Computer Hope
Software => Computer viruses and spyware => Topic started by: telegra1 on June 05, 2010, 10:39:01 AM
-
I have been battling these problems for several weeks now. I have received much help from these forums but it is now time to post for my own problem. The original infection seems to have been a Fake Alert trojan. This included corruption of the rundll32.exe that disabled just about everything. With help from this forum I was able to repair the rundll32. Since then when doing a McAfee scan I would get an alert telling me McAfee found a rootkit. McAfee recommended a program called McAfee Pre Scan which I have not been able to find on their site. I performed Safe Mode scans as advised but McAfee did not detect anything.
I have installed Comodo Firewall, MalwareBytes, ComboFix, and HijackThis. MalwareBytes does not detect anything in Normal mode or Safe Mode.
Symptoms are as follows:
1. Redirected searches, Google, Bing
2. Mozilla Firefox opening a tab on its own
3. Task Bar has changed from XP blue to old Windows gray
4. Unable to connect network, IE advises Winsock error
5. When I go to Microsoft Updates I am redirected and cannot access MS Update.
So that is where it stands now. Item 4 is most recent occurring just last night. I tried a Winsock repair tool (LSPFix) that told me that everything was fine with Winsock. Still unable to connect.
I have a recent HijackThis log. I have deleted a couple items in this log, the omzun.exe, ctfmon.exe and two others that the tool on this site could not identify. I have also deleted MSN Messenger. The log is posted below.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:15:27 PM, on 6/2/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\COMODO\COMODO livePCsupport\CLPSLS.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\WINDOWS\vVX6000.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Linksys Wireless-G Print Server\PSDiagnosticM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\WINDOWS\system32\java.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [VX6000] C:\WINDOWS\vVX6000.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [PSDiagnosticM] "C:\Program Files\Linksys Wireless-G Print Server\PSDiagnosticM.exe"
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [{33417D3A-51C4-0B08-676C-0F42AC85C204}] "C:\Documents and Settings\Jon\Application Data\Kuyzwe\omzun.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1272167738000
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: COMODO livePCsupport Service (CLPSLS) - COMODO - C:\Program Files\COMODO\COMODO livePCsupport\CLPSLS.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
--
End of file - 7488 bytes
-
Click Here... and follow the Instructions... (http://www.computerhope.com/forum/index.php/topic,46313.0.html)
-
OK, thanks. Running CCleaner did not seem to reveal anything. I did a system restore back to June 1 and so I now have the familiar blue task bar back. I had to do a system restore in order to get back online to download Super AntiSpyware. I ran it first with the default settings and it quarantined 108 cookies and one DLL as shown below. Running it a second time with the recommended settings did not reveal any more problems.
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 06/05/2010 at 02:00 PM
Application Version : 4.38.1004
Core Rules Database Version : 5036
Trace Rules Database Version: 2848
Scan type : Complete Scan
Total Scan Time : 00:37:55
Memory items scanned : 634
Memory threats detected : 0
Registry items scanned : 5762
Registry threats detected : 0
File items scanned : 22437
File threats detected : 109
Adware.Tracking Cookie
Trojan.Agent/Gen
C:\WINDOWS\SYSTEM32\MIREPCMW.DLL
-
MalwareBytes scan with no detections. I looked through my five previous logs and there were never any detections.
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4171
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
6/5/2010 3:31:12 PM
mbam-log-2010-06-05 (15-31-12).txt
Scan type: Quick scan
Objects scanned: 131363
Time elapsed: 5 minute(s), 11 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
-
OK, I have followed the directions and performed the steps as requested. Below is the HJT log file. I have also attached to this post the log files posted upthread.
I mentioned earlier that I had restored the blue task bar. At one point I rebooted and the task bar had returned to old style gray. I had to do another system restore and delete old Java files once again. I will create another system restore point before rebooting again.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:22:52 PM, on 6/5/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\COMODO\COMODO livePCsupport\CLPSLS.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\WINDOWS\vVX6000.exe
C:\Program Files\Linksys Wireless-G Print Server\PSDiagnosticM.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\sniper.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [VX6000] C:\WINDOWS\vVX6000.exe
O4 - HKLM\..\Run: [PSDiagnosticM] "C:\Program Files\Linksys Wireless-G Print Server\PSDiagnosticM.exe"
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [{33417D3A-51C4-0B08-676C-0F42AC85C204}] "C:\Documents and Settings\Jon\Application Data\Kuyzwe\omzun.exe"
O4 - .DEFAULT User Startup: gyqig.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1272167738000
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: COMODO livePCsupport Service (CLPSLS) - COMODO - C:\Program Files\COMODO\COMODO livePCsupport\CLPSLS.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
--
End of file - 7743 bytes
-
I think your next step is to download the following free Antivirus tools:
# Avast! Home Edition
# AVG Free Edition
# AntiVir Personal
# Microsoft Security Essentials
Of course, uninstall any other antivirus first, then install one, scan, clean, remove, and repeat.
-
I realize that is an option. It seems incompetent for McAfee to detect a rootkit and yet not do anything about it. Their forum includes threads on FakeAlert yet they don't offer a real fix.
Thanks for the suggestion, I will wait for someone with more mojo ;) to tell me that before I start uninstalling McAfee.
-
Well, you know what, I suppose you don't exactly have to uninstall it. You should be able to install any one of those applications alongside it. So what Rootkit exactly is McAfee reporting again? They have several removing tools available on their website, and (go figure;) an $80 service for virus removal, which I would not recommend.
-
Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum so it may take a bit longer to process your logs.
1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.
Download Disable/Remove Windows Messenger (http://www.majorgeeks.com/DisableRemove_Windows_Messenger_d2327.html) to the desktop to remove Windows Messenger.
Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.
Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.
Exit out of MessengerDisable then delete the two files that were put on the desktop.
=========================================
Open HijackThis and select Do a system scan only
Place a check mark next to the following entries: (if there)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKCU\..\Run: [{33417D3A-51C4-0B08-676C-0F42AC85C204}] "C:\Documents and Settings\Jon\Application Data\Kuyzwe\omzun.exe"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
Important: Close all open windows except for HijackThis and then click Fix checked.
Once completed, exit HijackThis.
=======================================
Download ComboFix by sUBs from one of the below links.
Important! You MUST save ComboFix to your desktop
link # 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link # 2 (http://subs.geekstogo.com/ComboFix.exe)
Temporarily disable your Anti-virus and any Antispyware real time protection before performing a scan. Click this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of security programs that should be disabled and how to disable them.
Double click on ComboFix.exe & follow the prompts.
Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
When the scan completes it will open a text window.
Post the contents of that log in your next reply.
Remember to re-enable your Anti-virus and Antispyware protection when ComboFix is complete.
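An added example, not a Computer Hope tool and not part of the thread: a small Python triage script that reads HijackThis v2 log lines like the ones posted above and flags the entry types a helper looks at first (Run entries launched from a user profile under a GUID-style name, Default-user Startup items, blanked Local Page values, a ProxyServer of ":0", and AppInit_DLLs). The sample lines are copied from the log upthread; the rule set is my own heuristic, not HijackThis's, and a hit means "look at this", not "malware".

```python
"""Heuristic triage of HijackThis v2.0.x log lines (added example, not a forum tool)."""
import re
from dataclasses import dataclass

# {33417D3A-51C4-0B08-676C-0F42AC85C204}-style names used as a Run value name.
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# Executable living under a user's profile data folder (XP and Vista+ layouts).
PROFILE_RE = re.compile(
    r"\\(Documents and Settings|Users)\\[^\\]+\\(Application Data|AppData|Local Settings)\\",
    re.IGNORECASE,
)
O4_RUN_RE = re.compile(r"O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.*?)\] (.*)$")
O4_DEFAULT_RE = re.compile(r"O4 - \.DEFAULT User Startup: (\S+)")


@dataclass
class Finding:
    line: str
    reason: str


def triage_line(line: str):
    """Return a Finding for a line worth a second look, or None for everything else."""
    line = line.strip()
    if line.startswith("R0 - ") and line.endswith("Local Page ="):
        return Finding(line, "Local Page value is empty")
    if line.startswith("R1 - ") and "ProxyServer = :0" in line:
        return Finding(line, "ProxyServer set to ':0' (port with no host)")
    m = O4_RUN_RE.match(line)
    if m:
        hive, name, cmd = m.groups()
        if GUID_RE.match(name) and PROFILE_RE.search(cmd):
            return Finding(line, f"{hive} Run value named by a GUID launches {cmd} from a profile data folder")
        return None
    m = O4_DEFAULT_RE.match(line)
    if m:
        return Finding(line, f"Default user Startup item {m.group(1)} runs for every newly created profile")
    if line.startswith("O20 - AppInit_DLLs:"):
        return Finding(line, "AppInit_DLLs entry is loaded into every process that loads user32.dll; confirm the vendor")
    return None


def triage_log(text: str):
    """Run triage_line over a whole log and keep the hits, in log order."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


# Constructed sample: a subset of the lines from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [{33417D3A-51C4-0B08-676C-0F42AC85C204}] "C:\Documents and Settings\Jon\Application Data\Kuyzwe\omzun.exe"
O4 - .DEFAULT User Startup: gyqig.exe (User 'Default user')
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.reason}]\n    {f.line}")
```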
-
Awesome! I feel like progress is being made. ComboFix detected a rootkit, quarantined it and rebooted. Before scanning with ComboFix I googled a few times without being redirected so that is greatly appreciated.
I haven't tried to get to Windows Update yet but I will after posting. Edit: Successful update from MS, three security related updates! Thanks again. 8)
ComboFix 10-06-06.01 - Jon 06/06/2010 23:12:23.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2606 [GMT -7:00]
Running from: c:\documents and settings\Jon\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Jon\g2mdlhlpx.exe
c:\windows\system32\mirepcmw.dll
Infected copy of c:\windows\system32\drivers\imapi.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-05-07 to 2010-06-07 )))))))))))))))))))))))))))))))
.
2010-06-06 00:35 . 2010-04-13 00:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-05 23:47 . 2010-06-05 23:47 -------- d-----w- c:\windows\system32\wbem\Repository
2010-06-05 23:43 . 2010-06-05 23:46 -------- d-----w- c:\documents and settings\Jon\Application Data\Kuyzwe
2010-06-05 20:17 . 2010-06-05 20:17 -------- d-----w- c:\documents and settings\Jon\Application Data\SUPERAntiSpyware.com
2010-06-05 20:16 . 2010-06-05 23:39 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-29 02:29 . 2010-06-01 06:12 -------- d-----w- C:\AstroGeometry
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-07 06:09 . 2010-04-20 17:48 0 ----a-w- c:\windows\system32\tmp.tmp
2010-06-07 05:46 . 2010-04-09 08:26 278288 ----a-w- c:\windows\system32\guard32.dll
2010-06-07 05:46 . 2010-04-09 08:25 87824 ----a-w- c:\windows\system32\drivers\inspect.sys
2010-06-07 05:46 . 2010-04-09 08:25 25240 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2010-06-07 05:46 . 2010-04-09 08:25 15464 ----a-w- c:\windows\system32\drivers\cmderd.sys
2010-06-07 05:46 . 2010-04-09 08:25 230360 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2010-06-06 00:35 . 2009-06-27 17:06 -------- d-----w- c:\program files\Java
2010-06-06 00:18 . 2009-06-27 17:06 -------- d-----w- c:\program files\Common Files\Java
2010-06-06 00:03 . 2004-08-04 06:00 42112 ----a-w- c:\windows\system32\drivers\imapi.sys
2010-06-05 02:28 . 2009-08-25 05:43 158528 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-05-31 20:52 . 2009-11-02 06:19 -------- d-----w- c:\documents and settings\Jon\Application Data\Odbyzi
2010-05-26 04:53 . 2010-04-23 02:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-24 04:35 . 2010-04-06 14:46 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-22 20:31 . 2009-04-28 17:28 -------- d-----w- c:\program files\McAfee
2010-05-02 21:28 . 2010-05-02 05:04 -------- d-----w- c:\program files\Google
2010-05-02 20:23 . 2010-05-02 20:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\IObit
2010-05-02 17:30 . 2010-05-02 05:04 -------- d-----w- c:\documents and settings\Jon\Application Data\Skype
2010-05-02 15:52 . 2010-05-02 05:15 -------- d-----w- c:\documents and settings\Jon\Application Data\skypePM
2010-05-02 05:15 . 2010-05-02 05:15 48 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-05-02 05:03 . 2010-05-02 05:03 -------- d-----r- c:\program files\Skype
2010-05-02 05:03 . 2010-05-02 05:03 -------- d-----w- c:\program files\Common Files\Skype
2010-05-02 05:03 . 2010-05-02 05:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-04-30 14:42 . 2010-04-30 14:42 -------- d-----w- c:\documents and settings\All Users\Application Data\COMODO
2010-04-30 14:40 . 2010-04-23 03:10 -------- d-----w- c:\program files\COMODO
2010-04-30 14:37 . 2010-04-24 18:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo Downloader
2010-04-30 14:36 . 2010-04-23 03:10 -------- d-----w- c:\documents and settings\Jon\Application Data\Comodo
2010-04-29 22:39 . 2010-04-23 02:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39 . 2010-04-23 02:25 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-23 02:35 . 2010-04-23 02:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-04-23 02:25 . 2010-04-23 02:25 -------- d-----w- c:\documents and settings\Jon\Application Data\Malwarebytes
2010-04-23 02:25 . 2010-04-23 02:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-17 22:44 . 2010-04-17 22:44 -------- d-----w- c:\program files\Trend Micro
2010-04-16 05:55 . 2010-04-16 04:58 -------- d-----w- c:\program files\Windows Live Safety Center
2010-04-10 04:24 . 2010-04-10 04:24 -------- d-----w- c:\program files\Support Tools
2010-04-10 04:24 . 2009-04-24 23:44 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-03-10 06:15 . 2004-08-04 07:56 420352 ----a-w- c:\windows\system32\vbscript.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-04-16_04.34.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-06-07 06:11 . 2010-06-07 06:11 16384 c:\windows\Temp\Perflib_Perfdata_15c.dat
- 2004-08-04 06:00 . 2010-04-10 18:55 42112 c:\windows\system32\dllcache\imapi.sys
+ 2004-08-04 06:00 . 2010-06-06 00:03 42112 c:\windows\system32\dllcache\imapi.sys
+ 2010-05-02 05:11 . 2010-05-02 05:11 22528 c:\windows\Installer\8846d.msi
+ 2009-08-07 02:23 . 2009-08-07 02:23 215904 c:\windows\system32\muweb.dll
+ 2010-06-06 00:35 . 2010-04-13 00:29 153376 c:\windows\system32\javaws.exe
+ 2010-06-06 00:35 . 2010-04-13 00:29 145184 c:\windows\system32\javaw.exe
- 2009-09-12 17:14 . 2009-07-25 12:23 145184 c:\windows\system32\javaw.exe
+ 2010-06-06 00:35 . 2010-04-13 00:29 145184 c:\windows\system32\java.exe
- 2009-09-12 17:14 . 2009-07-25 12:23 145184 c:\windows\system32\java.exe
- 2008-06-20 11:08 . 2010-02-11 12:02 226880 c:\windows\system32\dllcache\tcpip6.sys
+ 2004-08-04 06:07 . 2010-02-11 12:02 226880 c:\windows\system32\dllcache\tcpip6.sys
+ 2010-06-01 17:08 . 2010-06-01 17:08 348160 c:\windows\system32\config\systemprofile\ntuser.dat
+ 2010-05-02 05:04 . 2010-05-02 05:04 700416 c:\windows\Installer\88464.msi
+ 2010-06-06 00:35 . 2010-06-06 00:35 180224 c:\windows\Installer\2ad1f8.msi
+ 2010-05-02 05:03 . 2010-05-02 05:03 371272 c:\windows\Installer\{D103C4BA-F905-437A-8049-DB24763BBE36}\SkypeIcon.exe
+ 2010-06-05 19:35 . 2010-06-05 23:47 8420340 c:\windows\system32\Restore\rstrlog.dat
+ 2010-05-02 05:03 . 2010-05-02 05:03 1575936 c:\windows\Installer\8845f.msi
+ 2010-04-30 14:40 . 2010-04-30 14:40 3651072 c:\windows\Installer\1c391.msi
+ 2010-04-30 14:37 . 2010-04-30 14:37 1516544 c:\windows\Installer\1c38d.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2010-05-26 2346192]
"{33417D3A-51C4-0B08-676C-0F42AC85C204}"="c:\documents and settings\Jon\Application Data\Kuyzwe\omzun.exe" [2009-10-17 133146]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-25 61440]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 61952]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-01-25 111952]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2010-05-07 642856]
"VX6000"="c:\windows\vVX6000.exe" [2009-06-27 759296]
"PSDiagnosticM"="c:\program files\Linksys Wireless-G Print Server\PSDiagnosticM.exe" [2007-09-04 315392]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-06-07 2039240]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
ubxo.exe [2010-5-20 132687]
c:\documents and settings\Jon\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mirepcmw.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [4/9/2010 1:25 AM 230360]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [4/9/2010 1:25 AM 25240]
R2 CLPSLS;COMODO livePCsupport Service;c:\program files\COMODO\COMODO livePCsupport\CLPSLS.exe [2/19/2010 5:00 PM 148744]
R3 lknuhst;Linksys Network USB Host Controller;c:\windows\system32\drivers\lknuhst.sys [9/11/2009 11:39 PM 12032]
R3 LKNUHUB;Linksys Network USB Root Hub;c:\windows\system32\drivers\lknuhub.sys [9/11/2009 11:39 PM 39424]
R3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [6/26/2009 5:21 PM 2069504]
S2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [11/13/2008 12:43 PM 204800]
.
Contents of the 'Scheduled Tasks' folder
2010-06-07 c:\windows\Tasks\AWC AutoSweep.job
- c:\program files\IObit\Advanced SystemCare 3\AutoSweep.exe [2010-04-06 21:11]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Trusted Zone: microsoft.com\www.update
FF - ProfilePath - c:\documents and settings\Jon\Application Data\Mozilla\Firefox\Profiles\7k49vc2y.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.sfgate.com/
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -
AddRemove-Octoshape add-in for Adobe Flash Player - c:\documents and settings\Jon\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-06 23:20
Windows 5.1.2600 Service Pack 3 NTFS
detected NTDLL code modification:
ZwClose, ZwOpenFile
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(728)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-06-06 23:22:25
ComboFix-quarantined-files.txt 2010-06-07 06:22
ComboFix2.txt 2010-04-16 04:37
Pre-Run: 60,145,414,144 bytes free
Post-Run: 60,256,358,400 bytes free
- - End Of File - - 5B1895CC672BFD8BC9CA2192D8A7C7BB
[recovering disk space - old attachment deleted by admin]
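The log above is where the remaining persistence shows itself: a GUID-named value in the HKCU Run key launching omzun.exe out of a randomly named Application Data folder, a bare ubxo.exe sitting in the Administrator's Startup folder, and mirepcmw.dll still listed in SecurityProviders even though the file itself was deleted. The script below is an added example for this thread, not ComboFix's own code and not anything the participants posted; it mechanises those eyeball checks over the "Reg Loading Points" and "FIREFOX POLICIES" sections. It assumes the Windows XP default SecurityProviders list of msapsspc.dll, schannel.dll, digest.dll and msnsspc.dll, so anything else on that line is reported. Every hit is a heuristic to be judged in context: the AppInit_DLLs entry here is COMODO's guard32.dll, and the Windows Firewall profile being off is expected because COMODO Firewall is the active firewall on this machine. The sample input is an excerpt of the first ComboFix log posted above.

```python
"""Persistence triage over a ComboFix log.

Added example for this thread, not ComboFix's own code or anything the
participants posted. It mechanises what a responder does by eye on the
'Reg Loading Points' and 'FIREFOX POLICIES' sections of the logs above;
each check is a heuristic and every hit still needs a human decision.
"""
import re

# The four SSPs Windows XP ships in SecurityProviders (assumption stated in
# the lead-in); anything added here is loaded by lsass and by every SSPI user.
XP_DEFAULT_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')
APPDATA_EXE_RE = re.compile(r"\\documents and settings\\[^\\]+\\application data\\", re.IGNORECASE)
STARTUP_DIR_RE = re.compile(r"\\start menu\\programs\\startup\\?$", re.IGNORECASE)
SEC_PROV_RE = re.compile(r"^SecurityProviders\s+(?P<list>.+)$")
APPINIT_RE = re.compile(r'^"AppInit_DLLs"=(?P<dlls>\S.*)$')
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"=\s*0\b')
FF_USERJS_OFF_RE = re.compile(r"^FF - user\.js: (?P<pref>security\.\S+) - false$")


def triage(log_text):
    """Return (check, detail) tuples for the suspicious lines, in log order."""
    findings = []
    key = ""            # lower-cased registry key whose values are being listed
    startup_dir = None  # Startup folder whose entries are being listed
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key, startup_dir = line[1:-1].lower(), None
            continue
        if STARTUP_DIR_RE.search(line):
            key, startup_dir = "", line
            continue
        if line.startswith("Contents of the 'Scheduled Tasks'"):
            key, startup_dir = "", None
            continue
        m = FF_USERJS_OFF_RE.match(line)
        if m:
            findings.append(("userjs-security-pref-off", m.group("pref")))
        elif startup_dir is not None:
            # "ubxo.exe [2010-5-20 132687]" vs "Foo.lnk - c:\...\foo.exe [...]"
            entry = line.split(" [")[0].split(" - ")[0]
            if entry.lower().endswith(".exe"):
                findings.append(("exe-in-startup-folder", startup_dir + entry))
        elif key.endswith("\\run"):
            m = RUN_VALUE_RE.match(line)
            if m:
                name, path = m.group("name"), m.group("path")
                if GUID_RE.match(name):
                    findings.append(("guid-named-run-value", f"{name} -> {path}"))
                if APPDATA_EXE_RE.search(path):
                    findings.append(("exe-under-appdata", path))
        elif key.endswith("\\windows nt\\currentversion\\windows"):
            m = APPINIT_RE.match(line)
            if m:
                findings.append(("appinit-dll", m.group("dlls").strip()))
        elif key.endswith("\\securityproviders"):
            m = SEC_PROV_RE.match(line)
            if m:
                for dll in (d.strip() for d in m.group("list").split(",")):
                    if dll.lower() not in XP_DEFAULT_SECURITY_PROVIDERS:
                        findings.append(("non-default-security-provider", dll))
        elif key.endswith("\\firewallpolicy\\standardprofile") and FIREWALL_OFF_RE.match(line):
            findings.append(("windows-firewall-disabled", "EnableFirewall = 0"))
    return findings


# Excerpt of the first ComboFix log in this thread, trimmed to the lines
# the checks look at; used as the sample input.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2010-05-26 2346192]
"{33417D3A-51C4-0B08-676C-0F42AC85C204}"="c:\documents and settings\Jon\Application Data\Kuyzwe\omzun.exe" [2009-10-17 133146]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-01-25 111952]
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
ubxo.exe [2010-5-20 132687]
c:\documents and settings\Jon\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mirepcmw.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
Contents of the 'Scheduled Tasks' folder
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: security.warn_submit_insecure - false
"""

if __name__ == "__main__":
    for check, detail in triage(SAMPLE_LOG):
        print(f"{check:30} {detail}")
```

Run it against a full ComboFix.txt and the same seven kinds of finding come back in log order. The two that matter most on this machine are the SecurityProviders entry and the Startup-folder executable, because neither is touched by the HKCU Run cleanup and the SecurityProviders value will keep lsass trying to load mirepcmw.dll at every boot until the registry value is edited back to the four defaults.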
-
Edited
-
Re-running ComboFix to remove infections:
- Close any open browsers.
- Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
- Open notepad and copy/paste the text in the quotebox below into it:
KillAll::
File::
c:\windows\system32\tmp.tmp
DDS::
Trusted Zone: microsoft.com\www.update
- Save this as CFScript.txt, in the same location as ComboFix.exe
(http://img19.imageshack.us/img19/5660/cfscriptb4.gif)
- Referring to the picture above, drag CFScript into ComboFix.exe
- When finished, it shall produce a log for you at C:\ComboFix.txt
- Please post the contents of the log in your next reply.
=============================
Download GMER Rootkit Detector (http://majorgeeks.com/GMER_d5198.html) and save it to your desktop.
* Extract it to your desktop and double-click GMER.exe
* Make sure all of the boxes on the right of the screen are checked, EXCEPT for "Show All".
* Click the Rootkit tab and then Scan.
* Don't check the Show All box while scanning in progress!
* When scanning is finished click Copy.
* This copies the log to clipboard
* Post the log in your reply.
-
Completed the two scans. GMER ended with a popup that said "Scan Stopped!". Not sure if that is normal or not, but I did not do anything to stop it.
ComboFix 10-06-06.01 - Jon 06/07/2010 19:37:09.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2569 [GMT -7:00]
Running from: c:\documents and settings\Jon\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jon\Desktop\CFScript.txt
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
FILE ::
"c:\windows\system32\tmp.tmp"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\tmp.tmp
.
((((((((((((((((((((((((( Files Created from 2010-05-08 to 2010-06-08 )))))))))))))))))))))))))))))))
.
2010-06-06 00:35 . 2010-04-13 00:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-05 23:47 . 2010-06-05 23:47 -------- d-----w- c:\windows\system32\wbem\Repository
2010-06-05 23:43 . 2010-06-05 23:46 -------- d-----w- c:\documents and settings\Jon\Application Data\Kuyzwe
2010-06-05 20:17 . 2010-06-05 20:17 -------- d-----w- c:\documents and settings\Jon\Application Data\SUPERAntiSpyware.com
2010-06-05 20:16 . 2010-06-05 23:39 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-29 02:29 . 2010-06-01 06:12 -------- d-----w- C:\AstroGeometry
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-07 05:46 . 2010-04-09 08:26 278288 ----a-w- c:\windows\system32\guard32.dll
2010-06-07 05:46 . 2010-04-09 08:25 87824 ----a-w- c:\windows\system32\drivers\inspect.sys
2010-06-07 05:46 . 2010-04-09 08:25 25240 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2010-06-07 05:46 . 2010-04-09 08:25 15464 ----a-w- c:\windows\system32\drivers\cmderd.sys
2010-06-07 05:46 . 2010-04-09 08:25 230360 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2010-06-06 00:35 . 2009-06-27 17:06 -------- d-----w- c:\program files\Java
2010-06-06 00:18 . 2009-06-27 17:06 -------- d-----w- c:\program files\Common Files\Java
2010-06-06 00:03 . 2004-08-04 06:00 42112 ----a-w- c:\windows\system32\drivers\imapi.sys
2010-06-05 02:28 . 2009-08-25 05:43 158528 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-05-31 20:52 . 2009-11-02 06:19 -------- d-----w- c:\documents and settings\Jon\Application Data\Odbyzi
2010-05-26 04:53 . 2010-04-23 02:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-24 04:35 . 2010-04-06 14:46 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-22 20:31 . 2009-04-28 17:28 -------- d-----w- c:\program files\McAfee
2010-05-02 21:28 . 2010-05-02 05:04 -------- d-----w- c:\program files\Google
2010-05-02 20:23 . 2010-05-02 20:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\IObit
2010-05-02 17:30 . 2010-05-02 05:04 -------- d-----w- c:\documents and settings\Jon\Application Data\Skype
2010-05-02 15:52 . 2010-05-02 05:15 -------- d-----w- c:\documents and settings\Jon\Application Data\skypePM
2010-05-02 05:15 . 2010-05-02 05:15 48 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-05-02 05:03 . 2010-05-02 05:03 -------- d-----r- c:\program files\Skype
2010-05-02 05:03 . 2010-05-02 05:03 -------- d-----w- c:\program files\Common Files\Skype
2010-05-02 05:03 . 2010-05-02 05:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-04-30 14:42 . 2010-04-30 14:42 -------- d-----w- c:\documents and settings\All Users\Application Data\COMODO
2010-04-30 14:40 . 2010-04-23 03:10 -------- d-----w- c:\program files\COMODO
2010-04-30 14:37 . 2010-04-24 18:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo Downloader
2010-04-30 14:36 . 2010-04-23 03:10 -------- d-----w- c:\documents and settings\Jon\Application Data\Comodo
2010-04-29 22:39 . 2010-04-23 02:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39 . 2010-04-23 02:25 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-23 02:35 . 2010-04-23 02:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-04-23 02:25 . 2010-04-23 02:25 -------- d-----w- c:\documents and settings\Jon\Application Data\Malwarebytes
2010-04-23 02:25 . 2010-04-23 02:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-17 22:44 . 2010-04-17 22:44 -------- d-----w- c:\program files\Trend Micro
2010-04-16 05:55 . 2010-04-16 04:58 -------- d-----w- c:\program files\Windows Live Safety Center
2010-04-10 04:24 . 2010-04-10 04:24 -------- d-----w- c:\program files\Support Tools
2010-04-10 04:24 . 2009-04-24 23:44 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-03-10 06:15 . 2004-08-04 07:56 420352 ----a-w- c:\windows\system32\vbscript.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-04-16_04.34.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-06-08 02:45 . 2010-06-08 02:45 16384 c:\windows\temp\Perflib_Perfdata_5ac.dat
- 2008-10-22 09:47 . 2010-01-23 08:11 46080 c:\windows\system32\tzchange.exe
+ 2008-10-22 09:47 . 2010-04-21 13:28 46080 c:\windows\system32\tzchange.exe
- 2004-08-04 06:00 . 2010-04-10 18:55 42112 c:\windows\system32\dllcache\imapi.sys
+ 2004-08-04 06:00 . 2010-06-06 00:03 42112 c:\windows\system32\dllcache\imapi.sys
+ 2010-05-02 05:11 . 2010-05-02 05:11 22528 c:\windows\Installer\8846d.msi
+ 2009-08-07 02:23 . 2009-08-07 02:23 215904 c:\windows\system32\muweb.dll
+ 2010-06-06 00:35 . 2010-04-13 00:29 153376 c:\windows\system32\javaws.exe
+ 2010-06-06 00:35 . 2010-04-13 00:29 145184 c:\windows\system32\javaw.exe
- 2009-09-12 17:14 . 2009-07-25 12:23 145184 c:\windows\system32\javaw.exe
- 2009-09-12 17:14 . 2009-07-25 12:23 145184 c:\windows\system32\java.exe
+ 2010-06-06 00:35 . 2010-04-13 00:29 145184 c:\windows\system32\java.exe
- 2009-04-24 23:42 . 2008-04-11 19:04 691712 c:\windows\system32\inetcomm.dll
+ 2009-04-24 23:42 . 2010-01-29 15:01 691712 c:\windows\system32\inetcomm.dll
- 2008-06-20 11:08 . 2010-02-11 12:02 226880 c:\windows\system32\dllcache\tcpip6.sys
+ 2004-08-04 06:07 . 2010-02-11 12:02 226880 c:\windows\system32\dllcache\tcpip6.sys
- 2009-04-25 10:01 . 2008-04-11 19:04 691712 c:\windows\system32\dllcache\inetcomm.dll
+ 2009-04-25 10:01 . 2010-01-29 15:01 691712 c:\windows\system32\dllcache\inetcomm.dll
+ 2010-06-01 17:08 . 2010-06-01 17:08 348160 c:\windows\system32\config\systemprofile\ntuser.dat
+ 2010-05-02 05:04 . 2010-05-02 05:04 700416 c:\windows\Installer\88464.msi
+ 2010-06-06 00:35 . 2010-06-06 00:35 180224 c:\windows\Installer\2ad1f8.msi
+ 2010-05-02 05:03 . 2010-05-02 05:03 371272 c:\windows\Installer\{D103C4BA-F905-437A-8049-DB24763BBE36}\SkypeIcon.exe
+ 2010-06-05 19:35 . 2010-06-05 23:47 8420340 c:\windows\system32\Restore\rstrlog.dat
+ 2009-08-13 00:10 . 2010-01-29 15:01 1315328 c:\windows\system32\dllcache\msoe.dll
- 2009-08-13 00:10 . 2009-07-10 13:27 1315328 c:\windows\system32\dllcache\msoe.dll
+ 2010-05-02 05:03 . 2010-05-02 05:03 1575936 c:\windows\Installer\8845f.msi
+ 2010-04-30 14:40 . 2010-04-30 14:40 3651072 c:\windows\Installer\1c391.msi
+ 2010-04-30 14:37 . 2010-04-30 14:37 1516544 c:\windows\Installer\1c38d.msi
+ 2009-04-27 18:02 . 2010-04-30 18:51 32058312 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2010-05-26 2346192]
"{33417D3A-51C4-0B08-676C-0F42AC85C204}"="c:\documents and settings\Jon\Application Data\Kuyzwe\omzun.exe" [2009-10-17 133146]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-25 61440]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 61952]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-01-25 111952]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2010-05-07 642856]
"VX6000"="c:\windows\vVX6000.exe" [2009-06-27 759296]
"PSDiagnosticM"="c:\program files\Linksys Wireless-G Print Server\PSDiagnosticM.exe" [2007-09-04 315392]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-06-07 2039240]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
ubxo.exe [2010-5-20 132687]
c:\documents and settings\Jon\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mirepcmw.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [4/9/2010 1:25 AM 230360]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [4/9/2010 1:25 AM 25240]
R2 CLPSLS;COMODO livePCsupport Service;c:\program files\COMODO\COMODO livePCsupport\CLPSLS.exe [2/19/2010 5:00 PM 148744]
R2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [11/13/2008 12:43 PM 204800]
R3 lknuhst;Linksys Network USB Host Controller;c:\windows\system32\drivers\lknuhst.sys [9/11/2009 11:39 PM 12032]
R3 LKNUHUB;Linksys Network USB Root Hub;c:\windows\system32\drivers\lknuhub.sys [9/11/2009 11:39 PM 39424]
R3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [6/26/2009 5:21 PM 2069504]
.
Contents of the 'Scheduled Tasks' folder
2010-06-08 c:\windows\Tasks\AWC AutoSweep.job
- c:\program files\IObit\Advanced SystemCare 3\AutoSweep.exe [2010-04-06 21:11]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
FF - ProfilePath - c:\documents and settings\Jon\Application Data\Mozilla\Firefox\Profiles\7k49vc2y.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.sfgate.com/
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-07 19:45
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(564)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(2828)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\windows\system32\java.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
.
**************************************************************************
.
Completion time: 2010-06-07 19:53:18 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-08 02:53
ComboFix2.txt 2010-06-07 06:22
ComboFix3.txt 2010-04-16 04:37
Pre-Run: 60,252,954,624 bytes free
Post-Run: 60,171,567,104 bytes free
- - End Of File - - AD4898B434D9F9AEB285CFACD04D6697
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-07 20:56:04
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Jon\LOCALS~1\Temp\fgncrfob.sys
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwAdjustPrivilegesToken [0xB761D704]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwConnectPort [0xB761CCA8]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateFile [0xB761D36A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateKey [0xB761DF58]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreatePort [0xB761CB84]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateSection [0xB761FFCC]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateSymbolicLinkObject [0xB762039C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateThread [0xB761C56C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwDeleteKey [0xB761D8F0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwDeleteValueKey [0xB761DAE4]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwDuplicateObject [0xB761C35C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwEnumerateKey [0xB761E67A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwEnumerateValueKey [0xB761E8D4]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwLoadDriver [0xB761FA4E]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwMakeTemporaryObject [0xB761CF44]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenFile [0xB761D546]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenKey [0xB761DF48]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenProcess [0xB761BF3C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenSection [0xB761D1F4]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenThread [0xB761C162]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwQueryKey [0xB761EAF0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwQueryMultipleValueKey [0xB761EF6E]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwQueryValueKey [0xB761ED10]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwRenameKey [0xB761E492]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwRequestWaitReplyPort [0xB761F4E2]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSecureConnectPort [0xB761F796]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSetSecurityObject [0xB761DD20]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSetSystemInformation [0xB761FD14]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSetValueKey [0xB761E21A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwShutdownSystem [0xB761CEDE]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSystemDebugControl [0xB761D0E0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwTerminateProcess [0xB761C982]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwTerminateThread [0xB761C76C]
---- Kernel code sections - GMER 1.0.15 ----
.text ntoskrnl.exe!ZwYieldExecution + 19A 804E49F4 4 Bytes CALL 5778015A
.text ntoskrnl.exe!ZwYieldExecution + 2F6 804E4B50 8 Bytes JMP EF6EB761
? Combo-Fix.sys The system cannot find the file specified. !
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB99EC000, 0x1C5D58, 0xE8000020]
? C:\DOCUME~1\Jon\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !
? C:\ComboFix\catchme.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\SearchIndexer.exe[240] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[928] ntdll.dll!NtAllocateVirtualMemory 7C90CF6E 5 Bytes JMP 004F7CB0 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe (COMODO Internet Security/COMODO)
.text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[1620] ntdll.dll!NtCreateThread 7C90D1AE 5 Bytes JMP 001438BA
.text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[1620] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00143A83
.text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[1620] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 00143B2A
.text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[1620] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 0013508F
.text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[1620] USER32.dll!GetClipboardData 7E430DBA 5 Bytes JMP 001351D1
.text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[1620] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00133A1B
.text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[1620] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00133A58
.text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[1620] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00133A7E
.text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[1620] CRYPT32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 0013AC94
.text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[1620] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 00134DD2
.text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[1620] WININET.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 00134E96
.text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[1620] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 00134D8A
.text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[1620] WININET.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 00134E65
.text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[1620] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 00134B96
.text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[1620] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 00134BEF
.text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[1620] WININET.dll!InternetReadFileExA 3D963381 5 Bytes JMP 00134E16
.text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[1620] WININET.dll!HttpSendRequestExA 3D9BA70A 5 Bytes JMP 00134CE9
.text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[1620] WININET.dll!HttpSendRequestExW 3D9BA763 5 Bytes JMP 00134C48
.text C:\Program Files\Windows Desktop Search\WindowsSearch.exe[2168] ntdll.dll!NtCreateThread 7C90D1AE 5 Bytes JMP 000838BA
.text C:\Program Files\Windows Desktop Search\WindowsSearch.exe[2168] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00083A83
.text C:\Program Files\Windows Desktop Search\WindowsSearch.exe[2168] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 00083B2A
.text C:\Program Files\Windows Desktop Search\WindowsSearch.exe[2168] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 0007508F
.text C:\Program Files\Windows Desktop Search\WindowsSearch.exe[2168] USER32.dll!GetClipboardData 7E430DBA 5 Bytes JMP 000751D1
.text C:\Program Files\Windows Desktop Search\WindowsSearch.exe[2168] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00073A1B
.text C:\Program Files\Windows Desktop Search\WindowsSearch.exe[2168] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00073A58
.text C:\Program Files\Windows Desktop Search\WindowsSearch.exe[2168] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00073A7E
.text C:\Program Files\Windows Desktop Search\WindowsSearch.exe[2168] CRYPT32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 0007AC94
.text C:\Program Files\Windows Desktop Search\WindowsSearch.exe[2168] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 00074DD2
.text C:\Program Files\Windows Desktop Search\WindowsSearch.exe[2168] WININET.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 00074E96
.text C:\Program Files\Windows Desktop Search\WindowsSearch.exe[2168] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 00074D8A
.text C:\Program Files\Windows Desktop Search\WindowsSearch.exe[2168] WININET.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 00074E65
.text C:\Program Files\Windows Desktop Search\WindowsSearch.exe[2168] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 00074B96
.text C:\Program Files\Windows Desktop Search\WindowsSearch.exe[2168] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 00074BEF
.text C:\Program Files\Windows Desktop Search\WindowsSearch.exe[2168] WININET.dll!InternetReadFileExA 3D963381 5 Bytes JMP 00074E16
.text C:\Program Files\Windows Desktop Search\WindowsSearch.exe[2168] WININET.dll!HttpSendRequestExA 3D9BA70A 5 Bytes JMP 00074CE9
.text C:\Program Files\Windows Desktop Search\WindowsSearch.exe[2168] WININET.dll!HttpSendRequestExW 3D9BA763 5 Bytes JMP 00074C48
.text C:\WINDOWS\system32\NOTEPAD.EXE[2332] ntdll.dll!NtAllocateVirtualMemory 7C90CF6E 5 Bytes JMP 10025D20 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\NOTEPAD.EXE[2332] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001CEC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\NOTEPAD.EXE[2332] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 10025DA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\NOTEPAD.EXE[2332] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 10025E40 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\NOTEPAD.EXE[2332] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 10025E20 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\NOTEPAD.EXE[2332] ntdll.dll!NtDeleteFile 7C90D23E 5 Bytes JMP 10025D60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\NOTEPAD.EXE[2332] ntdll.dll!NtFreeVirtualMemory 7C90D38E 5 Bytes JMP 10025C60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\NOTEPAD.EXE[2332] ntdll.dll!NtLoadDriver 7C90D46E 5 Bytes JMP 10025D00 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\NOTEPAD.EXE[2332] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes JMP 10025D80 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\NOTEPAD.EXE[2332] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 10025D40 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\NOTEPAD.EXE[2332] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 10025CC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\NOTEPAD.EXE[2332] ntdll.dll!NtUnloadDriver 7C90DEBE 5 Bytes JMP 10025CE0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\NOTEPAD.EXE[2332] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 10025DC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\NOTEPAD.EXE[2332] ntdll.dll!RtlAllocateHeap 7C9100C4 5 Bytes JMP 10025C80 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\NOTEPAD.EXE[2332] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 100234C0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\NOTEPAD.EXE[2332] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 1001CFE0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\NOTEPAD.EXE[2332] ntdll.dll!LdrGetProcedureAddress 7C917EA8 5 Bytes JMP 10025CA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\NOTEPAD.EXE[2332] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 10025BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\NOTEPAD.EXE[2332] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 10025940 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\NOTEPAD.EXE[2332] kernel32.dll!LoadLibraryExW 7C801AF5 7 Bytes JMP 10025BE0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\NOTEPAD.EXE[2332] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 10025C00 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\NOTEPAD.EXE[2332] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 100259A0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\NOTEPAD.EXE[2332] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10025DE0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\NOTEPAD.EXE[2332] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025E00 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\NOTEPAD.EXE[2332] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 10025C40 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\NOTEPAD.EXE[2332] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 10025980 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\NOTEPAD.EXE[2332] kernel32.dll!GetModuleHandleA 7C80B741 5 Bytes JMP 100259E0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\NOTEPAD.EXE[2332] kernel32.dll!GetModuleHandleW 7C80E4DD 5 Bytes JMP 100259C0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\NOTEPAD.EXE[2332] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10025B80 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\NOTEPAD.EXE[2332] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10025A40 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\NOTEPAD.EXE[2332] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 10025AC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\NOTEPAD.EXE[2332] kernel32.dll!OpenFile 7C821982 5 Bytes JMP 10025BC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\NOTEPAD.EXE[2332] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10025B00 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\NOTEPAD.EXE[2332] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 10025B60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\NOTEPAD.EXE[2332] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 10025B40 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\NOTEPAD.EXE[2332] kernel32.dll!DeleteFileA 7C831EDD 5 Bytes JMP 10025A20 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\NOTEPAD.EXE[2332] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10025A00 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\NOTEPAD.EXE[2332] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 10025A80 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\NOTEPAD.EXE[2332] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 10025AE0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\NOTEPAD.EXE[2332] kernel32.dll!MoveFileWithProgressA 7C835EDE 5 Bytes JMP 10025A60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\NOTEPAD.EXE[2332] kernel32.dll!MoveFileExA 7C85E49B 5 Bytes JMP 10025AA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\NOTEPAD.EXE[2332] kernel32.dll!CopyFileExA 7C85F39C 5 Bytes JMP 10025B20 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\NOTEPAD.EXE[2332] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 10025960 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\NOTEPAD.EXE[2332] kernel32.dll!LoadModule 7C86261E 5 Bytes JMP 10025C20 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\NOTEPAD.EXE[2332] ADVAPI32.dll!OpenServiceW 77DE6FFD 7 Bytes JMP 10026890 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\NOTEPAD.EXE[2332] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 1001F730 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\NOTEPAD.EXE[2332] ADVAPI32.dll!OpenServiceA 77DF4C66 7 Bytes JMP 100265F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\NOTEPAD.EXE[2332] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 1001FF40 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\NOTEPAD.EXE[2332] ADVAPI32.dll!CreateServiceA 77E37211 7 Bytes JMP 10026DE0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\NOTEPAD.EXE[2332] ADVAPI32.dll!CreateServiceW 77E373A9 7 Bytes JMP 10026B00 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\NOTEPAD.EXE[2332] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10027420 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\NOTEPAD.EXE[2332] SHELL32.dll!ShellExecuteExW 7CA0996B 5 Bytes JMP 100258C0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\NOTEPAD.EXE[2332] SHELL32.dll!ShellExecuteEx 7CA40EB5 5 Bytes JMP 100258E0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\NOTEPAD.EXE[2332] SHELL32.dll!ShellExecuteA 7CA411E0 5 Bytes JMP 10025920 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\NOTEPAD.EXE[2332] SHELL32.dll!ShellExecuteW 7CAB5D48 5 Bytes JMP 10025900 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\NOTEPAD.EXE[2332] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100278A0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\NOTEPAD.EXE[2332] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10027660 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\Jon\Desktop\gmer.exe[3132] ntdll.dll!NtAllocateVirtualMemory 7C90CF6E 5 Bytes JMP 10025D20 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\Jon\Desktop\gm<
-
* Direct download link is here: RootRepeal.zip (http://rootrepeal.googlepages.com/RootRepeal.zip)
* Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
* Click this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of such programs and how to disable them.
* Extract the program file to a new folder such as C:\RootRepeal
* Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button.
* Select ALL of the checkboxes and then click OK and it will start scanning your system.
* If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
* When done, click on Save Report
* Save it to the same location where you ran it from, such as C:\RootRepeal
* Save it as rootrepeal.txt
* Then open that log and select all and copy/paste it back on your next reply please.
* Close RootRepeal.
-
Edited.
-
Here is the RootRepeal Log.
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/06/08 20:16
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================
Drivers
-------------------
Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xF75A8000 Size: 187776 File Visible: - Signed: Yes
Status: -
Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2260992 File Visible: - Signed: Yes
Status: -
Name: afd.sys
Image Path: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xB6A40000 Size: 138496 File Visible: - Signed: Yes
Status: -
Name: ASACPI.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ASACPI.sys
Address: 0xF79C5000 Size: 5152 File Visible: - Signed: Yes
Status: -
Name: atapi.sys
Image Path: atapi.sys
Address: 0xF749A000 Size: 96512 File Visible: - Signed: Yes
Status: -
Name: ati2cqag.dll
Image Path: C:\WINDOWS\System32\ati2cqag.dll
Address: 0xBF065000 Size: 626688 File Visible: - Signed: Yes
Status: -
Name: ati2dvag.dll
Image Path: C:\WINDOWS\System32\ati2dvag.dll
Address: 0xBF012000 Size: 339968 File Visible: - Signed: Yes
Status: -
Name: ati2mtag.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
Address: 0xB8F4B000 Size: 3891200 File Visible: - Signed: Yes
Status: -
Name: ati3duag.dll
Image Path: C:\WINDOWS\System32\ati3duag.dll
Address: 0xBF1CD000 Size: 3821568 File Visible: - Signed: Yes
Status: -
Name: atikvmag.dll
Image Path: C:\WINDOWS\System32\atikvmag.dll
Address: 0xBF0FE000 Size: 540672 File Visible: - Signed: Yes
Status: -
Name: atiok3x2.dll
Image Path: C:\WINDOWS\System32\atiok3x2.dll
Address: 0xBF182000 Size: 307200 File Visible: - Signed: Yes
Status: -
Name: ativvaxx.dll
Image Path: C:\WINDOWS\System32\ativvaxx.dll
Address: 0xBF572000 Size: 2670592 File Visible: - Signed: Yes
Status: -
Name: ATMFD.DLL
Image Path: C:\WINDOWS\System32\ATMFD.DLL
Address: 0xBFFA0000 Size: 286720 File Visible: - Signed: Yes
Status: -
Name: audstub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\audstub.sys
Address: 0xF7A68000 Size: 3072 File Visible: - Signed: Yes
Status: -
Name: Beep.SYS
Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xF79D7000 Size: 4224 File Visible: - Signed: Yes
Status: -
Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xF7897000 Size: 12288 File Visible: - Signed: Yes
Status: -
Name: Cdfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xF7517000 Size: 63744 File Visible: - Signed: Yes
Status: -
Name: cdrom.sys
Image Path: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Address: 0xF76A7000 Size: 62976 File Visible: - Signed: Yes
Status: -
Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Address: 0xF7637000 Size: 53248 File Visible: - Signed: Yes
Status: -
Name: cmdguard.sys
Image Path: C:\WINDOWS\System32\DRIVERS\cmdguard.sys
Address: 0xB6B64000 Size: 222208 File Visible: - Signed: Yes
Status: -
Name: cmdhlp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\cmdhlp.sys
Address: 0xF777F000 Size: 18304 File Visible: - Signed: Yes
Status: -
Name: disk.sys
Image Path: disk.sys
Address: 0xF7627000 Size: 36352 File Visible: - Signed: Yes
Status: -
Name: dmio.sys
Image Path: dmio.sys
Address: 0xF74B2000 Size: 153344 File Visible: - Signed: Yes
Status: -
Name: dmload.sys
Image Path: dmload.sys
Address: 0xF798D000 Size: 5888 File Visible: - Signed: Yes
Status: -
Name: drmk.sys
Image Path: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xF7507000 Size: 61440 File Visible: - Signed: Yes
Status: -
Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xB6BAF000 Size: 12288 File Visible: - Signed: Yes
Status: -
Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF000000 Size: 73728 File Visible: - Signed: Yes
Status: -
Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xB651D000 Size: 4096 File Visible: - Signed: Yes
Status: -
Name: fdc.sys
Image Path: C:\WINDOWS\system32\DRIVERS\fdc.sys
Address: 0xF77F7000 Size: 27392 File Visible: - Signed: Yes
Status: -
Name: Fips.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xBA750000 Size: 44544 File Visible: - Signed: Yes
Status: -
Name: flpydisk.sys
Image Path: C:\WINDOWS\system32\DRIVERS\flpydisk.sys
Address: 0xF7757000 Size: 20480 File Visible: - Signed: Yes
Status: -
Name: fltmgr.sys
Image Path: fltmgr.sys
Address: 0xF747A000 Size: 129792 File Visible: - Signed: Yes
Status: -
Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xF79D5000 Size: 7936 File Visible: - Signed: Yes
Status: -
Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xF74D8000 Size: 125056 File Visible: - Signed: Yes
Status: -
Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806FF000 Size: 134400 File Visible: - Signed: Yes
Status: -
Name: HDAudBus.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
Address: 0xB8F0F000 Size: 163840 File Visible: - Signed: Yes
Status: -
Name: HdAudio.sys
Image Path: C:\WINDOWS\system32\drivers\HdAudio.sys
Address: 0xB6CE2000 Size: 131072 File Visible: - Signed: Yes
Status: -
Name: HIDCLASS.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
Address: 0xBA710000 Size: 36864 File Visible: - Signed: Yes
Status: -
Name: HIDPARSE.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Address: 0xB9341000 Size: 28672 File Visible: - Signed: Yes
Status: -
Name: hidusb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\hidusb.sys
Address: 0xB8E0D000 Size: 10368 File Visible: - Signed: Yes
Status: -
Name: HTTP.sys
Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys
Address: 0xB2D37000 Size: 265728 File Visible: - Signed: Yes
Status: -
Name: i8042prt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Address: 0xB9D73000 Size: 52480 File Visible: - Signed: Yes
Status: -
Name: imapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\imapi.sys
Address: 0xF7697000 Size: 42112 File Visible: - Signed: Yes
Status: -
Name: inspect.sys
Image Path: inspect.sys
Address: 0xF743D000 Size: 80512 File Visible: - Signed: Yes
Status: -
Name: intelide.sys
Image Path: intelide.sys
Address: 0xF798B000 Size: 5504 File Visible: - Signed: Yes
Status: -
Name: intelppm.sys
Image Path: C:\WINDOWS\system32\DRIVERS\intelppm.sys
Address: 0xB9D83000 Size: 36352 File Visible: - Signed: Yes
Status: -
Name: ipnat.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Address: 0xB6AB2000 Size: 152832 File Visible: - Signed: Yes
Status: -
Name: ipsec.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Address: 0xB6B31000 Size: 75264 File Visible: - Signed: Yes
Status: -
Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xF75F7000 Size: 37248 File Visible: - Signed: Yes
Status: -
Name: kbdclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Address: 0xF77FF000 Size: 24576 File Visible: - Signed: Yes
Status: -
Name: KDCOM.DLL
Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xF7987000 Size: 8192 File Visible: - Signed: Yes
Status: -
Name: kmixer.sys
Image Path: C:\WINDOWS\system32\drivers\kmixer.sys
Address: 0xB280B000 Size: 172416 File Visible: - Signed: Yes
Status: -
Name: ks.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ks.sys
Address: 0xB8E7D000 Size: 143360 File Visible: - Signed: Yes
Status: -
Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xF7451000 Size: 92928 File Visible: - Signed: Yes
Status: -
Name: lknuhst.sys
Image Path: C:\WINDOWS\system32\DRIVERS\lknuhst.sys
Address: 0xBA6F6000 Size: 12032 File Visible: - Signed: No
Status: -
Name: lknuhub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\lknuhub.sys
Address: 0xF7547000 Size: 39424 File Visible: - Signed: No
Status: -
Name: mfehidk.sys
Image Path: C:\WINDOWS\system32\drivers\mfehidk.sys
Address: 0xB2EF1000 Size: 164672 File Visible: - Signed: Yes
Status: -
Name: mferkdk.sys
Image Path: C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys
Address: 0xF7787000 Size: 25088 File Visible: - Signed: Yes
Status: -
Name: mfetdik.sys
Image Path: C:\WINDOWS\system32\drivers\mfetdik.sys
Address: 0xBA780000 Size: 45376 File Visible: - Signed: Yes
Status: -
Name: mnmdd.SYS
Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xF79D9000 Size: 4224 File Visible: - Signed: Yes
Status: -
Name: mouclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Address: 0xF7817000 Size: 23040 File Visible: - Signed: Yes
Status: -
Name: mouhid.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouhid.sys
Address: 0xB8E09000 Size: 12160 File Visible: - Signed: Yes
Status: -
Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xF7607000 Size: 42368 File Visible: - Signed: Yes
Status: -
Name: mrxsmb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Address: 0xB69A5000 Size: 455680 File Visible: - Signed: Yes
Status: -
Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xF776F000 Size: 19072 File Visible: - Signed: Yes
Status: -
Name: msgpc.sys
Image Path: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Address: 0xF76F7000 Size: 35072 File Visible: - Signed: Yes
Status: -
Name: mssmbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Address: 0xBA6FA000 Size: 15488 File Visible: - Signed: Yes
Status: -
Name: Mup.sys
Image Path: Mup.sys
Address: 0xF787D000 Size: 105344 File Visible: - Signed: Yes
Status: -
Name: NDIS.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\NDIS.SYS
Address: 0xF7410000 Size: 182656 File Visible: - Signed: Yes
Status: -
Name: ndistapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Address: 0xBA7C0000 Size: 10112 File Visible: - Signed: Yes
Status: -
Name: ndisuio.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Address: 0xB40DC000 Size: 14592 File Visible: - Signed: Yes
Status: -
Name: ndiswan.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Address: 0xB8E66000 Size: 91520 File Visible: - Signed: Yes
Status: -
Name: NDProxy.SYS
Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xF7557000 Size: 40576 File Visible: - Signed: Yes
Status: -
Name: netbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbios.sys
Address: 0xBA760000 Size: 34688 File Visible: - Signed: Yes
Status: -
Name: netbt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbt.sys
Address: 0xB6A62000 Size: 162816 File Visible: - Signed: Yes
Status: -
Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xF7777000 Size: 30848 File Visible: - Signed: Yes
Status: -
Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xF7B52000 Size: 574976 File Visible: - Signed: Yes
Status: -
Name: ntoskrnl.exe
Image Path: C:\WINDOWS\system32\ntoskrnl.exe
Address: 0x804D7000 Size: 2260992 File Visible: - Signed: Yes
Status: -
Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xF7AAE000 Size: 2944 File Visible: - Signed: Yes
Status: -
Name: parport.sys
Image Path: C:\WINDOWS\system32\DRIVERS\parport.sys
Address: 0xB8EA0000 Size: 80128 File Visible: - Signed: Yes
Status: -
Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xF770F000 Size: 19712 File Visible: - Signed: Yes
Status: -
Name: ParVdm.SYS
Image Path: C:\WINDOWS\System32\Drivers\ParVdm.SYS
Address: 0xF79B9000 Size: 6784 File Visible: - Signed: Yes
Status: -
Name: pci.sys
Image Path: pci.sys
Address: 0xF7597000 Size: 68224 File Visible: - Signed: Yes
Status: -
Name: pciide.sys
Image Path: pciide.sys
Address: 0xF7A4F000 Size: 3328 File Visible: - Signed: Yes
Status: -
Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Address: 0xF7707000 Size: 28672 File Visible: - Signed: Yes
Status: -
Name: pnarp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\pnarp.sys
Address: 0xB66E3000 Size: 18560 File Visible: - Signed: Yes
Status: -
Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2260992 File Visible: - Signed: Yes
Status: -
Name: portcls.sys
Image Path: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xB6CBE000 Size: 147456 File Visible: - Signed: Yes
Status: -
Name: psched.sys
Image Path: C:\WINDOWS\system32\DRIVERS\psched.sys
Address: 0xB8E55000 Size: 69120 File Visible: - Signed: Yes
Status: -
Name: ptilink.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Address: 0xF7807000 Size: 17792 File Visible: - Signed: Yes
Status: -
Name: purendis.sys
Image Path: C:\WINDOWS\system32\DRIVERS\purendis.sys
Address: 0xB66DB000 Size: 19840 File Visible: - Signed: Yes
Status: -
Name: rasacd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Address: 0xBA7E4000 Size: 8832 File Visible: - Signed: Yes
Status: -
Name: rasl2tp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Address: 0xF76C7000 Size: 51328 File Visible: - Signed: Yes
Status: -
Name: raspppoe.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Address: 0xF76D7000 Size: 41472 File Visible: - Signed: Yes
Status: -
Name: raspptp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Address: 0xF76E7000 Size: 48384 File Visible: - Signed: Yes
Status: -
Name: raspti.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspti.sys
Address: 0xF780F000 Size: 16512 File Visible: - Signed: Yes
Status: -
Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000 Size: 2260992 File Visible: - Signed: Yes
Status: -
Name: rdbss.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Address: 0xB6A15000 Size: 175744 File Visible: - Signed: Yes
Status: -
Name: RDPCDD.sys
Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xF79DB000 Size: 4224 File Visible: - Signed: Yes
Status: -
Name: rdpdr.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdpdr.sys
Address: 0xB8E25000 Size: 196224 File Visible: - Signed: Yes
Status: -
Name: redbook.sys
Image Path: C:\WINDOWS\system32\DRIVERS\redbook.sys
Address: 0xF76B7000 Size: 57600 File Visible: - Signed: Yes
Status: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB3622000 Size: 49152 File Visible: No Signed: No
Status: -
Name: serenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\serenum.sys
Address: 0xBA7C8000 Size: 15744 File Visible: - Signed: Yes
Status: -
Name: serial.sys
Image Path: C:\WINDOWS\system32\DRIVERS\serial.sys
Address: 0xB9D63000 Size: 64512 File Visible: - Signed: Yes
Status: -
Name: sr.sys
Image Path: sr.sys
Address: 0xF7468000 Size: 73472 File Visible: - Signed: Yes
Status: -
Name: srv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\srv.sys
Address: 0xB369A000 Size: 353792 File Visible: - Signed: Yes
Status: -
Name: STREAM.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\STREAM.SYS
Address: 0xBA740000 Size: 53248 File Visible: - Signed: Yes
Status: -
Name: swenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\swenum.sys
Address: 0xF79C7000 Size: 4352 File Visible: - Signed: Yes
Status: -
Name: sysaudio.sys
Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xB3FD8000 Size: 60800 File Visible: - Signed: Yes
Status: -
Name: tcpip.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Address: 0xB6AD8000 Size: 361600 File Visible: - Signed: Yes
Status: -
Name: TDI.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\TDI.SYS
Address: 0xF7717000 Size: 20480 File Visible: - Signed: Yes
Status: -
Name: termdd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\termdd.sys
Address: 0xF7587000 Size: 40704 File Visible: - Signed: Yes
Status: -
Name: update.sys
Image Path: C:\WINDOWS\system32\DRIVERS\update.sys
Address: 0xB8D9F000 Size: 384768 File Visible: - Signed: Yes
Status: -
Name: usbaudio.sys
Image Path: C:\WINDOWS\system32\drivers\usbaudio.sys
Address: 0xBA730000 Size: 60032 File Visible: - Signed: Yes
Status: -
Name: usbccgp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbccgp.sys
Address: 0xF778F000 Size: 32128 File Visible: - Signed: Yes
Status: -
Name: USBD.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Address: 0xF79D1000 Size: 8192 File Visible: - Signed: Yes
Status: -
Name: usbehci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Address: 0xF77EF000 Size: 30208 File Visible: - Signed: Yes
Status: -
Name: usbhub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Address: 0xBA7A0000 Size: 59520 File Visible: - Signed: Yes
Status: -
Name: USBPORT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Address: 0xB8EB4000 Size: 147456 File Visible: - Signed: Yes
Status: -
Name: usbuhci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Address: 0xF77E7000 Size: 20608 File Visible: - Signed: Yes
Status: -
Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xF7767000 Size: 20992 File Visible: - Signed: Yes
Status: -
Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Address: 0xB8F37000 Size: 81920 File Visible: - Signed: Yes
Status: -
Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xF7617000 Size: 52352 File Visible: - Signed: Yes
Status: -
Name: VX6000Xp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\VX6000Xp.sys
Address: 0xB6798000 Size: 2068480 File Visible: - Signed: Yes
Status: -
Name: VX6KCamd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\VX6KCamd.sys
Address: 0xB9349000 Size: 28672 File Visible: - Signed: Yes
Status: -
Name: wanarp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Address: 0xBA770000 Size: 34560 File Visible: - Signed: Yes
Status: -
Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xF7797000 Size: 20480 File Visible: - Signed: Yes
Status: -
Name: wdmaud.sys
Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xB3E4B000 Size: 83072 File Visible: - Signed: Yes
Status: -
Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1851392 File Visible: - Signed: Yes
Status: -
Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1851392 File Visible: - Signed: Yes
Status: -
Name: WMILIB.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS
Address: 0xF7989000 Size: 8192 File Visible: - Signed: Yes
Status: -
Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2260992 File Visible: - Signed: Yes
Status: -
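Added example, not part of the original thread: a small Python triage script for a RootRepeal driver listing like the one above. It embeds six records copied from that listing (an excerpt constructed for the script), flags any loaded image whose backing file is not visible to the file system or that carries no signature, and groups names that share one base address and size. The allowlist that treats rootrepeal.sys as expected is an assumption of the example: the anti-rootkit tool's own driver hides itself and is unsigned, which is why it is the only entry in the whole listing with File Visible: No.

```python
"""Triage a RootRepeal 'Drivers' report: hidden or unsigned images, and names
that are only aliases of one kernel image."""
import re
from collections import defaultdict

# Excerpt of the RootRepeal listing posted in the thread, embedded so this runs
# offline. Each record is four lines: Name / Image Path / Address line / Status.
SAMPLE_REPORT = r"""
Name: netbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbios.sys
Address: 0xBA760000 Size: 34688 File Visible: - Signed: Yes
Status: -
Name: ntoskrnl.exe
Image Path: C:\WINDOWS\system32\ntoskrnl.exe
Address: 0x804D7000 Size: 2260992 File Visible: - Signed: Yes
Status: -
Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2260992 File Visible: - Signed: Yes
Status: -
Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000 Size: 2260992 File Visible: - Signed: Yes
Status: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB3622000 Size: 49152 File Visible: No Signed: No
Status: -
Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2260992 File Visible: - Signed: Yes
Status: -
"""

ADDR_RE = re.compile(
    r"Address:\s*(?P<base>0x[0-9A-Fa-f]+)\s+Size:\s*(?P<size>\d+)"
    r"\s+File Visible:\s*(?P<visible>\S+)\s+Signed:\s*(?P<signed>\S+)"
)


def parse_drivers(report):
    """Return one dict per four-line record, with base and size as integers."""
    drivers, cur = [], {}
    for line in report.splitlines():
        line = line.strip()
        if line.startswith("Name:"):
            cur = {"name": line[len("Name:"):].strip()}
        elif line.startswith("Image Path:"):
            cur["path"] = line[len("Image Path:"):].strip()
        elif line.startswith("Address:"):
            m = ADDR_RE.match(line)
            if not m:
                raise ValueError("unparseable address line: " + line)
            cur["base"] = int(m["base"], 16)
            cur["size"] = int(m["size"])
            cur["visible"] = m["visible"]  # 'Yes', 'No', or '-' when not checked
            cur["signed"] = m["signed"]
        elif line.startswith("Status:"):
            cur["status"] = line[len("Status:"):].strip()
            drivers.append(cur)
            cur = {}
    return drivers


# The anti-rootkit tool's own driver hides its file and is unsigned by design.
# This allowlist is an assumption of the example, not something the thread states.
EXPECTED_HIDDEN = {"rootrepeal.sys"}


def suspicious_drivers(drivers):
    """(name, reasons, expected) for images whose file is hidden or unsigned.
    A loaded driver whose file the file-system view cannot see is the classic
    sign of a kernel-mode rootkit hiding itself."""
    hits = []
    for d in drivers:
        reasons = []
        if d["visible"] == "No":
            reasons.append("file hidden from file-system view")
        if d["signed"] == "No":
            reasons.append("no valid signature")
        if reasons:
            hits.append((d["name"], reasons, d["name"].lower() in EXPECTED_HIDDEN))
    return hits


def alias_groups(drivers):
    """Names that share one (base, size). \\Driver\\PnpManager, \\FileSystem\\RAW
    and \\Driver\\WMIxWDM are driver objects implemented inside ntoskrnl.exe,
    not extra images, so they are not evidence of anything hidden."""
    groups = defaultdict(list)
    for d in drivers:
        groups[(d["base"], d["size"])].append(d["name"])
    return {k: v for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    drv = parse_drivers(SAMPLE_REPORT)
    for name, reasons, expected in suspicious_drivers(drv):
        tag = "expected (scanner driver)" if expected else "INVESTIGATE"
        print(f"{name}: {', '.join(reasons)} -> {tag}")
    for (base, size), names in alias_groups(drv).items():
        print(f"0x{base:08X} (+{size} bytes): {' = '.join(names)}")
```

To use it on a saved report, replace SAMPLE_REPORT with the file contents. In a listing this long the value is in quickly confirming that nothing other than the scanner's own driver is hidden, and in not mistaking the four entries at 0x804D7000 for extra images. It is a filter, not a clearance: a rootkit that patches an existing driver file, as the ESET results later in this thread show happened to imapi.sys, loads under the original name from a visible path.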
-
How is your computer running now? Any more redirects?
-
No more redirects. Everything seems to be running fine. My gf said she had some pop ups yesterday. I wasn't home but it wasn't the fake security alerts. I have been able to update XP so overall I think I am in good shape.
I wonder about IO Bit Advanced System Care and if it really helps or not and about switching McAfee for one of the anti virus products recommended here.
I really appreciate your help and input, thanks.
-
Well, that sound good. Let's run one more scan and if that comes up clean, we'll do some clean-up. I'll have some more suggestions about how to keep your computer safe in the clean-up speech.
I'd like us to scan your machine with ESET OnlineScan
•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
•Click the (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png) button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
- Click on (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png) to download the ESET Smart Installer. Save it to your desktop.
- Double click on the (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png) icon on your desktop.
•Check (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png)
•Click the (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png) button.
•Accept any security warnings from your browser.
•Check (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png)
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png)
•Push (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png), and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetBack.png) button.
•Push (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png)
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
-
Wow, 33 items found, was this expected?
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=a0d5c9e1b047ac48af0108484ba6a6e9
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-06-10 05:13:14
# local_time=2010-06-09 10:13:14 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 4507239 4507239 0 0
# compatibility_mode=3073 16777213 80 92 0 11094560 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=77165
# found=33
# cleaned=33
# scan_time=8895
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\ubxo.exe a variant of Win32/Kryptik.EMT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\gyqig.exe a variant of Win32/Kryptik.EMT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Jon\Application Data\Kuyzwe\omzun.exe a variant of Win32/Kryptik.EMT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\6.0\46\2ef6a5ae-29c19df4 a variant of Java/TrojanDownloader.Agent.NBE trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\0\43120580-4af80629 a variant of Java/TrojanDownloader.Agent.NAN trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\33\30feb821-6a642e70 a variant of Java/TrojanDownloader.Agent.NAN trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\44\5473416c-2e86c9ca a variant of Java/TrojanDownloader.Agent.NAN trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\63\43e0867f-1c23f9a1 probably a variant of Win32/Agent trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Unlocker\eBay_shortcuts_1016.exe a variant of Win32/Adware.ADON application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\mirepcmw.dll.vir a variant of Win32/Agent.WQK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\imapi.sys.vir Win32/Olmarik.ZC trojan (cleaned - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{CB71ABFF-714E-48BB-873E-6FB22EA024B9}\RP36\A0018169.exe a variant of Win32/Kryptik.EMT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{CB71ABFF-714E-48BB-873E-6FB22EA024B9}\RP46\A0022896.exe a variant of Win32/Kryptik.EMT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{CB71ABFF-714E-48BB-873E-6FB22EA024B9}\RP46\A0022906.exe a variant of Win32/Kryptik.EMT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{CB71ABFF-714E-48BB-873E-6FB22EA024B9}\RP48\A0026253.exe a variant of Win32/Kryptik.EMT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{CB71ABFF-714E-48BB-873E-6FB22EA024B9}\RP48\A0026255.exe a variant of Win32/Kryptik.EMT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{CB71ABFF-714E-48BB-873E-6FB22EA024B9}\RP48\A0026256.exe a variant of Win32/Kryptik.EMT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{CB71ABFF-714E-48BB-873E-6FB22EA024B9}\RP49\A0029852.exe a variant of Win32/Kryptik.EMT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{CB71ABFF-714E-48BB-873E-6FB22EA024B9}\RP49\A0029853.exe a variant of Win32/Kryptik.EMT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{CB71ABFF-714E-48BB-873E-6FB22EA024B9}\RP49\A0029883.dll a variant of Win32/Agent.WQK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{CB71ABFF-714E-48BB-873E-6FB22EA024B9}\RP52\A0030305.exe a variant of Win32/Kryptik.EMT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{CB71ABFF-714E-48BB-873E-6FB22EA024B9}\RP52\A0030306.exe a variant of Win32/Kryptik.EMT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{CB71ABFF-714E-48BB-873E-6FB22EA024B9}\RP52\A0032444.exe a variant of Win32/Kryptik.EMT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{CB71ABFF-714E-48BB-873E-6FB22EA024B9}\RP52\A0032446.exe a variant of Win32/Kryptik.EMT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{CB71ABFF-714E-48BB-873E-6FB22EA024B9}\RP52\A0032447.exe a variant of Win32/Kryptik.EMT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{CB71ABFF-714E-48BB-873E-6FB22EA024B9}\RP52\A0035015.exe a variant of Win32/Kryptik.EMT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{CB71ABFF-714E-48BB-873E-6FB22EA024B9}\RP52\A0035016.exe a variant of Win32/Kryptik.EMT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{CB71ABFF-714E-48BB-873E-6FB22EA024B9}\RP55\A0036642.sys Win32/Olmarik.ZC trojan (cleaned - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{CB71ABFF-714E-48BB-873E-6FB22EA024B9}\RP55\A0036698.dll a variant of Win32/Agent.WQK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{CB71ABFF-714E-48BB-873E-6FB22EA024B9}\RP59\A0039289.exe a variant of Win32/Kryptik.EMT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{CB71ABFF-714E-48BB-873E-6FB22EA024B9}\RP59\A0039290.exe a variant of Win32/Kryptik.EMT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{CB71ABFF-714E-48BB-873E-6FB22EA024B9}\RP59\A0039291.exe a variant of Win32/Kryptik.EMT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{CB71ABFF-714E-48BB-873E-6FB22EA024B9}\RP59\A0039292.exe a variant of Win32/Adware.ADON application (deleted - quarantined) 00000000000000000000000000000000 C
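Added example, not part of the original thread: a Python script that parses ESET Online Scanner result lines like the ones above and sorts each hit by where it lived, which is the reasoning behind the reply that most of the 33 were duplicates sitting in System Restore. The embedded sample is an excerpt of eight lines copied from the log above (constructed for the script, so the counts are for the excerpt only). The location categories and the reading of "cleaned - quarantined" as an in-place repair of a legitimate file are the example's own interpretation.

```python
"""Triage an ESET Online Scanner log: where did each detection live, and which
findings were actually on the running system?"""
import re
from collections import Counter

# Excerpt of the ESET log posted in the thread (paths and detections copied from
# it), embedded so the script runs offline. '#' header lines are skipped.
SAMPLE_LOG = r"""
# version=7
# end=finished
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\ubxo.exe a variant of Win32/Kryptik.EMT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Jon\Application Data\Kuyzwe\omzun.exe a variant of Win32/Kryptik.EMT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\6.0\46\2ef6a5ae-29c19df4 a variant of Java/TrojanDownloader.Agent.NBE trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\63\43e0867f-1c23f9a1 probably a variant of Win32/Agent trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Unlocker\eBay_shortcuts_1016.exe a variant of Win32/Adware.ADON application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\imapi.sys.vir Win32/Olmarik.ZC trojan (cleaned - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{CB71ABFF-714E-48BB-873E-6FB22EA024B9}\RP36\A0018169.exe a variant of Win32/Kryptik.EMT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{CB71ABFF-714E-48BB-873E-6FB22EA024B9}\RP55\A0036642.sys Win32/Olmarik.ZC trojan (cleaned - quarantined) 00000000000000000000000000000000 C
"""

# path  detection  (action)  md5  flag   -- the path may contain spaces, so the
# detection is anchored on its fixed wording ('... trojan' / '... application').
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<detection>(?:probably\s+)?(?:a variant of\s+)?[\w/.\-]+\s+(?:trojan|application))\s+"
    r"\((?P<action>[^)]+)\)\s+"
    r"(?P<md5>[0-9a-fA-F]{32})\s+"
    r"(?P<flag>\S+)$"
)


def classify(path):
    """Where the detection lived; only 'live file' hits were on the running system."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore-point copy"       # inert unless a restore is performed
    if "\\qoobox\\quarantine\\" in p:
        return "combofix quarantine"      # already neutralised by ComboFix
    if "\\sun\\java\\deployment\\cache\\" in p:
        return "java cache"               # payloads fetched through the Java plug-in
    return "live file"


def parse_log(text):
    """Return one dict per result line with family and location filled in."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unrecognised line: " + line)
        rec = m.groupdict()
        rec["family"] = rec["detection"].split()[-2]   # e.g. Win32/Olmarik.ZC
        rec["location"] = classify(rec["path"])
        findings.append(rec)
    return findings


def summarize(findings):
    """(hits per location, sorted distinct families, hits still on the live system)."""
    by_location = Counter(f["location"] for f in findings)
    families = sorted({f["family"] for f in findings})
    live = [f for f in findings if f["location"] == "live file"]
    return by_location, families, live


def disinfected_in_place(findings):
    """Files ESET repaired rather than deleted ('cleaned - quarantined'): a
    legitimate file with malicious code grafted in, as TDSS does to a driver."""
    return [f["path"].rsplit("\\", 1)[-1] for f in findings
            if f["action"] == "cleaned - quarantined"]


if __name__ == "__main__":
    findings = parse_log(SAMPLE_LOG)
    by_location, families, live = summarize(findings)
    for loc, n in by_location.most_common():
        print(f"{n:3d}  {loc}")
    print("families:", ", ".join(families))
    print("still on the live system:", [f["path"] for f in live])
    print("repaired system files:", disinfected_in_place(findings))
```

Run against the full 33-line log, the restore-point bucket holds 22 of the hits and the Qoobox bucket two more, which is what "most were in System Restore" means; purging old restore points and setting a clean one (the ComboFix /uninstall step) removes those copies. The Java deployment cache entries are downloader payloads that arrived through the browser's Java plug-in, the usual sign of an out-of-date JRE and the reason for the software-update check. Win32/Olmarik is ESET's name for the TDSS/TDL rootkit family, which grafts itself onto an existing system driver, here imapi.sys; that squares with McAfee's rootkit alert and the search redirects reported at the start of the thread.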
-
Most of these are duplicates, and most were in System Restore.
* Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
* Now type Combofix /uninstall in the runbox
* Make sure there's a space between Combofix and /Uninstall
* Then hit Enter
* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.
==============================
Download OTC by OldTimer (http://oldtimer.geekstogo.com/OTC.exe) and save it to your desktop.
1. Double-click OTC to run it.
2. Click the CleanUp! button.
3. Select Yes when the "Begin cleanup Process?" prompt appears.
4. If you are prompted to Reboot during the cleanup, select Yes
5. OTC should delete itself once it finishes, if not delete it yourself.
If there are any tools/programs left, install them or delete them.
==============================
Clean out your temporary internet files and temp files.
Download TFC by OldTimer (http://oldtimer.geekstogo.com/TFC.exe) to your desktop.
Double-click TFC.exe to run it.
Note: If you are running on Vista, right-click on the file and choose Run As Administrator
TFC will close all programs when run, so make sure you have saved all your work before you begin.
* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.
Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
=================================
Use the Secunia Software Inspector (http://secunia.com/software_inspector) to check for out of date software.
•Click Start Now
•Check the box next to Enable thorough system inspection.
•Click Start
•Allow the scan to finish and scroll down to see if any updates are needed.
•Update anything listed.
----------
Go to Microsoft Windows Update (http://windowsupdate.microsoft.com/) and get all critical updates.
----------
I suggest using WOT - Web of Trust (http://www.mywot.com/). WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.
SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer (http://www.bleepingcomputer.com/forums/tutorial49.html) from Spyware and Malware
* If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. (http://www.safer-networking.org/en/spybotsd/index.html) Guide: Use Spybot's Immunize Feature (http://www.bleepingcomputer.com/tutorials/tutorial43.html#immunize) to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ (http://www.safer-networking.org/en/faq/index.html)
Check out Keeping Yourself Safe On The Web (http://evilfantasy.wordpress.com/2008/05/20/keeping-yourself-safe-on-the-web/) for tips and free tools to help keep you safe in the future.
Also see Slow Computer? It may not be Malware (http://evilfantasy.wordpress.com/2008/05/24/slow-computer-it-may-not-be-malware/) for free cleaning/maintenance tools to help keep your computer running smoothly.
Safe Surfing!
-
I have been away for a couple days. Just finished your last suggestions. Thank you so much. The computer is running really well and I am very happy with the results. You turned a source of frustration and anger into a workable and enjoyable experience. I learned as I went and really appreciate your help. 8)