Computer Hope

Title: Internet Explorer has virus, I think. Keeps reappearing even after I delete it
Post by: gona87 on June 24, 2009, 01:15:14 PM
Hey everyone, I've got a bunch of problems.

A few months ago, internet explorer seemed to have a virus- when I did a google search, the results were all spam and porn. I deleted internet explorer using the add/remove software feature. (I now know this didn't get rid of it, read on please). It seemed to work and everything was fine.

So, now I use firefox. But a few days ago, advertisements started playing on my computer but just the sound. Every few minutes a new ad would play but I wouldn't see anything! I saw in the processes section of task manager that internet explorer was active on the computer despite being open. I then went to Add/Remove Windows Components and got rid of internet explorer again, seemingly for good. But no, it's back doing the same stuff.

I've been ending iexplorer.exe processes on the task manager (only for it to reappear again in about one minute), but also explorer.exe programs but is that the same thing? Just one of many questions.

And when I just restarted the computer, Firefox's google results were all spam as well! I ran something called Security Task Manager and it said some Java software running through internet was the highest risk, so I deleted it and supposedly permanently got rid of iexplorer.exe...again. So far, so good, as firefox's google search works again. WAIT, spoke too soon. Internet explorer is back in the system processes. I can hear it make those page loading clicks it makes, despite it not being open or me opening any pages on it.

I'm unsure if this is related, but this past week when I start up my computer, THREE things pop up right when it turns on, and I have to click OK to get rid of them. They say the following:

The instruction at "0x636e331e" referenced memory at "0x0112c070." The memory could not be read.
The instruction at "0x636e331e" referenced memory at "0x00fac070." The memory could not be read.
The instruction at "0x636e1926" referenced memory at "0x63708e08." The memory could not be written.

Please help me, thanks!
Title: Re: Internet Explorer has virus, I think. Keeps reappearing even after I delete it
Post by: harry 48 on June 24, 2009, 02:20:29 PM
http://www.computerhope.com/forum/index.php/topic,46313.0.html

Go to the above, post the 3 logs, and an expert will see them. harry
Title: Re: Internet Explorer has virus, I think. Keeps reappearing even after I delete it
Post by: gona87 on June 24, 2009, 03:14:13 PM
Where do I post the logs? I can't reply to that thread.
Title: Re: Internet Explorer has virus, I think. Keeps reappearing even after I delete it
Post by: Quantos on June 24, 2009, 03:37:11 PM
Post them here, that'll be perfect.
Title: Re: Internet Explorer has virus, I think. Keeps reappearing even after I delete it
Post by: gona87 on July 16, 2009, 07:30:57 PM
I'm sorry but SuperAntiSpyware and Malwarebytes do not function properly on my computer. This may have something to do with the apparent virus on my computer. I've never had problems like this before. The only log that worked is Hijack this. I'm not sure if this will be enough but here it is:

DDS.txt log below:


DDS (Ver_09-06-26.01) - NTFSx86
Run by Billy at 21:35:37.25 on Fri 06/26/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.243 [GMT -7:00]

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Billy\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {b7f907ee-0a1b-43b8-a611-b429a184ad6b} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6]
mRun: [BMMGAG] RunDll32 c:\progra~1\thinkpad\utilit~1\pwrmonit.dll,StartPwrMonitor
mRun: [BMMLREF] c:\program files\thinkpad\utilities\BMMLREF.EXE
mRun: [BMMMONWND] rundll32.exe c:\progra~1\thinkpad\utilit~1\BatInfEx.dll,BMMAutonomicMonitor
mRun: [BLOG] rundll32.exe c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {2DAD3559-2923-4935-AD49-B673D2539944} - hxxp://www-307.ibm.com/pc/support/acpir.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191260223699
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
Notify: igfxcui - igfxsrvc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\billy\applic~1\mozilla\firefox\profiles\waucp2wg.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-6-21 130936]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-6-21 51488]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-6-21 39200]
R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [2008-9-23 160792]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2009-6-21 159600]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2007-10-1 16384]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-6-21 33056]
R3 WSIMD;wsimd Service;c:\windows\system32\drivers\wsimd.sys [2007-10-1 57216]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-4-24 24652]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2009-6-21 64392]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-8-9 348752]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-8-9 1095560]
S3 ThreatFire;ThreatFire;c:\program files\spyware doctor\tfengine\tfservice.exe service --> c:\program files\spyware doctor\tfengine\TFService.exe service [?]

=============== Created Last 30 ================

2009-06-26 20:58 <DIR> --d----- c:\program files\CCleaner
2009-06-24 00:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SecTaskMan
2009-06-24 00:41 <DIR> --d----- c:\program files\Security Task Manager
2009-06-22 14:56 <DIR> --d----- C:\spoolerlogs
2009-06-21 01:42 51,488 a------- c:\windows\system32\drivers\TfFsMon.sys
2009-06-21 01:42 39,200 a------- c:\windows\system32\drivers\TfSysMon.sys
2009-06-21 01:42 33,056 a------- c:\windows\system32\drivers\TfNetMon.sys
2009-06-21 01:42 12,576 a------- c:\windows\system32\drivers\TfKbMon.sys
2009-06-21 01:40 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-06-21 01:39 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-06-21 01:39 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-06-21 01:39 64,392 a------- c:\windows\system32\drivers\pctplsg.sys

==================== Find3M ====================

2009-05-26 21:58 9,634,304 a------- C:\iaplayer_2.71.14.0211-esd.exe
2009-05-07 08:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-28 21:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-28 21:55 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-17 05:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 07:51 585,216 a------- c:\windows\system32\rpcrt4.dll

============= FINISH: 21:37:47.60 ===============
Title: Re: Internet Explorer has virus, I think. Keeps reappearing even after I delete it
Post by: harry 48 on July 17, 2009, 12:10:59 PM
Try the renamer download for Malwarebytes.

http://kixhelp.com/wr/files/mb/randmbam.exe

The randmbam.exe will try to create random names and shortcuts for Malwarebytes Anti Malware (MBAM) if you have it installed already.

If it installs then use this link to download the updates.

Download Malwarebytes' Anti-Malware Database - GT500.org

Just download it to the desktop and run the exe then run Malwarebytes Mbam renamer


I do not have a fix for SAS. harry
Title: Re: Internet Explorer has virus, I think. Keeps reappearing even after I delete it
Post by: gona87 on July 18, 2009, 03:18:41 PM
Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 5.1.2600 Service Pack 3

7/18/2009 2:16:28 PM
mbam-log-2009-07-18 (14-16-28).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 125588
Time elapsed: 29 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhces8j0ecbr (Rogue.AntiVirusXP2008) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\rhces8j0ecbr (Rogue.AntiVirusXP2008) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\RichVideoCodec (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AvScan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
Title: Re: Internet Explorer has virus, I think. Keeps reappearing even after I delete it
Post by: harry 48 on July 18, 2009, 03:43:04 PM
You have Viewpoint installed.

Viewpoint Media Player/Manager/Toolbar is considered Foistware instead of malware since it is installed without the user's approval but doesn't spy or do anything "bad".

More information:
• ViewMgr.exe - Useless
• Viewpoint to Plunge Into Adware

It is suggested to remove the program now.
Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
• Viewpoint
• Viewpoint Manager
• Viewpoint Media Player
• Viewpoint Toolbar
• Viewpoint Experience Technology
Title: Re: Internet Explorer has virus, I think. Keeps reappearing even after I delete it
Post by: gona87 on July 18, 2009, 04:00:21 PM
Thanks a lot, I had Viewpoint Manager installed so I removed the program. It got rid of the popup that always appeared immediately when I restarted the computer that said "Viewpoint Mgr has encountered a problem and needs to close"

However, iexplorer.exe is still running and taking up a lot of space, and I still hear it clicking- the noise it makes when internet is loading and/or reloading a page. Any suggestions?
Title: Re: Internet Explorer has virus, I think. Keeps reappearing even after I delete it
Post by: harry 48 on July 18, 2009, 04:14:35 PM
I'm unsure if this is related, but this past week when I start up my computer, THREE things pop up right when it turns on, and I have to click OK to get rid of them. They say the following:

The instruction at "0x636e331e" referenced memory at "0x0112c070." The memory could not be read.
The instruction at "0x636e331e" referenced memory at "0x00fac070." The memory could not be read.
The instruction at "0x636e1926" referenced memory at "0x63708e08." The memory could not be written.


http://www.computerhope.com/forum/index.php/board,1.0.html


Go to the above and post this and about the sound; it seems more for this forum.

Title: Re: Internet Explorer has virus, I think. Keeps reappearing even after I delete it
Post by: evilfantasy on July 18, 2009, 05:09:14 PM
Run DDS again and post both logs please.
Title: Re: Internet Explorer has virus, I think. Keeps reappearing even after I delete it
Post by: gona87 on July 18, 2009, 07:36:34 PM
Just restarted my computer and now Hijack This will not run.
Title: Re: Internet Explorer has virus, I think. Keeps reappearing even after I delete it
Post by: evilfantasy on July 18, 2009, 07:41:00 PM
Download ComboFix from one of the below links. You must rename it before saving it!

Important! You MUST save ComboFix to your desktop.

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

Rename ComboFix to Combo-Fix before saving it to the desktop.

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of security programs that should be disabled and how to disable them.

Double click on Combo-Fix.exe & follow the prompts.

Vista users: right-click on Combo-Fix.exe and select Run as administrator (you will receive a UAC prompt, please allow it).

Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

When the scan completes it will open a text window.
 
Post the contents of that log in your next reply.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.
Title: Re: Internet Explorer has virus, I think. Keeps reappearing even after I delete it
Post by: gona87 on July 18, 2009, 08:17:57 PM
Here is my combo-fix log:

ComboFix 09-07-14.08 - Billy 07/18/2009 19:09.1.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.502.326 [GMT -7:00]
Running from: c:\documents and settings\Billy\Desktop\Combo-Fix.exe
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\UACxorlgjqxiegwvvbbm.sys
c:\windows\system32\UAChuowxjsnucgbamgnt.dat
c:\windows\system32\UACidhxpqfpqkaaqfmex.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACjekrysmcimqsfktwx.log
c:\windows\system32\UACjvxuugjdtweesclvi.dll
c:\windows\system32\UACkbyttopnlpwqwxjqs.log
c:\windows\system32\UACqdtfqlulqijuacqhe.log
c:\windows\system32\UACtcvghldpwfkrkihch.dll
c:\windows\system32\UACunsvnpwakpmhbqltg.dll
c:\windows\system32\UACxjnkenxxfaakerqum.dll

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


(((((((((((((((((((((((((   Files Created from 2009-06-19 to 2009-07-19  )))))))))))))))))))))))))))))))
.

2009-07-18 21:21 . 2009-07-18 21:21   --------   d-----w-   c:\program files\SUPERAntiSpyware
2009-07-18 21:21 . 2009-07-18 21:21   --------   d-----w-   c:\documents and settings\Billy\Application Data\SUPERAntiSpyware.com
2009-07-18 21:20 . 2009-07-18 21:20   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
2009-07-18 20:30 . 2009-07-18 20:30   --------   d-----w-   c:\documents and settings\Billy\Application Data\Malwarebytes
2009-07-17 00:55 . 2009-07-13 20:36   38160   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-17 00:55 . 2009-07-17 00:55   --------   d-----w-   c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-07-17 00:55 . 2009-07-18 20:30   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2009-07-17 00:55 . 2009-07-13 20:36   19096   ----a-w-   c:\windows\system32\drivers\mbam.sys
2009-06-29 05:09 . 2009-06-29 05:09   --------   d-----w-   c:\documents and settings\Billy\Application Data\Uniblue
2009-06-27 03:58 . 2009-06-27 03:58   --------   d-----w-   c:\program files\CCleaner
2009-06-27 03:51 . 2009-06-27 03:51   --------   d-----w-   c:\documents and settings\Billy\Local Settings\Application Data\torrents.to
2009-06-24 07:41 . 2009-06-29 05:05   --------   d-----w-   c:\docume~1\ALLUSE~1\APPLIC~1\SecTaskMan
2009-06-24 07:41 . 2009-06-29 05:05   --------   d-----w-   c:\program files\Security Task Manager
2009-06-22 21:56 . 2009-06-22 21:56   --------   d-----w-   C:\spoolerlogs
2009-06-21 08:42 . 2009-03-31 18:23   39200   ----a-w-   c:\windows\system32\drivers\TfSysMon.sys
2009-06-21 08:42 . 2009-03-31 18:23   33056   ----a-w-   c:\windows\system32\drivers\TfNetMon.sys
2009-06-21 08:42 . 2009-03-31 18:23   12576   ----a-w-   c:\windows\system32\drivers\TfKbMon.sys
2009-06-21 08:42 . 2009-03-31 18:23   51488   ----a-w-   c:\windows\system32\drivers\TfFsMon.sys
2009-06-21 08:40 . 2008-12-11 15:38   159600   ----a-w-   c:\windows\system32\drivers\pctgntdi.sys
2009-06-21 08:39 . 2009-04-03 18:18   130936   ----a-w-   c:\windows\system32\drivers\PCTCore.sys
2009-06-21 08:39 . 2008-12-18 19:16   73840   ----a-w-   c:\windows\system32\drivers\PCTAppEvent.sys
2009-06-21 08:39 . 2008-12-10 18:36   64392   ----a-w-   c:\windows\system32\drivers\pctplsg.sys

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-18 21:45 . 2008-04-24 22:58   --------   d-----w-   c:\docume~1\ALLUSE~1\APPLIC~1\Viewpoint
2009-06-27 04:27 . 2008-08-10 05:17   --------   d---a-w-   c:\docume~1\ALLUSE~1\APPLIC~1\TEMP
2009-06-27 04:26 . 2008-08-10 05:17   --------   d-----w-   c:\program files\Spyware Doctor
2009-06-27 03:53 . 2008-06-02 02:04   --------   d-----w-   c:\program files\Conduit
2009-06-27 03:53 . 2008-06-02 02:04   --------   d-----w-   c:\program files\torrents.to
2009-06-21 08:40 . 2008-08-10 23:18   --------   d-----w-   c:\program files\Common Files\PC Tools
2009-06-17 19:06 . 2007-10-01 18:25   20216   ----a-w-   c:\documents and settings\Billy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-16 14:36 . 2006-02-28 12:00   81920   ----a-w-   c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2006-02-28 12:00   119808   ----a-w-   c:\windows\system32\t2embed.dll
2009-06-11 21:44 . 2009-06-11 21:44   1878984   ----a-w-   c:\documents and settings\Billy\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2009-06-03 19:09 . 2006-02-28 12:00   1291264   ----a-w-   c:\windows\system32\quartz.dll
2009-06-02 17:12 . 2009-06-02 17:12   390664   ----a-w-   c:\documents and settings\Billy\Application Data\Real\RealPlayer\Update\RealPlayer11.exe
2009-05-27 04:59 . 2009-05-27 04:52   --------   d-----w-   c:\program files\PCFriendly
2009-05-27 04:59 . 2009-05-27 04:58   --------   d-----w-   c:\program files\InterActual
2009-05-27 04:58 . 2009-05-27 04:57   9634304   ----a-w-   C:\iaplayer_2.71.14.0211-esd.exe
2009-05-07 15:32 . 2006-02-28 12:00   345600   ----a-w-   c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2006-02-28 12:00   827392   ----a-w-   c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2006-02-28 12:00   78336   ----a-w-   c:\windows\system32\ieencode.dll
2009-06-13 07:44 . 2008-12-06 16:45   134648   ----a-w-   c:\program files\mozilla firefox\components\brwsrcmp.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BMMGAG"="c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2005-04-20 110592]
"BMMLREF"="c:\program files\ThinkPad\Utilities\BMMLREF.EXE" [2005-04-20 20480]
"BMMMONWND"="c:\progra~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2005-04-20 396288]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-04-20 208896]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2007-08-10 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-08-10 512000]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-11-02 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-15 185896]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-10-1 45056]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05   356352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [6/21/2009 1:39 AM 130936]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [6/21/2009 1:42 AM 51488]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [6/21/2009 1:42 AM 39200]
R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [9/23/2008 10:45 AM 160792]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [6/21/2009 1:40 AM 159600]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [10/1/2007 9:48 AM 16384]
R3 WSIMD;wsimd Service;c:\windows\system32\drivers\wsimd.sys [10/1/2007 9:55 AM 57216]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [6/21/2009 1:39 AM 64392]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [8/9/2008 10:17 PM 348752]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [6/21/2009 1:42 AM 33056]
S3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service --> c:\program files\Spyware Doctor\TFEngine\TFService.exe service [?]
.
- - - - ORPHANS REMOVED - - - -

BHO-{b7f907ee-0a1b-43b8-a611-b429a184ad6b} - (no file)
HKCU-Run-Uniblue RegistryBooster 2 - c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe
HKCU-Run-Aim6 - (no file)


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
FF - ProfilePath - c:\docume~1\Billy\APPLIC~1\Mozilla\Firefox\Profiles\waucp2wg.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-18 19:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1252)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(1308)
c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
.
Completion time: 2009-07-19 19:16
ComboFix-quarantined-files.txt  2009-07-19 02:16

Pre-Run: 26,917,011,456 bytes free
Post-Run: 26,976,337,920 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

167   --- E O F ---   2009-07-18 19:13
Title: Re: Internet Explorer has virus, I think. Keeps reappearing even after I delete it
Post by: evilfantasy on July 18, 2009, 08:31:37 PM
You have Viewpoint installed.

Viewpoint Media Player/Manager/Toolbar is considered Foistware (http://en.wikipedia.org/wiki/Foistware) instead of malware since it is installed without the user's approval but doesn't spy or do anything "bad".

More information:

It is suggested to remove the program now. Go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

.
----------

How is the computer running now?
Title: Re: Internet Explorer has virus, I think. Keeps reappearing even after I delete it
Post by: gona87 on July 19, 2009, 12:13:39 PM
Thanks to combo-fix, I think everything is OK now! Thanks!
Title: Re: Internet Explorer has virus, I think. Keeps reappearing even after I delete it
Post by: evilfantasy on July 19, 2009, 12:17:15 PM
Uninstall ComboFix

Click Start then Run and enter everything from the Code box below into the run box and then click OK.
Code:
"%userprofile%\Desktop\Combo-Fix" /u
Note: The space between the Combo-fix" and the /u must be there.

The above procedure will.
----------

Clean out your temporary internet files and temp files.

Download TFC by OldTimer (http://oldtimer.geekstogo.com/TFC.exe) to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

TFC will close all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

----------

Use the Secunia Software Inspector (http://secunia.com/software_inspector) to check for out of date software.
----------

Go to Microsoft Windows Update (http://windowsupdate.microsoft.com/) and get all critical updates.

----------

I suggest using WOT - Web of Trust (http://www.mywot.com/). WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html) (http://www.bleepingcomputer.com/forums/tutorial49.html)
* If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy (http://www.safer-networking.org/en/spybotsd/index.html). Guide: Use Spybot's Immunize Feature (http://www.bleepingcomputer.com/tutorials/tutorial43.html#immunize) to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ (http://www.safer-networking.org/en/faq/index.html)

Check out Keeping Yourself Safe On The Web (http://evilfantasy.wordpress.com/2008/05/20/keeping-yourself-safe-on-the-web/) for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware (http://evilfantasy.wordpress.com/2008/05/24/slow-computer-it-may-not-be-malware/) for free cleaning/maintenance tools to help keep your computer running smooth.