
Author Topic: ThinkPoint?  (Read 19293 times)


BigMac100

    Topic Starter


    Rookie

    Re: ThinkPoint?
    « Reply #15 on: December 06, 2010, 05:21:35 PM »
    Nor will it allow me to type the code, copy/paste or CTRL+V

    SuperDave

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Thanked: 1020
    • Certifications: List
    • Experience: Expert
    • OS: Windows 10
    Re: ThinkPoint?
    « Reply #16 on: December 06, 2010, 07:27:05 PM »
    Please just skip that one and go on with the next one. We'll return to it later.
    Windows 8 and Windows 10 dual boot with two SSD's

    BigMac100


      Re: ThinkPoint?
      « Reply #17 on: December 09, 2010, 02:18:00 PM »
      Dave, I continue to have a hard time completing the second set of instructions. As you know, I am unable to remove Windows Messenger, cannot complete Jotti's malware scan, and when I try to remove ASK, I get a pop-up window that says:

      RunDLL
      Error loading c:\PROGRA~1\AskBar\bar\l.bin\AskSBar.dll
      The specified could not be found

      I continued to Security Check by screen 317 and the results are below.

      Thanks

      BigMac100


        Re: ThinkPoint?
        « Reply #18 on: December 09, 2010, 02:18:43 PM »
         Results of screen317's Security Check version 0.99.6 
         Windows XP Service Pack 2 
         Out of date service pack!!
         Internet Explorer 8 
        ``````````````````````````````
        Antivirus/Firewall Check:

         Windows Firewall Disabled! 
        ```````````````````````````````
        Anti-malware/Other Utilities Check:

         Malwarebytes' Anti-Malware   
         Java(TM) 6 Update 16 
         Out of date Java installed!
         Adobe Flash Player   
        Adobe Reader 9
        Out of date Adobe Reader installed!
        ````````````````````````````````
        Process Check: 
        objlist.exe by Laurent

        ````````````````````````````````
        DNS Vulnerability Check:

         Request Timed Out (Wireless Internet connection/Disconnected Internet/Proxy?)

        ``````````End of Log````````````

        BigMac100


          Re: ThinkPoint?
          « Reply #19 on: December 09, 2010, 02:37:41 PM »
          All processes killed
          ========== OTL ==========
          ========== OTL ==========
          ========== COMMANDS ==========
          C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
          HOSTS file reset successfully
          Error: Unable to interpret <[clearrestorepoints]> in the current context!
           
          [EMPTYTEMP]
           
          User: Administrator
          ->Temp folder emptied: 311296 bytes
          ->Temporary Internet Files folder emptied: 4949587 bytes
          ->Flash cache emptied: 3270 bytes
           
          User: All Users
           
          User: Default User
          ->Temp folder emptied: 0 bytes
          ->Temporary Internet Files folder emptied: 33170 bytes
          ->Flash cache emptied: 41044 bytes
           
          User: LocalService
          ->Temp folder emptied: 65984 bytes
          ->Temporary Internet Files folder emptied: 102313967 bytes
          ->Java cache emptied: 1100115 bytes
          ->Flash cache emptied: 72568 bytes
           
          User: NetworkService
          ->Temp folder emptied: 0 bytes
          ->Temporary Internet Files folder emptied: 538987481 bytes
          ->Java cache emptied: 25082 bytes
          ->Flash cache emptied: 20987 bytes
           
          User: Owner
          ->Temp folder emptied: 5210353 bytes
          ->Temporary Internet Files folder emptied: 45875376 bytes
          ->Java cache emptied: 9042236 bytes
          ->Google Chrome cache emptied: 819568 bytes
          ->Flash cache emptied: 2002126 bytes
           
          %systemdrive% .tmp files removed: 0 bytes
          %systemroot% .tmp files removed: 1126364 bytes
          %systemroot%\System32 .tmp files removed: 7103 bytes
          %systemroot%\System32\dllcache .tmp files removed: 0 bytes
          %systemroot%\System32\drivers .tmp files removed: 0 bytes
          Windows Temp folder emptied: 37926273 bytes
          %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 64700720 bytes
          %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 34767 bytes
          RecycleBin emptied: 5795726 bytes
           
          Total Files Cleaned = 782.00 mb
           
           
          OTL by OldTimer - Version 3.2.17.3 log created on 12092010_162522

          Files\Folders moved on Reboot...
          File\Folder C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5
          \WPGNQVQN\main_6;sz=300x250;kl=N;!c=6;k2=617;k2=592;klg=en;kvid=X2M1KNbF2sU;kpu=SouljaBoy;
          kr=F;khd=0;kt=K;ko=c;kpid=6;afc=1;kga=-1;kp=1;u=X2M1KNbF2sU_6;kgg=-1;kcr=us;custp=bpqhOEGlI-[1].htm not found!
          File\Folder C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\WPGNQVQN\
          music_rockpop;sz=300x250;kl=N;klg=en;kt=K;kga=-1;kr=F;kw=kiss+me+through+the+phone;kgg=-1;kcr=us;dc_dedup=1;kmyd=ad_creative_1;tile=1;dcopt=ist;ord=254769617428592[2].37 not found!
          File\Folder C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\072XKNW3\activity;src=1318077;met=1;v=1;pid=18708550;aid=211740135;ko=0;cid=30287582;rid=30305459;rv=1;&timestamp=
          1234557888043;eid1=2;ecn1=1;etm1=5;eid2=40181;ecn2=1;etm2=0;[1].gif not found!
          File\Folder C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\072XKNW3\main
          _6;sz=300x250;kl=N;!c=6;k2=617;k2=35;kbz=1;klg=en;kvid=QhwQay4QiOw;kpu=universalmusicgroup;kr=F;khd=0;kt=K;
          ko=p;kpid=6;afc=1;kga=-1;k1=hip%20hop;kp=1;u=QhwQay4QiOw_6;kg[1].htm not found!
          File\Folder C:\Documents and Settings\Owner\Local Settings\Temp\~DF551E.tmp not found!
          File\Folder C:\Documents and Settings\Owner\Local Settings\Temp\~DF58BD.tmp not found!
          File\Folder C:\Documents and Settings\Owner\Local Settings\Temp\~DF60AB.tmp not found!
          C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\PINY6JD0\topic,113160.0[1].html moved successfully.
          C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\SuggestedSites.dat moved successfully.

          Registry entries deleted on Reboot...
          « Last Edit: December 09, 2010, 04:32:14 PM by SuperDave »

          BigMac100


            Re: ThinkPoint?
            « Reply #20 on: December 09, 2010, 02:57:13 PM »
            Dave, I was able to complete some of the instructions as you can see. However, the last instruction (CMD) did not work: after entering cd desktop, I get this error when entering mbr.exe -f:

            'mbr.exe' is not recognized as an internal or external command, operable program or batch file

            Please let me know the next steps.

            Thank You!

            SuperDave

            Re: ThinkPoint?
            « Reply #21 on: December 09, 2010, 04:40:09 PM »
              Update Your Java (JRE)

              Old versions of Java have vulnerabilities that malware can use to infect your system.


              First Verify your Java Version

              If there are any other version(s) installed then update now.

              Get the new version (if needed)

              If your version is out of date install the newest version of the Sun Java Runtime Environment.

              Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

              Be sure to close ALL open web browsers before starting the installation.

              Remove any old versions

              1. Download JavaRa and unzip the file to your Desktop.
              2. Open JavaRA.exe and choose Remove Older Versions
              3. Once complete exit JavaRA.
              4. Run CCleaner.

              Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.
              *****************************************
              Please download the newest version of Adobe Acrobat Reader from Adobe.com

              Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
              Go to the Control Panel and enter Add or Remove Programs.
              Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

              Once old versions are gone, please install the newest version.
              **************************************************
              Delete An Uninstall Entry

              •Start HijackThis

              •Click on the Open the Misc Tools section

              •Click on the Open Uninstall Manager button.

              •Highlight the entry you want to remove.
              Ask Toolbar

              •Click Delete this entry
              *********************************************
              This next tool I want you to use will not run with AVG Anti-Virus. If this is what you're using for your AV program you will have to uninstall it. First, download a free AV program from the list below and install it. Then, run the AVG removal tool provided below. Next, run the ComboFix scan and post the log.

              Remember to only install one antivirus!
               
              1) Avast! Home Edition
              2) AVG Free Edition
              3) Avira AntiVir Personal
              4) Microsoft Security Essentials for Windows Vista\Windows 7 - 64 bit Download
              4-a) Microsoft Security Essentials for Windows XP
              5) Comodo Antivirus (Uncheck during installation "Install Comodo SafeSurf...", "Make Comodo my default search provider" and "Make Comodo Search my homepage" if you choose this one)
              6) PC Tools AntiVirus Free Edition

              It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.
              *******************************************
              AVG Antivirus - AVG Antivirus Remover utility

              **********************************************
              Please download ComboFix from BleepingComputer.com

              Alternate link: GeeksToGo.com

              Rename ComboFix.exe to commy.exe before you save it to your Desktop
              Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
              Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel
              As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
              Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

              Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

              Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


              Click on Yes, to continue scanning for malware.
              When finished, it shall produce a log for you.  Please include the contents of C:\ComboFix.txt in your next reply.

              If you have problems with ComboFix usage, see How to use ComboFix
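The Security Check report posted in reply #18 and the remediation steps in the reply above cover the same ground: a disabled firewall, no resident antivirus, and out-of-date Java or Adobe Reader each give malware an easier way onto (or back onto) the machine. The script below is an added example, not code from this thread or from screen317's tool. It parses that report layout (the constructed sample mirrors the posted log, with the backtick separator rows omitted) and turns it into a prioritized finding list; the baseline versions `min_java` and `min_reader` are assumptions chosen for illustration, not values stated in the thread.

```python
"""Triage a screen317 Security Check report into prioritized findings.

Added example, not code from the thread or from screen317's tool. It reads the
plain-text layout shown in the thread and encodes the helper's reasoning: a
disabled firewall, no resident antivirus, and out-of-date Java/Reader each give
malware an easier way onto (or back onto) the machine. The minimum versions
below are assumptions for illustration, not values from the thread.
"""
import re

# Constructed sample that mirrors the report posted in the thread. The real
# report separates sections with rows of backticks; the parser skips those rows.
SAMPLE_LOG = """\
 Results of screen317's Security Check version 0.99.6
 Windows XP Service Pack 2
 Out of date service pack!!
 Internet Explorer 8
Antivirus/Firewall Check:

 Windows Firewall Disabled!
Anti-malware/Other Utilities Check:

 Malwarebytes' Anti-Malware
 Java(TM) 6 Update 16
 Out of date Java installed!
 Adobe Flash Player
Adobe Reader 9
Out of date Adobe Reader installed!
Process Check:
objlist.exe by Laurent

DNS Vulnerability Check:

 Request Timed Out (Wireless Internet connection/Disconnected Internet/Proxy?)

End of Log
"""

JAVA_RE = re.compile(r"Java\(TM\)\s+(\d+)\s+Update\s+(\d+)")
READER_RE = re.compile(r"Adobe Reader\s+(\d+)")
SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "INFO": 2}


def split_sections(log_text):
    """Group report lines under their '... Check:' headers; lines before the
    first header land under 'header'. Backtick rows and blank lines are dropped."""
    sections = {"header": []}
    current = "header"
    for raw in log_text.splitlines():
        line = raw.strip().strip("`").strip()
        if not line:
            continue
        if line.startswith("End of Log"):
            break
        if line.endswith(" Check:"):
            current = line[: -len(" Check:")]
            sections[current] = []
        else:
            sections[current].append(line)
    return sections


def parse_java_version(line):
    """'Java(TM) 6 Update 16' -> (6, 16); None when the line is not a Java entry."""
    m = JAVA_RE.search(line)
    return (int(m.group(1)), int(m.group(2))) if m else None


def triage(log_text, min_java=(6, 22), min_reader=10):
    """Return (severity, area, message) tuples, highest severity first.
    min_java / min_reader are assumed baselines, not values from the report."""
    s = split_sections(log_text)
    findings = []

    if any("Out of date service pack" in l for l in s["header"]):
        findings.append(("HIGH", "os", "service pack is out of date; patch the OS first"))

    av = s.get("Antivirus/Firewall", [])
    if any("Windows Firewall Disabled" in l for l in av):
        findings.append(("HIGH", "firewall", "Windows Firewall is disabled; re-enable it"))
    # Anything in this section that is not a firewall line is a resident AV product.
    if not [l for l in av if "Firewall" not in l]:
        findings.append(("HIGH", "antivirus", "no resident antivirus listed; install exactly one"))

    for l in s.get("Anti-malware/Other Utilities", []):
        jv = parse_java_version(l)
        if jv is not None and jv < min_java:
            findings.append(("MEDIUM", "java",
                             f"Java {jv[0]} Update {jv[1]} is below baseline "
                             f"{min_java[0]} Update {min_java[1]}; update and remove older JREs"))
        m = READER_RE.search(l)
        if m and int(m.group(1)) < min_reader:
            findings.append(("MEDIUM", "reader",
                             f"Adobe Reader {m.group(1)} is below baseline {min_reader}; "
                             "uninstall old versions, then install the current one"))

    if any("Request Timed Out" in l for l in s.get("DNS Vulnerability", [])):
        findings.append(("INFO", "dns", "DNS check did not complete; rerun on a wired, proxy-free connection"))

    findings.sort(key=lambda f: SEVERITY_ORDER[f[0]])  # stable sort keeps report order within a level
    return findings


if __name__ == "__main__":
    for severity, area, message in triage(SAMPLE_LOG):
        print(f"[{severity}] {area}: {message}")
```

Run it as a script to see the findings for the sample, or call `triage()` on a saved report; lowering the baselines (for example `triage(text, min_java=(6, 16), min_reader=9)`) drops the version findings while the firewall and antivirus findings remain, since those do not depend on any assumed version.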

              BigMac100


                Re: ThinkPoint?
                « Reply #22 on: December 09, 2010, 06:13:24 PM »
                JavaRa 1.15 Removal Log.

                Report follows after line.

                ------------------------------------

                The JavaRa removal process was started on Mon Oct 26 18:01:06 2009

                Found and removed: C:\Program Files\Java\jre1.5.0_01

                Found and removed: C:\Program Files\Java\jre1.6.0_03

                Found and removed: C:\Documents and Settings\Owner\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150010}

                Found and removed: C:\Windows\System32\jupdate-1.5.0_01-b08.log

                Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.5.0_01\

                Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_03\

                ------------------------------------

                Finished reporting.



                JavaRa 1.15 Removal Log.

                Report follows after line.

                ------------------------------------

                The JavaRa removal process was started on Mon Oct 26 18:02:15 2009

                ------------------------------------

                Finished reporting.



                JavaRa 1.16 Removal Log.

                Report follows after line.

                ------------------------------------

                The JavaRa removal process was started on Thu Dec 09 20:05:36 2010

                Found and removed: C:\Documents and Settings\Owner\Application Data\Sun\Java\jre1.6.0_16

                ------------------------------------

                Finished reporting.



                JavaRa 1.16 Removal Log.

                Report follows after line.

                ------------------------------------

                The JavaRa removal process was started on Thu Dec 09 20:06:26 2010

                ------------------------------------

                Finished reporting.



                JavaRa 1.16 Removal Log.

                Report follows after line.

                ------------------------------------

                The JavaRa removal process was started on Thu Dec 09 20:07:42 2010

                ------------------------------------

                Finished reporting.



                JavaRa 1.16 Removal Log.

                Report follows after line.

                ------------------------------------

                The JavaRa removal process was started on Thu Dec 09 20:11:26 2010

                ------------------------------------

                Finished reporting.




                SuperDave

                Re: ThinkPoint?
                « Reply #23 on: December 10, 2010, 01:29:33 PM »
                Were you able to download and run the ComboFix scan?

                BigMac100


                  Re: ThinkPoint?
                  « Reply #24 on: December 11, 2010, 07:34:12 PM »
                  Dave, sorry it's taken so long to get the results of your instructions. I have to re-boot/shut down about every other time I try to do something. Here are the results of ComboFix. I did not get AVG Antivirus removed.

                  BigMac100


                    Re: ThinkPoint?
                    « Reply #25 on: December 11, 2010, 07:35:00 PM »
                    ComboFix 10-12-11.03 - Owner 12/11/2010  21:11:11.3.1 - x86
                    Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.254.53 [GMT -5:00]
                    Running from: c:\documents and settings\Owner\Desktop\commy.exe
                    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
                    AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
                    FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
                    FW: AVG Firewall *Enabled* {8decf618-9569-4340-b34a-d78d28969b66}
                    .

                    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                    .

                    c:\documents and settings\Owner\Application Data\completescan
                    c:\documents and settings\Owner\Application Data\install
                    c:\documents and settings\Owner\Application Data\Xiurz
                    c:\documents and settings\Owner\Application Data\Ysez
                    c:\documents and settings\Owner\Application Data\Ysez\zavi.vif
                    c:\documents and settings\Owner\Local Settings\Application Data\{9943D1B2-DB9A-4D3E-A0F2-583F318A9828}
                    c:\documents and settings\Owner\Local Settings\Application Data\{9943D1B2-DB9A-4D3E-A0F2-583F318A9828}\chrome.manifest
                    c:\documents and settings\Owner\Local Settings\Application Data\{9943D1B2-DB9A-4D3E-A0F2-583F318A9828}\chrome\content\_cfg.js
                    c:\documents and settings\Owner\Local Settings\Application Data\{9943D1B2-DB9A-4D3E-A0F2-583F318A9828}\chrome\content\overlay.xul
                    c:\documents and settings\Owner\Local Settings\Application Data\{9943D1B2-DB9A-4D3E-A0F2-583F318A9828}\install.rdf
                    c:\program files\Need2Find
                    c:\program files\Need2Find\bar\1.bin\N2FFXTBR.JAR
                    c:\program files\Need2Find\bar\1.bin\N2NTSTBR.JAR
                    c:\program files\Need2Find\bar\1.bin\PARTNER.DAT
                    c:\program files\Need2Find\bar\Cache\0066FA0F
                    c:\program files\Need2Find\bar\Cache\00673A73
                    c:\program files\Need2Find\bar\History\search
                    c:\program files\Need2Find\bar\Settings\prevcfg.htm
                    c:\program files\Shared
                    c:\windows\system32\cache329
                    c:\windows\system32\cache329\B_329_0_0_106800.htm
                    c:\windows\system32\cache329\B_329_0_0_107400.htm
                    c:\windows\system32\cache329\B_329_1_0_449200.htm
                    c:\windows\system32\cache329\B_329_1_0_449600.htm
                    c:\windows\system32\cache329\B_329_1_0_454300.htm
                    c:\windows\system32\cache329\B_329_2_0_105300.htm
                    c:\windows\system32\cache329\B_329_2_0_106800.htm
                    c:\windows\system32\cache329\B_329_2_0_107400.htm
                    c:\windows\system32\cache329\B_329_3_0_106800.htm
                    c:\windows\system32\cache329\B_329_3_0_107400.htm
                    c:\windows\system32\cache329\B_329_4_0_111600.htm
                    c:\windows\system32\cache329\B_329_4_0_152400.htm
                    c:\windows\system32\cache329\B_329_4_0_155300.htm
                    c:\windows\system32\cache329\B_329_4_0_164100.htm
                    c:\windows\system32\cache329\t_B_329_0_0_106800.htm
                    c:\windows\system32\cache329\t_B_329_0_0_107400.htm
                    c:\windows\system32\cache329\t_B_329_1_0_449200.htm
                    c:\windows\system32\cache329\t_B_329_1_0_449600.htm
                    c:\windows\system32\cache329\t_B_329_1_0_454300.htm
                    c:\windows\system32\cache329\t_B_329_2_0_105300.htm
                    c:\windows\system32\cache329\t_B_329_2_0_106800.htm
                    c:\windows\system32\cache329\t_B_329_2_0_107400.htm
                    c:\windows\system32\cache329\t_B_329_3_0_106800.htm
                    c:\windows\system32\cache329\t_B_329_3_0_107400.htm
                    c:\windows\system32\cache329\t_B_329_4_0_111600.htm
                    c:\windows\system32\cache329\t_B_329_4_0_152400.htm
                    c:\windows\system32\cache329\t_B_329_4_0_155300.htm
                    c:\windows\system32\cache329\t_B_329_4_0_164100.htm
                    c:\windows\system32\tmp.reg
                    c:\windows\Tasks\At1.job
                    c:\windows\Tasks\At10.job
                    c:\windows\Tasks\At11.job
                    c:\windows\Tasks\At12.job
                    c:\windows\Tasks\At13.job
                    c:\windows\Tasks\At14.job
                    c:\windows\Tasks\At15.job
                    c:\windows\Tasks\At16.job
                    c:\windows\Tasks\At17.job
                    c:\windows\Tasks\At18.job
                    c:\windows\Tasks\At19.job
                    c:\windows\Tasks\At2.job
                    c:\windows\Tasks\At20.job
                    c:\windows\Tasks\At21.job
                    c:\windows\Tasks\At22.job
                    c:\windows\Tasks\At23.job
                    c:\windows\Tasks\At24.job
                    c:\windows\Tasks\At25.job
                    c:\windows\Tasks\At26.job
                    c:\windows\Tasks\At27.job
                    c:\windows\Tasks\At28.job
                    c:\windows\Tasks\At29.job
                    c:\windows\Tasks\At3.job
                    c:\windows\Tasks\At30.job
                    c:\windows\Tasks\At31.job
                    c:\windows\Tasks\At32.job
                    c:\windows\Tasks\At33.job
                    c:\windows\Tasks\At34.job
                    c:\windows\Tasks\At35.job
                    c:\windows\Tasks\At36.job
                    c:\windows\Tasks\At37.job
                    c:\windows\Tasks\At38.job
                    c:\windows\Tasks\At39.job
                    c:\windows\Tasks\At4.job
                    c:\windows\Tasks\At40.job
                    c:\windows\Tasks\At41.job
                    c:\windows\Tasks\At42.job
                    c:\windows\Tasks\At43.job
                    c:\windows\Tasks\At44.job
                    c:\windows\Tasks\At45.job
                    c:\windows\Tasks\At46.job
                    c:\windows\Tasks\At47.job
                    c:\windows\Tasks\At48.job
                    c:\windows\Tasks\At5.job
                    c:\windows\Tasks\At6.job
                    c:\windows\Tasks\At7.job
                    c:\windows\Tasks\At8.job
                    c:\windows\Tasks\At9.job

                    .
                    \\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
                    .
                    (((((((((((((((((((((((((   Files Created from 2010-11-12 to 2010-12-12  )))))))))))))))))))))))))))))))
                    .

                    2010-12-12 01:52 . 2010-12-12 01:52   --------   d-----w-   c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
                    2010-12-11 00:17 . 2010-12-11 00:17   --------   d-----w-   c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
                    2010-12-11 00:17 . 2010-12-11 00:17   --------   d-----w-   c:\documents and settings\NetworkService\Application Data\Apple Computer
                    2010-12-11 00:01 . 2010-09-07 15:47   17744   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
                    2010-12-11 00:01 . 2010-09-07 15:52   165584   ----a-w-   c:\windows\system32\drivers\aswSP.sys
                    2010-12-11 00:01 . 2010-09-07 15:47   23376   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
                    2010-12-11 00:01 . 2010-09-07 15:52   46672   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
                    2010-12-11 00:01 . 2010-09-07 15:47   100176   ----a-w-   c:\windows\system32\drivers\aswmon2.sys
                    2010-12-11 00:01 . 2010-09-07 15:47   94544   ----a-w-   c:\windows\system32\drivers\aswmon.sys
                    2010-12-11 00:01 . 2010-09-07 15:46   28880   ----a-w-   c:\windows\system32\drivers\aavmker4.sys
                    2010-12-11 00:00 . 2010-09-07 16:12   38848   ----a-w-   c:\windows\avastSS.scr
                    2010-12-11 00:00 . 2010-09-07 16:11   167592   ----a-w-   c:\windows\system32\aswBoot.exe
                    2010-12-10 23:17 . 2010-12-10 23:17   388096   ----a-r-   c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
                    2010-12-10 23:05 . 2010-12-10 23:05   --------   d-----w-   c:\program files\Common Files\Adobe AIR
                    2010-12-10 23:04 . 2010-12-10 23:04   --------   d-----w-   c:\documents and settings\All Users\Application Data\McAfee Security Scan
                    2010-12-10 23:04 . 2010-12-10 23:04   --------   d-----w-   c:\program files\McAfee Security Scan
                    2010-12-10 00:34 . 2010-12-10 00:34   --------   d-----w-   c:\program files\Common Files\Java
                    2010-12-10 00:33 . 2010-09-15 09:50   472808   ----a-w-   c:\windows\system32\deployJava1.dll
                    2010-12-09 21:25 . 2010-12-09 21:25   --------   d-----w-   C:\_OTL
                    2010-12-02 23:05 . 2010-12-02 23:05   --------   d-sh--w-   c:\windows\system32\config\systemprofile\IETldCache
                    2010-11-30 23:50 . 2010-12-04 00:07   --------   d-----w-   c:\documents and settings\Owner\Application Data\Qerie
                    2010-11-30 23:50 . 2010-12-02 03:01   --------   d-----w-   c:\documents and settings\Owner\Application Data\Owuvw
                    2010-11-30 21:09 . 2010-11-30 21:09   230   ----a-w-   C:\agtyjkj.bat
                    2010-11-27 19:19 . 2010-12-04 00:07   --------   d-----w-   c:\documents and settings\Owner\Application Data\Owovy
                    2010-11-27 19:19 . 2010-12-02 03:01   --------   d-----w-   c:\documents and settings\Owner\Application Data\Edgubo
                    2010-11-25 22:50 . 2010-11-25 22:50   --------   d-----w-   c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
                    2010-11-25 21:06 . 2010-12-10 23:47   --------   d-----w-   c:\windows\system32\drivers\AVG
                    2010-11-25 02:56 . 2001-08-17 18:48   12160   -c--a-w-   c:\windows\system32\dllcache\mouhid.sys
                    2010-11-25 02:56 . 2001-08-17 18:48   12160   ----a-w-   c:\windows\system32\drivers\mouhid.sys
                    2010-11-25 01:45 . 2010-11-25 01:45   --------   d-----w-   c:\windows\system32\wbem\Repository
                    2010-11-24 23:59 . 2010-11-24 23:59   --------   d-----w-   c:\program files\Loaris
                    2010-11-24 21:48 . 2010-11-24 21:48   --------   d-----w-   c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
                    2010-11-24 15:37 . 2010-11-24 15:38   --------   d-----w-   c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
                    2010-11-24 12:17 . 2010-11-24 12:17   --------   d-sh--w-   c:\documents and settings\LocalService\IETldCache
                    2010-11-23 23:19 . 2010-11-23 23:19   --------   d-sh--w-   c:\documents and settings\NetworkService\IETldCache

                    .
                    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                    .
                    2010-11-29 22:42 . 2010-11-08 22:11   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
                    2010-11-29 22:42 . 2010-11-08 22:11   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
                    2010-09-15 07:29 . 2009-10-26 21:50   73728   ----a-w-   c:\windows\system32\javacpl.cpl
                    .

                    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                    .
                    .
                    *Note* empty entries & legit default entries are not shown
                    REGEDIT4

                    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                    "Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2006-12-01 4662776]
                    "LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-03-23 67128]
                    "TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2010-06-24 247144]

                    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                    "IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
                    "HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
                    "Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 50688]
                    "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-01-20 28160]
                    "MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2006-01-19 110592]
                    "MimBoot"="c:\progra~1\MUSICM~1\MUSICM~2\mimboot.exe" [2006-01-19 11776]
                    "EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2008-02-15 1052672]
                    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
                    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
                    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
                    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
                    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
                    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
                    "avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]

                    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
                    "RunNarrator"="Narrator.exe" [2006-10-04 53760]

                    c:\documents and settings\All Users\Start Menu\Programs\Startup\
                    Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-3-23 67128]
                    Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-2-2 532480]
                    McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
                    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

                    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
                    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

                    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
                    2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL

                    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
                    "EnableFirewall"= 0 (0x0)

                    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                    "%windir%\\system32\\sessmgr.exe"=
                    "c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
                    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
                    "c:\\Program Files\\FrostWire\\FrostWire.exe"=
                    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
                    "c:\\Program Files\\iTunes\\iTunes.exe"=

                    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/10/2010 7:01 PM 165584]
                    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
                    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
                    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/10/2010 7:01 PM 17744]
                    R2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\Printer\Center\KodakSvc.exe [2/28/2008 5:57 PM 18944]
                    R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [6/24/2010 9:41 AM 92008]
                    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/10/2010 7:02 PM 136176]
                    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [11/8/2010 5:11 PM 38224]
                    S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 7:49 AM 227232]
                    .
                    Contents of the 'Scheduled Tasks' folder

                    2010-11-28 c:\windows\Tasks\AppleSoftwareUpdate.job
                    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

                    2010-12-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
                    - c:\program files\Google\Update\GoogleUpdate.exe [2010-12-11 00:02]

                    2010-12-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
                    - c:\program files\Google\Update\GoogleUpdate.exe [2010-12-11 00:02]

                    2010-12-12 c:\windows\Tasks\User_Feed_Synchronization-{15BE7D63-A464-42B5-B135-F874DC36DC73}.job
                    - c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
                    .
                    .
                    ------- Supplementary Scan -------
                    .
                    uStart Page = hxxp://www.columbus.rr.com/
                    uInternet Connection Wizard,ShellNext = iexplore
                    uInternet Settings,ProxyOverride = *.local
                    uSearchAssistant = hxxp://www.google.com/ie
                    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
                    IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
                    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
                    IE: Show All Original Images - c:\program files\NetZero\qsacc\appres.dll/228
                    IE: Show Original Image - c:\program files\NetZero\qsacc\appres.dll/227
                    IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
                    IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
                    IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
                    Trusted Zone: musicmatch.com\online
                    Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
                    DPF: {83A4D5A6-E2C1-4EDD-AD48-1A1C50BD06EF} - hxxp://www.leaguelineup.com/_incl/uploader/ImageUploader6.cab
                    .
                    - - - - ORPHANS REMOVED - - - -

                    URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
                    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
                    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
                    HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
                    HKLM-Run-Webroot Desktop Firewall - c:\program files\Webroot\Webroot Desktop Firewall\WDF.exe
                    HKLM-Run-Adobe Photo Downloader - c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
                    AddRemove-CS - c:\program files\CS\cs.exe



                    **************************************************************************

                    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                    Rootkit scan 2010-12-11 21:24
                    Windows 5.1.2600 Service Pack 2 NTFS

                    scanning hidden processes ... 

                    scanning hidden autostart entries ...

                    scanning hidden files ... 

                    scan completed successfully
                    hidden files: 0

                    **************************************************************************
                    .
                    --------------------- DLLs Loaded Under Running Processes ---------------------

                    - - - - - - - > 'winlogon.exe'(624)
                    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
                    c:\windows\system32\WININET.dll
                    .
                    Completion time: 2010-12-11  21:29:22
                    ComboFix-quarantined-files.txt  2010-12-12 02:29
                    ComboFix2.txt  2007-08-04 00:14

                    Pre-Run: 53,781,041,152 bytes free
                    Post-Run: 54,003,970,048 bytes free

                    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
                    [boot loader]
                    timeout=2
                    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
                    [operating systems]
                    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
                    UnsupportedDebug="do not select this" /debug
                    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

                    - - End Of File - - 0265D77BE2C3088F354422474419C642

                    BigMac100

                      Re: ThinkPoint?
                      « Reply #26 on: December 11, 2010, 07:38:39 PM »
                      Please let me know what to do next. Thanks

                      SuperDave

                      Re: ThinkPoint?
                      « Reply #27 on: December 12, 2010, 01:30:49 PM »
                      P2P - I see you have P2P software installed on your machine (FrostWire). We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.

                      Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

                      I would strongly recommend that you uninstall them; however, that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.
                      *******************************************
                      Re-running ComboFix to remove infections:

                      • Close any open browsers.
                      • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
                      • Open notepad and copy/paste the text in the quotebox below into it:
                        Quote
                        KillAll::

                        File::
                        C:\agtyjkj.bat

                      • Save this as CFScript.txt, in the same location as ComboFix.exe



                      • Referring to the picture above, drag CFScript into ComboFix.exe
                      • When finished, it shall produce a log for you at C:\ComboFix.txt
                      • Please post the contents of the log in your next reply.
                      **********************************************
                      SysProt Antirootkit

                      Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

                      http://sites.google.com/site/sysprotantirootkit/

                      Unzip it into a folder on your desktop.
                      • Double click Sysprot.exe to start the program.
                      • Click on the Log tab.
                      • In the Write to log box select the following items.
                        • Process << Selected
                        • Kernel Modules << Selected
                        • SSDT << Selected
                        • Kernel Hooks << Selected
                        • IRP Hooks << NOT Selected
                        • Ports << NOT Selected
                        • Hidden Files << Selected
                      • At the bottom of the page
                        • Hidden Objects Only << Selected
                      • Click on the Create Log button on the bottom right.
                      • After a few seconds a new window should appear.
                      • Select Scan Root Drive. Click on the Start button.
                      • When it is complete a new window will appear to indicate that the scan is finished.
                      • The log will be saved automatically in the same folder Sysprot.exe was extracted to.

                      Open the text file and copy/paste the log here.

                      BigMac100

                        Re: ThinkPoint?
                        « Reply #28 on: December 12, 2010, 03:36:22 PM »
                        ComboFix 10-12-11.06 - Owner 12/12/2010  17:01:30.4.1 - x86
                        Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.254.110 [GMT -5:00]
                        Running from: c:\documents and settings\Owner\Desktop\commy.exe
                        Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
                        AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
                        FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}

                        FILE ::
                        "C:\agtyjkj.bat"
                        .

                        (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                        .

                        C:\agtyjkj.bat

                        .
                        (((((((((((((((((((((((((   Files Created from 2010-11-12 to 2010-12-12  )))))))))))))))))))))))))))))))
                        .

                        2010-12-12 01:52 . 2010-12-12 01:52   --------   d-----w-   c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
                        2010-12-11 00:17 . 2010-12-11 00:17   --------   d-----w-   c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
                        2010-12-11 00:17 . 2010-12-11 00:17   --------   d-----w-   c:\documents and settings\NetworkService\Application Data\Apple Computer
                        2010-12-11 00:01 . 2010-09-07 15:47   17744   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
                        2010-12-11 00:01 . 2010-09-07 15:52   165584   ----a-w-   c:\windows\system32\drivers\aswSP.sys
                        2010-12-11 00:01 . 2010-09-07 15:47   23376   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
                        2010-12-11 00:01 . 2010-09-07 15:52   46672   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
                        2010-12-11 00:01 . 2010-09-07 15:47   100176   ----a-w-   c:\windows\system32\drivers\aswmon2.sys
                        2010-12-11 00:01 . 2010-09-07 15:47   94544   ----a-w-   c:\windows\system32\drivers\aswmon.sys
                        2010-12-11 00:01 . 2010-09-07 15:46   28880   ----a-w-   c:\windows\system32\drivers\aavmker4.sys
                        2010-12-11 00:00 . 2010-09-07 16:12   38848   ----a-w-   c:\windows\avastSS.scr
                        2010-12-11 00:00 . 2010-09-07 16:11   167592   ----a-w-   c:\windows\system32\aswBoot.exe
                        2010-12-10 23:17 . 2010-12-10 23:17   388096   ----a-r-   c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
                        2010-12-10 23:05 . 2010-12-10 23:05   --------   d-----w-   c:\program files\Common Files\Adobe AIR
                        2010-12-10 23:04 . 2010-12-10 23:04   --------   d-----w-   c:\documents and settings\All Users\Application Data\McAfee Security Scan
                        2010-12-10 23:04 . 2010-12-10 23:04   --------   d-----w-   c:\program files\McAfee Security Scan
                        2010-12-10 00:34 . 2010-12-10 00:34   --------   d-----w-   c:\program files\Common Files\Java
                        2010-12-10 00:33 . 2010-09-15 09:50   472808   ----a-w-   c:\windows\system32\deployJava1.dll
                        2010-12-09 21:25 . 2010-12-09 21:25   --------   d-----w-   C:\_OTL
                        2010-12-02 23:05 . 2010-12-02 23:05   --------   d-sh--w-   c:\windows\system32\config\systemprofile\IETldCache
                        2010-11-30 23:50 . 2010-12-04 00:07   --------   d-----w-   c:\documents and settings\Owner\Application Data\Qerie
                        2010-11-30 23:50 . 2010-12-02 03:01   --------   d-----w-   c:\documents and settings\Owner\Application Data\Owuvw
                        2010-11-27 19:19 . 2010-12-04 00:07   --------   d-----w-   c:\documents and settings\Owner\Application Data\Owovy
                        2010-11-27 19:19 . 2010-12-02 03:01   --------   d-----w-   c:\documents and settings\Owner\Application Data\Edgubo
                        2010-11-25 22:50 . 2010-11-25 22:50   --------   d-----w-   c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
                        2010-11-25 21:06 . 2010-12-10 23:47   --------   d-----w-   c:\windows\system32\drivers\AVG
                        2010-11-25 02:56 . 2001-08-17 18:48   12160   -c--a-w-   c:\windows\system32\dllcache\mouhid.sys
                        2010-11-25 02:56 . 2001-08-17 18:48   12160   ----a-w-   c:\windows\system32\drivers\mouhid.sys
                        2010-11-25 01:45 . 2010-11-25 01:45   --------   d-----w-   c:\windows\system32\wbem\Repository
                        2010-11-24 23:59 . 2010-11-24 23:59   --------   d-----w-   c:\program files\Loaris
                        2010-11-24 21:48 . 2010-11-24 21:48   --------   d-----w-   c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
                        2010-11-24 15:37 . 2010-11-24 15:38   --------   d-----w-   c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
                        2010-11-24 12:17 . 2010-11-24 12:17   --------   d-sh--w-   c:\documents and settings\LocalService\IETldCache
                        2010-11-23 23:19 . 2010-11-23 23:19   --------   d-sh--w-   c:\documents and settings\NetworkService\IETldCache

                        .
                        ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                        .
                        2010-11-29 22:42 . 2010-11-08 22:11   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
                        2010-11-29 22:42 . 2010-11-08 22:11   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
                        2010-09-15 07:29 . 2009-10-26 21:50   73728   ----a-w-   c:\windows\system32\javacpl.cpl
                        .

                        (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                        .
                        .
                        *Note* empty entries & legit default entries are not shown
                        REGEDIT4

                        [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                        "Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2006-12-01 4662776]
                        "LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-03-23 67128]
                        "TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2010-06-24 247144]

                        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                        "IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
                        "HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
                        "Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 50688]
                        "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-01-20 28160]
                        "MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2006-01-19 110592]
                        "MimBoot"="c:\progra~1\MUSICM~1\MUSICM~2\mimboot.exe" [2006-01-19 11776]
                        "EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2008-02-15 1052672]
                        "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
                        "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
                        "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
                        "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
                        "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
                        "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
                        "avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]

                        [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
                        "RunNarrator"="Narrator.exe" [2006-10-04 53760]

                        c:\documents and settings\All Users\Start Menu\Programs\Startup\
                        Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-3-23 67128]
                        Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-2-2 532480]
                        McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
                        Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

                        [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
                        "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

                        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
                        2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL

                        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
                        "EnableFirewall"= 0 (0x0)

                        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                        "%windir%\\system32\\sessmgr.exe"=
                        "c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
                        "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
                        "c:\\Program Files\\FrostWire\\FrostWire.exe"=
                        "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
                        "c:\\Program Files\\iTunes\\iTunes.exe"=

                        R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/10/2010 7:01 PM 165584]
                        R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
                        R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
                        R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/10/2010 7:01 PM 17744]
                        S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [11/8/2010 5:11 PM 38224]
                        .
                        Contents of the 'Scheduled Tasks' folder

                        2010-11-28 c:\windows\Tasks\AppleSoftwareUpdate.job
                        - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

                        2010-12-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
                        - c:\program files\Google\Update\GoogleUpdate.exe [2010-12-11 00:02]

                        2010-12-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
                        - c:\program files\Google\Update\GoogleUpdate.exe [2010-12-11 00:02]

                        2010-12-12 c:\windows\Tasks\User_Feed_Synchronization-{15BE7D63-A464-42B5-B135-F874DC36DC73}.job
                        - c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
                        .
                        .
                        ------- Supplementary Scan -------
                        .
                        uStart Page = hxxp://www.columbus.rr.com/
                        uInternet Connection Wizard,ShellNext = iexplore
                        uInternet Settings,ProxyOverride = *.local
                        uSearchAssistant = hxxp://www.google.com/ie
                        uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
                        IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
                        IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
                        IE: Show All Original Images - c:\program files\NetZero\qsacc\appres.dll/228
                        IE: Show Original Image - c:\program files\NetZero\qsacc\appres.dll/227
                        IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
                        IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
                        IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
                        Trusted Zone: musicmatch.com\online
                        Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
                        DPF: {83A4D5A6-E2C1-4EDD-AD48-1A1C50BD06EF} - hxxp://www.leaguelineup.com/_incl/uploader/ImageUploader6.cab
                        .

                        **************************************************************************

                        catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                        Rootkit scan 2010-12-12 17:17
                        Windows 5.1.2600 Service Pack 2 NTFS

                        scanning hidden processes ... 

                        scanning hidden autostart entries ...

                        scanning hidden files ... 

                        scan completed successfully
                        hidden files: 0

                        **************************************************************************
                        .
                        --------------------- DLLs Loaded Under Running Processes ---------------------

                        - - - - - - - > 'winlogon.exe'(624)
                        c:\program files\SUPERAntiSpyware\SASWINLO.DLL
                        c:\windows\system32\WININET.dll

                        - - - - - - - > 'explorer.exe'(3184)
                        c:\windows\system32\WININET.dll
                        c:\program files\Logitech\SetPoint\lgscroll.dll
                        c:\windows\system32\ieframe.dll
                        c:\windows\system32\webcheck.dll
                        .
                        ------------------------ Other Running Processes ------------------------
                        .
                        c:\program files\Alwil Software\Avast5\AvastSvc.exe
                        c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
                        c:\program files\Bonjour\mDNSResponder.exe
                        c:\program files\Java\jre6\bin\jqs.exe
                        c:\program files\Kodak\printer\center\KodakSvc.exe
                        c:\progra~1\MUSICM~1\MUSICM~2\MMDiag.exe
                        c:\program files\TomTom HOME 2\TomTomHOMEService.exe
                        c:\windows\System32\wdfmgr.exe
                        c:\program files\MUSICMATCH\Musicmatch Jukebox\mim.exe
                        c:\program files\Common Files\Logitech\KHAL\KHALMNPR.EXE
                        c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
                        c:\windows\system32\wscntfy.exe
                        c:\program files\iPod\bin\iPodService.exe
                        .
                        **************************************************************************
                        .
                        Completion time: 2010-12-12  17:31:19 - machine was rebooted
                        ComboFix-quarantined-files.txt  2010-12-12 22:31
                        ComboFix2.txt  2010-12-12 02:29
                        ComboFix3.txt  2007-08-04 00:14

                        Pre-Run: 54,277,595,136 bytes free
                        Post-Run: 54,260,031,488 bytes free

                        - - End Of File - - D6197011BB80546B85EE9F74A0B98483
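The ComboFix logs above are read by hand in this thread; as an added triage aid (example code, not part of the thread or of ComboFix), the script below parses the "Files Created" and "Reg Loading Points" line layouts ComboFix prints and applies three defender-side heuristics: randomly named folders created directly under a user's roaming Application Data (the Qerie/Owuvw/Owovy/Edgubo pattern in the log above), autostart values that name a binary without a full path, and a disabled host firewall or protection product. The heuristics and the allow-list of vendor folder names are my assumptions, and the sample log is constructed to mirror the format in the posted logs.

```python
"""Triage helper for ComboFix-style logs (added example, not the thread's or ComboFix's code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Files Created line:  2010-11-30 23:50 . 2010-12-04 00:07   --------   d-----w-   c:\path
FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"\s+(\S+)\s+(\S{8})\s+(.+)$"
)
# Run-key value line:  "IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
RUN_RE = re.compile(r'^"([^"]+)"=\s*"([^"]+)"\s*\[')
KEY_RE = re.compile(r"^\[(.+)\]$")

# Vendor folders commonly seen directly under Application Data (assumed allow-list).
KNOWN_APPDATA_DIRS = {"adobe", "apple computer", "microsoft", "macromedia",
                      "mozilla", "google", "identities", "sun", "yahoo!"}


@dataclass
class Finding:
    kind: str
    detail: str


def _appdata_child(path: str) -> Optional[str]:
    """Name of a folder created directly under c:\\documents and settings\\<user>\\Application Data, else None."""
    parts = path.lower().replace("/", "\\").split("\\")
    if (len(parts) == 5 and parts[0] == "c:" and parts[1] == "documents and settings"
            and parts[3] == "application data"):
        return parts[4]
    return None


def _looks_random(name: str) -> bool:
    """Short, all-letter names not matching a known vendor are treated as generated names."""
    return name.isalpha() and 4 <= len(name) <= 8 and name not in KNOWN_APPDATA_DIRS


def triage(log_text: str) -> List[Finding]:
    """Walk the log once, tracking the current registry key, and collect findings."""
    findings: List[Finding] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FILE_RE.match(line)
        if m:
            created, _modified, _size, attrs, path = m.groups()
            child = _appdata_child(path)
            if attrs.startswith("d") and child and _looks_random(child):
                findings.append(Finding("random-appdata-dir", f"{path} (created {created})"))
            continue
        k = KEY_RE.match(line)
        if k:
            current_key = k.group(1).lower()
            continue
        if current_key.endswith("\\run") or current_key.endswith("\\runonce"):
            r = RUN_RE.match(line)
            # A bare file name is resolved through the search path at logon: worth a look.
            if r and "\\" not in r.group(2):
                findings.append(Finding("unqualified-autostart", f"{r.group(1)} -> {r.group(2)}"))
            continue
        if "firewallpolicy" in current_key and line.startswith('"EnableFirewall"'):
            if re.search(r"=\s*0\b", line):
                findings.append(Finding("firewall-disabled", current_key))
            continue
        if line.startswith(("AV:", "FW:")) and "*Disabled" in line:
            findings.append(Finding("protection-disabled", line))
    return findings


# Constructed sample in the ComboFix layout; paths and names mirror the thread's logs.
SAMPLE_LOG = r"""
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.
2010-12-11 00:17 . 2010-12-11 00:17   --------   d-----w-   c:\documents and settings\NetworkService\Application Data\Apple Computer
2010-12-11 00:01 . 2010-09-07 15:52   165584   ----a-w-   c:\windows\system32\drivers\aswSP.sys
2010-11-30 23:50 . 2010-12-04 00:07   --------   d-----w-   c:\documents and settings\Owner\Application Data\Qerie
2010-11-27 19:19 . 2010-12-02 03:01   --------   d-----w-   c:\documents and settings\Owner\Application Data\Edgubo
2010-12-02 23:05 . 2010-12-02 23:05   --------   d-sh--w-   c:\windows\system32\config\systemprofile\IETldCache
.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-01-20 28160]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}")
```

Findings are review prompts, not verdicts: a vendor folder missing from the allow-list or a legitimate unqualified autostart will also be listed and has to be checked against the rest of the log.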

                        BigMac100

                          Re: ThinkPoint?
                          « Reply #29 on: December 12, 2010, 03:47:07 PM »
                          SysProt AntiRootkit v1.0.1.0
                          by swatkat

                          ******************************************************************************************
                          ******************************************************************************************

                          No Hidden Processes found

                          ******************************************************************************************
                          ******************************************************************************************
                          Kernel Modules:
                          Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
                          Service Name: ---
                          Module Base: F04CA000
                          Module End: F04E2000
                          Hidden: Yes

                          Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
                          Service Name: ---
                          Module Base: F97A6000
                          Module End: F97A8000
                          Hidden: Yes

                          Module Name: \??\C:\commy\catchme.sys
                          Service Name: catchme
                          Module Base: F9542000
                          Module End: F954A000
                          Hidden: Yes

                          Module Name: \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
                          Service Name: ---
                          Module Base: F97FC000
                          Module End: F97FE000
                          Hidden: Yes

                          ******************************************************************************************
                          ******************************************************************************************
                          SSDT:
                          Function Name: ZwClose
                          Address: F0684CF0
                          Driver Base: F067C000
                          Driver End: F06A3000
                          Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

                          Function Name: ZwCreateKey
                          Address: F0684BAC
                          Driver Base: F067C000
                          Driver End: F06A3000
                          Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

                          Function Name: ZwDeleteKey
                          Address: F0685160
                          Driver Base: F067C000
                          Driver End: F06A3000
                          Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

                          Function Name: ZwDeleteValueKey
                          Address: F068508A
                          Driver Base: F067C000
                          Driver End: F06A3000
                          Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

                          Function Name: ZwDuplicateObject
                          Address: F0684782
                          Driver Base: F067C000
                          Driver End: F06A3000
                          Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

                          Function Name: ZwOpenKey
                          Address: F0684C86
                          Driver Base: F067C000
                          Driver End: F06A3000
                          Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

                          Function Name: ZwOpenProcess
                          Address: F06846C2
                          Driver Base: F067C000
                          Driver End: F06A3000
                          Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

                          Function Name: ZwOpenThread
                          Address: F0684726
                          Driver Base: F067C000
                          Driver End: F06A3000
                          Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

                          Function Name: ZwQueryValueKey
                          Address: F0684DA6
                          Driver Base: F067C000
                          Driver End: F06A3000
                          Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

                          Function Name: ZwRenameKey
                          Address: F068522E
                          Driver Base: F067C000
                          Driver End: F06A3000
                          Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

                          Function Name: ZwRestoreKey
                          Address: F0684D66
                          Driver Base: F067C000
                          Driver End: F06A3000
                          Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

                          Function Name: ZwSetValueKey
                          Address: F0684EE6
                          Driver Base: F067C000
                          Driver End: F06A3000
                          Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

                          ******************************************************************************************
                          ******************************************************************************************
                          No Kernel Hooks found

                          ******************************************************************************************
                          ******************************************************************************************
                          Hidden files/folders:
                          Object: C:\QooBox\BackEnv\AppData.folder.dat
                          Status: Access denied

                          Object: C:\QooBox\BackEnv\Cache.folder.dat
                          Status: Access denied

                          Object: C:\QooBox\BackEnv\Cookies.folder.dat
                          Status: Access denied

                          Object: C:\QooBox\BackEnv\Desktop.folder.dat
                          Status: Access denied

                          Object: C:\QooBox\BackEnv\Favorites.folder.dat
                          Status: Access denied

                          Object: C:\QooBox\BackEnv\History.folder.dat
                          Status: Access denied

                          Object: C:\QooBox\BackEnv\LocalAppData.folder.dat
                          Status: Access denied

                          Object: C:\QooBox\BackEnv\LocalSettings.folder.dat
                          Status: Access denied

                          Object: C:\QooBox\BackEnv\Music.folder.dat
                          Status: Access denied

                          Object: C:\QooBox\BackEnv\NetHood.folder.dat
                          Status: Access denied

                          Object: C:\QooBox\BackEnv\Personal.folder.dat
                          Status: Access denied

                          Object: C:\QooBox\BackEnv\Pictures.folder.dat
                          Status: Access denied

                          Object: C:\QooBox\BackEnv\PrintHood.folder.dat
                          Status: Access denied

                          Object: C:\QooBox\BackEnv\Profiles.Folder.dat
                          Status: Access denied

                          Object: C:\QooBox\BackEnv\Profiles.Folder.folder.dat
                          Status: Access denied

                          Object: C:\QooBox\BackEnv\Programs.folder.dat
                          Status: Access denied

                          Object: C:\QooBox\BackEnv\Recent.folder.dat
                          Status: Access denied

                          Object: C:\QooBox\BackEnv\SendTo.folder.dat
                          Status: Access denied

                          Object: C:\QooBox\BackEnv\SetPath.bat
                          Status: Access denied

                          Object: C:\QooBox\BackEnv\StartMenu.folder.dat
                          Status: Access denied

                          Object: C:\QooBox\BackEnv\StartUp.folder.dat
                          Status: Access denied

                          Object: C:\QooBox\BackEnv\SysPath.dat
                          Status: Access denied

                          Object: C:\QooBox\BackEnv\Templates.folder.dat
                          Status: Access denied

                          Object: C:\QooBox\BackEnv\VikPev00
                          Status: Access denied