Computer Hope
Software => Computer viruses and spyware => Topic started by: tryagain on July 16, 2009, 01:10:48 PM
-
I've read the info page and thus far have run Avast, which found three or four trojans. Before coming here I had already tried to run SUPERantispyware (already on my machine) and couldn't. I uninstalled but was unable to reinstall from the site. I was able to download from Cnet but I cannot install it. I have also run Windows Defender and the regular version of CCleaner which I already had on. I wanted to double-check if I need to specifically download the CC slim version, if I am able to download. At the moment I cannot access most antispyware related sites.
I am pretty sure I'm dealing with ad.doubleclick.net issues, as ads on websites are being switched to the inappropriate kinds and my dh had vulgar pop-ups to deal with. Never had the latter kinds of problems before. Comp is running slow and sometimes freezing up.
Since I cannot download SAS, do I just continue down the list and see what I am able to do?
TIA for your help!
-
Just make note of what happens and continue on with the next step....
-
I've completed steps 1 and 2.
Couldn't complete 3 or 4. I was able to download from alternative download sites, but they wouldn't install; I got the Microsoft message "SUPERantispyware has encountered a problem and needs to close" and the same for Malwarebytes.
I completed step 5, although I forgot to close my browser. Am I okay or should I reinstall?
That brings me to step 6, Hijack This. The directions say to run this after the other steps have been completed. Since they can't be completed, should I just go ahead and run Hijack This and post the log?
-
Mbam renamer
Try the renamer download for Malwarebytes.
http://kixhelp.com/wr/files/mb/randmbam.exe
The randmbam.exe will try to create random names and shortcuts for Malwarebytes Anti Malware (MBAM) if you have it installed already.
If it installs then use this link to download the updates.
Download Malwarebytes' Anti-Malware Database - GT500.org
Just download it to the desktop and run the exe, then run Malwarebytes.
-
You can try downloading SAS in safe mode, or try renaming the file to sniper.exe and see if you can run it that way. If you can't, then just go on to HJT and see if you can run it.
-
Ok, I was able to get SAS and Malwarebytes logs. Had to get a go-around download and run from SAS support. It made it through but froze as I clicked to quarantine. The renamer worked for Malwarebytes and I was able to complete the scan. Followed the directions for HijackThis. It took several tries because it either froze or the comp restarted, but I got the log. I'll post all three below.
Although some trojans have been detected and quarantined, the comp is still running slow or freezing, and I am still dealing with inappropriate pop-ups and switched ads on websites. Two other things I forgot to mention: my Seagate external hard drive has stopped functioning in all this, with a message that it cannot find any drives; and neither the disk defragmenter nor chkdsk is operational.
Thanks so much for the help thus far. Hope you can help me figure the rest out.
SAS:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 07/17/2009 at 11:22 PM
Application Version : 4.26.1006
Core Rules Database Version : 3966
Trace Rules Database Version: 1906
Scan type : Complete Scan
Total Scan Time : 01:02:22
Memory items scanned : 619
Memory threats detected : 0
Registry items scanned : 6439
Registry threats detected : 4
File items scanned : 33962
File threats detected : 3
Trojan.Unknown Origin
HKU\.DEFAULT\Software\ColdWare
HKU\S-1-5-18\Software\ColdWare
Trojan.DNS-Changer (Hi-Jacked DNS)
HKLM\SYSTEM\CONTROLSET002\SERVICES\TCPIP\PARAMETERS\INTERFACES\{0A9A4FEC-465F-4421-8F47-4242C1C17886}#NAMESERVER
HKLM\SYSTEM\CONTROLSET003\SERVICES\TCPIP\PARAMETERS\INTERFACES\{0A9A4FEC-465F-4421-8F47-4242C1C17886}#NAMESERVER
Adware.Tracking Cookie
C:\WINDOWS\system32\config\systemprofile\Cookies\system@atdmt[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\[email protected][1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@yellowlinebanner[1].txt
MALWAREBYTES:
Malwarebytes' Anti-Malware 1.39
Database version: 2454
Windows 5.1.2600 Service Pack 2
7/18/2009 12:51:06 AM
mbam-log-2009-07-18 (00-51-06).txt
Scan type: Quick Scan
Objects scanned: 155866
Time elapsed: 6 minute(s), 50 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 2
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1720a2b8-5386-4d8a-8527-260871b6c7b5} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1720a2b8-5386-4d8a-8527-260871b6c7b5} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niguwufosa (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\c:\WINDOWS\system32\memman.vxd (Rogue.sysCleanerPro) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.109,85.255.112.192 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.109,85.255.112.192 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.109,85.255.112.192 -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
c:\WINDOWS\system32\memman.vxd (Rogue.sysCleanerPro) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HIJACKTHIS:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:50:02 AM, on 7/18/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\sstray.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Documents and Settings\All Users\common\dll\netdr\msdtc.exe
C:\Program Files\MEDIC\bin\sprtcmd.exe
C:\WINDOWS\system32\WTClient.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ContentWatch\Internet Protection\cwtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\System32\Drivers\WTSRV.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\sniper.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.crosswalk.com/homeschool
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Road Runner High Speed Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime] C:\Documents and Settings\All Users\common\dll\netdr\msdtc.exe
O4 - HKLM\..\Run: [MEDIC] "C:\Program Files\MEDIC\bin\sprtcmd.exe" /P MEDIC
O4 - HKLM\..\Run: [WTClient] WTClient.exe
O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [cwcptray] C:\Program Files\ContentWatch\Internet Protection\cwtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpywareTerminatorUpdate] "C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe"
O4 - HKUS\S-1-5-19\..\Run: [niguwufosa] Rundll32.exe "C:\WINDOWS\system32\zodavula.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [niguwufosa] Rundll32.exe "C:\WINDOWS\system32\zodavula.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_14.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_14.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/downloads/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - AppInit_DLLs: C:\WINDOWS\system32\wugakuwa.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ContentWatch (CwAltaService20) - ContentWatch, Inc. - C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\System32\Drivers\WTSRV.EXE
--
End of file - 11037 bytes
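The HijackThis log above mixes dozens of ordinary vendor entries with a few that stand out (an O4 autostart for the non-interactive LOCAL SERVICE and NETWORK SERVICE accounts, an executable launched from under Documents and Settings, a populated AppInit_DLLs value, a BHO whose file is gone). The script below is an added example of a first-pass triage of that log format; it is not part of HijackThis or of this thread, and the severity rules are this example's own assumptions, written so that benign entries such as the RunNarrator and DWQueuedReporting lines under SYSTEM are left alone. The sample log is constructed from entries in the post above.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in HijackThis log format, modelled on entries from the log
# posted above (benign and suspicious ones side by side).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime] C:\Documents and Settings\All Users\common\dll\netdr\msdtc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [niguwufosa] Rundll32.exe "C:\WINDOWS\system32\zodavula.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O20 - AppInit_DLLs: C:\WINDOWS\system32\wugakuwa.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""

# O4 line: "O4 - <hive>\..\<Run|RunOnce>: [<name>] <command> (User '<account>')"
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# First Windows path ending in .exe/.dll/.sys inside a command, quoted or not.
PATH_RE = re.compile(r'[a-z]:\\[^",]*?\.(?:exe|dll|sys)\b', re.IGNORECASE)

# Assumption: these two accounts never log on interactively, so a Run entry under
# them is worth a close look. SYSTEM and Default user are deliberately not listed;
# XP logs routinely carry legitimate entries there (see the log above).
SERVICE_ACCOUNTS = {"LOCAL SERVICE", "NETWORK SERVICE"}
USER_WRITABLE = ("c:\\documents and settings\\", "c:\\users\\")


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low"
    line: str       # the log line that triggered the finding
    reason: str


def triage(log_text: str) -> List[Finding]:
    """Apply the heuristics above to every line of a HijackThis-format log."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("O2 - BHO:") and line.endswith("(no file)"):
            findings.append(Finding("low", line, "BHO registered but its DLL is missing (orphaned entry)"))
        elif line.startswith("O20 - AppInit_DLLs:"):
            findings.append(Finding("high", line, "AppInit_DLLs is set: the DLL is loaded into every process that uses user32.dll"))
        elif line.startswith("O4 - "):
            m = O4_RE.match(line)
            if not m:
                continue
            cmd, user = m.group("cmd"), m.group("user")
            prog = cmd.split(" ", 1)[0].strip('"').lower()
            paths = PATH_RE.findall(cmd)
            first = paths[0].lower() if paths else ""
            if user in SERVICE_ACCOUNTS:
                findings.append(Finding("high", line, f"Run entry under the non-interactive {user} account"))
            if first.startswith(USER_WRITABLE):
                findings.append(Finding("high", line, "autostart executable lives in a user-writable profile directory"))
            if prog.endswith("rundll32.exe") and any(p.lower().endswith(".dll") for p in paths):
                findings.append(Finding("medium", line, "rundll32 loads a DLL at logon; confirm the DLL is a known vendor file"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity, for a quick overview before reading them."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    print(summarize(results))
    for f in results:
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

Run on the constructed sample it reports three high, two medium and one low finding; the medium tier is deliberately noisy (the NVIDIA rundll32 entry is flagged alongside the unknown one) because rundll32 lines need a human to check the DLL's origin either way.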
-
I forgot to mention that I was unable to update SAS or Malwarebytes. I was able to access updates for HijackThis.
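The Malwarebytes log above records a DNS changer: the NameServer value under Tcpip\Parameters in three control sets pointed at two public addresses that the machine's owner never configured, which explains ads being swapped on otherwise normal sites. The following is an added example, not part of the thread or of Malwarebytes, of pulling those resolver lists out of the log and comparing them against an allow-list of expected resolvers; the allow-list (a single home-router address) is a constructed assumption and would be replaced by the ISP's or organisation's real resolvers in practice.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample: two NameServer lines copied from the Malwarebytes log
# above plus one unrelated line, to show only NameServer data is picked up.
SAMPLE_LINES = [
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.109,85.255.112.192 -> Quarantined and deleted successfully.",
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.109,85.255.112.192 -> Quarantined and deleted successfully.",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.",
]

# Assumption (constructed for this example): on a home LAN the only resolver a
# client should carry is its router. Use the real ISP/corporate resolvers instead.
ALLOWED_RESOLVERS = {"192.168.1.1"}

# "<registry key ending in \NameServer> (...) -> Data: <comma-separated IPs> -> ..."
NAMESERVER_RE = re.compile(
    r"^(?P<key>\S+\\NameServer)\b.*?Data: (?P<servers>[0-9.,]+)", re.IGNORECASE
)


def resolvers_from_log(lines) -> Dict[str, List[str]]:
    """Map each registry key that carried a NameServer value to its resolver list."""
    found: Dict[str, List[str]] = {}
    for line in lines:
        m = NAMESERVER_RE.match(line.strip())
        if m:
            found[m.group("key")] = [s for s in m.group("servers").split(",") if s]
    return found


def classify(servers: List[str], allowed) -> List[Tuple[str, str]]:
    """Label each resolver: allowed, private (RFC 1918/link-local), unexpected-public or invalid."""
    out: List[Tuple[str, str]] = []
    for s in servers:
        if s in allowed:
            out.append((s, "allowed"))
            continue
        try:
            ip = ipaddress.ip_address(s)
        except ValueError:
            out.append((s, "invalid"))
            continue
        # A private address is usually the LAN router; a public one that is not on
        # the allow-list is exactly what a DNS changer leaves behind.
        out.append((s, "private" if ip.is_private else "unexpected-public"))
    return out


def suspicious_keys(lines, allowed) -> List[str]:
    """Registry keys whose resolver list contains a public address not on the allow-list."""
    return [
        key for key, servers in resolvers_from_log(lines).items()
        if any(verdict == "unexpected-public" for _, verdict in classify(servers, allowed))
    ]


if __name__ == "__main__":
    for key, servers in resolvers_from_log(SAMPLE_LINES).items():
        print(key)
        for server, verdict in classify(servers, ALLOWED_RESOLVERS):
            print(f"    {server:<16} {verdict}")
    print("keys needing attention:", len(suspicious_keys(SAMPLE_LINES, ALLOWED_RESOLVERS)))
```

The same comparison applies to a live machine: whatever lists the configured resolvers (ipconfig /all, or an export of the Tcpip\Parameters keys) can be fed through classify, and anything that comes back unexpected-public deserves the same scrutiny the scanner gave it here. Note that the log shows all three control sets carrying the rogue servers, which is why a check of CurrentControlSet alone is not enough.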
-
Good job getting the required logs......Evilfantasy will be along to review them....be patient....it's a summer weekend.
-
You need to go to Seagate (Seagate for Windows) to sort out your machine: download it and let it scan the PC.
http://www.seagate.com/www/en-us/support/downloads/seatools
Go to the site below and download Smart Defrag.
http://www.iobit.com/
-
Download The Comedian (http://rorschach112.geekstogo.com/The_Comedian.exe) to your desktop.
* Double click the program to run it.
* It will do a series of tasks and tell you when each one is finished.
* You will be prompted to press any key after each step
* When it is done it will close and exit itself automatically.
* You can delete The_Comedian.exe once it is finished.
.
----------
Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.
Link #1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link #2 (http://subs.geekstogo.com/ComboFix.exe)
**Note: It is important that it is saved directly to your Desktop
Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.
Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of security programs that should be disabled and how to disable them.
Double click combofix.exe & follow the prompts.
Vista users: right-click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt; please allow it).
When finished, ComboFix will produce a log for you.
Post the ComboFix log in your next reply.
Important: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.
If you have problems with ComboFix usage, see How to use ComboFix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
-
Thanks for getting back to me! :)
I downloaded and ran The Comedian, but on Step 4 it said it could not create a restore point. Should I still proceed to ComboFix? Also, I wasn't sure when it asked about creating registry backups kept for 30 days; I checked OK.
-
Yes just continue on please.
-
Here's the ComboFix log. Couldn't run it as ComboFix so I tried the renaming to Combo-Fix and that worked.
ComboFix 09-07-23.04 - Owner 07/24/2009 17:21.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.447.43 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
AV: avast! antivirus 4.8.1335 [VPS 090723-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\recycler\S-1-5-21-2212892535-3016890555-2903492491-1003
c:\windows\desktop
c:\windows\desktop\EA Hot Titles!.exe
c:\windows\Installer\132159e.msp
c:\windows\Installer\acbac.msi
c:\windows\system32\drivers\ESQULxuwyltfqxuuwpdqbpnobodpqqtjkbmup.sys
c:\windows\system32\ESQULabwwxiqpeltobirvvjmldunqkeqbrgai.dll
c:\windows\system32\ESQULrbhtkbljbmtclcvtqjoetiwlrtsrtena.dll
c:\windows\system32\ESQULzcounter
c:\windows\system32\MabryObj.dll
c:\windows\system32\skinboxer43.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_ESQULserv.sys
-------\Legacy_NPF
-------\Service_NPF
((((((((((((((((((((((((( Files Created from 2009-06-24 to 2009-07-24 )))))))))))))))))))))))))))))))
.
2009-07-24 18:56 . 2009-07-24 18:57 -------- d-----w- c:\program files\ERUNT
2009-07-22 01:15 . 2009-07-22 01:15 -------- d-----w- c:\documents and settings\Owner\Application Data\IObit
2009-07-22 01:15 . 2009-07-22 01:15 -------- d-----w- c:\program files\IObit
2009-07-18 05:06 . 2009-07-18 05:06 -------- d-----w- c:\program files\Trend Micro
2009-07-18 04:38 . 2009-07-18 04:38 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-07-18 02:13 . 2009-07-18 02:13 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-18 00:55 . 2009-07-18 00:55 142592 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys
2009-07-18 00:54 . 2009-07-24 20:37 -------- d-----w- c:\documents and settings\Owner\Application Data\Spyware Terminator
2009-07-18 00:54 . 2009-07-24 18:46 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Spyware Terminator
2009-07-18 00:54 . 2009-07-18 00:59 -------- d-----w- c:\program files\Spyware Terminator
2009-07-17 21:31 . 2009-07-17 21:32 -------- d-----w- c:\program files\a-squared Free
2009-07-17 13:17 . 2009-07-17 13:17 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 13:12 . 2009-07-17 13:12 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-07-17 12:59 . 2009-07-13 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-17 12:59 . 2009-07-17 12:59 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-07-17 12:59 . 2009-07-18 04:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-17 12:59 . 2009-07-13 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-11 03:02 . 2009-07-11 03:02 -------- d-----w- c:\documents and settings\Owner\ContentWatch
2009-07-07 01:49 . 2009-07-07 01:49 7639 ----a-w- c:\windows\extend.dat
2009-07-05 20:43 . 2004-08-04 02:58 5504 -c--a-w- c:\windows\system32\dllcache\mstee.sys
2009-07-05 20:43 . 2004-08-04 02:58 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-24 19:45 . 2007-01-30 15:13 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-07-23 15:57 . 2005-01-08 20:34 39514 ----a-w- c:\documents and settings\Owner\Application Data\wklnhst.dat
2009-07-22 00:36 . 2008-05-28 11:47 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-17 13:39 . 2004-10-01 15:45 -------- d-----w- c:\program files\Java
2009-07-16 11:31 . 2004-10-01 16:04 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Viewpoint
2009-07-10 21:36 . 2009-07-10 21:34 -------- d-----w- c:\program files\ContentWatch
2009-07-10 21:20 . 2007-12-04 14:25 -------- d-----w- c:\program files\Internet Content Filter
2009-07-10 19:33 . 2008-07-02 18:30 34 ----a-w- c:\documents and settings\Owner\jagex_runescape_preferences.dat
2009-07-07 23:04 . 2008-10-14 21:54 139776 ----a-w- c:\documents and settings\Gabe\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-06 01:46 . 2008-10-15 12:33 139776 ----a-w- c:\documents and settings\John\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-03 00:29 . 2007-10-22 23:51 139776 ----a-w- c:\documents and settings\Sarah\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-01 00:03 . 2007-10-12 03:10 139776 ----a-w- c:\documents and settings\Matt\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-26 18:54 . 2009-06-11 22:09 -------- d-----w- c:\documents and settings\Owner\Application Data\vlc
2009-06-26 00:28 . 2005-01-08 20:34 139776 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-25 19:13 . 2004-10-01 15:35 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-25 15:46 . 2007-10-30 16:34 -------- d-----w- c:\documents and settings\Owner\Application Data\gtk-2.0
2009-06-19 02:18 . 2009-06-25 16:09 16980 ----a-w- c:\windows\Fonts\electroh.ttf
2009-06-16 14:55 . 2004-01-02 08:06 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:55 . 2004-01-02 08:03 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-11 22:10 . 2009-01-05 22:52 -------- d-----w- c:\program files\Graboid
2009-06-11 22:03 . 2009-06-11 22:03 -------- d-----w- c:\program files\Mozilla ActiveX Control v1.7.12
2009-06-11 03:49 . 2009-06-11 03:49 -------- d-----w- c:\program files\iTunes
2009-06-11 03:49 . 2009-06-11 03:49 -------- d-----w- c:\program files\iPod
2009-06-11 03:49 . 2009-01-16 06:52 -------- d-----w- c:\program files\Common Files\Apple
2009-06-11 03:46 . 2009-06-11 03:45 -------- d-----w- c:\program files\QuickTime
2009-06-11 03:40 . 2009-01-16 06:52 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Apple
2009-06-08 15:32 . 2009-07-10 21:34 247616 ----a-w- c:\windows\system32\wxIE.dll
2009-06-08 15:32 . 2009-07-10 21:34 1859584 ----a-w- c:\windows\system32\AltaRecovery.exe
2009-06-08 15:12 . 2009-07-10 21:34 666624 ----a-w- c:\windows\system32\cwalsp.dll
2009-06-08 14:52 . 2009-07-10 21:34 81920 ----a-w- c:\windows\system32\wxcode_msw28u_wxjson_CW.dll
2009-06-08 14:52 . 2009-07-10 21:34 991232 ----a-w- c:\windows\system32\wxcode_msw28u_wxcurl_CW.dll
2009-06-08 14:50 . 2009-07-10 21:34 975872 ----a-w- c:\windows\system32\libxml2_CW.dll
2009-06-08 14:46 . 2009-05-19 17:13 151552 ----a-w- c:\windows\system32\libexpat.dll
2009-06-08 14:27 . 2009-07-10 21:34 524288 ----a-w- c:\windows\system32\wxmsw28u_xrc_vc_CW.dll
2009-06-08 14:27 . 2009-07-10 21:34 499712 ----a-w- c:\windows\system32\wxmsw28u_html_vc_CW.dll
2009-06-08 14:27 . 2009-07-10 21:34 2904064 ----a-w- c:\windows\system32\wxmsw28u_core_vc_CW.dll
2009-06-08 14:27 . 2009-07-10 21:34 110592 ----a-w- c:\windows\system32\wxmsw28u_media_vc_CW.dll
2009-06-08 14:27 . 2009-07-10 21:34 712704 ----a-w- c:\windows\system32\wxmsw28u_adv_vc_CW.dll
2009-06-08 14:27 . 2009-07-10 21:34 135168 ----a-w- c:\windows\system32\wxbase28u_xml_vc_CW.dll
2009-06-08 14:27 . 2009-07-10 21:34 135168 ----a-w- c:\windows\system32\wxbase28u_net_vc_CW.dll
2009-06-08 14:27 . 2009-07-10 21:34 1232896 ----a-w- c:\windows\system32\wxbase28u_vc_CW.dll
2009-06-05 15:42 . 2009-03-20 01:48 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-05 15:42 . 2009-01-16 06:52 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-06-03 19:27 . 2004-01-02 08:06 1290752 ----a-w- c:\windows\system32\quartz.dll
2009-05-27 21:43 . 2009-05-27 21:43 -------- d-----w- c:\program files\Unity
2009-05-07 15:44 . 2004-01-02 08:04 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2004-01-02 08:06 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-01-02 08:03 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-07-24 18:46 . 2009-03-09 18:10 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2009-01-24 18:44 . 2009-01-24 18:44 8 --sh--r- c:\windows\system32\B3590867F3.sys
2009-04-12 16:20 . 2009-01-12 16:20 5696 --sha-w- c:\windows\system32\bahegope.exe
2009-01-25 04:14 . 2009-01-24 18:44 848 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-04-11 22:08 . 2009-01-11 22:08 5696 --sha-w- c:\windows\system32\yewukulu.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-19 200704]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-06-23 1830128]
"SpywareTerminatorUpdate"="c:\program files\Spyware Terminator\SpywareTerminatorUpdate.exe" [2009-07-18 3055616]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-03-04 2904064]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2004-03-04 46080]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-03-11 135168]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 50688]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"QuickTime"="c:\documents and settings\All Users\common\dll\netdr\msdtc.exe" [2007-12-27 466944]
"MEDIC"="c:\program files\MEDIC\bin\sprtcmd.exe" [2006-12-27 192512]
"basicsmssmenu"="c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 169328]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"cwcptray"="c:\program files\ContentWatch\Internet Protection\cwtray.exe" [2009-06-08 351040]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-17 148888]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2003-08-15 57344]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2004-03-04 782336]
"nForce Tray Options"="sstray.exe" - c:\windows\system32\sstray.exe [2003-09-03 73728]
"CHotkey"="zHotkey.exe" - c:\windows\zHotkey.exe [2004-05-18 543232]
"ShowWnd"="ShowWnd.exe" - c:\windows\ShowWnd.exe [2003-09-19 36864]
"WTClient"="WTClient.exe" - c:\windows\system32\WTClient.exe [2007-04-11 40960]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-27 434528]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2006-10-04 53760]
c:\documents and settings\Owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideFastUserSwitching"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Microsoft Games\\Motocross Madness 2\\MCM2.ICD"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Owner\\Desktop\\k9-webprotection.exe"=
"c:\\Program Files\\ZyDAS Technology Corporation\\ZyDAS_802.11g_Utility\\ZDWlan.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Spyware Terminator\\SpywareTerminatorUpdate.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
"AllowRedirect"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/4/2008 6:13 AM 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [7/17/2009 8:55 PM 142592]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/4/2008 6:13 AM 20560]
R2 CwAltaService20;ContentWatch;c:\program files\ContentWatch\Internet Protection\cwsvc.exe [7/10/2009 5:34 PM 2072384]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\drivers\BRGSp50.sys [3/7/2008 1:53 PM 20608]
S3 mr97310c;CIF Dual-Mode Camera;c:\windows\system32\drivers\mr97310c.sys [7/5/2009 4:42 PM 107904]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.crosswalk.com/homeschool
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
LSP: c:\windows\system32\cwalsp.dll
Trusted Zone: christianbook.com <https\drm
Trusted Zone: christianbook.com https\dlm
FF - ProfilePath - c:\docume~1\Owner\APPLIC~1\Mozilla\Firefox\Profiles\ne8x1sqs.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.conservapedia.com/Main_Page
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ne8x1sqs.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\EbayAccessService.dll
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ne8x1sqs.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\EbayFormSubmitObserver.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-24 17:47
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\windows\TEMP\_av_proI.tm~a03680\stamp.tmp 10 bytes
scan completed successfully
hidden files: 1
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-3388798203-652253650-2994196867-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
[HKEY_USERS\S-1-5-21-3388798203-652253650-2994196867-1003\Software\YourCompanyName\YourProductName\Version*]
"VersionData"=hex:0d,3b,25,66,19,03,6e,fd,4f,a8,a2,fa,9d,e1,52,c2,8a,f9,01,99,
85,ff,f4,59,07,45,91,f9,29,b3,aa,34,31,2b,f2,f4,e1,09,ad,08,4c,48,f7,d3,42,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(628)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
- - - - - - - > 'lsass.exe'(684)
c:\windows\system32\cwalsp.dll
c:\windows\system32\wxbase28u_vc_CW.dll
- - - - - - - > 'explorer.exe'(3504)
c:\windows\system32\nview.dll
c:\program files\ScanSoft\OmniPageSE4\OpHookSE4.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\ArcSoft\Software Suite\PhotoImpression 5\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\a-squared Free\a2service.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Seagate\Basics\Service\SyncServicesBasics.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Spyware Terminator\sp_rsser.exe
c:\windows\system32\UAService7.exe
c:\windows\system32\drivers\WTSrv.exe
c:\windows\system32\WISPTIS.EXE
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2009-07-24 18:04 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-24 22:04
Pre-Run: 75,996,536,832 bytes free
Post-Run: 76,592,431,104 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
279 --- E O F --- 2009-07-23 15:28
-
Download Disable/Remove Windows Messenger (http://www.majorgeeks.com/DisableRemove_Windows_Messenger_d2327.html) to the Desktop to remove Windows Messenger.
Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.
Unzip the file on the Desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.
Exit out of MessengerDisable then delete the two files that were put on the Desktop.
----------
* Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
* Now type Combo-fix /u in the runbox
* Make sure there's a space between Combo-fix and /u
* Then hit Enter
* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.
----------
Clean out your temporary internet files and temp files.
Download TFC by OldTimer (http://oldtimer.geekstogo.com/TFC.exe) to your desktop.
Double-click TFC.exe to run it.
Note: If you are running on Vista, right-click on the file and choose Run As Administrator
TFC will close all programs when run, so make sure you have saved all your work before you begin.
* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.
Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
----------
Use the ESET Online Antivirus Scanner (http://www.eset.com/onlinescan/index.php)
This scanner requires Internet Explorer
1. Check the box next to YES, I accept the Terms of Use.
2. Click Start
3. When asked, allow the ActiveX control to install
4. Click Start
5. Make sure that the option Remove found threats and the option Scan unwanted applications are check marked.
6. Click Scan
7. Wait for the scan to finish
8. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
9. Add the C:\Program Files\EsetOnlineScanner\log.txt log into your next reply.
-
I think I uninstalled Windows Messenger. I followed the directions and chose the appropriate box. On the desktop I found only the icon for the zip file, so I deleted that. I had the save file box pop up several more times. Not sure why. I just clicked them off and restarted the comp. The Windows Messenger icon is gone and a search for it yielded nothing, so here's hoping.
I haven't been able to uninstall Combo-fix. When I try to run Combo-fix /u, I get a message that the file can't be found. When I try to uninstall Combofix /u, I get the prompt to run combofix.exe. I did check C: for Combofix and Combo-fix files and folders and they are still there. I'm checking back to see how to proceed.
-
Delete any Combo-Fix or ComboFix files you find and also delete the C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combofix.txt and C:\ComboFix-quarantined-files.txt
Then continue on with the next steps.
-
Ran TFC and the ESET scanner. ESET found three more infections. Posting the ESET log below.
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=7.00.6000.16850 (vista_gdr.090423-0018)
# OnlineScanner.ocx=1.0.0.5886
# api_version=3.0.2
# EOSSerial=0bf9387da20b284496ac34b981e6da16
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=false
# utc_time=2009-07-25 06:35:47
# local_time=2009-07-25 02:35:47 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=769 21 100 100 158980781250
# compatibility_mode=5889 61 66 100 729829571093750
# compatibility_mode=7937 61 100 100 6684428750000
# scanned=165903
# found=3
# cleaned=3
# scan_time=14799
C:\Documents and Settings\Owner\My Documents\Nero-8.3.6.0_eng_trial.exe Win32/Toolbar.AskSBar application (deleted - quarantined) AB3BAA644A1D8BF50C03C57DE968AE3C C
C:\Qoobox\Quarantine\C\WINDOWS\system32\ESQULabwwxiqpeltobirvvjmldunqkeqbrgai.dll.vir Win32/Olmarik.JI trojan (cleaned by deleting - quarantined) DB4997444D76434E325050C090B2EFD0 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\ESQULrbhtkbljbmtclcvtqjoetiwlrtsrtena.dll.vir Win32/Olmarik.JL trojan (cleaned by deleting - quarantined) 97657EBC7F44A16829661BDB71E6B802 C
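The ESET log above has a fixed shape (a `# key=value` header block followed by one line per detection), so its counts can be checked mechanically rather than eyeballed. The parser below is an added example, not part of the thread or of ESET; its sample input is the three detection lines posted above, and treating hits under C:\Qoobox\Quarantine as already neutralised is an assumption drawn from how ComboFix stores its quarantine, not an ESET feature.

```python
"""Parse and sanity-check an ESET Online Scanner log (added example)."""
import re
from dataclasses import dataclass

# Header lines are '# key=value'; a detection line is '<path> <threat> <type> (<action>) <MD5> <flag>'.
# The path may contain spaces, so the fixed-shape tail of the line anchors the match.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?) (?P<threat>\S+/\S+) (?P<kind>\S+) "
    r"\((?P<action>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32}) (?P<flag>\S+)$"
)
# Assumption: ComboFix keeps its quarantine under C:\Qoobox\Quarantine, so a hit
# there is an already-neutralised file, not a live infection.
QUARANTINE_MARKERS = ("\\qoobox\\quarantine\\",)
# Sample log: the headers that matter and the three detection lines from the log above.
SAMPLE_LOG = r"""ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# remove_checked=true
# scanned=165903
# found=3
# cleaned=3
C:\Documents and Settings\Owner\My Documents\Nero-8.3.6.0_eng_trial.exe Win32/Toolbar.AskSBar application (deleted - quarantined) AB3BAA644A1D8BF50C03C57DE968AE3C C
C:\Qoobox\Quarantine\C\WINDOWS\system32\ESQULabwwxiqpeltobirvvjmldunqkeqbrgai.dll.vir Win32/Olmarik.JI trojan (cleaned by deleting - quarantined) DB4997444D76434E325050C090B2EFD0 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\ESQULrbhtkbljbmtclcvtqjoetiwlrtsrtena.dll.vir Win32/Olmarik.JL trojan (cleaned by deleting - quarantined) 97657EBC7F44A16829661BDB71E6B802 C
"""

@dataclass
class Detection:
    path: str
    threat: str
    kind: str
    action: str
    md5: str

    def already_quarantined(self) -> bool:
        return any(m in self.path.lower() for m in QUARANTINE_MARKERS)

def parse_eset_log(text: str):
    """Return (headers, detections) for one log."""
    headers, detections = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# ") and "=" in line:
            key, value = line[2:].split("=", 1)
            headers[key] = value  # repeated keys (compatibility_mode) keep the last value
        elif (m := DETECTION_RE.match(line)):
            detections.append(Detection(
                m["path"], m["threat"], m["kind"], m["action"], m["md5"].upper()))
    return headers, detections

def check_counts(headers: dict, detections: list) -> list:
    """Inconsistencies between the header counts and the detection lines ([] = log adds up)."""
    issues = []
    found, cleaned = int(headers.get("found", -1)), int(headers.get("cleaned", -1))
    if found != len(detections):
        issues.append(f"found={found} but {len(detections)} detection lines")
    acted = sum("deleted" in d.action or "cleaned" in d.action for d in detections)
    if cleaned != acted:
        issues.append(f"cleaned={cleaned} but {acted} lines report a removal action")
    if cleaned > 0 and headers.get("remove_checked") != "true":
        issues.append("cleaned>0 although 'Remove found threats' was not ticked")
    return issues

def live_detections(detections: list) -> list:
    """Detections that were not already sitting in another tool's quarantine folder."""
    return [d for d in detections if not d.already_quarantined()]
```

Run over the sample, only the AskSBar toolbar installer counts as a live hit; the two Olmarik DLLs were already in ComboFix's quarantine.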
-
Those are actually not a real threat.
How is the computer running now?
-
Running better now; not freezing and no pop ups or switched ads. Still sluggish when bringing up or minimizing a screen, switching from internet to email or vice versa.
My desktop icons grew considerably, before and after I came to Computer Hope, as I tried to get free from malware. Prior to this infection I was running avast, SUPERantispyware, and Windows Defender. When SAS wouldn't run, I downloaded Malwarebytes. When that wouldn't run, I downloaded Spyware Terminator and a-squared. They ran but didn't solve the problem. Then I got help in getting SAS and Malwarebytes to run. So currently I have all of the above (and their get-arounds) plus HiJackThis, Erunt, and NTREGOPT. Should I just go back to avast, SAS, Malwarebytes and Windows Defender and uninstall the rest? Also, is Windows Firewall enough protection or should I look at one of your recommendations?
I still need to follow the directions for getting my external hard drive up and running again, but I figured I'd wait until the computer gets the all-clear. I have one more question for you. It is possible that I copied some text files to my flash drive at the start of all this (can't remember whether or not it was before the infection). To be safe, I'm thinking I should do a scan and check for infection. Are there any special instructions for this so as not to reinfect this machine or infect another, should the flash have malware?
Thanks again for all your help and insight!
-
Should I just go back to avast, SAS, Malwarebytes and Windows Defender and uninstall the rest?
Yes!
Also, is Windows Firewall enough protection or should I look at one of your recommendations?
No.
Remember, only install ONE firewall.
Online Armor (http://www.tallemu.com/online_armor_free.html)
Sunbelt/Kerio (http://www.sunbeltsoftware.com/Home-Home-Office/Sunbelt-Personal-Firewall/)
Agnitum (http://www.agnitum.com/products/outpostfree/download.php)
Are there any special instructions for this so as not to reinfect this machine or infect another, should the flash have malware?
Just have your antivirus scan it.
You can also use this.
Panda USB and AutoRun Vaccine
Insert your flash drive before we begin. Hold down the Shift key when inserting the flash drive until Windows detects it to bypass the autorun feature. This will keep the autorun.inf from executing automatically.
Download Panda USB and AutoRun Vaccine (http://research.pandasecurity.com/archive/Panda-USB-Vaccine-with-NTFS-Support.aspx) and save it to your desktop. - Alternate download link (http://majorgeeks.com/Panda_USB_and_AutoRun_Vaccine_d6029.html)
* Extract (unzip) the file to your desktop and a folder named USBVaccine will be created.
* Open that folder and double-click on USBVaccine.exe to start the program.
* Click Run
* Click the button to Vaccinate computer.
* Insert your USB flash drive.
* When the name of the drive appears in the dialog box, click the button to Vaccinate USB drive(s).
* Exit Panda USB and AutoRun Vaccine when done.
Note: Computer AutoRun Vaccination will prevent any AutoRun file from running, regardless of whether the removable device is infected or not. USB Vaccination disables the autorun file so it cannot be read, modified or replaced by malicious code. The Panda Research Blog (http://research.pandasecurity.com/archive/Panda-USB-and-AutoRun-Vaccine.aspx) advises that once USB drives have been vaccinated, the vaccination cannot be reversed except with a format. If you do this, be sure to back up your data files first or they will be lost during the formatting process.
----------
Final suggestions.
Use the Secunia Software Inspector (http://secunia.com/software_inspector) to check for out of date software.
- Click Start Now
- Check the box next to Enable thorough system inspection.
- Click Start
- Allow the scan to finish and scroll down to see if any updates are needed.
- Update anything listed.
.
----------
Go to Microsoft Windows Update (http://windowsupdate.microsoft.com/) and get all critical updates.
----------
I suggest using WOT - Web of Trust (http://www.mywot.com/). WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.
SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
* If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy (http://www.safer-networking.org/en/spybotsd/index.html). Guide: Use Spybot's Immunize Feature (http://www.bleepingcomputer.com/tutorials/tutorial43.html#immunize) to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ (http://www.safer-networking.org/en/faq/index.html)
Check out Keeping Yourself Safe On The Web (http://evilfantasy.wordpress.com/2008/05/20/keeping-yourself-safe-on-the-web/) for tips and free tools to help keep you safe in the future.
Also see Slow Computer? It May Not Be Malware (http://evilfantasy.wordpress.com/2008/05/24/slow-computer-it-may-not-be-malware/) for free cleaning/maintenance tools to help keep your computer running smooth.
-
I suggest using WOT - Web of Trust (http://www.mywot.com/). WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.
SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
* If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy (http://www.safer-networking.org/en/spybotsd/index.html). Guide: Use Spybot's Immunize Feature (http://www.bleepingcomputer.com/tutorials/tutorial43.html#immunize) to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ (http://www.safer-networking.org/en/faq/index.html)
Why would one need to run SAS, Spybot, and Malwarebytes?
Does each do something the other doesn't?
Also, how does Avast compare to Panda? Are updates to the virus DB as often?
-
Protect yourself against spyware using the Immunize feature in Spybot
The Immunize feature places restrictions in your HOSTS file to block malicious content on websites.
SAS and Malwarebytes?
It's best to use at least two on-demand scanners. They will have different definitions and therefore you stand a better chance of catching something with one that the other missed.
Also, how does Avast compare to Panda? Are updates to the virus DB as often?
The only real difference is that Panda is not free so it includes live support. The free version of Avast updates multiple times a day sometimes, or whenever they release them.
They're both good.
-
Why would one need to run SAS, Spybot, and Malwarebytes?
Does each do something the other doesn't?
Also, how does Avast compare to Panda? Are updates to the virus DB as often?
Sweet! Just the answer I was hoping for :)