \SystemRoot\system32\DRIVERS\ehdrv.sys

              ******************************************************************************************
              ******************************************************************************************
              No Kernel Hooks found

              ******************************************************************************************
              ******************************************************************************************
              Ports:
              Local Address: ADMIN:30606
              Remote Address: LOCALHOST:1528
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN:30606
              Remote Address: LOCALHOST:INGRESLOCK
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN:30606
              Remote Address: LOCALHOST:1518
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN:30606
              Remote Address: LOCALHOST:1516
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN:30606
              Remote Address: LOCALHOST:1514
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN:30606
              Remote Address: LOCALHOST:WINS
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN:30606
              Remote Address: LOCALHOST:1510
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN:30606
              Remote Address: LOCALHOST:1506
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN:30606
              Remote Address: LOCALHOST:1504
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN:30606
              Remote Address: LOCALHOST:1502
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN:30606
              Remote Address: LOCALHOST:1500
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN:30606
              Remote Address: LOCALHOST:1498
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN:30606
              Remote Address: LOCALHOST:1496
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN:30606
              Remote Address: LOCALHOST:1492
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN:30606
              Remote Address: LOCALHOST:1490
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN:30606
              Remote Address: LOCALHOST:1468
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN:30606
              Remote Address: LOCALHOST:1448
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN:30606
              Remote Address: LOCALHOST:1444
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN:30606
              Remote Address: LOCALHOST:1442
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN:30606
              Remote Address: LOCALHOST:1440
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN:30606
              Remote Address: LOCALHOST:1438
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN:30606
              Remote Address: LOCALHOST:1436
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN:30606
              Remote Address: LOCALHOST:MS-SQL-M
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN:30606
              Remote Address: LOCALHOST:1432
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN:30606
              Remote Address: LOCALHOST:1430
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN:30606
              Remote Address: LOCALHOST:1428
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN:30606
              Remote Address: LOCALHOST:1426
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN:30606
              Remote Address: 0.0.0.0:0
              Type: TCP
              Process: C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
              State: LISTENING

              Local Address: ADMIN:5152
              Remote Address: LOCALHOST:1033
              Type: TCP
              Process: C:\Program Files\Java\jre6\bin\jqs.exe
              State: CLOSE_WAIT

              Local Address: ADMIN:5152
              Remote Address: 0.0.0.0:0
              Type: TCP
              Process: C:\Program Files\Java\jre6\bin\jqs.exe
              State: LISTENING

              Local Address: ADMIN:1526
              Remote Address: LOCALHOST:30606
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN:1522
              Remote Address: LOCALHOST:30606
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN:1520
              Remote Address: LOCALHOST:30606
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN:1508
              Remote Address: LOCALHOST:30606
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN:1494
              Remote Address: LOCALHOST:30606
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN:1488
              Remote Address: LOCALHOST:30606
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN:1486
              Remote Address: LOCALHOST:30606
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN:1484
              Remote Address: LOCALHOST:30606
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN:1472
              Remote Address: LOCALHOST:30606
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN:1464
              Remote Address: LOCALHOST:30606
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN:1460
              Remote Address: LOCALHOST:30606
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN:1458
              Remote Address: LOCALHOST:30606
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN:1450
              Remote Address: LOCALHOST:30606
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN:1422
              Remote Address: LOCALHOST:30606
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN:1416
              Remote Address: LOCALHOST:30606
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN:1414
              Remote Address: LOCALHOST:30606
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN:1320
              Remote Address: LOCALHOST:30606
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN:1316
              Remote Address: LOCALHOST:30606
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN:1270
              Remote Address: LOCALHOST:30606
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN:1026
              Remote Address: 0.0.0.0:0
              Type: TCP
              Process: C:\WINDOWS\system32\alg.exe
              State: LISTENING

              Local Address: ADMIN.SOCAL.RR.COM:1523
              Remote Address: 24.143.195.66:HTTP
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN.SOCAL.RR.COM:1521
              Remote Address: 195.14.94.15:HTTP
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN.SOCAL.RR.COM:1509
              Remote Address: 64.225.158.189:HTTP
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN.SOCAL.RR.COM:1495
              Remote Address: 208.93.137.60:HTTP
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN.SOCAL.RR.COM:1489
              Remote Address: 64.225.158.189:HTTP
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN.SOCAL.RR.COM:1485
              Remote Address: 24.143.195.115:HTTP
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN.SOCAL.RR.COM:1473
              Remote Address: LAX04S01-IN-F154.1E100.NET:HTTP
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN.SOCAL.RR.COM:1465
              Remote Address: 24.143.195.66:HTTP
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN.SOCAL.RR.COM:1461
              Remote Address: LAX04S01-IN-F154.1E100.NET:HTTP
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN.SOCAL.RR.COM:1459
              Remote Address: LAX04S01-IN-F154.1E100.NET:HTTP
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN.SOCAL.RR.COM:1451
              Remote Address: LAX04S01-IN-F154.1E100.NET:HTTP
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN.SOCAL.RR.COM:1447
              Remote Address: 208.93.137.60:HTTP
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN.SOCAL.RR.COM:1423
              Remote Address: PV-IN-F113.1E100.NET:HTTP
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN.SOCAL.RR.COM:1417
              Remote Address: NUQ04S01-IN-F100.1E100.NET:HTTP
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN.SOCAL.RR.COM:1415
              Remote Address: NUQ04S01-IN-F100.1E100.NET:HTTP
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN.SOCAL.RR.COM:1321
              Remote Address: PZ-IN-F113.1E100.NET:HTTP
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN.SOCAL.RR.COM:1317
              Remote Address: 74.125.224.7:HTTP
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN.SOCAL.RR.COM:1271
              Remote Address: LAX04S01-IN-F99.1E100.NET:HTTP
              Type: TCP
              Process: [System Idle Process]
              State: TIME_WAIT

              Local Address: ADMIN.SOCAL.RR.COM:NETBIOS-SSN
              Remote Address: 0.0.0.0:0
              Type: TCP
              Process: System
              State: LISTENING

              Local Address: ADMIN:MICROSOFT-DS
              Remote Address: 0.0.0.0:0
              Type: TCP
              Process: System
              State: LISTENING

              Local Address: ADMIN:EPMAP
              Remote Address: 0.0.0.0:0
              Type: TCP
              Process: C:\WINDOWS\system32\svchost.exe
              State: LISTENING

              Local Address: ADMIN:1900
              Remote Address: NA
              Type: UDP
              Process: C:\WINDOWS\system32\svchost.exe
              State: NA

              Local Address: ADMIN:123
              Remote Address: NA
              Type: UDP
              Process: C:\WINDOWS\system32\svchost.exe
              State: NA

              Local Address: ADMIN.SOCAL.RR.COM:1900
              Remote Address: NA
              Type: UDP
              Process: C:\WINDOWS\system32\svchost.exe
              State: NA

              Local Address: ADMIN.SOCAL.RR.COM:138
              Remote Address: NA
              Type: UDP
              Process: System
              State: NA

              Local Address: ADMIN.SOCAL.RR.COM:NETBIOS-NS
              Remote Address: NA
              Type: UDP
              Process: System
              State: NA

              Local Address: ADMIN.SOCAL.RR.COM:123
              Remote Address: NA
              Type: UDP
              Process: C:\WINDOWS\system32\svchost.exe
              State: NA

              Local Address: ADMIN:4500
              Remote Address: NA
              Type: UDP
              Process: C:\WINDOWS\system32\lsass.exe
              State: NA

              Local Address: ADMIN:500
              Remote Address: NA
              Type: UDP
              Process: C:\WINDOWS\system32\lsass.exe
              State: NA

              Local Address: ADMIN:MICROSOFT-DS
              Remote Address: NA
              Type: UDP
              Process: System
              State: NA

              ******************************************************************************************
              ******************************************************************************************
              Hidden files/folders:
              Object: C:\Qoobox\BackEnv\AppData.folder.dat
              Status: Access denied

              Object: C:\Qoobox\BackEnv\Cache.folder.dat
              Status: Access denied

              Object: C:\Qoobox\BackEnv\Cookies.folder.dat
              Status: Access denied

              Object: C:\Qoobox\BackEnv\Desktop.folder.dat
              Status: Access denied

              Object: C:\Qoobox\BackEnv\Favorites.folder.dat
              Status: Access denied

              Object: C:\Qoobox\BackEnv\History.folder.dat
              Status: Access denied

              Object: C:\Qoobox\BackEnv\LocalAppData.folder.dat
              Status: Access denied

              Object: C:\Qoobox\BackEnv\LocalSettings.folder.dat
              Status: Access denied

              Object: C:\Qoobox\BackEnv\Music.folder.dat
              Status: Access denied

              Object: C:\Qoobox\BackEnv\NetHood.folder.dat
              Status: Access denied

              Object: C:\Qoobox\BackEnv\Personal.folder.dat
              Status: Access denied

              Object: C:\Qoobox\BackEnv\Pictures.folder.dat
              Status: Access denied

              Object: C:\Qoobox\BackEnv\PrintHood.folder.dat
              Status: Access denied

              Object: C:\Qoobox\BackEnv\Profiles.Folder.dat
              Status: Access denied

              Object: C:\Qoobox\BackEnv\Profiles.Folder.folder.dat
              Status: Access denied

              Object: C:\Qoobox\BackEnv\Programs.folder.dat
              Status: Access denied

              Object: C:\Qoobox\BackEnv\Recent.folder.dat
              Status: Access denied

              Object: C:\Qoobox\BackEnv\SendTo.folder.dat
              Status: Access denied

              Object: C:\Qoobox\BackEnv\SetPath.bat
              Status: Access denied

              Object: C:\Qoobox\BackEnv\StartMenu.folder.dat
              Status: Access denied

              Object: C:\Qoobox\BackEnv\StartUp.folder.dat
              Status: Access denied

              Object: C:\Qoobox\BackEnv\SysPath.dat
              Status: Access denied

              Object: C:\Qoobox\BackEnv\Templates.folder.dat
              Status: Access denied

              Object: C:\Qoobox\BackEnv\VikPev00
              Status: Access denied


              SuperDave
              Re: Explore.exe and services.exe virus - Windows XP...!!!
              « Reply #9 on: December 11, 2010, 01:32:15 PM »
              How's your computer running now?

              I'd like to scan your machine with ESET OnlineScan

              • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
              ESET OnlineScan
              • Click the button.
              • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
                • Click on to download the ESET Smart Installer. Save it to your desktop.
                • Double click on the icon on your desktop.
              • Check
              • Click the button.
              • Accept any security warnings from your browser.
              • Check
              • Push the Start button.
              • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
              • When the scan completes, push
              • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
              • Push the button.
              • Push
              A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

                Rezinus

                Re: Explore.exe and services.exe virus - Windows XP...!!!
                « Reply #10 on: December 11, 2010, 04:35:41 PM »
                SuperDave -

                My PC is running a little bit better than before, but it isn't performing like it did before.

                As for the ESET, the scan did not find any infected files.



                What should I do from here?
                Also, I am running XP and want to upgrade. Are all threats removed, and am I able to install/upgrade my OS without worry?
                Thanks again for the help, and I will await your response.

                SuperDave

                Re: Explore.exe and services.exe virus - Windows XP...!!!
                « Reply #11 on: December 12, 2010, 01:43:49 PM »
                Quote
                What should I do from here?
                Also, I am running XP and want to upgrade. Are all threats removed, and am I able to install/upgrade my OS without worry?
                 If you're going to upgrade your OS, I would suggest that you do a re-format first. Then you will know that you're starting with a clean slate. Of course, you will need to back up your important data. I'm confident that your computer is clean but a re-format will make it doubly sure. Please let me know your intentions. If you want to keep this present OS for some time, we should do some clean up of all the tools we used.

                Rezinus


                  Re: Explore.exe and services.exe virus - Windows XP...!!!
                  « Reply #12 on: December 12, 2010, 07:01:18 PM »
                  Thanks SuperDave -

                  As of right now my PC is still not running as optimally as I would like. Would a re-format/re-install solve my issues?

                  I would like to have my PC running optimally before installing OS if possible, as well. (All malware/viruses removed, running smooth etc.)
                  As far as my current OS, I will likely keep it at least another couple weeks or until I am confident my PC is in prime condition for an OS installation. I could use your help if possible.



                  Also,
                  I appreciate your help, and I wouldn't mind sending you a donation for your time and help if you would like.

                  SuperDave

                  Re: Explore.exe and services.exe virus - Windows XP...!!!
                  « Reply #13 on: December 13, 2010, 01:06:03 PM »
                  Quote
                  Would a re-format/re-install solve my issues?
                  Yes, a complete format will clean everything. Then you will just have to install your new OS and you're back in business.

                  To wipe the drive clean, reformat and reinstall the OS.

                   The computer will only run as well as the hardware that's inside it. If your computer does not have a dual core or a high rate of speed, it will only run so-so with your new OS. You should have 1 GHz or faster. The same goes for the amount of RAM that you have. You should have at least 2 GB to run Vista and Windows 7. The MS site states 1 GB of RAM but I think this is the minimum.

                  Quote
                  I appreciate your help, and I wouldn't mind sending you a donation for your time and help if you would like.

                  "And last but not least, please remember after you have left the World of Despair you were in, a simple Thank You to the Experts is always a nice touch.  If we've helped, feel free to recommend us."


                  Rezinus


                    Re: Explore.exe and services.exe virus - Windows XP...!!!
                    « Reply #14 on: December 13, 2010, 02:28:21 PM »
                    I just have a couple questions before I install.


                    As for the SUPERAntiSpyware files detected, are they removed completely?
                    Of those detected the following are still present in quarantine:

                       C:\Documents and Settings\ADMIN\Cookies\admin@atdmt[2].txt
                       C:\Documents and Settings\ADMIN\Cookies\admin@doubleclick[1].txt
                       C:\Documents and Settings\ADMIN\Cookies\[email protected][2].txt
                       C:\Documents and Settings\ADMIN\Cookies\[email protected][2].txt





                    Also, when I re-installed my current XP I tried installing the driver for my Ethernet adapter but received the message "cannot find any inf files".
                     Another member here mentioned this could be due to a bad CD-ROM drive. Is there any way to tell before installing again so I don't encounter this same issue? And is it necessary to back up anything other than personal files, such as drivers?

                    SuperDave

                    Re: Explore.exe and services.exe virus - Windows XP...!!!
                    « Reply #15 on: December 13, 2010, 04:59:37 PM »
                    Quote
                    As for the SUPERAntiSpyware files detected, are they removed completely?
                    Of those detected the following are still present in quarantine:

                       C:\Documents and Settings\ADMIN\Cookies\admin@atdmt[2].txt
                       C:\Documents and Settings\ADMIN\Cookies\admin@doubleclick[1].txt
                       C:\Documents and Settings\ADMIN\Cookies\[email protected][2].txt
                       C:\Documents and Settings\ADMIN\Cookies\[email protected][2].txt

                    You can delete them but if you do a complete reformat, they will be removed.

                    Quote
                    Also, when I re-installed my current XP I tried installing the driver for my Ethernet adapter but received the message "cannot find any inf files".
                     Another member here mentioned this could be due to a bad CD-ROM drive. Is there any way to tell before installing again so I don't encounter this same issue? And is it necessary to back up anything other than personal files, such as drivers?
                     
                    If you're installing a new OS, all the necessary drivers will be installed.

                    Rezinus


                      Re: Explore.exe and services.exe virus - Windows XP...!!!
                      « Reply #16 on: December 13, 2010, 05:30:17 PM »
                      Sounds good.

                      And thanks again for your kind help!

                      Rezinus


                        Re: Explore.exe and services.exe virus - Windows XP...!!!
                        « Reply #17 on: December 13, 2010, 08:50:53 PM »
                        ...

                        Rezinus


                          Re: Explore.exe and services.exe virus - Windows XP...!!!
                          « Reply #18 on: December 14, 2010, 04:32:00 PM »
                          SuperDave -

                          My PC is running fairly well now, however I ran ComboFix again and it said it detected the same rootkit activity. Is this normal?


                          I am going to keep this OS for now as well as it is running smoother.
                           Can you assist me with resetting my configurations etc.? My Malwarebytes' won't autostart, and I am still getting a recovery console boot screen that I would like to remove if possible.

                          SuperDave

                          Re: Explore.exe and services.exe virus - Windows XP...!!!
                          « Reply #19 on: December 14, 2010, 05:00:36 PM »
                          Quote
                          I ran ComboFix again and it said it detected the same rootkit activity. Is this normal?
                          Please post the log.

                          Quote
                          My Malwarebytes' won't autostart
                           The free version won't autostart. You have to initiate the scans yourself. Only the paid version has full-time protection.

                          Quote
                          recovery console boot screen that I would like to remove if possible
                          I'm not sure what you mean by this.

                          Rezinus


                            Re: Explore.exe and services.exe virus - Windows XP...!!!
                            « Reply #20 on: December 14, 2010, 05:23:06 PM »
                            When I first downloaded ComboFix, it asked to install a recovery console which added an extra screen at startup that appears for 2 seconds, then continues to boot normally.


                            Also, I have a boot.bak file in my C:\ drive folder which wasn't there before. Is it necessary, and how do I get rid of it?


                            Here is the latest combofix log:

                            ComboFix 10-12-13.02 - ADMIN 12/13/2010  20:43:30.3.1 - x86
                            Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.735.526 [GMT -8:00]
                            Running from: c:\documents and settings\ADMIN\Desktop\ComboFix.exe
                            AV: ESET NOD32 Antivirus 4.2 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
                             * Resident AV is active

                            .

                            (((((((((((((((((((((((((   Files Created from 2010-11-14 to 2010-12-14  )))))))))))))))))))))))))))))))
                            .

                            2010-12-03 21:34 . 2010-12-03 21:34   --------   d-----r-   C:\MSOCache
                            2010-12-03 03:23 . 2010-12-03 03:23   --------   d-----w-   C:\S3Graphics

                            .
                            ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                            .
                            2010-09-18 20:23 . 2008-04-14 12:00   974848   ----a-w-   c:\windows\system32\mfc42u.dll
                            2010-09-18 06:53 . 2008-04-14 12:00   974848   ----a-w-   c:\windows\system32\mfc42.dll
                            2010-09-18 06:53 . 2008-04-14 12:00   954368   ----a-w-   c:\windows\system32\mfc40.dll
                            2010-09-18 06:53 . 2008-04-14 12:00   953856   ----a-w-   c:\windows\system32\mfc40u.dll
                            .

                            (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                            .
                            .
                            *Note* empty entries & legit default entries are not shown
                            REGEDIT4

                            [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                            "VTPreset"="VTPreset.exe" [2004-02-25 45056]
                            "egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2010-06-24 2202704]

                            [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
                            "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

                            [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
                            2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL

                            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
                            2010-11-24 19:40   42320   ----a-w-   c:\program files\AOL Desktop 9.6\aol.exe

                            [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
                            "Google Update"="c:\documents and settings\ADMIN\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
                            "AOL Fast Start"="c:\program files\AOL Desktop 9.6\AOL.EXE" -b

                            [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
                            "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
                            "AudioDeck"=c:\program files\VIA\VIAudioi\SBADeck\ADeck.exe 1
                            "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe"
                            "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
                            "HostManager"=c:\program files\Common Files\AOL\1291349301\ee\AOLSoftware.exe
                            "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

                            [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                            "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
                            "%windir%\\system32\\sessmgr.exe"=
                            "c:\\Program Files\\Common Files\\AOL\\acs\\AOLDial.exe"=
                            "c:\\Program Files\\Common Files\\AOL\\acs\\AOLacsd.exe"=
                            "c:\\Program Files\\Common Files\\AOL\\1291349301\\ee\\aolsoftware.exe"=
                            "c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
                            "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
                            "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
                            "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

                            R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [4/28/2010 8:17 AM 114984]
                            R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [6/24/2010 9:27 AM 95896]
                            R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
                            R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 10:41 AM 67656]
                            R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [6/24/2010 9:27 AM 810144]
                            R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/3/2010 11:18 AM 363344]
                            R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2011\TuneUpUtilitiesService32.exe [11/23/2010 8:13 AM 1483072]
                            R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/3/2010 11:18 AM 20952]
                            R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2011\TuneUpUtilitiesDriver32.sys [10/7/2010 1:34 PM 10064]

                            HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
                            UxTuneUp
                            .
                            Contents of the 'Scheduled Tasks' folder

                            2010-12-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1614895754-1078081533-1177238915-1003Core.job
                            - c:\documents and settings\ADMIN\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-04 06:48]

                            2010-12-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1614895754-1078081533-1177238915-1003UA.job
                            - c:\documents and settings\ADMIN\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-04 06:48]
                            .
                            .
                            ------- Supplementary Scan -------
                            .
                            uStart Page = hxxp://www.yahoo.com/
                            IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
                            FF - ProfilePath - c:\documents and settings\ADMIN\Application Data\Mozilla\Firefox\Profiles\8ymy8l6l.default\
                            FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
                            FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
                            FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
                            FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
                            FF - user.js: nglayout.initialpaint.delay - 600
                            FF - user.js: content.notify.interval - 600000
                            FF - user.js: content.max.tokenizing.time - 1800000
                            FF - user.js: content.switch.threshold - 600000
                            .

                            **************************************************************************

                            catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                            Rootkit scan 2010-12-13 20:47
                            Windows 5.1.2600 Service Pack 3 NTFS

                            scanning hidden processes ... 

                            scanning hidden autostart entries ...

                            scanning hidden files ... 

                            scan completed successfully
                            hidden files: 0

                            **************************************************************************
                            .
                            --------------------- LOCKED REGISTRY KEYS ---------------------

                            [HKEY_USERS\S-1-5-21-1614895754-1078081533-1177238915-1003\Software\Microsoft\SystemCertificates\AddressBook*]
                            @Allowed: (Read) (RestrictedCode)
                            @Allowed: (Read) (RestrictedCode)

                            [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
                            @Denied: (A 2) (Everyone)
                            @="FlashBroker"
                            "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

                            [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
                            "Enabled"=dword:00000001

                            [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
                            @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

                            [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
                            @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

                            [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
                            @Denied: (A 2) (Everyone)
                            @="IFlashBroker4"

                            [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
                            @="{00020424-0000-0000-C000-000000000046}"

                            [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
                            @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
                            "Version"="1.0"
                            .
                            --------------------- DLLs Loaded Under Running Processes ---------------------

                            - - - - - - - > 'winlogon.exe'(656)
                            c:\program files\SUPERAntiSpyware\SASWINLO.DLL
                            c:\windows\system32\WININET.dll
                            .
                            Completion time: 2010-12-13  20:50:07
                            ComboFix-quarantined-files.txt  2010-12-14 04:50

                            Pre-Run: 70,897,635,328 bytes free
                            Post-Run: 70,916,878,336 bytes free

                            - - End Of File - - 1DB66DA4F8A3240708A0E2400D8D0321
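The question this thread opened with (are explorer.exe and services.exe malicious?) comes down to one check that the logs above make possible: is each core Windows binary running from the directory Windows XP installs it in, or from somewhere else? ComboFix prints autostart entries by path, and DDS, the tool requested next in the thread, prints a "Running Processes" list in the same style. The script below is an added example for this thread, not code from ComboFix, DDS or any poster: it parses lines in that style and flags core binaries that are running from an unexpected directory or for which the tool recorded no path at all. The expected-location table is an assumption (Windows XP defaults), and the sample lines are constructed in the log format rather than copied from the thread.

```python
"""Triage helper for DDS/ComboFix-style process lists: flag core Windows XP
binaries running from somewhere other than their default directory, or whose
image path the tool did not record.

Added example for this thread. EXPECTED_DIRS is an assumption (XP defaults),
not something DDS or ComboFix report.
"""
import ntpath
import re

# Assumed default directories of core XP binaries (lower-case, no trailing '\').
# A 'services.exe' or 'explorer.exe' anywhere else deserves a closer look.
EXPECTED_DIRS = {
    "explorer": {r"c:\windows"},
    "services": {r"c:\windows\system32"},
    "svchost": {r"c:\windows\system32"},
    "lsass": {r"c:\windows\system32"},
    "winlogon": {r"c:\windows\system32"},
    "csrss": {r"c:\windows\system32"},
    "spoolsv": {r"c:\windows\system32"},
    "ctfmon": {r"c:\windows\system32"},
}

# Constructed sample in the style of a DDS 'Running Processes' section
# (modelled on the log format in this thread, not copied from it).
SAMPLE = r"""
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\ADMIN\Desktop\dds.scr
"""

# Paths are printed unquoted and may contain spaces ('Documents and Settings'),
# so the command line is cut at the first ' -' or ' /' switch, not the first space.
_SWITCH = re.compile(r"^(.*?)(\s+[-/].*)?$")


def split_command(line):
    """Return (image_path, args) for one process line."""
    match = _SWITCH.match(line.strip())
    path = match.group(1).strip().strip('"')
    return path, (match.group(2) or "").strip()


def classify(line):
    """Map one process line to (binary_stem, verdict).

    verdicts: 'ok'             core binary in its default directory
              'unexpected-dir' core binary name running from elsewhere
              'no-path'        the tool recorded only a file name
              'unlisted'       not a core binary; not judged here
    """
    path, _args = split_command(line)
    directory, base = ntpath.split(path)
    stem = ntpath.splitext(base)[0].lower()  # 'svchost' and 'svchost.exe' alike
    if stem not in EXPECTED_DIRS:
        return stem, "unlisted"
    if not directory:
        return stem, "no-path"
    if directory.lower().rstrip("\\") in EXPECTED_DIRS[stem]:
        return stem, "ok"
    return stem, "unexpected-dir"


def triage(text):
    """Classify every non-blank line of a process list."""
    return [classify(line) for line in text.splitlines() if line.strip()]


def suspicious(text):
    """Only the entries a human should follow up on."""
    return [(stem, verdict) for stem, verdict in triage(text)
            if verdict in ("no-path", "unexpected-dir")]


if __name__ == "__main__":
    for stem, verdict in triage(SAMPLE):
        print(f"{verdict:15} {stem}")
```

A "no-path" hit is not evidence of infection on its own; it only means the tool printed no directory for that process, so the binary's location has to be confirmed another way on the machine itself. An "unexpected-dir" hit for a name like services.exe or explorer.exe is the case worth raising with the helper, since a legitimate copy of those binaries has no business running from a user profile or a temp directory.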

                            SuperDave

                            Re: Explore.exe and services.exe virus - Windows XP...!!!
                            « Reply #21 on: December 15, 2010, 07:15:20 PM »
                            Quote
                            however I ran ComboFix again and it said it detected the same rootkit activity.
                            There is no sign of rootkit activity in any of the scans we did.

                            Quote
                            it asked to install a recovery console which added an extra screen at startup that appears for 2 seconds,
                            This is the way it's supposed to work. It's there to allow you to use the Recovery Console to make repairs to your computer. If you have your OS disk, you can remove the Recovery Console by following these instructions.

                            Quote
                            I have a boot.bak file in my C:\ drive folder which wasn't there before
                            I don't see it in the ComboFix log. Perhaps this scan will find it.

                            Download DDS from HERE or HERE and save it to your desktop.

                            Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

                            * XP users Double click on dds to run it.
                            * If your antivirus or firewall try to block DDS then please allow it to run.
                            * When finished DDS will open two (2) logs.

                            1) DDS.txt
                            2) Attach.txt

                            * Save both logs to your desktop.
                            * Please copy and paste the entire contents of both logs in your next reply.

                            Note: DDS will instruct you to post the Attach.txt log as an attachment.
                            Please just post it as you would any other log by copy and pasting it into the reply.

                            Rezinus


                              Re: Explore.exe and services.exe virus - Windows XP...!!!
                              « Reply #22 on: December 16, 2010, 01:48:31 PM »
                              I have tried to do the steps for removing Recovery Console without any luck.

                               I tried to attach a screenshot for you to see the object boot.bak but the file was too large.



                              Here is the log for DDS.txt:


                              DDS (Ver_10-12-12.02) - NTFSx86 
                              Run by ADMIN at 12:29:59.17 on Thu 12/16/2010
                              Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
                              Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.735.335 [GMT -8:00]

                              AV: ESET NOD32 Antivirus 4.2 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

                              ============== Running Processes ===============

                              C:\WINDOWS\system32\svchost -k DcomLaunch
                              svchost.exe
                              C:\WINDOWS\System32\svchost.exe -k netsvcs
                              svchost.exe
                              svchost.exe
                              C:\WINDOWS\Explorer.EXE
                              C:\WINDOWS\system32\spoolsv.exe
                              C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
                              C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
                              C:\WINDOWS\system32\ctfmon.exe
                              svchost.exe
                              C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
                              C:\Program Files\Java\jre6\bin\jqs.exe
                              C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
                              C:\Program Files\TuneUp Utilities 2011\TuneUpUtilitiesService32.exe
                              C:\Program Files\TuneUp Utilities 2011\TuneUpUtilitiesApp32.exe
                              C:\Program Files\Mozilla Firefox\firefox.exe
                              C:\WINDOWS\system32\taskmgr.exe
                              C:\Documents and Settings\ADMIN\Desktop\dds.scr

                              ============== Pseudo HJT Report ===============

                              uStart Page = hxxp://www.yahoo.com/
                              BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
                              BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
                              BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
                              BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
                              TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
                              uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
                              mRun: [VTPreset] VTPreset.exe
                              mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
                              mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
                              IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
                              IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
                              IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
                              IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
                              DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
                              DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
                              DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
                              Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
                              Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
                              SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
                              SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
                              SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

                              ================= FIREFOX ===================

                              FF - ProfilePath - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\8ymy8l6l.default\
                              FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
                              FF - plugin: c:\documents and settings\admin\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
                              FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
                              FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
                              FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
                              FF - Ext: Java Quick Starter: [email protected] - c:\program files\java\jre6\lib\deploy\jqs\ff

                              ---- FIREFOX POLICIES ----
                              FF - user.js: nglayout.initialpaint.delay - 600
                              FF - user.js: content.notify.interval - 600000
                              FF - user.js: content.max.tokenizing.time - 1800000
                              FF - user.js: content.switch.threshold - 600000

                              ============= SERVICES / DRIVERS ===============

                              R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-4-28 114984]
                              R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2010-6-24 95896]
                              R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
                              R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
                              R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2010-6-24 810144]
                              R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-12-14 363344]
                              R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\tuneup utilities 2011\TuneUpUtilitiesService32.exe [2010-11-23 1483072]
                              R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-12-14 20952]
                              R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\tuneup utilities 2011\TuneUpUtilitiesDriver32.sys [2010-10-7 10064]
                              S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2010-12-14 27064]

                              =============== Created Last 30 ================

                              2010-12-15 23:20:35   --------   d-----w-   c:\program files\Windows Media Connect 2
                              2010-12-15 04:21:54   421888   ----a-w-   c:\windows\system32\ac3filter.acm
                              2010-12-15 04:21:46   --------   d-----w-   c:\program files\XP Codec Pack
                              2010-12-15 00:45:58   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
                              2010-12-15 00:45:53   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
                              2010-12-15 00:45:53   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
                              2010-12-15 00:25:36   --------   d-----w-   c:\docume~1\admin\locals~1\applic~1\VS Revo Group
                              2010-12-15 00:25:25   27064   ----a-w-   c:\windows\system32\drivers\revoflt.sys
                              2010-12-15 00:25:22   --------   d-----w-   c:\program files\VS Revo Group
                              2010-12-14 23:37:39   --------   d-----w-   c:\documents and settings\admin\Shared
                              2010-12-14 23:37:39   --------   d-----w-   c:\documents and settings\admin\Incomplete
                              2010-12-14 23:36:54   --------   d-----w-   c:\docume~1\admin\applic~1\MP3Rocket
                              2010-12-14 23:36:52   --------   d-----w-   c:\program files\MP3 Rocket
                              2010-12-14 22:06:36   73728   ----a-w-   c:\windows\system32\javacpl.cpl
                              2010-12-14 00:26:37   --------   d-----w-   c:\windows\system32\appmgmt
                              2010-12-13 20:42:23   --------   d--h--w-   c:\windows\system32\GroupPolicy
                              2010-12-11 00:03:49   --------   d-----w-   c:\docume~1\admin\locals~1\applic~1\ESET
                              2010-12-10 23:56:54   --------   d-sha-r-   C:\cmdcons
                              2010-12-09 23:50:01   --------   d-----w-   c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
                              2010-12-09 23:50:01   --------   d-----w-   c:\docume~1\admin\applic~1\SUPERAntiSpyware.com
                              2010-12-09 23:49:36   --------   d-----w-   c:\program files\SUPERAntiSpyware
                              2010-12-08 23:10:15   --------   d-----w-   c:\program files\Lavalys
                              2010-12-04 06:48:11   --------   d-----w-   c:\docume~1\admin\locals~1\applic~1\Google
                              2010-12-03 21:43:27   33104   ----a-w-   c:\windows\system32\spool\prtprocs\w32x86\msonpppr.dll
                              2010-12-03 21:43:27   32592   ----a-w-   c:\windows\system32\msonpmon.dll
                              2010-12-03 21:35:59   --------   d-----w-   c:\windows\SHELLNEW
                              2010-12-03 21:35:30   --------   d-----w-   c:\docume~1\admin\locals~1\applic~1\Microsoft Help
                              2010-12-03 19:18:32   --------   d-----w-   c:\docume~1\admin\applic~1\Malwarebytes
                              2010-12-03 19:18:22   --------   d-----w-   c:\docume~1\alluse~1\applic~1\Malwarebytes
                              2010-12-03 18:39:44   --------   d-----w-   c:\windows\system32\LogFiles
                              2010-12-03 07:31:43   --------   d-----w-   c:\program files\Windows Media Player 11
                              2010-12-03 06:24:15   --------   d-----w-   c:\windows\ie8updates
                              2010-12-03 06:23:23   221184   ----a-w-   c:\windows\system32\wmpns.dll
                              2010-12-03 06:18:04   602112   -c----w-   c:\windows\system32\dllcache\msfeeds.dll
                              2010-12-03 06:18:04   55296   -c----w-   c:\windows\system32\dllcache\msfeedsbs.dll
                              2010-12-03 06:18:02   247808   -c----w-   c:\windows\system32\dllcache\ieproxy.dll
                              2010-12-03 06:18:02   12800   -c----w-   c:\windows\system32\dllcache\xpshims.dll
                              2010-12-03 06:18:00   743424   -c----w-   c:\windows\system32\dllcache\iedvtool.dll
                              2010-12-03 06:17:59   1991680   -c----w-   c:\windows\system32\dllcache\iertutil.dll
                              2010-12-03 06:17:50   11080704   -c----w-   c:\windows\system32\dllcache\ieframe.dll
                              2010-12-03 06:13:09   455680   -c----w-   c:\windows\system32\dllcache\mrxsmb.sys
                              2010-12-03 06:07:35   2146304   -c----w-   c:\windows\system32\dllcache\ntkrnlmp.exe
                              2010-12-03 06:07:34   2189952   -c----w-   c:\windows\system32\dllcache\ntoskrnl.exe
                              2010-12-03 06:07:32   2024448   -c----w-   c:\windows\system32\dllcache\ntkrpamp.exe
                              2010-12-03 06:07:23   5120   ----a-w-   c:\windows\system32\xpsp4res.dll
                              2010-12-03 06:04:42   272128   -c----w-   c:\windows\system32\dllcache\bthport.sys
                              2010-12-03 06:04:42   272128   ------w-   c:\windows\system32\drivers\bthport.sys
                              2010-12-03 06:01:33   --------   d-----w-   c:\windows\system32\PreInstall
                              2010-12-03 06:01:31   --------   d--h--w-   c:\windows\$hf_mig$
                              2010-12-03 05:47:17   --------   d-----w-   c:\program files\ESET
                              2010-12-03 05:44:39   --------   d-----w-   c:\docume~1\admin\locals~1\applic~1\Temp
                              2010-12-03 05:30:21   --------   d-----w-   c:\docume~1\admin\locals~1\applic~1\Adobe
                              2010-12-03 05:13:42   --------   d-----w-   c:\program files\CCleaner
                              2010-12-03 04:57:02   --------   d-----w-   c:\program files\Defraggler
                              2010-12-03 04:31:43   31552   ----a-w-   c:\windows\system32\TURegOpt.exe
                              2010-12-03 04:31:42   29504   ----a-w-   c:\windows\system32\uxtuneup.dll
                              2010-12-03 04:31:33   --------   d-----w-   c:\docume~1\admin\applic~1\TuneUp Software
                              2010-12-03 04:31:25   --------   d-----w-   c:\program files\TuneUp Utilities 2011
                              2010-12-03 04:30:46   --------   d-----w-   c:\docume~1\alluse~1\applic~1\TuneUp Software
                              2010-12-03 04:30:10   --------   d-sh--w-   c:\docume~1\alluse~1\applic~1\{24036256-BFDB-4CD3-BE8A-A3D6160F2E16}
                              2010-12-03 04:09:51   --------   d-----w-   c:\docume~1\admin\applic~1\AOL
                              2010-12-03 04:09:24   58696   ----a-w-   c:\windows\system32\AOLParconLink.exe
                              2010-12-03 04:08:47   33588   ----a-r-   c:\windows\system32\drivers\wanatw4.sys
                              2010-12-03 04:08:35   --------   d-----w-   c:\docume~1\admin\locals~1\applic~1\AOL
                              2010-12-03 04:08:15   --------   d-----w-   c:\program files\common files\AOL
                              2010-12-03 04:08:14   --------   d-----w-   c:\program files\common files\aolshare
                              2010-12-03 04:08:14   --------   d-----w-   c:\program files\AOL Desktop 9.6
                              2010-12-03 04:01:34   472808   ----a-w-   c:\windows\system32\deployJava1.dll
                              2010-12-03 04:01:34   472808   ----a-w-   c:\program files\mozilla firefox\plugins\npdeployJava1.dll
                              2010-12-03 03:51:11   17920   -c----w-   c:\windows\system32\dllcache\msyuv.dll
                              2010-12-03 03:39:36   207488   ----a-r-   c:\windows\system32\drivers\vinyl97.sys
                              2010-12-03 03:29:34   331184   ------w-   c:\windows\system32\difxapi.dll
                              2010-12-03 03:29:34   --------   d-----w-   c:\program files\VIA
                              2010-12-03 03:28:11   --------   d-----w-   c:\windows\system32\SoftwareDistribution
                              2010-12-03 03:25:45   --------   d-----w-   c:\windows\system32\ReinstallBackups
                              2010-12-03 03:25:41   --------   d-----w-   c:\program files\S3
                              2010-12-03 03:23:53   306688   ----a-w-   c:\windows\IsUninst.exe
                              2010-12-03 03:23:44   --------   d-----w-   c:\documents and settings\admin\WINDOWS
                              2010-12-03 03:23:42   --------   d-----w-   C:\S3Graphics
                              2010-12-03 03:18:38   --------   d-----w-   c:\program files\Driver-Soft
                              2010-12-03 03:03:33   --------   d-sh--w-   c:\documents and settings\admin\IECompatCache
                              2010-12-03 03:02:33   --------   d-sh--w-   c:\documents and settings\admin\PrivacIE
                              2010-12-03 03:01:03   --------   d-sh--w-   c:\documents and settings\admin\IETldCache

                              ==================== Find3M  ====================

                              2010-11-24 19:40:53   499712   ----a-w-   c:\windows\system32\msvcp71.dll
                              2010-11-24 19:40:53   348160   ----a-w-   c:\windows\system32\msvcr71.dll
                              2010-11-18 18:12:44   81920   ----a-w-   c:\windows\system32\isign32.dll
                              2010-11-06 00:26:58   916480   ----a-w-   c:\windows\system32\wininet.dll
                              2010-11-06 00:26:58   43520   ----a-w-   c:\windows\system32\licmgr10.dll
                              2010-11-06 00:26:58   1469440   ----a-w-   c:\windows\system32\inetcpl.cpl
                              2010-11-03 12:25:54   385024   ----a-w-   c:\windows\system32\html.iec
                              2010-10-28 13:13:22   290048   ----a-w-   c:\windows\system32\atmfd.dll
                              2010-10-26 13:25:00   1853312   ----a-w-   c:\windows\system32\win32k.sys
                              2010-09-18 20:23:26   974848   ----a-w-   c:\windows\system32\mfc42u.dll
                              2010-09-18 06:53:25   974848   ----a-w-   c:\windows\system32\mfc42.dll
                              2010-09-18 06:53:25   954368   ----a-w-   c:\windows\system32\mfc40.dll
                              2010-09-18 06:53:25   953856   ----a-w-   c:\windows\system32\mfc40u.dll

                              ============= FINISH: 12:31:09.81 ===============





                              Attach.txt:


                              UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
                              IF REQUESTED, ZIP IT UP & ATTACH IT

                              DDS (Ver_10-12-12.02)

                              Microsoft Windows XP Professional
                              Boot Device: \Device\HarddiskVolume1
                              Install Date: 12/2/2010 6:30:51 PM
                              System Uptime: 12/16/2010 7:30:36 AM (5 hours ago)

                              Motherboard:   |  | P4M266A-8235
                              Processor:               Intel(R) Pentium(R) 4 CPU 2.40GHz | Socket 478 | 2405/133mhz

                              ==== Disk Partitions =========================

                              A: is Removable
                              C: is FIXED (NTFS) - 75 GiB total, 64.175 GiB free.
                              D: is CDROM ()
                              E: is Removable

                              ==== Disabled Device Manager Items =============

                              Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
                              Description: EPSON Scanner
                              Device ID: USB\VID_04B8&PID_0839&MI_00\6&296D8F17&0&0000
                              Manufacturer:
                              Name: EPSON Scanner
                              PNP Device ID: USB\VID_04B8&PID_0839&MI_00\6&296D8F17&0&0000
                              Service:

                              ==== System Restore Points ===================

                              RP1: 12/13/2010 9:07:18 PM - System Checkpoint
                              RP2: 12/14/2010 2:00:23 PM - Removed Java(TM) 6 Update 22
                              RP3: 12/14/2010 2:06:14 PM - Installed Java(TM) 6 Update 23
                              RP4: 12/14/2010 2:47:49 PM - Software Distribution Service 3.0
                              RP5: 12/14/2010 4:35:29 PM - Revo Uninstaller Pro's restore point - Ask Toolbar
                              RP6: 12/14/2010 4:36:03 PM - Removed Ask Toolbar.
                              RP7: 12/14/2010 4:36:33 PM - Revo Uninstaller Pro's restore point - Malwarebytes' Anti-Malware
                              RP8: 12/15/2010 3:17:31 PM - Software Distribution Service 3.0
                              RP9: 12/15/2010 3:53:23 PM - Software Distribution Service 3.0
                              RP10: 12/15/2010 3:59:34 PM - Software Distribution Service 3.0

                              ==== Installed Programs ======================

                              Adobe AIR
                              Adobe Flash Player 10 ActiveX
                              Adobe Flash Player 10 Plugin
                              Adobe Reader X
                              AOL Uninstaller (Choose which Products to Remove)
                              CCleaner
                              Defraggler
                              Driver Genius Professional Edition
                              ESET NOD32 Antivirus
                              EVEREST Ultimate Edition v5.50
                              Google Chrome
                              Hotfix for Windows Media Format 11 SDK (KB929399)
                              Hotfix for Windows Media Player 11 (KB939683)
                              Hotfix for Windows XP (KB2158563)
                              Hotfix for Windows XP (KB2443685)
                              Hotfix for Windows XP (KB952287)
                              Java Auto Updater
                              Java(TM) 6 Update 23
                              Malwarebytes' Anti-Malware
                              Microsoft Compression Client Pack 1.0 for Windows XP
                              Microsoft Office Access MUI (English) 2007
                              Microsoft Office Access Setup Metadata MUI (English) 2007
                              Microsoft Office Enterprise 2007
                              Microsoft Office Excel MUI (English) 2007
                              Microsoft Office Groove MUI (English) 2007
                              Microsoft Office Groove Setup Metadata MUI (English) 2007
                              Microsoft Office InfoPath MUI (English) 2007
                              Microsoft Office OneNote MUI (English) 2007
                              Microsoft Office Outlook MUI (English) 2007
                              Microsoft Office PowerPoint MUI (English) 2007
                              Microsoft Office Proof (English) 2007
                              Microsoft Office Proof (French) 2007
                              Microsoft Office Proof (Spanish) 2007
                              Microsoft Office Proofing (English) 2007
                              Microsoft Office Publisher MUI (English) 2007
                              Microsoft Office Shared MUI (English) 2007
                              Microsoft Office Shared Setup Metadata MUI (English) 2007
                              Microsoft Office Word MUI (English) 2007
                              Microsoft Software Update for Web Folders  (English) 12
                              Microsoft User-Mode Driver Framework Feature Pack 1.0
                              Microsoft VC9 runtime libraries
                              Mozilla Firefox (3.6.12)
                              MP3 Rocket
                              Platform
                              ProSavageDDR and Utilities
                              Revo Uninstaller Pro 2.5.0
                              S3Display
                              S3Gamma2
                              S3Info2
                              S3Overlay
                              Security Update for Windows Internet Explorer 8 (KB2360131)
                              Security Update for Windows Internet Explorer 8 (KB2416400)
                              Security Update for Windows Internet Explorer 8 (KB971961)
                              Security Update for Windows Internet Explorer 8 (KB981332)
                              Security Update for Windows Media Player (KB2378111)
                              Security Update for Windows Media Player (KB952069)
                              Security Update for Windows Media Player (KB954155)
                              Security Update for Windows Media Player (KB973540)
                              Security Update for Windows Media Player (KB975558)
                              Security Update for Windows Media Player (KB978695)
                              Security Update for Windows Media Player 11 (KB954154)
                              Security Update for Windows XP (KB2079403)
                              Security Update for Windows XP (KB2115168)
                              Security Update for Windows XP (KB2121546)
                              Security Update for Windows XP (KB2229593)
                              Security Update for Windows XP (KB2259922)
                              Security Update for Windows XP (KB2279986)
                              Security Update for Windows XP (KB2286198)
                              Security Update for Windows XP (KB2296011)
                              Security Update for Windows XP (KB2296199)
                              Security Update for Windows XP (KB2347290)
                              Security Update for Windows XP (KB2360937)
                              Security Update for Windows XP (KB2387149)
                              Security Update for Windows XP (KB2423089)
                              Security Update for Windows XP (KB2436673)
                              Security Update for Windows XP (KB2440591)
                              Security Update for Windows XP (KB2443105)
                              Security Update for Windows XP (KB923561)
                              Security Update for Windows XP (KB941569)
                              Security Update for Windows XP (KB946648)
                              Security Update for Windows XP (KB950762)
                              Security Update for Windows XP (KB950974)
                              Security Update for Windows XP (KB951376-v2)
                              Security Update for Windows XP (KB951748)
                              Security Update for Windows XP (KB952004)
                              Security Update for Windows XP (KB952954)
                              Security Update for Windows XP (KB954459)
                              Security Update for Windows XP (KB956572)
                              Security Update for Windows XP (KB956744)
                              Security Update for Windows XP (KB956802)
                              Security Update for Windows XP (KB956803)
                              Security Update for Windows XP (KB956844)
                              Security Update for Windows XP (KB958644)
                              Security Update for Windows XP (KB958869)
                              Security Update for Windows XP (KB959426)
                              Security Update for Windows XP (KB960803)
                              Security Update for Windows XP (KB960859)
                              Security Update for Windows XP (KB961501)
                              Security Update for Windows XP (KB969059)
                              Security Update for Windows XP (KB970430)
                              Security Update for Windows XP (KB971657)
                              Security Update for Windows XP (KB972270)
                              Security Update for Windows XP (KB973507)
                              Security Update for Windows XP (KB973869)
                              Security Update for Windows XP (KB973904)
                              Security Update for Windows XP (KB974112)
                              Security Update for Windows XP (KB974318)
                              Security Update for Windows XP (KB974392)
                              Security Update for Windows XP (KB974571)
                              Security Update for Windows XP (KB975025)
                              Security Update for Windows XP (KB975467)
                              Security Update for Windows XP (KB975560)
                              Security Update for Windows XP (KB975562)
                              Security Update for Windows XP (KB975713)
                              Security Update for Windows XP (KB977816)
                              Security Update for Windows XP (KB977914)
                              Security Update for Windows XP (KB978037)
                              Security Update for Windows XP (KB978338)
                              Security Update for Windows XP (KB978542)
                              Security Update for Windows XP (KB978601)
                              Security Update for Windows XP (KB978706)
                              Security Update for Windows XP (KB979309)
                              Security Update for Windows XP (KB979482)
                              Security Update for Windows XP (KB979687)
                              Security Update for Windows XP (KB980195)
                              Security Update for Windows XP (KB980232)
                              Security Update for Windows XP (KB980436)
                              Security Update for Windows XP (KB981322)
                              Security Update for Windows XP (KB981852)
                              Security Update for Windows XP (KB981957)
                              Security Update for Windows XP (KB981997)
                              Security Update for Windows XP (KB982132)
                              Security Update for Windows XP (KB982214)
                              Security Update for Windows XP (KB982665)
                              SUPERAntiSpyware
                              TuneUp Utilities 2011
                              TuneUp Utilities Language Pack (en-US)
                              Update for Windows Internet Explorer 8 (KB976662)
                              Update for Windows XP (KB2141007)
                              Update for Windows XP (KB2345886)
                              Update for Windows XP (KB2467659)
                              Update for Windows XP (KB898461)
                              Update for Windows XP (KB951978)
                              Update for Windows XP (KB955759)
                              Update for Windows XP (KB967715)
                              Update for Windows XP (KB968389)
                              Update for Windows XP (KB971737)
                              Update for Windows XP (KB973687)
                              Update for Windows XP (KB973815)
                              VIA Platform Device Manager
                              WebFldrs XP
                              Windows Genuine Advantage Notifications (KB905474)
                              Windows Genuine Advantage Validation Tool (KB892130)
                              Windows Internet Explorer 8
                              Windows Media Format 11 runtime
                              Windows Media Player 11
                              Winrar 3.93
                              XP Codec Pack

                              ==== Event Viewer Messages From Past Week ========

                              12/15/2010 3:21:17 PM, error: Windows Update Agent [20]  - Installation Failure: Windows failed to install the following update with error 0x80070643: Windows Media Player 11.
                              12/15/2010 3:02:00 PM, error: SideBySide [59]  - Resolve Partial Assembly failed for Microsoft.VC80.CRT. Reference error message: The referenced assembly is not installed on your system. .
                              12/15/2010 3:02:00 PM, error: SideBySide [59]  - Generate Activation Context failed for C:\Program Files\MP3 Rocket\lib\jacob-1.14.1-x86.dll. Reference error message: The operation completed successfully. .
                              12/15/2010 3:02:00 PM, error: SideBySide [32]  - Dependent Assembly Microsoft.VC80.CRT could not be found and Last Error was The referenced assembly is not installed on your system.

                              ==== End Of File ===========================

                              SuperDave

                              • Malware Removal Specialist


                              • Genius
                              • Thanked: 1020
                              • Certifications: List
                              • Experience: Expert
                              • OS: Windows 10
                              Re: Explore.exe and services.exe virus - Windows XP...!!!
                              « Reply #23 on: December 17, 2010, 01:38:26 PM »
                              I can't see anything amiss in the logs.

                              Download Dr.Web CureIt to the desktop:
                              Dr WebCureIt
                              • Double-click the launch.exe or cureit.exe file and Allow to run the express scan
                              • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
                              • Once the short scan has finished, just let it cure whatever it finds...

                                o Now, go to Settings >> Change Settings
                                o Go to Actions tab >> under Objects section, change the settings to below
                                Infected objects - Cure
                                Incurable objects - Report
                                Suspicious objects - Report
                                o Don't change any other settings
                              • Start the scan again. This time, choose Complete Scan
                              • Click the green arrow button at the right, and the scan will start.
                              • After the scan has finished, click Select all
                              • Click on Cure and choose Report incurable (means take no actions.. Don't "move", or "rename" or "delete")
                              • When the scan has finished, in the menu, click File and choose Save report list
                              • Save the report to your Desktop. The report will be called DrWeb.csv
                              • Post DrWeb.csv in your next reply (Open it as Notepad).. Do NOT reboot the computer yet..
                              Windows 8 and Windows 10 dual boot with two SSD's
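SuperDave reviews the DDS output above by eye. As an added example (not from the thread, and not part of DDS, Dr.Web or any other tool named here), the Python below parses the SERVICES / DRIVERS and Created Last 30 sections in the line format shown in the log and produces two review lists: service or driver binaries running from outside the usual install roots, and executables written under c:\windows in the last 30 days other than the dllcache copies Windows Update leaves behind. The trusted-root list and the user-writable path markers are assumptions, and the "Fakesvc" service line in the sample is constructed so the location rule has something to catch; the remaining sample lines are copied from the log above.

```python
"""Triage helper for two sections of a DDS log (SERVICES / DRIVERS and
Created Last 30).  Added example for this thread; not part of DDS, Dr.Web or
any other tool named here.  Trusted roots and flagging rules are assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input in the DDS line format shown in the thread.  The
# "Fakesvc" service line is invented so the location rule has something to flag.
SAMPLE_LOG = """\
============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\\windows\\system32\\drivers\\ehdrv.sys [2010-4-28 114984]
R2 ekrn;ESET Service;c:\\program files\\eset\\eset nod32 antivirus\\ekrn.exe [2010-6-24 810144]
R3 MBAMProtector;MBAMProtector;c:\\windows\\system32\\drivers\\mbam.sys [2010-12-14 20952]
S3 Revoflt;Revoflt;c:\\windows\\system32\\drivers\\revoflt.sys [2010-12-14 27064]
R2 Fakesvc;Fake Service;c:\\docume~1\\admin\\locals~1\\temp\\svchost.exe [2010-12-15 48128]

=============== Created Last 30 ================

2010-12-15 04:21:54   421888   ----a-w-   c:\\windows\\system32\\ac3filter.acm
2010-12-15 00:45:53   20952   ----a-w-   c:\\windows\\system32\\drivers\\mbam.sys
2010-12-15 00:45:53   --------   d-----w-   c:\\program files\\Malwarebytes' Anti-Malware
2010-12-03 06:18:04   602112   -c----w-   c:\\windows\\system32\\dllcache\\msfeeds.dll
2010-12-03 03:23:53   306688   ----a-w-   c:\\windows\\IsUninst.exe

==================== Find3M  ====================
"""

SECTION_RE = re.compile(r"^=+\s*(?P<name>.+?)\s*=+$")
# <R|S><start type> <name>;<display name>;<path> [<yyyy-m-d> <size>]
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)"
    r"\s+\[(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+(?P<size>\d+)\]$")
# <timestamp> <size or dashes> <8 attribute flags, 'd' first for directories> <path>
FILE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<size>\d+|-+)\s+"
    r"(?P<attrs>[-a-z]{8})\s+(?P<path>.+)$")

# Assumption: where a service or driver binary is expected to live on this XP box.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")
# Assumption: user-writable locations that should never host a service binary.
USER_WRITABLE = ("\\temp\\", "\\docume~1\\", "\\documents and settings\\")
EXECUTABLE_EXTS = (".exe", ".dll", ".sys", ".cpl", ".acm", ".ocx", ".scr")

@dataclass
class Service:
    state: str   # R = running, S = stopped; the digit is the Windows start type
    name: str
    path: str    # lower-cased so path comparisons are case-insensitive
    size: int

@dataclass
class Created:
    timestamp: str
    is_dir: bool
    path: str

def parse_dds(text: str) -> Dict[str, list]:
    """Walk the log, switch on the '====' section headers, parse known line shapes."""
    sections: Dict[str, list] = {"services": [], "created": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (h := SECTION_RE.match(line)):
            name = h["name"].lower()
            current = "services" if "services" in name else "created" if "created" in name else None
        elif current == "services" and (m := SERVICE_RE.match(line)):
            sections["services"].append(
                Service(m["state"], m["name"], m["path"].lower(), int(m["size"])))
        elif current == "created" and (m := FILE_RE.match(line)):
            sections["created"].append(
                Created(m["ts"], m["attrs"].startswith("d"), m["path"].lower()))
    return sections

def suspicious_services(services: List[Service]) -> List[str]:
    """Services/drivers whose binary sits outside vendor install locations."""
    return [f"{s.state} {s.name}: unexpected binary location: {s.path}"
            for s in services
            if not s.path.startswith(TRUSTED_ROOTS) or any(u in s.path for u in USER_WRITABLE)]

def recent_system_binaries(created: List[Created]) -> List[str]:
    """Executables written under c:\\windows in the last 30 days, minus the
    dllcache copies Windows Update leaves, for checking against install history."""
    return [f"{c.timestamp}  {c.path}" for c in created
            if not c.is_dir and c.path.startswith("c:\\windows\\")
            and "\\dllcache\\" not in c.path and c.path.endswith(EXECUTABLE_EXTS)]

def triage(text: str) -> Dict[str, List[str]]:
    sections = parse_dds(text)
    return {"suspicious_services": suspicious_services(sections["services"]),
            "recent_system_binaries": recent_system_binaries(sections["created"])}

if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(f"== {category} ==", *items, sep="\n  ")
```

The second list is not a verdict: on the sample it returns ac3filter.acm, mbam.sys and IsUninst.exe, all of which the Attach.txt install history above accounts for (XP Codec Pack, Malwarebytes, the S3 driver package). Its purpose is to shorten what a reviewer has to cross-check by hand; a service binary in a temp or profile folder, as in the constructed Fakesvc line, is the case that deserves immediate attention.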

                              Rezinus

                                Topic Starter


                                Rookie

                                Re: Explore.exe and services.exe virus - Windows XP...!!!
                                « Reply #24 on: December 17, 2010, 01:58:10 PM »
                                SuperDave -

                                I wasn't able to open the link provided. Is there an alternative download location?
                                Thanks

                                SuperDave

                                Re: Explore.exe and services.exe virus - Windows XP...!!!
                                « Reply #25 on: December 17, 2010, 05:22:41 PM »
                                Sorry. Try this one.

                                Download Dr.Web CureIt to the desktop:
                                Dr WebCureIt
                                • Double-click the launch.exe or cureit.exe file and Allow to run the express scan
                                • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
                                • Once the short scan has finished, just let it cure whatever it finds...

                                  o Now, go to Settings >> Change Settings
                                  o Go to Actions tab >> under Objects section, change the settings to below
                                  Infected objects - Cure
                                  Incurable objects - Report
                                  Suspicious objects - Report
                                  o Don't change any other settings
                                • Start the scan again. This time, choose Complete Scan
                                • Click the green arrow button at the right, and the scan will start.
                                • After the scan has finished, click Select all
                                • Click on Cure and choose Report incurable (means take no actions.. Don't "move", or "rename" or "delete")
                                • When the scan has finished, in the menu, click File and choose Save report list
                                • Save the report to your Desktop. The report will be called DrWeb.csv
                                • Post DrWeb.csv in your next reply (Open it as Notepad).. Do NOT reboot the computer yet..
                                « Last Edit: December 19, 2010, 01:21:21 PM by SuperDave »

                                Rezinus


                                  Re: Explore.exe and services.exe virus - Windows XP...!!!
                                  « Reply #26 on: December 17, 2010, 10:33:22 PM »
                                  SuperDave -

                                  That link didn't work for me either.

                                  SuperDave

                                  Re: Explore.exe and services.exe virus - Windows XP...!!!
                                  « Reply #27 on: December 18, 2010, 01:15:03 PM »
                                  Quote
                                  That link didn't work for me either.
                                  Darn! I even tried it before I posted it and it worked.

                                  I'd like to scan your machine with ESET OnlineScan

                                  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
                                  ESET OnlineScan
                                  • Click the button.
                                  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
                                    • Click on to download the ESET Smart Installer. Save it to your desktop.
                                    • Double click on the icon on your desktop.
                                  • Check
                                  • Click the button.
                                  • Accept any security warnings from your browser.
                                  • Check
                                  • Push the Start button.
                                  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
                                  • When the scan completes, push
                                  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
                                  • Push the button.
                                  • Push
                                  A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

                                  Windows 8 and Windows 10 dual boot with two SSD's

                                  Rezinus

                                    Topic Starter


                                    Rookie

                                    Re: Explore.exe and services.exe virus - Windows XP...!!!
                                    « Reply #28 on: December 20, 2010, 11:09:07 AM »
                                    SuperDave -

                                    I have ESET NOD32 installed on my PC. Can I do a scan with that, or should I use the link you provided?

                                    Also, how do I remove DDS from my desktop? Do I just delete it?
                                    Thanks
                                    Rez

                                    SuperDave

                                    • Malware Removal Specialist


                                    • Genius
                                    • Thanked: 1020
                                    • Certifications: List
                                    • Experience: Expert
                                    • OS: Windows 10
                                    Re: Explore.exe and services.exe virus - Windows XP...!!!
                                    « Reply #29 on: December 20, 2010, 04:47:22 PM »
                                    Quote
                                    Also, how do I remove DDS from my desktop? Do I just delete it?
                                    Yes. Any program on your desktop can just be deleted.
                                    I would prefer that you use the ESET on-line scan as it is better because it's working from the outside.
                                    It has come to my attention that you are currently seeking help at GeekPolice.net in this thread for the same computer and the same problem. This is not a very effective way to have your computer cleaned because I have no idea which tools the other helper told you to run and he has no idea which ones I asked you to use, with possibly disastrous results. This is one of the unwritten rules in malware cleaning.
                                    Windows 8 and Windows 10 dual boot with two SSD's

                                    Rezinus

                                      Topic Starter


                                      Rookie

                                      Re: Explore.exe and services.exe virus - Windows XP...!!!
                                      « Reply #30 on: December 24, 2010, 10:43:48 PM »
                                      SuperDave -
                                      My apologies. My intentions were to get assistance ASAP as I posted both threads around the same time.
                                      On the other forum I only posted logs from the scans that you had initially requested. I did not perform any other tasks other than what you requested in this thread other than running ComboFix a second time which I mentioned to you earlier.


                                      I ran the ESET Online scanner which came up with 0 infected files.

                                      ESETSmartInstaller@High as downloader log:
                                      all ok
                                      # version=7
                                      # OnlineScannerApp.exe=1.0.0.1
                                      # OnlineScanner.ocx=1.0.0.6419
                                      # api_version=3.0.2
                                      # EOSSerial=1d92e26ce77ca64a80a4315df6e3171a
                                      # end=finished
                                      # remove_checked=false
                                      # archives_checked=true
                                      # unwanted_checked=true
                                      # unsafe_checked=false
                                      # antistealth_checked=true
                                      # utc_time=2010-12-25 12:45:00
                                      # local_time=2010-12-24 04:45:00 (-0800, Pacific Standard Time)
                                      # country="United States"
                                      # lang=1033
                                      # osver=5.1.2600 NT Service Pack 3
                                      # compatibility_mode=512 16777215 100 0 0 0 0 0
                                      # compatibility_mode=8199 39157077 100 100 0 15747384 0 0
                                      # scanned=38450
                                      # found=0
                                      # cleaned=0
                                      # scan_time=3739
                                      # nod_component=V3 Build:0x30000000

                                      SuperDave

                                      • Malware Removal Specialist


                                      • Genius
                                      • Thanked: 1020
                                      • Certifications: List
                                      • Experience: Expert
                                      • OS: Windows 10
                                      Re: Explore.exe and services.exe virus - Windows XP...!!!
                                      « Reply #31 on: December 25, 2010, 10:16:07 AM »
                                      You really should advise Belahzur that you're finished with the thread on GeekPolice.net.
                                      Ok. Where are we now? Everything looks good from this end.
                                      Windows 8 and Windows 10 dual boot with two SSD's