
Author Topic: Scan Results  (Read 21716 times)


SuperDave

  • Malware Removal Specialist


  • Genius
  • Thanked: 1020
  • Certifications: List
  • Experience: Expert
  • OS: Windows 10
Re: Scan Results
« Reply #15 on: April 18, 2011, 04:53:09 PM »
Sorry about that. Yes, AVG will have to be uninstalled. Please download and install one of the other free AVs from the list below. Microsoft Security Essentials is the easiest one to work with. Next, run the AVG Removal Tool below to get rid of AVG. Then run the ComboFix scan.

Looking over your log it seems you don't have any antivirus software.

Before we continue, download and install a free antivirus.

Remember to only install one antivirus!
 
1) Avast! Home Edition
2) AVG Free Edition
3) Avira AntiVir Personal
4) Microsoft Security Essentials for Windows Vista\Windows 7 - 64 bit Download
4-a) Microsoft Security Essentials for Windows XP
5) Comodo Antivirus (Uncheck during installation "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage" if you choose this one)
6) PC Tools AntiVirus Free Edition

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.
****************************************************
AVG Antivirus Remover utility
Windows 8 and Windows 10 dual boot with two SSD's

darthgaul

    Topic Starter


    Rookie

    • Experience: Beginner
    • OS: Unknown
    Re: Scan Results
    « Reply #16 on: April 19, 2011, 01:05:29 AM »
    ok that worked. I installed Microsoft Essentials. Here is the log:
    ComboFix 11-04-18.02 - Admin 04/18/2011  23:53:35.1.2 - x86
    Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.3070.2328 [GMT -7:00]
    Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .
    .
    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\Adobe Systems
    c:\documents and settings\All Users\Application Data\Adobe Systems\Product licenses\B2B86000.dat
    c:\documents and settings\Matthew\WINDOWS
    C:\LHTC.tmp
    c:\program files\Bamboo Dock\Bamboo Dock\Bamboo Dock.exe
    C:\Thumbs.db
    .
    .
    (((((((((((((((((((((((((   Files Created from 2011-03-19 to 2011-04-19  )))))))))))))))))))))))))))))))
    .
    .
    2011-04-19 06:25 . 2011-04-19 06:25   28752   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6F145977-E696-4293-96C0-6811DFE2C4F7}\MpKsl6736b89d.sys
    2011-04-19 06:25 . 2011-04-11 07:04   7071056   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6F145977-E696-4293-96C0-6811DFE2C4F7}\mpengine.dll
    2011-04-19 06:25 . 2010-10-19 20:51   222080   ------w-   c:\windows\system32\MpSigStub.exe
    2011-04-19 06:23 . 2011-04-19 06:23   --------   d-----w-   c:\windows\LastGood
    2011-04-19 06:22 . 2011-04-19 06:23   --------   d-----w-   c:\program files\Microsoft Security Client
    2011-04-17 20:03 . 2011-04-17 20:03   --------   d-----w-   c:\program files\Ventrilo
    2011-04-17 20:02 . 2011-04-17 20:02   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
    2011-04-16 04:41 . 2011-04-16 04:41   388096   ----a-r-   c:\documents and settings\Admin\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-04-16 04:33 . 2011-04-16 04:33   --------   d-----w-   c:\program files\Common Files\Java
    2011-04-16 04:32 . 2011-02-03 04:40   472808   ----a-w-   c:\windows\system32\deployJava1.dll
    2011-04-16 04:03 . 2011-04-16 04:03   --------   d-----w-   c:\documents and settings\Admin\Application Data\Malwarebytes
    2011-04-16 03:22 . 2011-04-16 03:22   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-04-16 03:22 . 2010-12-21 01:09   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
    2011-04-16 03:22 . 2011-04-16 03:22   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
    2011-04-16 03:22 . 2010-12-21 01:08   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
    2011-04-15 22:35 . 2011-04-15 22:35   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2011-04-15 22:35 . 2011-04-15 22:35   --------   d-----w-   c:\documents and settings\Admin\Application Data\SUPERAntiSpyware.com
    2011-04-15 22:35 . 2011-04-15 22:35   --------   d-----w-   c:\program files\SUPERAntiSpyware
    2011-04-13 05:33 . 2011-04-13 05:33   --------   d-----w-   c:\documents and settings\Matthew\Local Settings\Application Data\Mozilla
    2011-04-13 03:06 . 2011-04-13 03:06   --------   d-----w-   c:\documents and settings\Kary\Application Data\Wacom
    2011-04-13 03:06 . 2011-04-13 03:06   --------   d-----w-   c:\documents and settings\Kary\Application Data\WTablet
    2011-04-12 23:00 . 2011-04-12 23:00   --------   d-----w-   c:\program files\GameSpy Arcade
    2011-04-12 22:57 . 2011-04-12 22:57   --------   d-----w-   c:\program files\Irrational Games
    2011-04-08 06:11 . 2010-12-02 09:12   837224   ----a-w-   c:\windows\system32\nvgenco32hda.dll
    2011-04-06 10:43 . 2011-01-08 03:27   941160   ----a-w-   c:\windows\system32\nvdispco322090.dll
    2011-04-06 10:43 . 2011-01-08 03:27   837736   ----a-w-   c:\windows\system32\nvgenco322040.dll
    2011-04-06 09:43 . 2011-04-06 09:43   --------   d-----w-   c:\program files\Common Files\Creative
    2011-04-06 09:42 . 2011-04-06 09:44   --------   d--h--w-   c:\program files\Creative Installation Information
    2011-04-06 09:27 . 2011-04-06 09:27   --------   d-----w-   c:\documents and settings\All Users\Application Data\Creative
    2011-04-06 09:24 . 2003-06-13 06:25   7062   ----a-w-   c:\windows\system32\audiopid.vxd
    2011-04-06 09:24 . 2011-04-06 09:24   --------   d-----w-   c:\program files\Common Files\Creative Labs Shared
    2011-04-06 09:23 . 2011-04-06 09:23   445016   ----a-w-   c:\windows\system32\wrap_oal.dll
    2011-04-06 09:23 . 2004-07-13 01:53   585728   ----a-w-   c:\windows\system32\ctaudfx.dll
    2011-04-06 09:23 . 2003-11-13 10:04   606208   ----a-w-   c:\windows\system32\ctsblfx.dll
    2011-04-06 09:23 . 2003-11-13 10:02   114688   ----a-w-   c:\windows\system32\commonfx.dll
    2011-04-06 09:14 . 2003-11-11 01:14   729088   ----a-w-   c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iKernel.dll
    2011-04-06 09:14 . 2003-11-11 01:13   69715   ----a-w-   c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\ctor.dll
    2011-04-06 09:14 . 2003-11-11 01:12   266240   ----a-w-   c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iscript.dll
    2011-04-06 09:14 . 2003-11-11 01:12   192512   ----a-w-   c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iuser.dll
    2011-04-06 09:14 . 2003-11-11 01:11   5632   ----a-w-   c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\DotNetInstaller.exe
    2011-04-06 09:14 . 2011-04-06 09:14   188548   ----a-w-   c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iGdi.dll
    2011-04-06 09:14 . 2011-04-06 09:14   311428   ----a-w-   c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\setup.dll
    2011-04-06 09:12 . 2011-04-06 09:12   --------   d-----w-   c:\documents and settings\Matthew\Application Data\InstallShield Installation Information
    2011-04-02 09:23 . 2011-04-02 09:23   --------   d-----w-   c:\documents and settings\Admin\Application Data\SystemRequirementsLab
    2011-04-02 09:16 . 2011-04-02 09:16   --------   d-----w-   c:\documents and settings\Admin\Local Settings\Application Data\Mozilla
    2011-04-02 01:54 . 2011-04-02 01:54   --------   d-----w-   c:\documents and settings\Admin\Application Data\NVIDIA
    2011-04-02 01:31 . 2010-11-11 23:10   26216   ----a-w-   c:\windows\system32\nvhdap32.dll
    2011-04-02 01:31 . 2010-11-11 23:10   100456   ----a-w-   c:\windows\system32\drivers\nvhda32.sys
    2011-04-02 01:31 . 2010-06-21 22:07   232040   ----a-w-   c:\windows\system32\nvcohda.dll
    2011-04-02 01:29 . 2011-04-08 06:11   252080   ----a-w-   c:\windows\system32\nvdrsdb0.bin
    2011-04-02 01:29 . 2011-04-08 06:11   1   ----a-w-   c:\windows\system32\nvdrssel.bin
    2011-04-02 01:29 . 2011-04-08 06:11   252080   ----a-w-   c:\windows\system32\nvdrsdb1.bin
    2011-03-28 23:13 . 2011-03-28 23:17   --------   d-----w-   c:\program files\SIW
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-04-06 09:23 . 2009-05-21 01:18   109144   ----a-w-   c:\windows\system32\OpenAL32.dll
    2011-03-07 05:33 . 2009-05-20 21:35   692736   ----a-w-   c:\windows\system32\inetcomm.dll
    2011-03-04 06:45 . 2004-08-04 12:00   434176   ----a-w-   c:\windows\system32\vbscript.dll
    2011-03-03 13:21 . 2004-08-04 12:00   1857920   ----a-w-   c:\windows\system32\win32k.sys
    2011-02-17 19:00 . 2004-08-04 12:00   832512   ----a-w-   c:\windows\system32\wininet.dll
    2011-02-17 19:00 . 2004-08-04 12:00   78336   ----a-w-   c:\windows\system32\ieencode.dll
    2011-02-17 19:00 . 2004-08-04 12:00   1830912   ------w-   c:\windows\system32\inetcpl.cpl
    2011-02-17 19:00 . 2004-08-04 12:00   17408   ------w-   c:\windows\system32\corpol.dll
    2011-02-17 13:18 . 2004-08-04 12:00   455936   ----a-w-   c:\windows\system32\drivers\mrxsmb.sys
    2011-02-17 13:18 . 2004-08-04 12:00   357888   ----a-w-   c:\windows\system32\drivers\srv.sys
    2011-02-17 12:32 . 2009-05-22 22:18   5120   ----a-w-   c:\windows\system32\xpsp4res.dll
    2011-02-17 11:44 . 2004-08-04 12:00   389120   ----a-w-   c:\windows\system32\html.iec
    2011-02-15 12:56 . 2004-08-04 12:00   290432   ----a-w-   c:\windows\system32\atmfd.dll
    2011-02-09 13:53 . 2004-08-04 12:00   270848   ----a-w-   c:\windows\system32\sbe.dll
    2011-02-09 13:53 . 2004-08-04 12:00   186880   ----a-w-   c:\windows\system32\encdec.dll
    2011-02-08 13:33 . 2004-08-04 12:00   978944   ----a-w-   c:\windows\system32\mfc42.dll
    2011-02-08 13:33 . 2004-08-04 12:00   974848   ----a-w-   c:\windows\system32\mfc42u.dll
    2011-02-03 02:19 . 2009-07-29 08:51   73728   ----a-w-   c:\windows\system32\javacpl.cpl
    2011-02-02 07:58 . 2009-05-20 21:34   2067456   ----a-w-   c:\windows\system32\mstscax.dll
    2011-01-27 11:57 . 2009-05-20 21:34   677888   ----a-w-   c:\windows\system32\mstsc.exe
    2011-01-21 14:44 . 2004-08-04 12:00   439296   ----a-w-   c:\windows\system32\shimgvw.dll
    2011-03-18 17:53 . 2011-04-02 09:16   142296   ----a-w-   c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-03 102400]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-03-16 127037]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
    "EEventManager"="c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2005-04-08 102400]
    "CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
    "CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
    "UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
    "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]
    "BambooCore"="c:\program files\Bamboo Dock\BambooCore.exe" [2011-02-10 629336]
    "AmazonGSDownloaderTray"="c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-10-23 326144]
    "CTHelper"="CTHELPER.EXE" [2010-03-19 19456]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-01-08 13880424]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-01-08 111208]
    "nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-11-04 1753192]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
    .
    c:\documents and settings\Admin\Start Menu\Programs\Startup\
    Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-7-30 217195]
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "d:\\World of Warcraft\\Launcher.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "d:\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
    "d:\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "d:\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
    "d:\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
    "d:\\World of Warcraft\\WoW-3.2.2.10505-to-3.3.0.10958-enUS-downloader.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program Files\\Fantasy Grounds II\\FantasyGrounds.exe"=
    "c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
    "c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
    .
    R1 MpKsl6736b89d;MpKsl6736b89d;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6F145977-E696-4293-96C0-6811DFE2C4F7}\MpKsl6736b89d.sys [4/18/2011 11:25 PM 28752]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]
    R2 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [3/8/2011 2:54 AM 401920]
    R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [2/14/2011 5:28 AM 21992]
    R2 TabletServicePen;TabletServicePen;c:\program files\Tablet\Pen\Pen_Tablet.exe [2/10/2011 4:04 PM 4869488]
    R2 TouchServicePen;Wacom Consumer Touch Service;c:\program files\Tablet\Pen\Pen_TouchService.exe [2/10/2011 4:05 PM 416112]
    R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [4/1/2011 6:31 PM 100456]
    R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2/10/2011 4:04 PM 16240]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/24/2011 11:29 PM 136176]
    S3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [3/18/2010 8:39 PM 99416]
    S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [3/18/2010 8:39 PM 99416]
    S3 cpuz134;cpuz134;\??\c:\docume~1\Admin\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys --> c:\docume~1\Admin\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys [?]
    S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [4/6/2011 2:24 AM 79360]
    S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [3/18/2010 8:39 PM 555096]
    S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [3/18/2010 8:39 PM 555096]
    S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [3/18/2010 8:39 PM 100952]
    S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [3/18/2010 8:39 PM 100952]
    S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [3/18/2010 8:39 PM 566360]
    S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [3/18/2010 8:39 PM 566360]
    S4 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\AVGIDSShim.Sys --> c:\windows\system32\DRIVERS\AVGIDSShim.Sys [?]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - MPFILTER
    *NewlyCreated* - MPKSL6736B89D
    *NewlyCreated* - MSMPSVC
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-04-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-01-25 01:49]
    .
    2011-04-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-01-25 01:49]
    .
    2011-04-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-1078145449-725345543-1004Core.job
    - c:\documents and settings\Matthew\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-22 14:55]
    .
    2011-04-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-1078145449-725345543-1004UA.job
    - c:\documents and settings\Matthew\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-22 14:55]
    .
    2011-04-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-1078145449-725345543-1005Core.job
    - c:\documents and settings\Kary\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-02 16:50]
    .
    2011-04-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-1078145449-725345543-1005UA.job
    - c:\documents and settings\Kary\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-02 16:50]
    .
    2011-04-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-1078145449-725345543-1006Core.job
    - c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-22 09:31]
    .
    2011-04-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-1078145449-725345543-1006UA.job
    - c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-22 09:31]
    .
    2011-04-19 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 19:26]
    .
    2011-04-19 c:\windows\Tasks\MpIdleTask.job
    - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 19:26]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = <local>
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -
    DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
    FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\ee30ac2q.default\
    .
    - - - - ORPHANS REMOVED - - - -
    .
    WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
    HKCU-Run-Bamboo Dock - c:\program files\Bamboo Dock\Bamboo Dock\Bamboo Dock.exe
    HKLM-Run-Turbine Download Manager Tray Icon - c:\program files\Turbine\Turbine Download Manager\TurbineDownloadManagerIcon.exe
    HKLM-Run-CTXFIREG - CTxfiReg.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-04-19 00:00
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ... 
    .
    scanning hidden autostart entries ...
    .
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
      CTHelper = CTHELPER.EXE?
    .
    scanning hidden files ... 
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    @DACL=(02 0000)
    "Installed"="1"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    @DACL=(02 0000)
    "Installed"="1"
    "NoChange"="1"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    @DACL=(02 0000)
    "Installed"="1"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(592)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    .
    Completion time: 2011-04-19  00:01:58
    ComboFix-quarantined-files.txt  2011-04-19 07:01
    .
    Pre-Run: 173,723,787,264 bytes free
    Post-Run: 180,481,212,416 bytes free
    .
    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
    .
    - - End Of File - - C63B4E7EF2A803AFE4D98748EB18C596
     

    SuperDave

    Re: Scan Results
    « Reply #17 on: April 19, 2011, 01:21:56 PM »
    There are still traces of AVG on your computer. Please run this tool to get rid of them.
    AVG Antivirus Remover utility

    SysProt Antirootkit

    Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

    http://sites.google.com/site/sysprotantirootkit/

    Unzip it into a folder on your desktop.
    • Double click Sysprot.exe to start the program.
    • Click on the Log tab.
    • In the Write to log box select the following items.
      • Process << Selected
      • Kernel Modules << Selected
      • SSDT << Selected
      • Kernel Hooks << Selected
      • IRP Hooks << NOT Selected
      • Ports << NOT Selected
      • Hidden Files << Selected
    • At the bottom of the page
      • Hidden Objects Only << Selected
    • Click on the Create Log button on the bottom right.
    • After a few seconds a new window should appear.
    • Select Scan Root Drive. Click on the Start button.
    • When it is complete a new window will appear to indicate that the scan is finished.
    • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.

    vandish



      Greenhorn

      • Experience: Beginner
      • OS: Unknown
      Re: Scan Results
      « Reply #18 on: April 19, 2011, 01:27:31 PM »
      Your comment has been removed. Please do not post malware advice, or post here in the malware forum, unless you need help. First Warning!
      « Last Edit: April 19, 2011, 01:32:07 PM by SuperDave »

      darthgaul

        Re: Scan Results
        « Reply #19 on: April 19, 2011, 02:44:12 PM »
        Done. :) Here are the log results:

        SysProt AntiRootkit v1.0.1.0
        by swatkat

        ******************************************************************************************
        ******************************************************************************************

        No Hidden Processes found

        ******************************************************************************************
        ******************************************************************************************
        Kernel Modules:
        Module Name: \SystemRoot\System32\Drivers\dump_iastor.sys
        Service Name: ---
        Module Base: A8303000
        Module End: A83D8000
        Hidden: Yes

        ******************************************************************************************
        ******************************************************************************************
        No SSDT Hooks found

        ******************************************************************************************
        ******************************************************************************************
        No Kernel Hooks found

        ******************************************************************************************
        ******************************************************************************************
        Hidden files/folders:
        Object: C:\7ffce0c191e3d3b84c6f6e83dfd62392\amd64\filterpipelineprintproc.dll
        Status: Access denied

        Object: C:\7ffce0c191e3d3b84c6f6e83dfd62392\amd64\msxpsdrv.cat
        Status: Access denied

        Object: C:\7ffce0c191e3d3b84c6f6e83dfd62392\amd64\msxpsdrv.inf
        Status: Access denied

        Object: C:\7ffce0c191e3d3b84c6f6e83dfd62392\amd64\msxpsinc.gpd
        Status: Access denied

        Object: C:\7ffce0c191e3d3b84c6f6e83dfd62392\amd64\msxpsinc.ppd
        Status: Access denied

        Object: C:\7ffce0c191e3d3b84c6f6e83dfd62392\amd64\mxdwdrv.dll
        Status: Access denied

        Object: C:\7ffce0c191e3d3b84c6f6e83dfd62392\amd64\xpssvcs.dll
        Status: Access denied

        Object: C:\7ffce0c191e3d3b84c6f6e83dfd62392\i386\filterpipelineprintproc.dll
        Status: Access denied

        Object: C:\7ffce0c191e3d3b84c6f6e83dfd62392\i386\msxpsdrv.cat
        Status: Access denied

        Object: C:\7ffce0c191e3d3b84c6f6e83dfd62392\i386\msxpsdrv.inf
        Status: Access denied

        Object: C:\7ffce0c191e3d3b84c6f6e83dfd62392\i386\msxpsinc.gpd
        Status: Access denied

        Object: C:\7ffce0c191e3d3b84c6f6e83dfd62392\i386\msxpsinc.ppd
        Status: Access denied

        Object: C:\7ffce0c191e3d3b84c6f6e83dfd62392\i386\mxdwdrv.dll
        Status: Access denied

        Object: C:\7ffce0c191e3d3b84c6f6e83dfd62392\i386\xpssvcs.dll
        Status: Access denied

        Object: C:\Qoobox\BackEnv\AppData.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\Cache.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\Cookies.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\Desktop.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\Favorites.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\History.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\LocalAppData.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\LocalSettings.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\Music.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\NetHood.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\Personal.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\Pictures.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\PrintHood.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\Profiles.Folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\Profiles.Folder.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\Programs.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\Recent.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\SendTo.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\SetPath.bat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\StartMenu.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\StartUp.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\SysPath.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\Templates.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\VikPev00
        Status: Access denied

        SuperDave

        Re: Scan Results
        « Reply #20 on: April 19, 2011, 04:54:27 PM »
        I'd like to scan your machine with ESET OnlineScan

        • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
        ESET OnlineScan
        • Click the button.
        • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
          • Click on to download the ESET Smart Installer. Save it to your desktop.
          • Double click on the icon on your desktop.
        • Check
        • Click the button.
        • Accept any security warnings from your browser.
        • Check
        • Push the Start button.
        • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
        • When the scan completes, push
        • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
        • Push the button.
        • Push
        A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

        darthgaul

          Re: Scan Results
          « Reply #21 on: April 20, 2011, 03:49:56 AM »
          ESETScan results:
          C:\Documents and Settings\All Users\Documents\RegistryEasy_Setup.exe   a variant of Win32/Adware.RegistryEasy application   deleted - quarantined
          C:\Documents and Settings\Matthew\Application Data\Sun\Java\Deployment\cache\6.0\40\59774da8-15854b67   a variant of Java/TrojanDownloader.OpenStream.NBE trojan   deleted - quarantined
          C:\Documents and Settings\Matthew\My Documents\Downloads\RegistryEasy_Setup.exe   a variant of Win32/Adware.RegistryEasy application   deleted - quarantined
          C:\Matt and Kary Stuff\stuff from desktop\Install_AIM.exe   Win32/Adware.WBug.A application   deleted - quarantined
          C:\Program Files\Registry Easy\Recoveryer.dll   Win32/Adware.RegistryEasy application   cleaned by deleting - quarantined
          C:\Program Files\Registry Easy\RegEasyCleaner.exe   a variant of Win32/Adware.RegistryEasy application   cleaned by deleting - quarantined
          C:\Program Files\Registry Easy\RegEasyCleanerUpdate.exe   Win32/Adware.RegistryEasy application   cleaned by deleting - quarantined
          C:\System Volume Information\_restore{286756EB-FC84-45EF-9037-7FDF3017B2A8}\RP650\A0077336.exe   Win32/Toolbar.Zugo application   deleted - quarantined
          C:\System Volume Information\_restore{286756EB-FC84-45EF-9037-7FDF3017B2A8}\RP650\A0077571.exe   Win32/Adware.WBug.A application   deleted - quarantined
          C:\System Volume Information\_restore{286756EB-FC84-45EF-9037-7FDF3017B2A8}\RP650\A0077572.dll   Win32/Adware.RegistryEasy application   cleaned by deleting - quarantined
          C:\System Volume Information\_restore{286756EB-FC84-45EF-9037-7FDF3017B2A8}\RP650\A0077573.exe   a variant of Win32/Adware.RegistryEasy application   cleaned by deleting - quarantined
          C:\System Volume Information\_restore{286756EB-FC84-45EF-9037-7FDF3017B2A8}\RP650\A0077574.exe   Win32/Adware.RegistryEasy application   cleaned by deleting - quarantined

          darthgaul

            Re: Scan Results
            « Reply #22 on: April 20, 2011, 04:05:29 AM »
            During the above scan my Microsoft Security Essentials antivirus found threats that it said should be removed. I clicked yes without thinking, I hope I didn't mess anything up. Here are the files it removed:

            file:C:\Documents and Settings\Matthew\My Documents\Downloads\VeohWebPlayerSetup_eng.exe

            containerfile:C:\Documents and Settings\Matthew\Application Data\Sun\Java\Deployment\cache\6.0\52\3a842eb4-3953dd83
            file:C:\Documents and Settings\Matthew\Application Data\Sun\Java\Deployment\cache\6.0\52\3a842eb4-3953dd83->dogs/mian.class

            containerfile:C:\Documents and Settings\Matthew\Application Data\Sun\Java\Deployment\cache\6.0\31\73769d5f-3bd4842a
            file:C:\Documents and Settings\Matthew\Application Data\Sun\Java\Deployment\cache\6.0\31\73769d5f-3bd4842a->g6k1.class

            containerfile:C:\Documents and Settings\Matthew\Application Data\Sun\Java\Deployment\cache\6.0\29\330b03dd-7c11d264
            file:C:\Documents and Settings\Matthew\Application Data\Sun\Java\Deployment\cache\6.0\29\330b03dd-7c11d264->main.class

            containerfile:C:\Documents and Settings\Matthew\Application Data\Sun\Java\Deployment\cache\6.0\29\199bb91d-7804f9d1
            file:C:\Documents and Settings\Matthew\Application Data\Sun\Java\Deployment\cache\6.0\29\199bb91d-7804f9d1->DrSPoCCY8TxX5.class

            containerfile:C:\Documents and Settings\Matthew\Application Data\Sun\Java\Deployment\cache\6.0\1\4303e9c1-5e59b17b
            containerfile:C:\Documents and Settings\Matthew\Application Data\Sun\Java\Deployment\cache\6.0\51\2c063e33-6c89b9f7
            file:C:\Documents and Settings\Matthew\Application Data\Sun\Java\Deployment\cache\6.0\1\4303e9c1-5e59b17b->y6u7.class
            file:C:\Documents and Settings\Matthew\Application Data\Sun\Java\Deployment\cache\6.0\51\2c063e33-6c89b9f7->y6u7.class

            containerfile:C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\6.0\44\696d2fac-2c014b1d
            file:C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\6.0\44\696d2fac-2c014b1d->C.class

            containerfile:C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\6.0\44\690b50ac-7e24db75
            file:C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\6.0\44\690b50ac-7e24db75->lorry/Cloners.class

            SuperDave

            Re: Scan Results
            « Reply #23 on: April 20, 2011, 04:16:46 PM »
            As you can see from the ESET scan, most of the infections were from Registry Easy. I hope you have uninstalled it.
            How is your computer working now?
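Added example (not part of the original thread): a small Python parser that tallies an ESET Online Scanner log by detection name and by where each file was found, which is how the log in Reply #21 can be summarised. The four sample lines are copied from that log; the location labels and function names are made up for this example.

```python
import re
from collections import Counter

# Four lines copied from the ESET log in Reply #21; fields are separated by runs of spaces.
SAMPLE_LOG = r"""
C:\Documents and Settings\Matthew\Application Data\Sun\Java\Deployment\cache\6.0\40\59774da8-15854b67   a variant of Java/TrojanDownloader.OpenStream.NBE trojan   deleted - quarantined
C:\Program Files\Registry Easy\RegEasyCleaner.exe   a variant of Win32/Adware.RegistryEasy application   cleaned by deleting - quarantined
C:\System Volume Information\_restore{286756EB-FC84-45EF-9037-7FDF3017B2A8}\RP650\A0077336.exe   Win32/Toolbar.Zugo application   deleted - quarantined
C:\System Volume Information\_restore{286756EB-FC84-45EF-9037-7FDF3017B2A8}\RP650\A0077572.dll   Win32/Adware.RegistryEasy application   cleaned by deleting - quarantined
"""

# Location buckets, checked in order (labels are made up for this example).
LOCATIONS = [
    ("system_restore", r"\\System Volume Information\\_restore"),
    ("java_cache", r"\\Sun\\Java\\Deployment\\cache\\"),
    ("program_files", r"^[A-Za-z]:\\Program Files\\"),
]

def parse_line(line):
    """Split one log line into (path, detection name, action); None if malformed."""
    fields = re.split(r"\s{2,}|\t", line.strip())
    if len(fields) != 3:
        return None
    path, threat, action = fields
    # Drop the "a variant of" prefix and the trailing type word (application, trojan).
    threat = re.sub(r"^a variant of\s+", "", threat)
    return path, threat.rsplit(" ", 1)[0], action

def classify(path):
    for label, pattern in LOCATIONS:
        if re.search(pattern, path, re.IGNORECASE):
            return label
    return "other"

def summarize(log_text):
    """Return (count per detection name, count per location, malformed line count)."""
    by_name, by_location, skipped = Counter(), Counter(), 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        parsed = parse_line(line)
        if parsed is None:
            skipped += 1
            continue
        path, name, _action = parsed
        by_name[name] += 1
        by_location[classify(path)] += 1
    return by_name, by_location, skipped

if __name__ == "__main__": print(summarize(SAMPLE_LOG))
```

Detections counted under `system_restore` are copies held inside System Restore points; those restore points are deleted when System Restore is turned off, as in the steps given later in the thread.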

            darthgaul

              Re: Scan Results
              « Reply #24 on: April 20, 2011, 06:28:59 PM »
              I removed it now. and other programs I should remove or is that it?

              My computer seems to be running fine. Thank you so much for taking the time to help. :)

              SuperDave

              Re: Scan Results
              « Reply #25 on: April 21, 2011, 12:52:33 PM »
              Great! Let's do some cleanup

              To uninstall ComboFix

              • Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
              • In the field, type in ComboFix /uninstall


              (Note: Make sure there's a space between the word ComboFix and the forward-slash.)

              • Then, press Enter, or click OK.
              • This will uninstall ComboFix, delete its folders and files, hide System files and folders, and reset System Restore.
              ***************************************************
              Clean out your temporary internet files and temp files.

              Download TFC by OldTimer to your desktop.

              Double-click TFC.exe to run it.

              Note: If you are running on Vista, right-click on the file and choose Run As Administrator

              TFC will close all programs when run, so make sure you have saved all your work before you begin.

              * Click the Start button to begin the cleaning process.
              * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
              * Please let TFC run uninterrupted until it is finished.

              Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
              ***************************************************
              To remove all of the tools we used and the files and folders they created do the following:
              Double click OTL.exe.
              • Click the CleanUp button.
              • Select Yes when the "Begin cleanup Process?" prompt appears.
              • If you are prompted to Reboot during the cleanup, select Yes.
              • The tool will delete itself once it finishes.
              Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
              *******************************************************
              Looking over your log it seems you don't have any evidence of a third party firewall.

              Firewalls protect against hackers and malicious intruders. You need to download a free firewall from one of these reliable vendors.

              Remember only install ONE firewall

              1) Comodo Personal Firewall (Uncheck during installation "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage" and uncheck any HopSurf and/or Ask.com options if you choose this one)
              2) Online Armor
              3) Agnitum Outpost
              4) PC Tools Firewall Plus

              If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.
              ******************************************************
              Use the Secunia Software Inspector to check for out of date software.

              •Click Start Now

              •Check the box next to Enable thorough system inspection.

              •Click Start

              •Allow the scan to finish and scroll down to see if any updates are needed.
              •Update anything listed.
              ----------

              Go to Microsoft Windows Update and get all critical updates.

              ----------

              I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

              SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
              * Using SpywareBlaster to protect your computer from Spyware and Malware
              * If you don't know what ActiveX controls are, see here

              Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

              Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

              Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
              Safe Surfing!

              darthgaul

                Re: Scan Results
                « Reply #26 on: April 21, 2011, 01:10:44 PM »
                It says "Windows cannot find Combofix/Uninstall" I double and triple checked that it was spelled correctly... ???

                SuperDave

                Re: Scan Results
                « Reply #27 on: April 21, 2011, 07:50:53 PM »
                Download OTL to your desktop.

                To remove all of the tools we used and the files and folders they created do the following:
                Double click OTL.exe.
                • Click the CleanUp button.
                • Select Yes when the "Begin cleanup Process?" prompt appears.
                • If you are prompted to Reboot during the cleanup, select Yes.
                • The tool will delete itself once it finishes.
                Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
                ************************************************
                To turn off Windows XP System Restore:

                NOTE: These instructions assume that you are using the default Windows XP Start Menu and have not changed to the Classic Start menu. To re-enable the default menu, right-click Start, click Properties, click Start menu (not Classic) and then click OK.

                1. Click Start.
                2. Right-click the My Computer icon, and then click Properties.
                3. Click the System Restore tab.
                4. Check "Turn off System Restore" or "Turn off System Restore on all drives"
                5. Click Apply.
                6.  When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
                7. Click OK.
                8. Restart the computer and follow the instructions in the next section to turn on System Restore.

                To turn on Windows XP System Restore:

                1. Click Start.
                2. Right-click My Computer, and then click Properties.
                3. Click the System Restore tab.
                4. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives."
                5. Click Apply, and then click OK.

                darthgaul

                  Re: Scan Results
                  « Reply #28 on: April 22, 2011, 02:37:27 AM »
                  First of all thanks again for all your help with this.

                  OTL got rid of Combo fix. Yay!

                  I was working my way through the other steps on the above posts and was on the: Use the Secunia Software Inspector/ update anything listed part. One of the things it listed was Acrobat reader. Apparently I had two older versions 6.0 and 7.0. I used add/ remove software to take them off but when I was installing the latest version I got a message saying:

                  Error 1402.could not open key:
                  HKEY_local_Machine\software\microsoft\windows\currentversion\Run\optionalcomponents\MSFS.
                  Verify that you have sufficient access to that key of contact support personel


                  What should I do?

                  SuperDave

                  Re: Scan Results
                  « Reply #29 on: April 22, 2011, 10:33:23 AM »
                  Please try running as Administrator.