Computer acting extremely strange

[evilfantasy]

Restart manually.

The log will be saved in C:\combofix.txt

[20Deep]

ComboFix 08-09-27.01 - Ben 2008-09-27 23:26:45.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.661 [GMT -4:00]
Running from: E:\Documents and Settings\Ben\Desktop\ComboFix.exe
Command switches used :: E:\Documents and Settings\Ben\Desktop\CFScript.txt
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((   Files Created from 2008-08-28 to 2008-09-28  )))))))))))))))))))))))))))))))
.

2008-09-27 21:31 . 2008-09-27 21:31   <DIR>   d--h-----   E:\$AVG8.VAULT$
2008-09-27 10:31 . 2008-09-27 10:32   <DIR>   d--------   E:\WINDOWS\ERUNT
2008-09-27 10:24 . 2008-09-27 10:51   <DIR>   d--------   E:\SDFix
2008-09-27 01:15 . 2008-09-27 01:16   <DIR>   d--------   E:\rsit
2008-09-27 00:27 . 2008-09-27 00:27   <DIR>   d--------   E:\Program Files\SUPERAntiSpyware
2008-09-27 00:27 . 2008-09-27 00:27   <DIR>   d--------   E:\Documents and Settings\Ben\Application Data\SUPERAntiSpyware.com
2008-09-27 00:27 . 2008-09-27 00:27   <DIR>   d--------   E:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-09-27 00:21 . 2008-09-27 21:35   <DIR>   d--------   E:\WINDOWS\system32\drivers\Avg
2008-09-27 00:21 . 2008-09-27 00:21   <DIR>   d--------   E:\Program Files\AVG
2008-09-27 00:21 . 2008-09-27 00:24   <DIR>   d--------   E:\Documents and Settings\All Users\Application Data\avg8
2008-09-27 00:21 . 2008-09-27 00:21   97,928   --a------   E:\WINDOWS\system32\drivers\avgldx86.sys
2008-09-27 00:21 . 2008-09-27 00:21   76,040   --a------   E:\WINDOWS\system32\drivers\avgtdix.sys
2008-09-27 00:21 . 2008-09-27 00:21   10,520   --a------   E:\WINDOWS\system32\avgrsstx.dll
2008-09-27 00:06 . 2008-06-10 02:32   73,728   --a------   E:\WINDOWS\system32\javacpl.cpl
2008-09-26 23:58 . 2008-09-26 23:58   <DIR>   d--------   E:\Program Files\CCleaner
2008-09-26 21:37 . 2008-09-26 21:37   <DIR>   d--------   E:\Documents and Settings\NetworkService\Application Data\Webroot
2008-09-26 18:43 . 2008-09-26 21:39   3,182   --a------   E:\WINDOWS\system32\tmp.reg
2008-09-26 17:11 . 2008-09-27 00:26   <DIR>   d--------   E:\Program Files\Common Files\Wise Installation Wizard
2008-09-26 17:11 . 2008-09-26 17:12   <DIR>   d--------   E:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-26 16:21 . 2008-09-26 21:34   <DIR>   d--------   E:\Documents and Settings\Ben\Application Data\.purple
2008-09-26 16:20 . 2008-09-26 16:21   <DIR>   d--------   E:\Program Files\Pidgin
2008-09-26 16:20 . 2008-09-26 16:21   <DIR>   d--------   E:\Program Files\Aspell
2008-09-26 15:37 . 2008-09-26 15:37   <DIR>   d--------   E:\Program Files\XP Codec Pack
2008-09-26 15:37 . 2008-07-09 04:05   421,888   --a------   E:\WINDOWS\system32\ac3filter.acm
2008-09-13 09:47 . 2008-09-26 13:53   <DIR>   d--------   E:\Program Files\Veetle
2008-09-13 09:47 . 2008-09-13 09:47   48,396   --a------   E:\WINDOWS\UninstVeetleTVPlayer.exe
2008-08-28 10:02 . 2008-08-28 10:02   <DIR>   d--------   E:\WINDOWS\system32\CatRoot_bak

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-27 14:23   ---------   d-----w   E:\Documents and Settings\Ben\Application Data\U3
2008-09-27 05:13   ---------   d-----w   E:\Program Files\Trend Micro
2008-09-27 04:08   ---------   d-----w   E:\Program Files\Java
2008-09-27 03:30   ---------   d-----w   E:\Program Files\Mozilla Thunderbird
2008-09-27 02:01   ---------   d-----w   E:\Program Files\Roxio
2008-09-27 02:01   ---------   d-----w   E:\Program Files\Common Files\Roxio Shared
2008-09-27 02:01   ---------   d-----w   E:\Documents and Settings\All Users\Application Data\Roxio
2008-09-26 21:12   ---------   d-----w   E:\Program Files\Lavasoft
2008-09-26 21:12   ---------   d-----w   E:\Documents and Settings\Ben\Application Data\Lavasoft
2008-09-26 20:55   ---------   d-----w   E:\Program Files\FlashFXP
2008-09-26 20:21   ---------   d-----w   E:\Documents and Settings\Ben\Application Data\.gaim
2008-09-26 20:20   ---------   d-----w   E:\Program Files\Gaim
2008-09-26 18:07   ---------   d-----w   E:\Program Files\7-Zip
2008-09-26 17:57   ---------   d-----w   E:\Program Files\skiStunt
2008-09-26 17:52   ---------   d-----w   E:\Program Files\Quake III Arena
2008-09-26 17:52   ---------   d-----w   E:\Program Files\MegaSpoof
2008-09-26 17:51   ---------   d-----w   E:\Program Files\Project64 1.6
2008-09-26 17:50   ---------   d-----w   E:\Program Files\PokerOffice
2008-09-26 17:43   ---------   d--h--w   E:\Program Files\InstallShield Installation Information
2008-09-26 17:43   ---------   d-----w   E:\Documents and Settings\All Users\Application Data\Apple Computer
2008-09-26 17:40   ---------   d-----w   E:\Documents and Settings\All Users\Application Data\Laconic Software
2008-09-26 17:39   ---------   d-----w   E:\Program Files\DivX
2008-09-26 17:15   ---------   d-----w   E:\Program Files\Azureus
2008-09-26 17:14   ---------   d-----w   E:\Program Files\Acoustica Beatcraft
2008-09-16 17:19   ---------   d-----w   E:\Documents and Settings\Ben\Application Data\Azureus
2008-08-17 03:58   ---------   d-----w   E:\Documents and Settings\All Users\Application Data\Comcast
2007-03-23 19:05   3,580   ----a-w   E:\Program Files\INSTALL.LOG
2005-07-31 17:28   76   ---ha-w   E:\Program Files\Desktop.ini
2004-10-01 19:31   109   ----a-w   E:\Documents and Settings\Ben\Application Data\tvmcwrd.dll
2004-09-27 22:01   0   ----a-w   E:\Documents and Settings\Ben\Application Data\wklnhst.dat
2001-09-28 21:00   164,864   ----a-w   E:\Program Files\UNWISE.EXE
.

(((((((((((((((((((((((((((((   snapshot@2008-09-27_21.50.07.17   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-09-28 01:46:28   218,472   ----a-w   E:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-09-28 03:31:12   218,472   ----a-w   E:\WINDOWS\system32\inetsrv\MetaBase.bin
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="E:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"STYLEXP"="E:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [2005-03-14 1159168]
"MSMSGS"="E:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"H/PC Connection Agent"="E:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2004-02-03 401491]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ASUS Probe"="E:\Program Files\ASUS\Probe\AsusProb.exe" [2002-12-06 617984]
"zBrowser Launcher"="E:\Program Files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]
"RegistryMechanic"="E:\Program Files\Registry Mechanic\RegMech.exe" [2004-07-05 1183744]
"UpdReg"="E:\WINDOWS\UpdReg.EXE" [2000-05-11 90112]
"Jet Detection"="E:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 28672]
"ATIPTA"="E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-29 344064]
"SpySweeper"="E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" [2006-01-25 3405312]
"ddoctorv2"="E:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"SunJavaUpdateSched"="E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"AVG8_TRAY"="E:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-09-27 1235736]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-11 E:\WINDOWS\LOGI_MWX.EXE]
"P17Helper"="P17.dll" [2005-05-02 E:\WINDOWS\system32\P17.dll]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="E:\\Program Files\\TGTSoft\\StyleXP\\CurrentLogon.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.CEGSM"= mobilev.acm
"vidc.ffds"= ffdshow.ax
"msacm.ac3filter"= ac3filter.acm

[HKLM\~\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=E:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=E:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\E:^Documents and Settings^Ben^Start Menu^Programs^Startup^Konfabulator.lnk]
path=E:\Documents and Settings\Ben\Start Menu\Programs\Startup\Konfabulator.lnk
backup=E:\WINDOWS\pss\Konfabulator.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2004-02-03 01:42 401491 E:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 12:24 1694208 E:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-06-03 03:52 36975 E:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch]
--a------ 2002-07-02 17:56 24576 E:\WINDOWS\system32\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RoxWatch"=2 (0x2)
"RoxUpnpServer"=2 (0x2)
"RoxUPnPRenderer"=3 (0x3)
"RoxMediaDB"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"E:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"E:\\Program Files\\Microsoft ActiveSync\\WCESMGR.EXE"=
"E:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"E:\\Program Files\\FlashFXP\\flashfxp.exe"=
"E:\\Program Files\\ASUS\\AsusUpdate\\Update.exe"=
"E:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe"=
"E:\\Program Files\\TVAnts\\Tvants.exe"=
"E:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"E:\\Program Files\\SopCast\\SopCast.exe"=
"E:\\Documents and Settings\\Ben\\Application Data\\SopCast\\adv\\SopAdver.exe"=
"E:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"E:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"E:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"41952:TCP"= 41952:TCP:41952

R0 SSI;SSI;E:\WINDOWS\system32\Drivers\SSI.SYS [2006-01-25 78336]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;E:\WINDOWS\system32\Drivers\avgldx86.sys [2008-09-27 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;E:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-09-27 875288]
R2 avg8wd;AVG Free8 WatchDog;E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-09-27 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;E:\WINDOWS\system32\Drivers\avgtdix.sys [2008-09-27 76040]
S3 ASUSHWIO;ASUSHWIO;E:\WINDOWS\system32\drivers\ASUSHWIO.sys [ ]
S3 LCcfltr;Logitech USB Filter Driver;E:\WINDOWS\system32\Drivers\LCcFltr.Sys [2003-12-11 14092]
S3 pohci13F;pohci13F;E:\DOCUME~1\Ben\LOCALS~1\Temp\pohci13F.sys [ ]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-27 23:31:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


E:\WINDOWS\TEMP\8273c39e-1d1f-4926-ad2e-daff87b9b72e.tmp 0 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
E:\WINDOWS\system32\ati2evxx.exe
E:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
E:\Program Files\Executive Software\Diskeeper\DkService.exe
E:\WINDOWS\system32\inetsrv\inetinfo.exe
E:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
E:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
E:\Program Files\AVG\AVG8\avgrsx.exe
E:\WINDOWS\system32\ati2evxx.exe
E:\WINDOWS\system32\wscntfy.exe
E:\WINDOWS\system32\rundll32.exe
E:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
.
**************************************************************************
.
Completion time: 2008-09-27 23:37:37 - machine was rebooted
ComboFix-quarantined-files.txt  2008-09-28 03:37:29
ComboFix2.txt  2008-09-28 01:51:39

Pre-Run: 72,553,689,088 bytes free
Post-Run: 72,538,308,608 bytes free

191   --- E O F ---   2008-09-11 08:00:56

[evilfantasy]

Looks good. Is the computer running any better?

Some cleanup and then a (hopefully) final scan to make sure nothing else is hiding.


• Click START then RUN
  
• Now type Combofix /u in the runbox
  
• Make sure there's a space between Combofix and /u
• Then hit Enter.
.

• The above procedure will:
• Delete the following:
• ComboFix and its associated files and folders.
• Reset the clock settings.
• Hide file extensions, if required.
• Hide System/Hidden files, if required.
• Set a new, clean Restore Point.

.

----------

Download ATF Cleaner by Atribune to your Desktop.

Alternate download link

Note: Vista users must use Run As Administrator

• Under Main: Select Files to Delete choose: Select All.
  
• Click the Empty Selected button.
  
• If you use Firefox browser click Firefox at the top and choose: Select All
  
• Click the Empty Selected button.
  If you would like to keep your saved passwords click No at the prompt.
  
• If you use Opera browser click Opera at the top and choose: Select All
  
• Click the Empty Selected button.
  If you would like to keep your saved passwords click No at the prompt.
  
• Click Exit on the Main menu to close the program.

.
Note that your system will run slower for a reboot or two after having used this tool so don't panic.

----------

Download OTCleanIt.exe and save it to your Desktop.

• Double-click OTCleanIt.exe.
  
• Click the CleanUp! button.
  
• Select Yes when the "Begin cleanup Process?" prompt appears.
  
• If you are prompted to Reboot during the cleanup, select Yes.
  
• The tool will delete itself once it finishes, if not delete it yourself.

.
Important: Restart the computer before continuing.

----------

Run this online scan. Requires Internet Explorer

Use the ESET Nod32 Online Scanner

1. Check the box next to YES, I accept the Terms of Use.
2. Click Start
3. When asked, allow the activex control to install
4. Click Start
5. Make sure that the option Remove found threats and the option Scan unwanted applications is check marked.
6. Click Scan
7. Wait for the scan to finish
8. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
9. Add the C:\Program Files\EsetOnlineScanner\log.txt log into your next reply.

[20Deep]

Yea it seems to be working much better. I haven't gone through the final step from your last post yet but will here shortly.

AVG has popped up a couple times saying that there is a threat detected in E:\System Volume Information\_restore...etc.

Is this just trojan files that are present in the restore files I assume?

[20Deep]

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3478 (20080928)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=61ea1c437661b948b4fdb06f9b362522
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-09-28 03:01:37
# local_time=2008-09-28 11:01:37 (-0500, Eastern Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=318220
# found=0
# scan_time=2600

[evilfantasy]

AVG has popped up a couple times saying that there is a threat detected in E:\System Volume Information\_restore...etc.

Is this just trojan files that are present in the restore files I assume?

Yes and we will take care of that now in the final steps.

Set a New Restore Point to prevent possible reinfection from an old one
Setting a new restore point AFTER cleaning your system will enable your computer to roll-back to a clean working state if needed.

• Go to Start > Programs > Accessories > System Tools and click System Restore
  
• Choose the radio button marked Create a Restore Point on the first screen then click Next Give the Restore Point a name then click Create.
  
• The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
• Next go to Start > Run and type Cleanmgr
  
• Click OK
  
• Click the More Options Tab.
  
• Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.

You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide or Windows Vista System Restore Guide
.
----------

Use the Secunia Software Inspector to check for out of date software.

• Click Start Now
  
• Check the box next to Enable thorough system inspection.
  
• Click Start
  
• Allow the scan to finish and scroll down to see if any updates are needed.
• Update anything listed.

.
----------

Go to Microsoft Windows Update and get all critical updates.

----------

Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC.

Concerned about Browser Security? Consider using Mozilla Firefox 3.0 with Adblock Plus and NoScript

To prevent unknown applications from being installed on your computer install WinPatrol 2008
* Using Winpatrol to protect your computer from malicious software

I suggest using SiteAdvisor. SiteAdvisor rates sites on business practices and spam. Safety ratings from McAfee SiteAdvisor are based on automated safety tests of Web sites.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

[20Deep]

Awesome.

I can't explain how much help you have been. 

[evilfantasy]

Glad it worked out for the good!!