Computer Hope

Software => Computer viruses and spyware => Topic started by: distrutled on December 28, 2010, 04:22:14 AM

Title: McAfee Security Scans blocked by Comodo
Post by: distrutled on December 28, 2010, 04:22:14 AM
A few weeks ago my firewall program, Comodo, warned me about a file called explorer.exe. I searched the net for some clarity, but found none. I was going to post my logs here, but I didn't really see any need as there weren't any real threats showing up. Now I'm having second thoughts and decided to post new logs to see if everything looks okay.

The other thing is that in the Comodo event viewer I keep seeing McAfee Security Scan being blocked multiple times. I didn't intentionally download McAfee; I think it was added on in a Java update or something. I have tried to uninstall it, but I can't get it to go away.

Any help on either of these matters would be appreciated; here are my logs.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/28/2010 at 04:03 AM

Application Version : 4.47.1000

Core Rules Database Version : 6081
Trace Rules Database Version: 3893

Scan type       : Complete Scan
Total Scan Time : 00:27:46

Memory items scanned      : 598
Memory threats detected   : 0
Registry items scanned    : 5333
Registry threats detected : 0
File items scanned        : 42192
File threats detected     : 0


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5406

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

12/28/2010 4:29:48 AM
mbam-log-2010-12-28 (04-29-48).txt

Scan type: Quick scan
Objects scanned: 139868
Time elapsed: 3 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected).


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:33:07 AM, on 12/28/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\AMT\LMS.exe
C:\PROGRA~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
C:\Program Files\Epson Software\FAX Utility\FUFAXSTM.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
C:\Program Files\Squeezebox\SqueezeTray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [EEventManager] C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
O4 - HKLM\..\Run: [FUFAXSTM] "C:\Program Files\Epson Software\FAX Utility\FUFAXSTM.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
O4 - HKCU\..\Run: [mnumsg.exe] C:\Program Files\MyShoppingGenie\mnumsg.exe
O4 - HKCU\..\Run: [Auto EPSON WorkForce 610 Series on KRISTI-MCCOY] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIFJA.EXE /FU "C:\WINDOWS\TEMP\E_SCF.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [WorkForce 610(Network) (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIFJA.EXE /FU "C:\WINDOWS\TEMP\E_SB1.tmp" /EF "HKCU"
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: McAfee Security Scan Plus.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NETGEAR WG111v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
O4 - Global Startup: Squeezebox Server Tray Tool.lnk = C:\Program Files\Squeezebox\SqueezeTray.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1259633329522
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{08254751-F0E0-4DC7-9FCA-06A52E8C9869}: NameServer = 156.154.70.22,156.154.71.22
O17 - HKLM\System\CCS\Services\Tcpip\..\{DE3A5C69-763A-45FF-A999-71154F23952B}: NameServer = 156.154.70.22,156.154.71.22
O17 - HKLM\System\CS1\Services\Tcpip\..\{08254751-F0E0-4DC7-9FCA-06A52E8C9869}: NameServer = 156.154.70.22,156.154.71.22
O17 - HKLM\System\CS2\Services\Tcpip\..\{08254751-F0E0-4DC7-9FCA-06A52E8C9869}: NameServer = 156.154.70.22,156.154.71.22
O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll
O20 - AppInit_DLLs: 
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: EpsonBidirectionalService - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON V5 Service4(01) (EPSON_EB_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel(R) Active Management Technology LMS Service (LMS) - Intel - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe
O23 - Service: SqueezeMySQL - Unknown owner - C:\PROGRA~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe

--
End of file - 9301 bytes

Title: Re: McAfee Security Scans blocked by Comodo
Post by: harry 48 on December 28, 2010, 08:32:58 AM
You should only have one AV in your PC. Go to the link below and remove two:

http://www.computerhope.com/forum/index.php?topic=59979.0
Title: Re: McAfee Security Scans blocked by Comodo
Post by: distrutled on December 29, 2010, 10:51:12 AM
Thank you. I used your link to successfully kill off the McAfee Security program, which has been bothering me for a long time. I didn't kill off AVG or Comodo, because I use AVG for antivirus and Comodo for my firewall only. I guess I will look into using an all-in-one antivirus with a firewall included, but that is another topic.

Did you see anything in my logs, other than the antivirus conflict, that I should be worried about?
Title: Re: McAfee Security Scans blocked by Comodo
Post by: harry 48 on December 29, 2010, 01:55:25 PM
Sorry, I cannot help you; I'm not a malware expert. Harry :(
Title: Re: McAfee Security Scans blocked by Comodo
Post by: SuperDave on December 29, 2010, 04:01:53 PM
Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.

Download Disable/Remove Windows Messenger (http://www.majorgeeks.com/DisableRemove_Windows_Messenger_d2327.html) to the desktop to remove Windows Messenger.

Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

Exit out of MessengerDisable then delete the two files that were put on the desktop.
***************************************************
Open HijackThis and select Do a system scan only

Place a check mark next to the following entries: (if there)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.
****************************************
Download Security Check by screen317 from one of the following links and save it to your desktop.

Link 1 (http://screen317.spywareinfoforum.org/SecurityCheck.exe)
Link 2 (http://screen317.changelog.fr/SecurityCheck.exe)

* Unzip SecurityCheck.zip and a folder named Security Check should appear.
* Open the Security Check folder and double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
**********************************************
Please download ComboFix (http://img7.imageshack.us/img7/4930/combofix.gif) from BleepingComputer.com (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)

Alternate link: GeeksToGo.com (http://subs.geekstogo.com/ComboFix.exe)

Rename ComboFix.exe to commy.exe before you save it to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here (http://www.bleepingcomputer.com/forums/topic114351.html).
Click Start > Run, then copy and paste the following command into the Run box and click OK: "%userprofile%\desktop\commy.exe" /stepdel
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
(http://img.photobucket.com/albums/v666/sUBs/Query_RC.gif)
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
(http://img.photobucket.com/albums/v666/sUBs/RC_successful.gif)

Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

If you have problems with ComboFix usage, see How to use ComboFix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix).
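SuperDave's fix list above names two O9 entries by their CLSID rather than by path. As an added example (my own code, not HijackThis' tooling and not anything SuperDave posted), here is a small Python parser for the HijackThis log format used throughout this thread: it splits each finding into its section code, GUID and file path, flattens the O4 autostart entries (Run keys and Startup folders) into one inventory that flags targets HijackThis could not resolve (printed as "?"), collects the O17 resolvers so they can be compared with what the machine is supposed to use, and looks entries up by GUID the way a fix list names them. The sample lines are copied from the log distrutled posted earlier in the thread; the regular expressions, class and function names are my assumptions.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKCU\..\Run: [mnumsg.exe] C:\Program Files\MyShoppingGenie\mnumsg.exe
O4 - Global Startup: McAfee Security Scan Plus.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{08254751-F0E0-4DC7-9FCA-06A52E8C9869}: NameServer = 156.154.70.22,156.154.71.22
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
"""

# Every HijackThis finding is "<section code> - <body>", e.g. "R1 - ...", "O4 - ...", "O23 - ...".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# First Windows path ending in a binary extension; non-greedy so quoted paths with spaces work.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|sys|cpl|ocx)\b', re.IGNORECASE)
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
LNK_RE = re.compile(r"^(?:Global )?Startup: (?P<name>.+?) = (?P<target>.+)$")
NS_RE = re.compile(r"NameServer = (?P<ips>[0-9.,]+)")


@dataclass(frozen=True)
class Entry:
    section: str           # HijackThis section code, e.g. "O4", "O23"
    body: str              # everything after "<code> - "
    guid: Optional[str]    # first {GUID}/CLSID on the line, upper-cased, or None
    path: Optional[str]    # first Windows file path on the line, or None


@dataclass(frozen=True)
class StartupItem:
    location: str          # "HKLM Run", "HKCU Run", "Startup folder", "Global Startup folder"
    name: str              # Run value name or .lnk file name
    target: Optional[str]  # file the item launches; None when HijackThis printed "?"


def parse_hjt(text: str) -> list[Entry]:
    """Turn a HijackThis log into Entry records, skipping headers and the process list."""
    entries: list[Entry] = []
    for raw in text.strip().splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        g, p = GUID_RE.search(body), PATH_RE.search(body)
        entries.append(Entry(m.group("section"), body,
                             g.group(0).upper() if g else None,
                             p.group(0) if p else None))
    return entries


def group_by_section(entries: list[Entry]) -> dict[str, list[Entry]]:
    groups: dict[str, list[Entry]] = defaultdict(list)
    for e in entries:
        groups[e.section].append(e)
    return dict(groups)


def find_by_guid(entries: list[Entry], guid: str) -> list[Entry]:
    """Match entries by GUID, the way a helper's 'Fix checked' list names them."""
    wanted = guid.strip().upper()
    return [e for e in entries if e.guid == wanted]


def startup_items(entries: list[Entry]) -> list[StartupItem]:
    """Flatten O4 entries (Run keys and Startup folders) into one autostart inventory."""
    items: list[StartupItem] = []
    for e in entries:
        if e.section != "O4":
            continue
        if m := RUN_RE.match(e.body):
            items.append(StartupItem(f"{m.group('hive')} Run", m.group("name"), e.path))
        elif m := LNK_RE.match(e.body):
            where = "Global Startup folder" if e.body.startswith("Global") else "Startup folder"
            items.append(StartupItem(where, m.group("name"), e.path))
    return items


def dns_servers(entries: list[Entry]) -> list[str]:
    """Collect the resolvers from O17 NameServer entries for comparison with the expected ones."""
    seen: set[str] = set()
    for e in entries:
        if e.section == "O17" and (m := NS_RE.search(e.body)):
            seen.update(ip for ip in m.group("ips").split(",") if ip)
    return sorted(seen)


if __name__ == "__main__":
    found = parse_hjt(SAMPLE_LOG)
    for section, group in sorted(group_by_section(found).items()):
        print(f"{section}: {len(group)} entries")
    for item in startup_items(found):
        print(f"autostart [{item.location}] {item.name} -> {item.target or 'UNRESOLVED'}")
    print("DNS servers:", ", ".join(dns_servers(found)))
    for hit in find_by_guid(found, "{FB5F1910-F110-11d2-BB9E-00C04F795683}"):
        print("fix candidate:", hit.section, hit.body)
```

Matching by GUID is deliberate: the same component is usually listed under several sections (here an O9 button and an O9 'Tools' menu item share one CLSID), so a GUID lookup pulls every line that belongs to it. The script only structures the log; deciding which autostarts, BHOs and resolvers are legitimate on a given machine remains the reviewer's job, which is why the unresolved "?" target and the O17 servers are surfaced rather than judged.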
Title: Re: McAfee Security Scans blocked by Comodo
Post by: CBMatt on December 29, 2010, 11:04:13 PM
Sorry, I cannot help you; I'm not a malware expert. Harry :(
Probably a good sign that you're in the wrong section.
Title: Re: McAfee Security Scans blocked by Comodo
Post by: harry 48 on December 30, 2010, 04:44:16 AM
Probably a good sign that you're in the wrong section.

I don't think so. I helped the poster as far as I could and then I knew to leave the rest to the experts, as I always do. I don't think I have done anything wrong.
Title: Re: McAfee Security Scans blocked by Comodo
Post by: distrutled on December 30, 2010, 01:08:58 PM
Thanks SuperDave,

I downloaded the "Disable/Remove Windows Messenger" link to my desktop, opened the file, checked the bottom box and hit Apply. I received a message that it was disabled, but I also got an "Advanced INF Install Failure" error. Reason: The I/O operation has been aborted because of a thread exit or an application request.

There weren't two files on my desktop, only the original Messenger disable.zip.
Title: Re: McAfee Security Scans blocked by Comodo
Post by: SuperDave on December 30, 2010, 01:17:33 PM
No biggie. Please continue with the rest of the instructions.
Title: Re: McAfee Security Scans blocked by Comodo
Post by: distrutled on December 30, 2010, 02:07:57 PM
Here is my security check log:

 Results of screen317's Security Check version 0.99.8 
 Windows XP Service Pack 3 
 Internet Explorer 6 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

 Windows Firewall Disabled! 
 AVG 2011     
 Antivirus up to date! 
```````````````````````````````
Anti-malware/Other Utilities Check:

 Malwarebytes' Anti-Malware   
 HijackThis 2.0.2   
 CCleaner     
 Java(TM) 6 Update 23 
 Adobe Flash Player 10.1.102.64 
Adobe Reader 9.4.1
Out of date Adobe Reader installed!
 Mozilla Firefox (3.6.13)
````````````````````````````````
Process Check: 
objlist.exe by Laurent

 AVG avgwdsvc.exe
 AVG avgtray.exe
 AVG avgrsx.exe
 AVG avgnsx.exe
 AVG avgemc.exe
 Comodo Firewall cmdagent.exe
 Comodo Firewall cfp.exe
``````````End of Log````````````



I saved ComboFix to my desktop as commie.exe. Then I pasted "%userprofile%\desktop\commy.exe"/stepdel in the Start/Run box. It won't do anything. I get a message that reads:

"Windows cannot find 'C:\Documents and Settings\Mike\desktop\commie.exe'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button and then click Search."
Title: Re: McAfee Security Scans blocked by Comodo
Post by: distrutled on December 30, 2010, 05:46:08 PM
Okay, now I hit start/run/browse "C:\Documents and Settings\Mike\Desktop\commie.exe"

ComboFix started; however, even with AVG disabled, it gave me an error message saying ComboFix cannot run when AVG is installed. Do I have to uninstall AVG?

Title: Re: McAfee Security Scans blocked by Comodo
Post by: distrutled on December 30, 2010, 06:59:21 PM
I uninstalled AVG and was able to get ComboFix to run. Here is the log it created.

ComboFix 10-12-30.01 - Mike 12/30/2010  19:35:40.12.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.998.613 [GMT -6:00]
Running from: c:\documents and settings\Mike\Desktop\Commie.exe
FW: COMODO Firewall *Enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Mike\LOCALS~1\Temp\pdk-Mike-1396\20252d6e001ae3774b425e81ba09b666\Fcntl.dll
c:\docume~1\Mike\LOCALS~1\Temp\pdk-Mike-1396\2076671ee5d0a5323570c92c74abac6f\Process.dll
c:\docume~1\Mike\LOCALS~1\Temp\pdk-Mike-1396\23ae7fb85999872530b5a5d4d67a4f44\Registry.dll
c:\docume~1\Mike\LOCALS~1\Temp\pdk-Mike-1396\23fe5d76b9491fa255db2281ac7687d5\Service.dll
c:\docume~1\Mike\LOCALS~1\Temp\pdk-Mike-1396\2d2847f7dd2a1fddd0fdb79d9d64ba93\List.dll
c:\docume~1\Mike\LOCALS~1\Temp\pdk-Mike-1396\6a834a555edd63cb8706466e7c1666f2\Hostname.dll
c:\docume~1\Mike\LOCALS~1\Temp\pdk-Mike-1396\7020d50af327e3fc94b98242c307fc81\Cwd.dll
c:\docume~1\Mike\LOCALS~1\Temp\pdk-Mike-1396\7dd16cc839f33995d1a58e2773aa29b8\WinError.dll
c:\docume~1\Mike\LOCALS~1\Temp\pdk-Mike-1396\855297e7b4b860331fdbdd53426f5e15\Dumper.dll
c:\docume~1\Mike\LOCALS~1\Temp\pdk-Mike-1396\86351894c58e4804ca004825fea78bbb\Encode.dll
c:\docume~1\Mike\LOCALS~1\Temp\pdk-Mike-1396\a7c0cce4e1ac2c1f6d3e71bbe3c9bdd3\Socket.dll
c:\docume~1\Mike\LOCALS~1\Temp\pdk-Mike-1396\b7b4505cb0a127c242f14d779e410e03\POSIX.dll
c:\docume~1\Mike\LOCALS~1\Temp\pdk-Mike-1396\c3da4aa4c02db51c7f94d5eaf2438023\OLE.dll
c:\docume~1\Mike\LOCALS~1\Temp\pdk-Mike-1396\f48694173221cfa9bad4275e2389b498\Win32.dll
c:\docume~1\Mike\LOCALS~1\Temp\pdk-Mike-1396\perl510.dll
c:\documents and settings\Mike\Local Settings\temp\pdk-Mike-1396\20252d6e001ae3774b425e81ba09b666\Fcntl.dll
c:\documents and settings\Mike\Local Settings\temp\pdk-Mike-1396\2076671ee5d0a5323570c92c74abac6f\Process.dll
c:\documents and settings\Mike\Local Settings\temp\pdk-Mike-1396\23ae7fb85999872530b5a5d4d67a4f44\Registry.dll
c:\documents and settings\Mike\Local Settings\temp\pdk-Mike-1396\23fe5d76b9491fa255db2281ac7687d5\Service.dll
c:\documents and settings\Mike\Local Settings\temp\pdk-Mike-1396\2d2847f7dd2a1fddd0fdb79d9d64ba93\List.dll
c:\documents and settings\Mike\Local Settings\temp\pdk-Mike-1396\6a834a555edd63cb8706466e7c1666f2\Hostname.dll
c:\documents and settings\Mike\Local Settings\temp\pdk-Mike-1396\7020d50af327e3fc94b98242c307fc81\Cwd.dll
c:\documents and settings\Mike\Local Settings\temp\pdk-Mike-1396\7dd16cc839f33995d1a58e2773aa29b8\WinError.dll
c:\documents and settings\Mike\Local Settings\temp\pdk-Mike-1396\855297e7b4b860331fdbdd53426f5e15\Dumper.dll
c:\documents and settings\Mike\Local Settings\temp\pdk-Mike-1396\86351894c58e4804ca004825fea78bbb\Encode.dll
c:\documents and settings\Mike\Local Settings\temp\pdk-Mike-1396\a7c0cce4e1ac2c1f6d3e71bbe3c9bdd3\Socket.dll
c:\documents and settings\Mike\Local Settings\temp\pdk-Mike-1396\b7b4505cb0a127c242f14d779e410e03\POSIX.dll
c:\documents and settings\Mike\Local Settings\temp\pdk-Mike-1396\c3da4aa4c02db51c7f94d5eaf2438023\OLE.dll
c:\documents and settings\Mike\Local Settings\temp\pdk-Mike-1396\f48694173221cfa9bad4275e2389b498\Win32.dll
c:\documents and settings\Mike\Local Settings\temp\pdk-Mike-1396\perl510.dll
.
---- Previous Run -------
.
c:\docume~1\Mike\LOCALS~1\Temp\pdk-Mike-3456\20252d6e001ae3774b425e81ba09b666\Fcntl.dll
c:\docume~1\Mike\LOCALS~1\Temp\pdk-Mike-3456\2076671ee5d0a5323570c92c74abac6f\Process.dll
c:\docume~1\Mike\LOCALS~1\Temp\pdk-Mike-3456\23ae7fb85999872530b5a5d4d67a4f44\Registry.dll
c:\docume~1\Mike\LOCALS~1\Temp\pdk-Mike-3456\23fe5d76b9491fa255db2281ac7687d5\Service.dll
c:\docume~1\Mike\LOCALS~1\Temp\pdk-Mike-3456\2d2847f7dd2a1fddd0fdb79d9d64ba93\List.dll
c:\docume~1\Mike\LOCALS~1\Temp\pdk-Mike-3456\6a834a555edd63cb8706466e7c1666f2\Hostname.dll
c:\docume~1\Mike\LOCALS~1\Temp\pdk-Mike-3456\7020d50af327e3fc94b98242c307fc81\Cwd.dll
c:\docume~1\Mike\LOCALS~1\Temp\pdk-Mike-3456\7dd16cc839f33995d1a58e2773aa29b8\WinError.dll
c:\docume~1\Mike\LOCALS~1\Temp\pdk-Mike-3456\855297e7b4b860331fdbdd53426f5e15\Dumper.dll
c:\docume~1\Mike\LOCALS~1\Temp\pdk-Mike-3456\86351894c58e4804ca004825fea78bbb\Encode.dll
c:\docume~1\Mike\LOCALS~1\Temp\pdk-Mike-3456\a7c0cce4e1ac2c1f6d3e71bbe3c9bdd3\Socket.dll
c:\docume~1\Mike\LOCALS~1\Temp\pdk-Mike-3456\b7b4505cb0a127c242f14d779e410e03\POSIX.dll
c:\docume~1\Mike\LOCALS~1\Temp\pdk-Mike-3456\c3da4aa4c02db51c7f94d5eaf2438023\OLE.dll
c:\docume~1\Mike\LOCALS~1\Temp\pdk-Mike-3456\f48694173221cfa9bad4275e2389b498\Win32.dll
c:\docume~1\Mike\LOCALS~1\Temp\pdk-Mike-3456\perl510.dll
c:\documents and settings\Mike\Local Settings\temp\pdk-Mike-3456\20252d6e001ae3774b425e81ba09b666\Fcntl.dll
c:\documents and settings\Mike\Local Settings\temp\pdk-Mike-3456\2076671ee5d0a5323570c92c74abac6f\Process.dll
c:\documents and settings\Mike\Local Settings\temp\pdk-Mike-3456\23ae7fb85999872530b5a5d4d67a4f44\Registry.dll
c:\documents and settings\Mike\Local Settings\temp\pdk-Mike-3456\23fe5d76b9491fa255db2281ac7687d5\Service.dll
c:\documents and settings\Mike\Local Settings\temp\pdk-Mike-3456\2d2847f7dd2a1fddd0fdb79d9d64ba93\List.dll
c:\documents and settings\Mike\Local Settings\temp\pdk-Mike-3456\6a834a555edd63cb8706466e7c1666f2\Hostname.dll
c:\documents and settings\Mike\Local Settings\temp\pdk-Mike-3456\7020d50af327e3fc94b98242c307fc81\Cwd.dll
c:\documents and settings\Mike\Local Settings\temp\pdk-Mike-3456\7dd16cc839f33995d1a58e2773aa29b8\WinError.dll
c:\documents and settings\Mike\Local Settings\temp\pdk-Mike-3456\855297e7b4b860331fdbdd53426f5e15\Dumper.dll
c:\documents and settings\Mike\Local Settings\temp\pdk-Mike-3456\86351894c58e4804ca004825fea78bbb\Encode.dll
c:\documents and settings\Mike\Local Settings\temp\pdk-Mike-3456\a7c0cce4e1ac2c1f6d3e71bbe3c9bdd3\Socket.dll
c:\documents and settings\Mike\Local Settings\temp\pdk-Mike-3456\b7b4505cb0a127c242f14d779e410e03\POSIX.dll
c:\documents and settings\Mike\Local Settings\temp\pdk-Mike-3456\c3da4aa4c02db51c7f94d5eaf2438023\OLE.dll
c:\documents and settings\Mike\Local Settings\temp\pdk-Mike-3456\f48694173221cfa9bad4275e2389b498\Win32.dll
c:\documents and settings\Mike\Local Settings\temp\pdk-Mike-3456\perl510.dll
c:\windows\system32\Oeminfo.ini
c:\windows\system32\rrt_is.wav
c:\windows\system32\rrt_tn.wav
c:\windows\system32\rrt_tv.wav
c:\windows\system32\rrt_vf.wav

.
(((((((((((((((((((((((((   Files Created from 2010-11-28 to 2010-12-31  )))))))))))))))))))))))))))))))
.

2010-12-31 01:21 . 2010-12-31 01:21   --------   d-----w-   c:\documents and settings\Mike\Local Settings\Application Data\Help
2010-12-30 04:07 . 2010-12-30 19:56   --------   d-----w-   c:\documents and settings\Aidan
2010-12-29 02:24 . 2010-12-29 02:24   --------   d-----w-   c:\program files\Common Files\Adobe

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-21 00:09 . 2010-07-24 06:09   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-21 00:08 . 2010-07-24 06:09   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-11-25 16:07 . 2010-06-02 00:00   285480   ----a-w-   c:\windows\system32\guard32.dll
2010-11-25 16:07 . 2010-06-02 00:00   91560   ----a-w-   c:\windows\system32\drivers\inspect.sys
2010-11-25 16:07 . 2010-06-02 00:00   25240   ----a-w-   c:\windows\system32\drivers\cmdhlp.sys
2010-11-25 16:07 . 2010-06-04 16:55   239240   ----a-w-   c:\windows\system32\drivers\cmdGuard.sys
2010-11-25 16:07 . 2010-06-02 00:00   15592   ----a-w-   c:\windows\system32\drivers\cmderd.sys
2010-11-18 18:12 . 2009-09-21 20:41   81920   ----a-w-   c:\windows\system32\isign32.dll
2010-11-13 00:53 . 2010-07-25 16:57   472808   ----a-w-   c:\windows\system32\deployJava1.dll
2010-11-12 22:34 . 2010-07-25 16:57   73728   ----a-w-   c:\windows\system32\javacpl.cpl
2010-11-05 05:05 . 2009-09-21 20:29   667136   ----a-w-   c:\windows\system32\wininet.dll
2010-11-05 05:05 . 2009-09-21 20:29   61952   ----a-w-   c:\windows\system32\tdc.ocx
2010-11-05 05:05 . 2009-09-21 20:29   81920   ----a-w-   c:\windows\system32\ieencode.dll
2010-11-03 12:59 . 2009-09-21 20:29   369664   ----a-w-   c:\windows\system32\html.iec
2010-11-02 15:17 . 2009-09-21 20:29   40960   ----a-w-   c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2009-09-21 20:29   290048   ----a-w-   c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2009-09-21 20:29   1853312   ----a-w-   c:\windows\system32\win32k.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mnumsg.exe"="c:\program files\MyShoppingGenie\mnumsg.exe" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"combofix"="c:\commie\CF29736.cfxxe" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-10-29 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-10-29 86016]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-10-29 81920]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2006-07-13 9134080]
"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-01-12 669520]
"FUFAXSTM"="c:\program files\Epson Software\FAX Utility\FUFAXSTM.exe" [2009-02-06 843776]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-11-25 2500552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

c:\documents and settings\Mike\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2004-10-15 65588]
NETGEAR WG111v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v3\WG111v3.exe [2008-7-1 2326528]
Squeezebox Server Tray Tool.lnk - c:\program files\Squeezebox\SqueezeTray.exe [2010-10-20 2351191]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Epson Software\\Event Manager\\EEventManager.exe"=
"c:\\Program Files\\EpsonNet\\EpsonNet Setup\\tool09\\ENEasyApp.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgmfapx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9000:TCP"= 9000:TCP:Squeezebox Server 9000 tcp (UI)
"9001:TCP"= 9001:TCP:Squeezebox Server 9001 tcp (UI)
"9002:TCP"= 9002:TCP:Squeezebox Server 9002 tcp (UI)
"9003:TCP"= 9003:TCP:Squeezebox Server 9003 tcp (UI)
"9004:TCP"= 9004:TCP:Squeezebox Server 9004 tcp (UI)
"9005:TCP"= 9005:TCP:Squeezebox Server 9005 tcp (UI)
"9006:TCP"= 9006:TCP:Squeezebox Server 9006 tcp (UI)
"9007:TCP"= 9007:TCP:Squeezebox Server 9007 tcp (UI)
"9008:TCP"= 9008:TCP:Squeezebox Server 9008 tcp (UI)
"9009:TCP"= 9009:TCP:Squeezebox Server 9009 tcp (UI)
"9010:TCP"= 9010:TCP:Squeezebox Server 9010 tcp (UI)
"9100:TCP"= 9100:TCP:Squeezebox Server 9100 tcp (UI)
"8000:TCP"= 8000:TCP:Squeezebox Server 8000 tcp (UI)
"10000:TCP"= 10000:TCP:Squeezebox Server 10000 tcp (UI)
"9090:TCP"= 9090:TCP:Squeezebox Server 9090 tcp (UI)
"3483:UDP"= 3483:UDP:Squeezebox Server 3483 udp
"3483:TCP"= 3483:TCP:Squeezebox Server 3483 tcp

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [6/4/2010 10:55 AM 239240]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [6/1/2010 6:00 PM 25240]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 12:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 12:41 PM 67656]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [10/9/2007 3:13 PM 38144]
R2 SqueezeMySQL;SqueezeMySQL;c:\progra~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe --defaults-file=c:\docume~1\ALLUSE~1\APPLIC~1\SQUEEZ~1\Cache\my.cnf SqueezeMySQL --> c:\progra~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe --defaults-file=c:\docume~1\ALLUSE~1\APPLIC~1\SQUEEZ~1\Cache\my.cnf SqueezeMySQL [?]
R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [12/28/2007 5:02 PM 287232]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 6:49 AM 227232]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
uInternet Settings,ProxyOverride = <local>
TCP: {08254751-F0E0-4DC7-9FCA-06A52E8C9869} = 156.154.70.22,156.154.71.22
TCP: {DE3A5C69-763A-45FF-A999-71154F23952B} = 156.154.70.22,156.154.71.22
FF - ProfilePath - c:\documents and settings\Mike\Application Data\Mozilla\Firefox\Profiles\uk3k73oz.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-30 19:45
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(696)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL

- - - - - - - > 'lsass.exe'(752)
c:\windows\system32\guard32.dll

- - - - - - - > 'explorer.exe'(2496)
c:\windows\system32\guard32.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\EPSON\EBAPI\eEBSVC.exe
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\AMT\LMS.exe
c:\progra~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
.
**************************************************************************
.
Completion time: 2010-12-30  19:49:06 - machine was rebooted
ComboFix-quarantined-files.txt  2010-12-31 01:49

Pre-Run: 69,882,626,048 bytes free
Post-Run: 69,865,566,208 bytes free

- - End Of File - - 25174AF70F7D06D304BAB192FE854A89
Title: Re: McAfee Security Scans blocked by Comodo
Post by: SuperDave on December 30, 2010, 07:34:27 PM
Yes. ComboFix doesn't get along with AVG. You should download and install a new AV ASAP.
You were having trouble with ComboFix because you spelled it commie instead of commy.

Looking over your log it seems you don't have any antivirus software.

Before we continue download and install a free antivirus.

Remember to only install one antivirus!
 
1) Avast! Home Edition (http://www.majorgeeks.com/Avast_Home_Edition_d1968.html)
2) AVG Free Edition (http://www.majorgeeks.com/download.php?det=886)
3) Avira AntiVir Personal (http://www.majorgeeks.com/AntiVir_Personal_Edition_7_d955.html)
4) Microsoft Security Essentials for Windows Vista\Windows 7 (http://majorgeeks.com/Microsoft_Security_Essentials_for_Windows_VistaWindows_7_d6242.html) - 64 bit Download (http://majorgeeks.com/downloadget.php?id=6242&file=5&evp=9112d44b71f157fc5d7fcd7724b088ca)
4-a) Microsoft Security Essentials for Windows XP (http://www.microsoft.com/security_essentials/)
5) Comodo Antivirus (http://www.majorgeeks.com/Comodo_AntiVirus_d5109.html) (Uncheck during installation "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage" if you choose this one)
6) PC Tools AntiVirus Free Edition (http://www.majorgeeks.com/PC_Tools_AntiVirus_Free_Edition_d5469.html)

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.
***************************************************
SysProt Antirootkit

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/ (http://sites.google.com/site/sysprotantirootkit/)

Unzip it into a folder on your desktop.

log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.
Title: Re: McAfee Security Scans blocked by Comodo
Post by: distrutled on December 30, 2010, 08:56:46 PM
SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: AA2CA000
Module End: AA2E2000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: F7A3A000
Module End: F7A3C000
Hidden: Yes

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwAdjustPrivilegesToken
Address: AA51480A
Driver Base: AA50A000
Driver End: AA543000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwConnectPort
Address: AA513D8A
Driver Base: AA50A000
Driver End: AA543000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwCreateFile
Address: AA514470
Driver Base: AA50A000
Driver End: AA543000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwCreateKey
Address: AA51507E
Driver Base: AA50A000
Driver End: AA543000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwCreatePort
Address: AA513C66
Driver Base: AA50A000
Driver End: AA543000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwCreateSection
Address: AA51713C
Driver Base: AA50A000
Driver End: AA543000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwCreateSymbolicLinkObject
Address: AA5174C2
Driver Base: AA50A000
Driver End: AA543000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwCreateThread
Address: AA513652
Driver Base: AA50A000
Driver End: AA543000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwDeleteKey
Address: AA5149F6
Driver Base: AA50A000
Driver End: AA543000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwDeleteValueKey
Address: AA514BF6
Driver Base: AA50A000
Driver End: AA543000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwDuplicateObject
Address: AA513458
Driver Base: AA50A000
Driver End: AA543000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwEnumerateKey
Address: AA5157BC
Driver Base: AA50A000
Driver End: AA543000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwEnumerateValueKey
Address: AA515A12
Driver Base: AA50A000
Driver End: AA543000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwLoadDriver
Address: AA516B4C
Driver Base: AA50A000
Driver End: AA543000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwMakeTemporaryObject
Address: AA514052
Driver Base: AA50A000
Driver End: AA543000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwOpenFile
Address: AA51464C
Driver Base: AA50A000
Driver End: AA543000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwOpenKey
Address: AA51506E
Driver Base: AA50A000
Driver End: AA543000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwOpenProcess
Address: AA513086
Driver Base: AA50A000
Driver End: AA543000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwOpenSection
Address: AA5142F6
Driver Base: AA50A000
Driver End: AA543000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwOpenThread
Address: AA51328A
Driver Base: AA50A000
Driver End: AA543000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwQueryKey
Address: AA515C20
Driver Base: AA50A000
Driver End: AA543000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwQueryMultipleValueKey
Address: AA516074
Driver Base: AA50A000
Driver End: AA543000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwQueryValueKey
Address: AA515E32
Driver Base: AA50A000
Driver End: AA543000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwRenameKey
Address: AA5155D4
Driver Base: AA50A000
Driver End: AA543000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwRequestWaitReplyPort
Address: AA5165E4
Driver Base: AA50A000
Driver End: AA543000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwSecureConnectPort
Address: AA516898
Driver Base: AA50A000
Driver End: AA543000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwSetSecurityObject
Address: AA514E46
Driver Base: AA50A000
Driver End: AA543000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwSetSystemInformation
Address: AA516E44
Driver Base: AA50A000
Driver End: AA543000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwSetValueKey
Address: AA51534C
Driver Base: AA50A000
Driver End: AA543000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwShutdownSystem
Address: AA513FBC
Driver Base: AA50A000
Driver End: AA543000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwSystemDebugControl
Address: AA5141E2
Driver Base: AA50A000
Driver End: AA543000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwTerminateProcess
Address: AA513A68
Driver Base: AA50A000
Driver End: AA543000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwTerminateThread
Address: AA513856
Driver Base: AA50A000
Driver End: AA543000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\Qoobox\BackEnv\AppData.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Cache.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Cookies.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Desktop.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Favorites.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\History.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\LocalAppData.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\LocalSettings.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Music.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\NetHood.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Personal.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Pictures.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\PrintHood.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Profiles.Folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Profiles.Folder.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Programs.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Recent.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\SendTo.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\SetPath.bat
Status: Access denied

Object: C:\Qoobox\BackEnv\StartMenu.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\StartUp.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\SysPath.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Templates.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\VikPev00
Status: Access denied



Also, I tried to re-install AVG.  I couldn't get it to install with Comodo, so I installed the antivirus offered by Comodo.  Hopefully, I haven't lost the firewall features in the process.  Can you tell by looking at the new Security Check log?

 Results of screen317's Security Check version 0.99.8 
 Windows XP Service Pack 3 
 Internet Explorer 6 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

 Windows Firewall Disabled! 
 Antivirus up to date! 
```````````````````````````````
Anti-malware/Other Utilities Check:

 Malwarebytes' Anti-Malware   
 HijackThis 2.0.2   
 CCleaner     
 Java(TM) 6 Update 23 
 Adobe Flash Player 10.1.102.64 
Adobe Reader 9.4.1
Out of date Adobe Reader installed!
 Mozilla Firefox (3.6.13)
````````````````````````````````
Process Check: 
objlist.exe by Laurent

 Comodo Firewall cmdagent.exe
 Comodo Firewall cfp.exe
``````````End of Log````````````
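As an added example (not part of the thread above and not SysProt's or COMODO's own code), here is a small Python triage script for the SSDT section of a SysProt log: it parses each entry, checks that the hook address lies inside the image of the driver SysProt attributes it to, and flags any driver that is not on an allow-list. cmdguard.sys is on that list because the ComboFix log earlier in the thread identifies it as the COMODO Internet Security Sandbox Driver; the third entry in the embedded sample and its driver name example_unknown.sys are constructed to show what a flagged entry looks like.

```python
"""Triage the SSDT section of a SysProt AntiRootkit log (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hooks attributed to these driver images are expected on this machine.
# cmdguard.sys is named in the ComboFix log as the COMODO sandbox driver.
KNOWN_DRIVERS: Dict[str, str] = {
    "cmdguard.sys": "COMODO Internet Security Sandbox Driver",
}

# Constructed sample in SysProt's layout. The first two entries copy values
# from the log above; the third is invented: its address F7B00000 lies outside
# the reported image range and the driver name is hypothetical.
SAMPLE_LOG = r"""
SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
SSDT:
Function Name: ZwOpenFile
Address: AA51464C
Driver Base: AA50A000
Driver End: AA543000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwCreateFile
Address: AA514470
Driver Base: AA50A000
Driver End: AA543000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwQuerySystemInformation
Address: F7B00000
Driver Base: F7A3A000
Driver End: F7A3C000
Driver Name: \SystemRoot\System32\DRIVERS\example_unknown.sys

******************************************************************************************
No Kernel Hooks found
"""

FIELD_RE = re.compile(r"^(Function Name|Address|Driver Base|Driver End|Driver Name):\s*(.*)$")
REQUIRED = ("Function Name", "Address", "Driver Base", "Driver End", "Driver Name")


@dataclass(frozen=True)
class SsdtHook:
    function: str
    address: int
    driver_base: int
    driver_end: int
    driver: str

    def address_in_driver(self) -> bool:
        """True if the hook target lies inside the image SysProt blamed for it."""
        return self.driver_base <= self.address < self.driver_end


def driver_basename(hook: SsdtHook) -> str:
    """Last path component of the driver, lower-cased for allow-list lookups."""
    return hook.driver.rsplit("\\", 1)[-1].lower()


def _build(record: Dict[str, str]) -> Optional[SsdtHook]:
    if not all(k in record for k in REQUIRED):
        return None
    return SsdtHook(record["Function Name"], int(record["Address"], 16),
                    int(record["Driver Base"], 16), int(record["Driver End"], 16),
                    record["Driver Name"])


def parse_ssdt_section(log: str) -> List[SsdtHook]:
    """Collect the entries between 'SSDT:' and the next '****' separator."""
    hooks: List[SsdtHook] = []
    record: Dict[str, str] = {}
    in_ssdt = False
    for raw in log.splitlines():
        line = raw.strip()
        if line == "" or line.startswith("*****"):   # end of record / section
            hook = _build(record)
            if hook:
                hooks.append(hook)
            record = {}
            if line.startswith("*****"):
                in_ssdt = False
            continue
        if line == "SSDT:":
            in_ssdt = True
            continue
        m = FIELD_RE.match(line) if in_ssdt else None
        if m:
            record[m.group(1)] = m.group(2).strip()
    hook = _build(record)
    if hook:
        hooks.append(hook)
    return hooks


def triage(hooks: List[SsdtHook], known: Dict[str, str]) -> List[Tuple[str, str, List[str]]]:
    """Return (function, driver, reasons) for every hook that needs a human look."""
    findings = []
    for h in hooks:
        name = driver_basename(h)
        reasons = []
        if not h.address_in_driver():
            reasons.append("hook address outside the reported driver image")
        if name not in known:
            reasons.append("driver not on the allow-list")
        if reasons:
            findings.append((h.function, name, reasons))
    return findings


if __name__ == "__main__":
    for fn, drv, why in triage(parse_ssdt_section(SAMPLE_LOG), KNOWN_DRIVERS):
        print(f"{fn}: {drv}: {'; '.join(why)}")
```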
Title: Re: McAfee Security Scans blocked by Comodo
Post by: SuperDave on December 31, 2010, 01:14:29 PM
Quote
Can you tell by looking at the new Security check log.
Yup. It's still there.

Please download the newest version of Adobe Acrobat Reader from Adobe.com (http://www.adobe.com/products/acrobat/readstep2.html)

Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

Once old versions are gone, please install the newest version.
***************************************************
I'd like to scan your machine with ESET OnlineScan

•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
 ESET OnlineScan (http://eset.com/onlinescan)
•Click the (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png) button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
•Check (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png)
•Click the (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png) button.
•Accept any security warnings from your browser.
•Check (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png)
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png)
•Push (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png), and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetBack.png) button.
•Push (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png)
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
Title: Re: McAfee Security Scans blocked by Comodo
Post by: distrutled on December 31, 2010, 04:24:11 PM
I downloaded the latest Adobe Reader.  I unchecked the (include McAfee) box. 

Here is the Eset log:

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6419
# api_version=3.0.2
# EOSSerial=17e1e7d750000e45a6e1160e9aef7e3e
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-12-31 10:54:49
# local_time=2010-12-31 04:54:49 (-0600, Central Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 33274637 33274637 0 0
# compatibility_mode=768 16777215 100 0 12701577 12701577 0 0
# compatibility_mode=1024 16777215 100 0 5290176 5290176 0 0
# compatibility_mode=3073 16777173 80 75 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=43626
# found=0
# cleaned=0
# scan_time=2054

Thanks
Title: Re: McAfee Security Scans blocked by Comodo
Post by: SuperDave on December 31, 2010, 04:40:18 PM
That looks good. Were you able to install a new AV? If there are no other issues, it's time for some cleanup.

Delete the Combo-Fix.exe file, C:\Combo-Fix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combo-fix.txt and C:\Combo-Fix-quarantined-files.txt

You may have a problem deleting one of the folders (nircma.exe). In that case, delete all the files in the folder that you can and leave it.

To turn off Windows XP System Restore:

NOTE: These instructions assume that you are using the default Windows XP Start Menu and have not changed to the Classic Start menu. To re-enable the default menu, right-click Start, click Properties, click Start menu (not Classic) and then click OK.

1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore" or "Turn off System Restore on all drives"
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
8. Restart the computer and follow the instructions in the next section to turn on System Restore.

To turn on Windows XP System Restore:

1. Click Start.
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives."
5. Click Apply, and then click OK.
********************************************
Clean out your temporary internet files and temp files.

Download TFC by OldTimer (http://oldtimer.geekstogo.com/TFC.exe) to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

TFC will close all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
*********************************************
Use the Secunia Software Inspector (http://secunia.com/software_inspector) to check for out of date software.

•Click Start Now

•Check the box next to Enable thorough system inspection.

•Click Start

•Allow the scan to finish and scroll down to see if any updates are needed.
•Update anything listed.
----------

Go to Microsoft Windows Update (http://windowsupdate.microsoft.com/) and get all critical updates.

----------

I suggest using WOT - Web of Trust (http://www.mywot.com/). WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer (http://www.bleepingcomputer.com/forums/tutorial49.html) from Spyware and Malware
* If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. (http://www.safer-networking.org/en/spybotsd/index.html) Guide: Use Spybot's Immunize Feature (http://www.bleepingcomputer.com/tutorials/tutorial43.html#immunize) to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ (http://www.safer-networking.org/en/faq/index.html)

Check out Keeping Yourself Safe On The Web  (http://evilfantasy.wordpress.com/2008/05/20/keeping-yourself-safe-on-the-web/) for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It may not be Malware (http://evilfantasy.wordpress.com/2008/05/24/slow-computer-it-may-not-be-malware/) for free cleaning/maintenance tools to help keep your computer running smoothly.
Safe Surfing!
Title: Re: McAfee Security Scans blocked by Comodo
Post by: distrutled on January 01, 2011, 04:44:07 PM
Quote
That looks good. Were you able to install a new AV?

Yes.  I installed Comodo Antivirus.  I lost my firewall, but found out I could reinstall the firewall fairly easily.  I reinstalled the firewall and all seems to be working fine. 

Quote
Delete the Combo-Fix.exe file, C:\Combo-Fix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combo-fix.txt and C:\Combo-Fix-quarantined-files.txt

I couldn't find any C:\Combo "anything" folders.
I couldn't find C:\WINDOWS\nircmd.exe

I did delete any combo fix files, like logs, that I could find.  Also,  C:\QooBox had a Folder called BackEvn that said access denied when I tried to delete it.  It says make sure the disk is not full or write protected or to make sure the file is not in use.

No problems with the restore step and the TFC steps.

Quote
Use the Secunia Software Inspector to check for out of date software.

It asked me to update Internet Explorer, which I don't use.  But just in case I might need to use it or another user would like to use it, I wanted to update it.  Secunia gave me a link to Windows Update and about 20 or so links showing me which updates I'm missing.  But, when I ran the Windows Update from the Microsoft site, it said I wasn't missing any updates.  What am I missing here? I must be missing something very obvious.



Thanks
Title: Re: McAfee Security Scans blocked by Comodo
Post by: SuperDave on January 02, 2011, 11:55:25 AM
Quote
did delete any combo fix files, like logs, that I could find.  Also,  C:\QooBox had a Folder called BackEvn that said access denied when I tried to delete it.  It says make sure the disk is not full or write protected or to make sure the file is not in use.
Yes. That folder can't be deleted. Just clean out all the files that you can in the folder and leave it there.
Quote
What am I missing here, I must be missing something very obvious.
You're running IE 6. You should download IE 8