
Author Topic: Double the fun!  (Read 8626 times)


GrimAbbott

    Topic Starter


    Rookie

    • Experience: Beginner
    • OS: Windows 7
    Double the fun!
    « on: June 26, 2009, 11:49:09 PM »
    Looks like I'll get to spend some time on this forum. I've got two home PCs that have both turned into semi-paperweights due to spyware or malware that came as a result of an expired Panda Internet Security 2008 subscription. Here's the first one.

    Step 1: Malware applications
    I'm seeing the following that are on the list: iMesh, Viewpoint Media Player. I'm also seeing two suspects: Last.fm.1.5.4.24567 and XplDbClientPatch.

    Step 2: House Cleaning
    I pulled down CCleaner 2.21.940 slim and have followed the directions.

    Step 3: SUPERAntiSpyware
    System would not allow software to download. Tried copying from flash drive, application does not run.

    Step 4: Malwarebytes' Anti-Malware
    System would not allow software to download. Installed from flash drive but application does not run.

    Step 5: Update Your Java
    Ran JavaRa and updated to JRE 6.14

    Step 6: HijackThis
    Completed

    LOGS: Only HijackThis log is available since SAS and MBAM would not run.
    My HijackThis report

    [attachment deleted by admin]
    « Last Edit: June 27, 2009, 12:09:37 AM by GrimAbbott »

    Karnac



      Specialist

      Thanked: 211
      Re: Double the fun!
      « Reply #1 on: June 27, 2009, 12:07:55 AM »
      Try running Steps 3 and 4 in safe mode...you may have to rename them....


      Never argue with a stupid person, they'll drag you down to their level and beat you with experience.

      GrimAbbott

        Topic Starter


        Rookie

        • Experience: Beginner
        • OS: Windows 7
        Re: Double the fun!
        « Reply #2 on: June 27, 2009, 01:31:56 AM »
        OK, got the MBAM to run (report attached) in Safe Mode but the SAS still will not run, even when the .exe is renamed to ComputerHope.exe! Uninstalled and reinstalled SAS, still no luck.

        [attachment deleted by admin]

        Karnac



          Specialist

          Thanked: 211
          Re: Double the fun!
          « Reply #3 on: June 27, 2009, 08:42:11 AM »
          Ok, all these infections indicate no action taken...you will have to remove and quarantine them when asked.


          GrimAbbott

            Topic Starter


            Rookie

            • Experience: Beginner
            • OS: Windows 7
            Re: Double the fun!
            « Reply #4 on: June 27, 2009, 01:20:33 PM »
            The successful MBAM scan/cleaning allowed SAS to run; log attached. Further suggestions?

            [attachment deleted by admin]

            Karnac



              Specialist

              Thanked: 211
              Re: Double the fun!
              « Reply #5 on: June 27, 2009, 01:28:45 PM »
              While you wait for a specialist to review the logs you can try self help and use the process tool here...

              http://www.computerhope.com/forum/index.php/topic,81761.msg540346.html#msg540346


              evilfantasy

              • Malware Removal Specialist
              • Moderator


              • Genius
              • Calm like a bomb
              • Thanked: 493
              • Experience: Experienced
              • OS: Windows 11
              Re: Double the fun!
              « Reply #6 on: June 27, 2009, 01:29:11 PM »
              Download DDS from |HERE| or |HERE| or |HERE| and save it to your desktop.

              Vista users: right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it).

              * XP users: double click on dds to run it.
              * If your antivirus or firewall tries to block DDS, please allow it to run.
              * When finished DDS will open two (2) logs.

              1) DDS.txt
              2) Attach.txt

              * Save both logs to your desktop.
              * Please copy and paste the entire contents of both logs in your next reply.

              Note: DDS will instruct you to post the Attach.txt log as an attachment.
              Please just post it as you would any other log by copy and pasting it into the reply.

              Karnac



                Specialist

                Thanked: 211
                Re: Double the fun!
                « Reply #7 on: June 27, 2009, 01:30:48 PM »
                Nice to see you back.....evil


                evilfantasy

                • Malware Removal Specialist
                • Moderator


                • Genius
                • Calm like a bomb
                • Thanked: 493
                • Experience: Experienced
                • OS: Windows 11
                Re: Double the fun!
                « Reply #8 on: June 27, 2009, 01:31:59 PM »
                Shhh! I'm not back.... :P

                Karnac



                  Specialist

                  Thanked: 211
                  Re: Double the fun!
                  « Reply #9 on: June 27, 2009, 01:34:01 PM »
                  *censored*...sorry... :-X


                  GrimAbbott

                    Topic Starter


                    Rookie

                    • Experience: Beginner
                    • OS: Windows 7
                    Re: Double the fun!
                    « Reply #10 on: June 27, 2009, 04:16:25 PM »
                    As requested from DDS:

                    DDS (Ver_09-06-26.01) - NTFSx86 
                    Run by Dad at 15:19:42.03 on Sat 06/27/2009
                    Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_14
                    Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1007.602 [GMT -7:00]

                    AV: AntiVir Desktop *On-access scanning enabled* (Updated)   {AD166499-45F9-482A-A743-FDD3350758C7}

                    ============== Running Processes ===============

                    C:\WINDOWS\system32\svchost -k DcomLaunch
                    svchost.exe
                    C:\WINDOWS\System32\svchost.exe -k netsvcs
                    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
                    svchost.exe
                    svchost.exe
                    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
                    C:\WINDOWS\system32\spoolsv.exe
                    C:\Program Files\Avira\AntiVir Desktop\sched.exe
                    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
                    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
                    C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
                    C:\Program Files\Bonjour\mDNSResponder.exe
                    C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
                    C:\Program Files\Java\jre6\bin\jqs.exe
                    C:\WINDOWS\system32\HPZipm12.exe
                    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
                    C:\WINDOWS\System32\svchost.exe -k imgsvc
                    C:\Program Files\Viewpoint\Common\ViewpointService.exe
                    C:\WINDOWS\System32\MsPMSPSv.exe
                    C:\WINDOWS\Explorer.EXE
                    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
                    C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
                    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
                    C:\WINDOWS\system32\igfxpers.exe
                    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
                    C:\Program Files\Java\jre6\bin\jusched.exe
                    C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
                    C:\Program Files\Motherboard Monitor 5\MBM5.EXE
                    C:\Program Files\QuickTime\QTTask.exe
                    E:\Program Files\iTunes\iTunesHelper.exe
                    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
                    E:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
                    C:\Program Files\iPod\bin\iPodService.exe
                    E:\Program Files\Mozilla Firefox\firefox.exe
                    C:\WINDOWS\system32\wuauclt.exe
                    C:\WINDOWS\system32\wuauclt.exe
                    C:\Documents and Settings\Dad\Desktop\dds.pif

                    ============== Pseudo HJT Report ===============

                    uStart Page = hxxp://www.gbcph.org/
                    uSearch Page = hxxp://www.google.com
                    uSearch Bar = hxxp://www.google.com/ie
                    uDefault_Search_URL = hxxp://www.google.com/ie
                    mDefault_Page_URL = hxxp://www.omnitechcorp.com
                    uInternet Settings,ProxyOverride = *.local
                    uSearchAssistant = hxxp://www.google.com/ie
                    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
                    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
                    BHO: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFre1.dll
                    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
                    BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
                    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
                    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
                    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
                    TB: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFre1.dll
                    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
                    uRun: [Sony Ericsson PC Suite] "e:\program files\sony ericsson\sony ericsson pc suite\SEPCSuite.exe" /systray /nologon
                    mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
                    mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
                    mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
                    mRun: [AdaptecDirectCD] c:\program files\adaptec\easy cd creator 5\directcd\DirectCD.exe
                    mRun: [igfxtray] c:\windows\system32\igfxtray.exe
                    mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
                    mRun: [igfxpers] c:\windows\system32\igfxpers.exe
                    mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
                    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
                    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
                    mRun: [AAWTray] c:\program files\lavasoft\ad-aware 2007\AAWTray.exe
                    mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
                    mRun: [MBM 5] "c:\program files\motherboard monitor 5\MBM5.EXE"
                    mRun: [Adobe Reader Speed Launcher] "e:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
                    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
                    mRun: [iTunesHelper] "e:\program files\itunes\iTunesHelper.exe"
                    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
                    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
                    DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
                    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
                    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
                    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
                    DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
                    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
                    DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} - hxxp://a.download.toontown.com/sv1.0.28.9/ttinst.cab
                    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
                    DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
                    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
                    DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} - hxxps://disney.go.com/games/downloads/gamemanager/DIGGameManager.cab
                    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
                    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
                    Notify: igfxcui - igfxdev.dll
                    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
                    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

                    ================= FIREFOX ===================

                    FF - ProfilePath - c:\docume~1\dad\applic~1\mozilla\firefox\profiles\b9k9d87q.default\
                    FF - prefs.js: browser.startup.homepage - www.gbcph.org
                    FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
                    FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
                    FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
                    FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
                    FF - plugin: e:\program files\adobe\reader 8.0\reader\browser\nppdf32.dll
                    FF - plugin: e:\program files\itunes\mozilla plugins\npitunes.dll
                    FF - plugin: e:\program files\mozilla firefox\plugins\npmusicn.dll
                    FF - plugin: e:\program files\mozilla firefox\plugins\npPandoWebInst.dll
                    FF - plugin: e:\program files\mozilla firefox\plugins\npViewpoint.dll
                    FF - plugin: e:\program files\netscape6\nppl3260.dll
                    FF - plugin: e:\program files\netscape6\nprjplug.dll
                    FF - plugin: e:\program files\netscape6\nprpjplug.dll
                    FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
                    FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
                    FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
                    FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
                    FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

                    ============= SERVICES / DRIVERS ===============

                    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-6-26 11608]
                    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
                    R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2007-8-27 566616]
                    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-6-26 108289]
                    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-6-26 185089]
                    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-6-26 55640]
                    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-4-10 24652]
                    S1 Multicam;MultiCam for Picolo;c:\windows\system32\drivers\multicam.sys --> c:\windows\system32\drivers\multicam.sys [?]
                    S1 SASKUTIL;SASKUTIL;\??\e:\program files\superantispyware\saskutil.sys --> e:\program files\superantispyware\SASKUTIL.sys [?]
                    S3 AtomSync;AtomSync;e:\program files\atomsync\service.exe [2008-9-23 159744]
                    S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2008-5-20 13224]
                    S3 PavSRK.sys;PavSRK.sys;\??\c:\windows\system32\pavsrk.sys --> c:\windows\system32\PavSRK.sys [?]
                    S3 PavTPK.sys;PavTPK.sys;\??\c:\windows\system32\pavtpk.sys --> c:\windows\system32\PavTPK.sys [?]
                    S3 SASENUM;SASENUM;\??\e:\program files\superantispyware\sasenum.sys --> e:\program files\superantispyware\SASENUM.SYS [?]

                    =============== Created Last 30 ================

                    2009-06-27 14:03   <DIR>   --d-h---   c:\windows\PIF
                    2009-06-26 23:55   <DIR>   --d-----   c:\docume~1\dad\applic~1\Malwarebytes
                    2009-06-26 23:50   <DIR>   --d-----   c:\program files\SUPERAntiSpyware
                    2009-06-26 23:27   <DIR>   --d-----   c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
                    2009-06-26 23:20   <DIR>   --d-----   c:\docume~1\dad\applic~1\SUPERAntiSpyware.com
                    2009-06-26 22:46   <DIR>   --d-----   c:\program files\Trend Micro
                    2009-06-26 22:40   410,984   a-------   c:\windows\system32\deploytk.dll
                    2009-06-26 00:45   55,640   a-------   c:\windows\system32\drivers\avgntflt.sys
                    2009-06-26 00:44   <DIR>   --d-----   c:\program files\Avira
                    2009-06-26 00:44   <DIR>   --d-----   c:\docume~1\alluse~1\applic~1\Avira
                    2009-06-26 00:36   38,160   a-------   c:\windows\system32\drivers\mbamswissarmy.sys
                    2009-06-26 00:36   19,096   a-------   c:\windows\system32\drivers\mbam.sys
                    2009-06-26 00:36   <DIR>   --d-----   c:\docume~1\alluse~1\applic~1\Malwarebytes
                    2009-06-25 22:57   47   a----r--   c:\windows\amunres.lsl
                    2009-06-21 20:24   0   a-------   c:\windows\system32\commonpriv.log.lock
                    2009-06-21 20:22   <DIR>   --d-----   c:\program files\AVG
                    2009-06-21 20:22   <DIR>   --d-----   c:\docume~1\alluse~1\applic~1\avg8
                    2009-06-21 17:48   <DIR>   --d-----   c:\program files\iPod
                    2009-06-21 17:48   <DIR>   --d-----   c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
                    2009-06-21 17:46   <DIR>   --d-----   c:\program files\Bonjour

                    ==================== Find3M  ====================

                    2008-01-15 11:50   1,004   a--sh---   c:\windows\system32\KGyGaAvL.sys

                    ============= FINISH: 15:20:30.64 ===============


                    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
                    IF REQUESTED, ZIP IT UP & ATTACH IT

                    DDS (Ver_09-06-26.01)

                    Microsoft Windows XP Professional
                    Boot Device: \Device\HarddiskVolume1
                    Install Date: 11/21/2003 6:30:08 AM
                    System Uptime: 6/27/2009 12:30:37 PM (3 hours ago)

                    Motherboard: Intel Corporation               |  | D865GLC                       
                    Processor:                 Intel(R) Celeron(R) CPU 2.00GHz | J2E1 | 1994/100mhz

                    ==== Disk Partitions =========================

                    A: is Removable
                    C: is FIXED (NTFS) - 112 GiB total, 100.291 GiB free.
                    D: is CDROM ()
                    E: is FIXED (NTFS) - 112 GiB total, 110.138 GiB free.
                    Y: is NetworkDisk (NTFS) - 372 GiB total, 220.977 GiB free.
                    Z: is NetworkDisk (NTFS) - 372 GiB total, 220.977 GiB free.

                    ==== Disabled Device Manager Items =============

                    ==== System Restore Points ===================

                    RP771: 3/29/2009 5:45:41 PM - System Checkpoint
                    RP772: 4/4/2009 6:02:04 PM - System Checkpoint
                    RP773: 4/6/2009 10:51:30 AM - System Checkpoint
                    RP774: 4/8/2009 5:20:42 PM - System Checkpoint
                    RP775: 4/11/2009 5:40:09 PM - System Checkpoint
                    RP776: 4/13/2009 10:46:03 AM - System Checkpoint
                    RP777: 4/18/2009 2:45:05 PM - System Checkpoint
                    RP778: 4/21/2009 5:03:36 PM - System Checkpoint
                    RP779: 5/8/2009 12:27:10 PM - System Checkpoint
                    RP780: 5/8/2009 10:18:06 PM - Installed DirectX
                    RP781: 5/18/2009 6:23:01 PM - System Checkpoint
                    RP782: 5/21/2009 2:02:35 PM - System Checkpoint
                    RP783: 6/8/2009 5:47:54 PM - System Checkpoint
                    RP784: 6/21/2009 3:36:29 PM - System Checkpoint
                    RP785: 6/21/2009 5:47:36 PM - Installed iTunes
                    RP786: 6/21/2009 8:24:20 PM - Installed AVG Free 8.5
                    RP787: 6/25/2009 10:16:57 PM - Removed Panda Internet Security 2007
                    RP788: 6/25/2009 11:02:16 PM - Removed OpenOffice.org 2.2
                    RP789: 6/25/2009 11:25:49 PM - Installed AVG Free 8.5

                    ==== Installed Programs ======================

                    3D Virtual Reality Architect
                    Ad-Aware 2007
                    Adobe Flash Player 10 Plugin
                    Adobe Flash Player 9 ActiveX
                    Adobe Reader 8.1.4
                    Adobe Shockwave Player 11
                    AiO_Scan
                    Apple Mobile Device Support
                    Apple Software Update
                    AtomSync
                    Avira AntiVir Personal - Free Antivirus
                    Belkin 54g USB Network Adapter
                    Big Fish Games Client
                    Bonjour
                    CCleaner (remove only)
                    CutePDF Writer 2.7
                    Disc2Phone
                    Easy CD Creator 5 Basic
                    Freecorder Toolbar
                    Freecorder Toolbar 3.0 Application
                    Freecorder Toolbar 3.02 Application
                    GameShark SP
                    Google Talk (remove only)
                    Google Talk Plugin
                    Google Updater
                    HijackThis 2.0.2
                    HP Image Zone 4.7
                    HP PSC & OfficeJet 4.7
                    iMesh
                    Intel(R) Extreme Graphics 2 Driver
                    Intel(R) PRO Network Adapters and Drivers
                    iTunes
                    Java(TM) 6 Update 14
                    Juniper Networks Cache Cleaner 6.0.0
                    Juniper Networks Host Checker
                    Last.fm 1.5.4.24567
                    Logitech Gaming Software
                    Malwarebytes' Anti-Malware
                    Microsoft .NET Framework 2.0 Service Pack 1
                    Microsoft .NET Framework 3.0
                    Microsoft Compression Client Pack 1.0 for Windows XP
                    Microsoft Data Access Components KB870669
                    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
                    Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
                    Microsoft Silverlight
                    Microsoft User-Mode Driver Framework Feature Pack 1.0
                    Microsoft Visual C++ 2005 Redistributable
                    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
                    Motherboard Monitor 5
                    Mozilla Firefox (3.0.11)
                    MSXML 4.0 SP2 (KB927978)
                    MSXML 4.0 SP2 (KB936181)
                    MSXML 4.0 SP2 (KB954430)
                    MSXML 6 Service Pack 2 (KB954459)
                    Pando Media Booster
                    QFolder
                    QuickTime
                    RealPlayer
                    Rhapsody Player Engine
                    Rosetta Stone 2.1.3.0A
                    Sansa Media Converter
                    Scan
                    Security Update for Windows XP (KB904706)
                    Security Update for Windows XP (KB923789)
                    Sibelius Scorch Plugin 5.2.5.30
                    SigmaTel MSCN Audio Player
                    Sony Ericsson PC Suite 4.010.00
                    SoundMAX
                    Spelling Dictionaries Support For Adobe Reader 8
                    SUPERAntiSpyware Free Edition
                    teenSMART®
                    TimeLeft
                    Unity Web Player
                    Update Service
                    URGE
                    Viewpoint Media Player
                    WebFldrs XP
                    Where in the World is Carmen Sandiego?
                    Windows Communication Foundation
                    Windows Genuine Advantage Notifications (KB905474)
                    Windows Genuine Advantage Validation Tool (KB892130)
                    Windows Imaging Component
                    Windows Media Format 11 runtime
                    Windows Media Player 11
                    Windows Presentation Foundation
                    Windows Workflow Foundation
                    Windows XP Service Pack 2
                    WordPerfect Office 12
                    XML Paper Specification Shared Components Pack 1.0
                    XplDbClientPatch

                    ==== Event Viewer Messages From Past Week ========

                    6/27/2009 12:32:20 AM, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  SASKUTIL
                    6/27/2009 12:31:25 PM, error: sr [1]  - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'.  It has stopped monitoring the volume.
                    6/27/2009 11:05:26 AM, error: Service Control Manager [7000]  - The SASENUM service failed to start due to the following error:  The system cannot find the path specified.
                    6/27/2009 11:05:22 AM, error: Service Control Manager [7000]  - The SASKUTIL service failed to start due to the following error:  The system cannot find the path specified.
                    6/26/2009 12:38:58 AM, error: SideBySide [59]  - Resolve Partial Assembly failed for Microsoft.VC90.CRT. Reference error message: The referenced assembly is not installed on your system. .
                    6/26/2009 12:38:58 AM, error: SideBySide [59]  - Generate Activation Context failed for C:\DOCUME~1\Dad\LOCALS~1\Temp\RarSFX0\basic\setup.exe. Reference error message: The operation completed successfully. .
                    6/26/2009 12:38:58 AM, error: SideBySide [32]  - Dependent Assembly Microsoft.VC90.CRT could not be found and Last Error was The referenced assembly is not installed on your system.
                    6/26/2009 12:38:58 AM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
                    6/26/2009 12:35:35 AM, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  cdudf_xp Fips intelppm mbmiodrvr sf
                    6/26/2009 12:34:59 AM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
                    6/26/2009 12:34:37 AM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
                    6/26/2009 11:54:26 PM, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  avgio avipbb cdudf_xp Fips intelppm mbmiodrvr SASKUTIL sf ssmdrv
                    6/26/2009 11:40:54 PM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
                    6/26/2009 11:27:47 PM, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  avgio avipbb cdudf_xp Fips intelppm mbmiodrvr sf ssmdrv
                    6/21/2009 7:51:43 PM, error: Service Control Manager [7009]  - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.
                    6/21/2009 7:51:43 PM, error: Service Control Manager [7000]  - The Application Layer Gateway Service service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
                    6/21/2009 7:51:12 PM, error: Service Control Manager [7022]  - The Panda anti-virus service service hung on starting.
                    6/21/2009 7:48:39 PM, error: sr [1]  - The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'NetPcap.cfg' on the volume 'HarddiskVolume1'.  It has stopped monitoring the volume.

                    ==== End Of File ===========================
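A small triage script for the Event Viewer lines in the log above, added here as an example (it is not part of the thread and not part of the DDS tool). The sample lines are the ones from the log; the table mapping driver names to security products, and the reading of error 1084 as a Safe Mode indicator, are our own additions.

```python
"""Triage of the DDS-style Event Viewer lines shown in the log above.

Added example; it is not part of the thread or of the DDS tool. The sample
lines are copied from the log above; SECURITY_DRIVERS is our own small
table (assumption), not something DDS reports.
"""
import re
from collections import defaultdict

# Driver names of security products that appear in this thread, mapped to
# the product that owns them (assumption: this mapping is ours).
SECURITY_DRIVERS = {
    "avgio": "Avira AntiVir",
    "avipbb": "Avira AntiVir",
    "ssmdrv": "Avira AntiVir",
    "saskutil": "SUPERAntiSpyware",
}

# DDS attach.txt event line: "<date time>, <level>: <source> [<id>]  - <message>"
EVENT_RE = re.compile(
    r"^(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>[^\[]+?) \[(?P<id>\d+)\]\s+-\s+(?P<msg>.*)$"
)

# Constructed from the lines in the log above. The GUID line that follows a
# DCOM message in a real log does not match EVENT_RE and is simply skipped.
SAMPLE_LOG = """\
6/26/2009 11:54:26 PM, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  avgio avipbb cdudf_xp Fips intelppm mbmiodrvr SASKUTIL sf ssmdrv
6/26/2009 11:40:54 PM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}
6/21/2009 7:51:12 PM, error: Service Control Manager [7022]  - The Panda anti-virus service service hung on starting.
6/21/2009 7:48:39 PM, error: sr [1]  - The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'NetPcap.cfg' on the volume 'HarddiskVolume1'.  It has stopped monitoring the volume.
"""


def parse_events(text):
    """Parse event lines into dicts; lines not in the event format are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["id"] = int(e["id"])
            events.append(e)
    return events


def failed_drivers(events):
    """Driver names listed by Service Control Manager event 7026."""
    names = set()
    for e in events:
        if e["source"] == "Service Control Manager" and e["id"] == 7026:
            _, _, tail = e["msg"].partition("failed to load:")
            names.update(tail.split())
    return names


def triage(text):
    """Summarise what in the log deserves attention and what is noise.

    Win32 error 1084 is ERROR_NOT_SAFEBOOT_SERVICE: the service cannot be
    started in Safe Mode. A DCOM 10005 "%1084" event therefore shows the
    machine was booted into Safe Mode, and a 7026 list of third-party
    drivers from such a boot is commonly logged because those drivers are
    not loaded there, so the security-driver finding must be read against
    safe_mode_boot_seen before it is treated as tampering.
    """
    events = parse_events(text)
    findings = defaultdict(list)
    for name in sorted(failed_drivers(events)):
        product = SECURITY_DRIVERS.get(name.lower())
        if product:
            findings["security_driver_not_loaded"].append((name, product))
    for e in events:
        scm = e["source"] == "Service Control Manager"
        if scm and e["id"] in (7000, 7009, 7022):
            findings["service_start_failure"].append(e["msg"])
        if e["source"] == "DCOM" and e["id"] == 10005 and '"%1084"' in e["msg"]:
            svc = re.search(r"service (\S+) with arguments", e["msg"])
            findings["dcom_1084_safe_mode"].append(svc.group(1) if svc else "?")
    return {
        "failed_drivers": failed_drivers(events),
        "safe_mode_boot_seen": bool(findings["dcom_1084_safe_mode"]),
        "findings": dict(findings),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```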

                    evilfantasy

                    • Malware Removal Specialist
                    • Moderator


                    • Genius
                    • Calm like a bomb
                    • Thanked: 493
                    • Experience: Experienced
                    • OS: Windows 11
                    Re: Double the fun!
                    « Reply #11 on: June 27, 2009, 04:34:36 PM »
                    You have Viewpoint installed.

                    Viewpoint Media Player/Manager/Toolbar is considered Foistware instead of malware since it is installed without the user's approval but doesn't spy or do anything "bad".

                    More information:

                    It is suggested to remove the program now. Go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

                    • Viewpoint
                    • Viewpoint Manager
                    • Viewpoint Media Player
                    • Viewpoint Toolbar
                    • Viewpoint Experience Technology
                    ----------

                    Go to Start > Run > type Notepad.exe and click OK to open Notepad.

                    In the top of Notepad go to Format and click Word Wrap then close Notepad.

                    ----------

                    Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

                    Link #1
                    Link #2

                    **Note:  It is important that it is saved directly to your Desktop

                    DO NOT run it yet!

                    Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system.

                    Delete these files/folders, as follows:

                    1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
                    It must be Notepad, not Wordpad.
                    2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C.

                    Code:
                    KillAll::

                    Driver::
                    Viewpoint Manager Service
                    PavSRK.sys
                    PavTPK.sys

                    DDS::
                    BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
                    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
                    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

                    Firefox::
                    FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

                    Folder::
                    c:\program files\viewpoint
                    c:\program files\AVG
                    c:\docume~1\alluse~1\applic~1\avg8

                    3. Go to the Notepad window and click Edit > Paste
                    4. Then click File > Save
                    5. Name the file CFScript.txt - Save the file to your Desktop
                    6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



                    ComboFix will begin to execute, just follow the prompts.
                    After reboot (in case it asks to reboot), it will produce a log for you.
                    Post that log (Combofix.txt) in your next reply.

                    Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze.
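An added example (not ComboFix's own code and not from the thread) that parses the CFScript format used in the post above and sanity-checks it before it is dropped onto ComboFix.exe. The accepted section names are only those used in this script and the protected-directory list is our own assumption.

```python
"""Parser and sanity check for the CFScript format used in the post above.

Added example, not ComboFix's own code. KNOWN_SECTIONS is only the set of
section names used in this thread's script (assumption; ComboFix accepts
more) and PROTECTED is our own list of directories that should never be
listed whole under Folder::.
"""
import re

KNOWN_SECTIONS = {"KillAll", "Driver", "DDS", "Firefox", "Folder"}
PROTECTED = {"c:", "c:\\windows", "c:\\windows\\system32",
             "c:\\program files", "c:\\documents and settings"}

# The script from the post above (raw string: the paths contain \v, \a and \n).
SCRIPT = r"""KillAll::

Driver::
Viewpoint Manager Service
PavSRK.sys
PavTPK.sys

DDS::
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

Firefox::
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

Folder::
c:\program files\viewpoint
c:\program files\AVG
c:\docume~1\alluse~1\applic~1\avg8
"""


def parse_cfscript(text):
    """Return {section: [entries]}: a line ending in '::' opens a section,
    blank lines are separators, every other line belongs to the open section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections


def check_cfscript(text):
    """Return a list of problems; an empty list means the script passed."""
    problems = []
    sections = parse_cfscript(text)
    for name in sections:
        if name not in KNOWN_SECTIONS:
            problems.append(f"unknown section {name}::")
    for path in sections.get("Folder", []):
        if not re.match(r"^[a-z]:\\", path, re.I):
            problems.append(f"Folder:: entry is not an absolute path: {path}")
        elif path.lower().rstrip("\\") in PROTECTED:
            problems.append(f"Folder:: entry names a protected directory: {path}")
    for entry in sections.get("DDS", []):
        # DDS:: lines are copied from a DDS log and look like "BHO: {clsid} - target"
        if not re.match(r"^[A-Za-z0-9]+: .+ - .+$", entry):
            problems.append(f"DDS:: entry does not look like a DDS log line: {entry}")
    return problems


if __name__ == "__main__":
    for name, entries in parse_cfscript(SCRIPT).items():
        print(f"{name}:: {entries}")
    print("problems:", check_cfscript(SCRIPT))
```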

                    GrimAbbott

                      Topic Starter


                      Rookie

                      • Experience: Beginner
                      • OS: Windows 7
                      Re: Double the fun!
                      « Reply #12 on: June 27, 2009, 05:53:52 PM »
                      Quick check...CF got an error message: AntiVir Desktop is running. It requires me to kill that before continuing. I assume this is OK but await confirmation.

                      evilfantasy

                      • Malware Removal Specialist
                      • Moderator


                      • Genius
                      • Calm like a bomb
                      • Thanked: 493
                      • Experience: Experienced
                      • OS: Windows 11
                      Re: Double the fun!
                      « Reply #13 on: June 27, 2009, 06:45:38 PM »
                      Yes you can shut down Avira while running CF.

                      GrimAbbott

                        Topic Starter


                        Rookie

                        • Experience: Beginner
                        • OS: Windows 7
                        Re: Double the fun!
                        « Reply #14 on: June 27, 2009, 08:00:32 PM »
                        Thanks. Along the way, CFx prompted a download of MS Recovery Console which installed successfully. Here is the ComboFix log:

                        ComboFix 09-06-26.02 - Dad 06/27/2009 18:48.1 - NTFSx86
                        Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1007.696 [GMT -7:00]
                        Running from: c:\documents and settings\Dad\Desktop\ComboFix.exe
                        Command switches used :: c:\documents and settings\Dad\Desktop\CFScript.txt
                        AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
                        .

                        (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                        .

                        c:\docume~1\alluse~1\applic~1\avg8
                        c:\docume~1\alluse~1\applic~1\avg8\Log\avgcfg.log.install_backup
                        c:\docume~1\alluse~1\applic~1\avg8\Log\avgcfg.log.lock
                        c:\docume~1\alluse~1\applic~1\avg8\Log\avgcore.log.1
                        c:\docume~1\alluse~1\applic~1\avg8\Log\avgcore.log.lock
                        c:\docume~1\alluse~1\applic~1\avg8\Log\avglng.log.lock
                        c:\docume~1\alluse~1\applic~1\avg8\Log\avgsrm.log.lock
                        c:\docume~1\alluse~1\applic~1\avg8\Log\avgwd.log.install_backup
                        c:\docume~1\alluse~1\applic~1\avg8\Log\avgwd.log.lock
                        c:\docume~1\alluse~1\applic~1\avg8\Log\avgwdsvc.log.lock
                        c:\docume~1\alluse~1\applic~1\avg8\Log\commonpriv.log.lock
                        c:\documents and settings\Samuel.OAKTREE3\Application Data\WeatherDPA
                        c:\program files\AVG
                        c:\program files\AVG\AVG8\cfg\mail.cfg
                        c:\program files\AVG\AVG8\Emc\Log\emc.log
                        c:\program files\AVG\AVG8\log\history.xml
                        c:\program files\messenger\msmsgs.exe
                        c:\windows\system32\drivers\gxvxckrocqmjyidltpxtbimjcbiqmupvaqjgp.sys
                        c:\windows\system32\gxvxccounter
                        c:\windows\system32\gxvxcrqpaaxmkamxeyrvwwmfrfcjalcsbxrtq.dll

                        .
                        (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
                        .

                        -------\Service_GXVXCSERV.SYS
                        -------\Legacy_PAVSRK.SYS
                        -------\Legacy_PAVTPK.SYS
                        -------\Service_PavSRK.sys
                        -------\Service_PavTPK.sys


                        (((((((((((((((((((((((((   Files Created from 2009-05-28 to 2009-06-28  )))))))))))))))))))))))))))))))
                        .

                        2009-06-27 21:03 . 2009-06-27 21:03   --------   d--h--w-   c:\windows\PIF
                        2009-06-27 06:55 . 2009-06-27 06:55   --------   d-----w-   c:\documents and settings\Dad\Application Data\Malwarebytes
                        2009-06-27 06:50 . 2009-06-27 06:54   --------   d-----w-   c:\program files\SUPERAntiSpyware
                        2009-06-27 06:27 . 2009-06-27 18:06   117760   ----a-w-   c:\documents and settings\Dad\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
                        2009-06-27 06:27 . 2009-06-27 06:27   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
                        2009-06-27 06:20 . 2009-06-27 06:20   --------   d-----w-   c:\documents and settings\Dad\Application Data\SUPERAntiSpyware.com
                        2009-06-27 05:46 . 2009-06-27 05:46   --------   d-----w-   c:\program files\Trend Micro
                        2009-06-27 05:40 . 2009-06-27 05:39   410984   ----a-w-   c:\windows\system32\deploytk.dll
                        2009-06-26 07:45 . 2009-03-30 17:33   96104   ----a-w-   c:\windows\system32\drivers\avipbb.sys
                        2009-06-26 07:45 . 2009-03-24 23:08   55640   ----a-w-   c:\windows\system32\drivers\avgntflt.sys
                        2009-06-26 07:45 . 2009-02-13 19:29   22360   ----a-w-   c:\windows\system32\drivers\avgntmgr.sys
                        2009-06-26 07:45 . 2009-02-13 19:17   45416   ----a-w-   c:\windows\system32\drivers\avgntdd.sys
                        2009-06-26 07:44 . 2009-06-26 07:44   --------   d-----w-   c:\program files\Avira
                        2009-06-26 07:44 . 2009-06-26 07:44   --------   d-----w-   c:\documents and settings\All Users\Application Data\Avira
                        2009-06-26 07:36 . 2009-06-17 18:27   38160   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
                        2009-06-26 07:36 . 2009-06-26 07:36   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
                        2009-06-26 07:36 . 2009-06-17 18:27   19096   ----a-w-   c:\windows\system32\drivers\mbam.sys
                        2009-06-22 00:48 . 2009-06-22 00:48   --------   d-----w-   c:\program files\iPod
                        2009-06-22 00:48 . 2009-06-22 00:48   --------   d-----w-   c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
                        2009-06-22 00:46 . 2009-06-22 00:46   --------   d-----w-   c:\program files\Bonjour
                        2009-06-22 00:45 . 2009-06-22 00:45   --------   d-----w-   c:\program files\QuickTime
                        2009-06-22 00:43 . 2009-06-22 00:43   --------   d-----w-   c:\program files\Apple Software Update
                        2009-06-21 22:50 . 2009-06-21 22:50   --------   d-----w-   c:\documents and settings\Dad\Local Settings\Application Data\AOL
                        2009-06-05 20:57 . 2009-06-05 20:57   75048   ----a-w-   c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe

                        .
                        ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                        .
                        2009-06-27 23:55 . 2009-04-10 18:27   --------   d-----w-   c:\documents and settings\All Users\Application Data\Viewpoint
                        2009-06-27 06:49 . 2002-01-04 09:43   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
                        2009-06-27 05:39 . 2002-01-02 07:20   --------   d-----w-   c:\program files\Java
                        2009-06-27 04:41 . 2007-07-22 04:02   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
                        2009-06-26 06:04 . 2007-03-25 15:49   51936   ----a-w-   c:\documents and settings\Dad\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
                        2009-06-26 06:02 . 2002-01-02 07:21   --------   d-----w-   c:\program files\OpenOffice.org 2.2
                        2009-06-26 05:56 . 2003-07-31 11:52   --------   d--h--w-   c:\program files\InstallShield Installation Information
                        2009-06-26 05:52 . 2002-01-02 08:35   --------   d-----w-   c:\documents and settings\Dad\Application Data\OpenOffice.org2
                        2009-06-26 05:52 . 2008-10-08 06:27   --------   d-----w-   c:\documents and settings\Dad\Application Data\stickies
                        2009-06-26 05:20 . 2002-01-04 09:37   --------   d-----w-   c:\program files\Common Files\Panda Software
                        2009-06-26 05:12 . 2008-11-25 19:33   --------   d-----w-   c:\documents and settings\All Users\Application Data\Google Updater
                        2009-06-22 00:48 . 2008-09-15 04:37   --------   d-----w-   c:\program files\Common Files\Apple
                        2009-06-21 22:51 . 2009-04-10 18:24   --------   d-----w-   c:\program files\Common Files\AOL
                        2009-06-09 17:09 . 2007-09-17 05:02   --------   d-----w-   c:\documents and settings\Samuel.OAKTREE3\Application Data\OpenOffice.org2
                        2009-05-11 22:48 . 2009-05-11 22:20   34   ----a-w-   c:\documents and settings\Samuel.OAKTREE3\jagex_runescape_preferences.dat
                        2009-04-10 18:29 . 2009-04-10 18:29   1144808   ----a-w-   c:\documents and settings\All Users\Application Data\AOL Downloads\aimtunes\AIMTunes.exe
                        2008-01-15 18:50 . 2007-10-21 07:10   1004   --sha-w-   c:\windows\system32\KGyGaAvL.sys
                        .

                        (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                        .
                        .
                        *Note* empty entries & legit default entries are not shown
                        REGEDIT4

                        [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
                        2009-04-21 00:18   1883672   ----a-w-   c:\program files\Freecorder\tbFre1.dll

                        [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                        "Sony Ericsson PC Suite"="e:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2008-06-19 393216]

                        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                        "SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 1388544]
                        "Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
                        "AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2003-09-19 684032]
                        "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
                        "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
                        "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
                        "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
                        "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
                        "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-27 148888]
                        "AAWTray"="c:\program files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 88024]
                        "googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
                        "MBM 5"="c:\program files\Motherboard Monitor 5\MBM5.EXE" [2004-06-12 594944]
                        "Adobe Reader Speed Launcher"="e:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
                        "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]
                        "iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
                        "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

                        [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
                        "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

                        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
                        2008-12-22 19:05   356352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

                        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
                        @="Service"

                        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
                        @="Driver"

                        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                        "%windir%\\system32\\sessmgr.exe"=
                        "c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
                        "c:\\Documents and Settings\\Samuel.OAKTREE3\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
                        "c:\\Documents and Settings\\Samuel.OAKTREE3\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
                        "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
                        "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
                        "e:\\Program Files\\iTunes\\iTunes.exe"=
                        "e:\\Program Files\\Stickies\\stickies.exe"=

                        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
                        "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
                        "57086:TCP"= 57086:TCP:Pando Media Booster
                        "57086:UDP"= 57086:UDP:Pando Media Booster

                        R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
                        R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/26/2009 12:45 AM 108289]
                        S1 Multicam;MultiCam for Picolo;c:\windows\system32\Drivers\multicam.sys --> c:\windows\system32\Drivers\multicam.sys [?]
                        S1 SASKUTIL;SASKUTIL;\??\e:\program files\SUPERAntiSpyware\SASKUTIL.sys --> e:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
                        S3 AtomSync;AtomSync;e:\program files\AtomSync\service.exe [9/23/2008 10:34 PM 159744]
                        S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [5/20/2008 10:47 PM 13224]
                        S3 SASENUM;SASENUM;\??\e:\program files\SUPERAntiSpyware\SASENUM.SYS --> e:\program files\SUPERAntiSpyware\SASENUM.SYS [?]
                        .
                        Contents of the 'Scheduled Tasks' folder

                        2009-06-22 c:\windows\Tasks\AppleSoftwareUpdate.job
                        - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

                        2009-06-28 c:\windows\Tasks\Google Software Updater.job
                        - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-02 01:16]

                        2009-06-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4265909289-2111342016-2801439982-1016.job
                        - c:\documents and settings\Samuel.OAKTREE3\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-18 07:05]
                        .
                        - - - - ORPHANS REMOVED - - - -

                        Notify-avgrsstarter - (no file)


                        .
                        ------- Supplementary Scan -------
                        .
                        uStart Page = hxxp://www.gbcph.org/
                        uDefault_Search_URL = hxxp://www.google.com/ie
                        uInternet Settings,ProxyOverride = *.local
                        uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
                        DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
                        DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
                        FF - ProfilePath - c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\b9k9d87q.default\
                        FF - prefs.js: browser.startup.homepage - www.gbcph.org
                        FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
                        FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
                        FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
                        FF - plugin: e:\program files\Adobe\Reader 8.0\Reader\browser\nppdf32.dll
                        FF - plugin: e:\program files\iTunes\Mozilla Plugins\npitunes.dll
                        FF - plugin: e:\program files\Mozilla Firefox\plugins\npmusicn.dll
                        FF - plugin: e:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
                        FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
                        FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
                        FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
                        FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
                        FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
                        .

                        **************************************************************************

                        catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                        Rootkit scan 2009-06-27 18:59
                        Windows 5.1.2600 Service Pack 2 NTFS

                        scanning hidden processes ... 

                        scanning hidden autostart entries ...

                        scanning hidden files ... 

                        scan completed successfully
                        hidden files: 0

                        **************************************************************************
                        .
                        --------------------- LOCKED REGISTRY KEYS ---------------------

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{15FD8424-D12A-4C51-8C6C-D5D57B80F781}\ProxyStubClsid]
                        @DACL=(02 0000)
                        @="{00020424-0000-0000-C000-000000000046}"

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{15FD8424-D12A-4C51-8C6C-D5D57B80F781}\ProxyStubClsid32]
                        @DACL=(02 0000)
                        @="{00020424-0000-0000-C000-000000000046}"

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{15FD8424-D12A-4C51-8C6C-D5D57B80F781}\TypeLib]
                        @DACL=(02 0000)
                        @="{C62A9E79-2B52-439B-AF57-2E60BB06E86C}"
                        "Version"="1.0"

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{40CA90F3-4098-4877-AE87-23EB612B18C7}\ProxyStubClsid]
                        @DACL=(02 0000)
                        @="{00020424-0000-0000-C000-000000000046}"

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{40CA90F3-4098-4877-AE87-23EB612B18C7}\ProxyStubClsid32]
                        @DACL=(02 0000)
                        @="{00020424-0000-0000-C000-000000000046}"

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{40CA90F3-4098-4877-AE87-23EB612B18C7}\TypeLib]
                        @DACL=(02 0000)
                        @="{0729F461-8054-47DC-8D39-A31B61CC0119}"
                        "Version"="1.0"

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{4C3B62AF-CA25-4FBA-8405-32E44F83BB6F}\ProxyStubClsid]
                        @DACL=(02 0000)
                        @="{00020424-0000-0000-C000-000000000046}"

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{4C3B62AF-CA25-4FBA-8405-32E44F83BB6F}\ProxyStubClsid32]
                        @DACL=(02 0000)
                        @="{00020424-0000-0000-C000-000000000046}"

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{4C3B62AF-CA25-4FBA-8405-32E44F83BB6F}\TypeLib]
                        @DACL=(02 0000)
                        @="{0729F461-8054-47DC-8D39-A31B61CC0119}"
                        "Version"="1.0"

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{5A635A91-C303-45C9-8DB9-F759D98A3B9D}\ProxyStubClsid]
                        @DACL=(02 0000)
                        @="{00020424-0000-0000-C000-000000000046}"

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{5A635A91-C303-45C9-8DB9-F759D98A3B9D}\ProxyStubClsid32]
                        @DACL=(02 0000)
                        @="{00020424-0000-0000-C000-000000000046}"

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{5A635A91-C303-45C9-8DB9-F759D98A3B9D}\TypeLib]
                        @DACL=(02 0000)
                        @="{0729F461-8054-47DC-8D39-A31B61CC0119}"
                        "Version"="1.0"

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{67B3BECF-7B6F-42B2-99F0-F7656F89CFFA}\ProxyStubClsid]
                        @DACL=(02 0000)
                        @="{00020420-0000-0000-C000-000000000046}"

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{67B3BECF-7B6F-42B2-99F0-F7656F89CFFA}\ProxyStubClsid32]
                        @DACL=(02 0000)
                        @="{00020420-0000-0000-C000-000000000046}"

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{67B3BECF-7B6F-42B2-99F0-F7656F89CFFA}\TypeLib]
                        @DACL=(02 0000)
                        @="{C62A9E79-2B52-439B-AF57-2E60BB06E86C}"
                        "Version"="1.0"

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{715FFD42-4E05-4EAB-9513-C8DAA5395AE2}\ProxyStubClsid]
                        @DACL=(02 0000)
                        @="{00020424-0000-0000-C000-000000000046}"

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{715FFD42-4E05-4EAB-9513-C8DAA5395AE2}\ProxyStubClsid32]
                        @DACL=(02 0000)
                        @="{00020424-0000-0000-C000-000000000046}"

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{715FFD42-4E05-4EAB-9513-C8DAA5395AE2}\TypeLib]
                        @DACL=(02 0000)
                        @="{C62A9E79-2B52-439B-AF57-2E60BB06E86C}"
                        "Version"="1.0"

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{759D6F7C-8D30-45B6-ABEA-FA51C190EED5}\ProxyStubClsid]
                        @DACL=(02 0000)
                        @="{00020424-0000-0000-C000-000000000046}"

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{759D6F7C-8D30-45B6-ABEA-FA51C190EED5}\ProxyStubClsid32]
                        @DACL=(02 0000)
                        @="{00020424-0000-0000-C000-000000000046}"

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{759D6F7C-8D30-45B6-ABEA-FA51C190EED5}\TypeLib]
                        @DACL=(02 0000)
                        @="{C62A9E79-2B52-439B-AF57-2E60BB06E86C}"
                        "Version"="1.0"

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{7E335D04-2E6E-4D0E-A921-C3D9192E7121}\ProxyStubClsid]
                        @DACL=(02 0000)
                        @="{00020424-0000-0000-C000-000000000046}"

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{7E335D04-2E6E-4D0E-A921-C3D9192E7121}\ProxyStubClsid32]
                        @DACL=(02 0000)
                        @="{00020424-0000-0000-C000-000000000046}"

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{7E335D04-2E6E-4D0E-A921-C3D9192E7121}\TypeLib]
                        @DACL=(02 0000)
                        @="{0729F461-8054-47DC-8D39-A31B61CC0119}"
                        "Version"="1.0"

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{99CCFB8C-6380-4A14-8FDD-EF3E7E95335D}\ProxyStubClsid]
                        @DACL=(02 0000)
                        @="{00020424-0000-0000-C000-000000000046}"

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{99CCFB8C-6380-4A14-8FDD-EF3E7E95335D}\ProxyStubClsid32]
                        @DACL=(02 0000)
                        @="{00020424-0000-0000-C000-000000000046}"

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{99CCFB8C-6380-4A14-8FDD-EF3E7E95335D}\TypeLib]
                        @DACL=(02 0000)
                        @="{0729F461-8054-47DC-8D39-A31B61CC0119}"
                        "Version"="1.0"

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{9A4A64A4-A2FB-48FA-9BBA-1AC50267695D}\ProxyStubClsid]
                        @DACL=(02 0000)
                        @="{00020424-0000-0000-C000-000000000046}"

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{9A4A64A4-A2FB-48FA-9BBA-1AC50267695D}\ProxyStubClsid32]
                        @DACL=(02 0000)
                        @="{00020424-0000-0000-C000-000000000046}"

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{9A4A64A4-A2FB-48FA-9BBA-1AC50267695D}\TypeLib]
                        @DACL=(02 0000)
                        @="{C62A9E79-2B52-439B-AF57-2E60BB06E86C}"
                        "Version"="1.0"

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{B20D7ADD-989C-4BC0-A797-F6FE7998EFD7}\ProxyStubClsid]
                        @DACL=(02 0000)
                        @="{00020424-0000-0000-C000-000000000046}"

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{B20D7ADD-989C-4BC0-A797-F6FE7998EFD7}\ProxyStubClsid32]
                        @DACL=(02 0000)
                        @="{00020424-0000-0000-C000-000000000046}"

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{B20D7ADD-989C-4BC0-A797-F6FE7998EFD7}\TypeLib]
                        @DACL=(02 0000)
                        @="{0729F461-8054-47DC-8D39-A31B61CC0119}"
                        "Version"="1.0"

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{BFC20A15-B0AC-44CC-A25A-A7039014BA9F}\ProxyStubClsid]
                        @DACL=(02 0000)
                        @="{00020424-0000-0000-C000-000000000046}"

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{BFC20A15-B0AC-44CC-A25A-A7039014BA9F}\ProxyStubClsid32]
                        @DACL=(02 0000)
                        @="{00020424-0000-0000-C000-000000000046}"

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{BFC20A15-B0AC-44CC-A25A-A7039014BA9F}\TypeLib]
                        @DACL=(02 0000)
                        @="{0729F461-8054-47DC-8D39-A31B61CC0119}"
                        "Version"="1.0"

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{F019AEC4-4C95-46DE-A107-E302473E3B9A}\ProxyStubClsid]
                        @DACL=(02 0000)
                        @="{00020424-0000-0000-C000-000000000046}"

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{F019AEC4-4C95-46DE-A107-E302473E3B9A}\ProxyStubClsid32]
                        @DACL=(02 0000)
                        @="{00020424-0000-0000-C000-000000000046}"

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{F019AEC4-4C95-46DE-A107-E302473E3B9A}\TypeLib]
                        @DACL=(02 0000)
                        @="{0729F461-8054-47DC-8D39-A31B61CC0119}"
                        "Version"="1.0"

                        [HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{0729F461-8054-47DC-8D39-A31B61CC0119}\1.0]
                        @DACL=(02 0000)
                        @="HbCoreSrv 1.0 Type Library"

                        [HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{C62A9E79-2B52-439B-AF57-2E60BB06E86C}\1.0]
                        @DACL=(02 0000)
                        @="HbToolbar 1.0 Type Library"
                        .
                        --------------------- DLLs Loaded Under Running Processes ---------------------

                        - - - - - - - > 'winlogon.exe'(856)
                        c:\program files\SUPERAntiSpyware\SASWINLO.dll

                        - - - - - - - > 'explorer.exe'(3396)
                        c:\progra~1\WINDOW~2\wmpband.dll
                        c:\windows\system32\WPDShServiceObj.dll
                        c:\windows\system32\PortableDeviceTypes.dll
                        c:\windows\system32\PortableDeviceApi.dll
                        .
                        ------------------------ Other Running Processes ------------------------
                        .
                        c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
                        c:\program files\Avira\AntiVir Desktop\avguard.exe
                        c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
                        c:\program files\Belkin\Belkin Wireless Network Utility\WLService.exe
                        c:\program files\Bonjour\mDNSResponder.exe
                        c:\program files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
                        c:\program files\Java\jre6\bin\jqs.exe
                        c:\windows\system32\HPZipm12.exe
                        c:\program files\Analog Devices\SoundMAX\SMAgent.exe
                        c:\windows\system32\MsPMSPSv.exe
                        c:\program files\iPod\bin\iPodService.exe
                        c:\windows\system32\wscntfy.exe
                        .
                        **************************************************************************
                        .
                        Completion time: 2009-06-28 19:04 - machine was rebooted
                        ComboFix-quarantined-files.txt  2009-06-28 02:04

                        Pre-Run: 107,632,934,912 bytes free
                        Post-Run: 108,974,166,016 bytes free

                        WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
                        [boot loader]
                        timeout=2
                        default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
                        [operating systems]
                        c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
                        multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn


                        evilfantasy

                        • Malware Removal Specialist
                        • Moderator


                        • Genius
                        • Calm like a bomb
                        • Thanked: 493
                        • Experience: Experienced
                        • OS: Windows 11
                        Re: Double the fun!
                        « Reply #15 on: June 27, 2009, 08:11:23 PM »


                        Delete these files/folders, as follows:

                        1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
                        It must be Notepad, not Wordpad.
                        2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

                        Code:
                        KillAll::

                        Registry::
                        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
                        "3389:TCP"=-
                        "57086:TCP"=-
                        "57086:UDP"=-

                        RegLockDel::
                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{15FD8424-D12A-4C51-8C6C-D5D57B80F781}\ProxyStubClsid]

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{15FD8424-D12A-4C51-8C6C-D5D57B80F781}\ProxyStubClsid32]

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{15FD8424-D12A-4C51-8C6C-D5D57B80F781}\TypeLib]

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{40CA90F3-4098-4877-AE87-23EB612B18C7}\ProxyStubClsid]

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{40CA90F3-4098-4877-AE87-23EB612B18C7}\ProxyStubClsid32]

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{40CA90F3-4098-4877-AE87-23EB612B18C7}\TypeLib]

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{4C3B62AF-CA25-4FBA-8405-32E44F83BB6F}\ProxyStubClsid]

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{4C3B62AF-CA25-4FBA-8405-32E44F83BB6F}\ProxyStubClsid32]

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{4C3B62AF-CA25-4FBA-8405-32E44F83BB6F}\TypeLib]

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{5A635A91-C303-45C9-8DB9-F759D98A3B9D}\ProxyStubClsid]

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{5A635A91-C303-45C9-8DB9-F759D98A3B9D}\ProxyStubClsid32]

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{5A635A91-C303-45C9-8DB9-F759D98A3B9D}\TypeLib]

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{67B3BECF-7B6F-42B2-99F0-F7656F89CFFA}\ProxyStubClsid]

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{67B3BECF-7B6F-42B2-99F0-F7656F89CFFA}\ProxyStubClsid32]

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{67B3BECF-7B6F-42B2-99F0-F7656F89CFFA}\TypeLib]

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{715FFD42-4E05-4EAB-9513-C8DAA5395AE2}\ProxyStubClsid]

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{715FFD42-4E05-4EAB-9513-C8DAA5395AE2}\ProxyStubClsid32]

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{715FFD42-4E05-4EAB-9513-C8DAA5395AE2}\TypeLib]

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{759D6F7C-8D30-45B6-ABEA-FA51C190EED5}\ProxyStubClsid]

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{759D6F7C-8D30-45B6-ABEA-FA51C190EED5}\ProxyStubClsid32]

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{759D6F7C-8D30-45B6-ABEA-FA51C190EED5}\TypeLib]

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{7E335D04-2E6E-4D0E-A921-C3D9192E7121}\ProxyStubClsid]

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{7E335D04-2E6E-4D0E-A921-C3D9192E7121}\ProxyStubClsid32]

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{7E335D04-2E6E-4D0E-A921-C3D9192E7121}\TypeLib]

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{99CCFB8C-6380-4A14-8FDD-EF3E7E95335D}\ProxyStubClsid]

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{99CCFB8C-6380-4A14-8FDD-EF3E7E95335D}\ProxyStubClsid32]

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{99CCFB8C-6380-4A14-8FDD-EF3E7E95335D}\TypeLib]

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{9A4A64A4-A2FB-48FA-9BBA-1AC50267695D}\ProxyStubClsid]

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{9A4A64A4-A2FB-48FA-9BBA-1AC50267695D}\ProxyStubClsid32]

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{9A4A64A4-A2FB-48FA-9BBA-1AC50267695D}\TypeLib]

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{B20D7ADD-989C-4BC0-A797-F6FE7998EFD7}\ProxyStubClsid]

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{B20D7ADD-989C-4BC0-A797-F6FE7998EFD7}\ProxyStubClsid32]

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{B20D7ADD-989C-4BC0-A797-F6FE7998EFD7}\TypeLib]

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{BFC20A15-B0AC-44CC-A25A-A7039014BA9F}\ProxyStubClsid]

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{BFC20A15-B0AC-44CC-A25A-A7039014BA9F}\ProxyStubClsid32]

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{BFC20A15-B0AC-44CC-A25A-A7039014BA9F}\TypeLib]

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{F019AEC4-4C95-46DE-A107-E302473E3B9A}\ProxyStubClsid]

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{F019AEC4-4C95-46DE-A107-E302473E3B9A}\ProxyStubClsid32]

                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{F019AEC4-4C95-46DE-A107-E302473E3B9A}\TypeLib]

                        [HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{0729F461-8054-47DC-8D39-A31B61CC0119}\1.0]

                        [HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{C62A9E79-2B52-439B-AF57-2E60BB06E86C}\1.0]


                        3. Go to the Notepad window and click Edit > Paste
                        4. Then click File > Save
                        5. Name the file CFScript.txt - Save the file to your Desktop
                        6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



                        ComboFix will begin to execute, just follow the prompts.
                        After reboot (in case it asks to reboot), it will produce a log for you.
                        Post that log (Combofix.txt) in your next reply.

                        Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.
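A reviewer's cross-check for a CFScript like the one above, written here as an added example; it is not part of the thread and not ComboFix's own code. It parses the LOCKED REGISTRY KEYS block of a ComboFix log and the Registry:: / RegLockDel:: sections of a CFScript, then reports RegLockDel targets the log never listed (typos), locked keys the script leaves alone, keys whose values point into a reviewer-supplied directory list, and the values the Registry:: section removes. The sample log and script are constructed from entries in the thread, trimmed to two keys, with an all-zero GUID added as a deliberate typo; function names and the flagged-directory list are this example's assumptions.

```python
"""Cross-check a ComboFix CFScript against the ComboFix log it came from:
RegLockDel targets absent from the log's LOCKED REGISTRY KEYS block, locked
keys the script leaves alone, keys pointing into flagged paths, deletions."""
import re
from dataclasses import dataclass, field

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")              # [HKEY_...\...]
DEFAULT_RE = re.compile(r'^@="(?P<val>.*)"$')              # @="default value"
NAMED_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<val>.*)$')  # "Name"="v" or "Name"=-

@dataclass
class LockedKey:
    path: str
    default: str = ""
    values: dict = field(default_factory=dict)

def parse_locked_keys(log_text):
    """Keys under the LOCKED REGISTRY KEYS banner, indexed by lowercase path."""
    keys, current, in_section = {}, None, False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("---") and "LOCKED REGISTRY KEYS" in line:
            in_section = True
        elif not in_section:
            continue
        elif line.startswith("---") or line == ".":  # ComboFix closes the block with '.'
            break
        elif m := KEY_RE.match(line):
            current = LockedKey(path=m["key"])
            keys[current.path.lower()] = current
        elif current is not None and (m := DEFAULT_RE.match(line)):
            current.default = m["val"]
        elif current is not None and (m := NAMED_RE.match(line)):
            current.values[m["name"]] = m["val"].strip('"')  # @DACL lines fall through
    return keys

def parse_cfscript(script_text):
    """Split a CFScript into its 'Name::' sections, keeping non-blank lines."""
    sections, name = {}, None
    for line in (l.strip() for l in script_text.splitlines()):
        if line.endswith("::"):
            name = line[:-2]
            sections.setdefault(name, [])
        elif line and name is not None:
            sections[name].append(line)
    return sections

def registry_deletions(sections):
    """(key, value name) pairs the Registry:: section removes via the '"name"=-' form."""
    out, key = [], None
    for line in sections.get("Registry", []):
        if m := KEY_RE.match(line):
            key = m["key"]
        elif key and (m := NAMED_RE.match(line)) and m["val"] == "-":
            out.append((key, m["name"]))
    return out

def unescape_reg(value):
    """REGEDIT4 strings double every backslash; collapse and lowercase to compare."""
    return value.replace("\\\\", "\\").lower()

def review(script_text, log_text, flagged_dirs):
    locked = parse_locked_keys(log_text)
    sections = parse_cfscript(script_text)
    targets = [m["key"] for ln in sections.get("RegLockDel", []) if (m := KEY_RE.match(ln))]
    target_set = {t.lower() for t in targets}
    dirs = [d.lower() for d in flagged_dirs]
    return {
        "missing": [t for t in targets if t.lower() not in locked],
        "uncovered": [k.path for p, k in locked.items() if p not in target_set],
        "flagged": [k.path for k in locked.values()
                    if any(unescape_reg(v).startswith(d)
                           for v in [k.default, *k.values.values()] for d in dirs)],
        "deletions": registry_deletions(sections),
    }

# Constructed from entries in the thread's log, trimmed to two keys.
SAMPLE_LOG = r"""
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{0729F461-8054-47DC-8D39-A31B61CC0119}\1.0\0\win32]
@DACL=(02 0000)
@="c:\\Program Files\\Zango\\bin\\10.3.75.0\\CoreSrv.dll"

[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{C62A9E79-2B52-439B-AF57-2E60BB06E86C}\1.0]
@="HbToolbar 1.0 Type Library"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
"""

# Constructed CFScript in the thread's format; the all-zero GUID is a deliberate
# typo so the missing-target check has something to report.
SAMPLE_SCRIPT = r"""
KillAll::
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"=-
RegLockDel::
[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{0729F461-8054-47DC-8D39-A31B61CC0119}\1.0\0\win32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{00000000-0000-0000-0000-000000000000}\TypeLib]
"""
```

Running `review(SAMPLE_SCRIPT, SAMPLE_LOG, [r"c:\program files\zango"])` reports the typo key as missing, the HbToolbar TypeLib key as uncovered, the Zango CoreSrv key as flagged, and the 3389:TCP firewall entry as a deletion.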

                        GrimAbbott

                          Topic Starter


                          Rookie

                          • Experience: Beginner
                          • OS: Windows 7
                          Re: Double the fun!
                          « Reply #16 on: June 27, 2009, 09:02:38 PM »
                          As requested:

                          ComboFix 09-06-26.02 - Dad 06/27/2009 19:56.2 - NTFSx86
                          Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1007.572 [GMT -7:00]
                          Running from: c:\documents and settings\Dad\Desktop\ComboFix.exe
                          Command switches used :: c:\documents and settings\Dad\Desktop\CFScript.txt
                          AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
                          .

                          (((((((((((((((((((((((((   Files Created from 2009-05-28 to 2009-06-28  )))))))))))))))))))))))))))))))
                          .

                          2009-06-28 02:02 . 2009-06-28 02:02   --------   d-----w-   c:\windows\system32\dllcache\cache
                          2009-06-27 21:03 . 2009-06-27 21:03   --------   d--h--w-   c:\windows\PIF
                          2009-06-27 06:55 . 2009-06-27 06:55   --------   d-----w-   c:\documents and settings\Dad\Application Data\Malwarebytes
                          2009-06-27 06:50 . 2009-06-27 06:54   --------   d-----w-   c:\program files\SUPERAntiSpyware
                          2009-06-27 06:27 . 2009-06-27 18:06   117760   ----a-w-   c:\documents and settings\Dad\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
                          2009-06-27 06:27 . 2009-06-27 06:27   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
                          2009-06-27 06:20 . 2009-06-27 06:20   --------   d-----w-   c:\documents and settings\Dad\Application Data\SUPERAntiSpyware.com
                          2009-06-27 05:46 . 2009-06-27 05:46   --------   d-----w-   c:\program files\Trend Micro
                          2009-06-27 05:40 . 2009-06-27 05:39   410984   ----a-w-   c:\windows\system32\deploytk.dll
                          2009-06-26 07:45 . 2009-03-30 17:33   96104   ----a-w-   c:\windows\system32\drivers\avipbb.sys
                          2009-06-26 07:45 . 2009-03-24 23:08   55640   ----a-w-   c:\windows\system32\drivers\avgntflt.sys
                          2009-06-26 07:45 . 2009-02-13 19:29   22360   ----a-w-   c:\windows\system32\drivers\avgntmgr.sys
                          2009-06-26 07:45 . 2009-02-13 19:17   45416   ----a-w-   c:\windows\system32\drivers\avgntdd.sys
                          2009-06-26 07:44 . 2009-06-26 07:44   --------   d-----w-   c:\program files\Avira
                          2009-06-26 07:44 . 2009-06-26 07:44   --------   d-----w-   c:\documents and settings\All Users\Application Data\Avira
                          2009-06-26 07:36 . 2009-06-17 18:27   38160   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
                          2009-06-26 07:36 . 2009-06-26 07:36   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
                          2009-06-26 07:36 . 2009-06-17 18:27   19096   ----a-w-   c:\windows\system32\drivers\mbam.sys
                          2009-06-22 00:48 . 2009-06-22 00:48   --------   d-----w-   c:\program files\iPod
                          2009-06-22 00:48 . 2009-06-22 00:48   --------   d-----w-   c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
                          2009-06-22 00:46 . 2009-06-22 00:46   --------   d-----w-   c:\program files\Bonjour
                          2009-06-22 00:45 . 2009-06-22 00:45   --------   d-----w-   c:\program files\QuickTime
                          2009-06-22 00:43 . 2009-06-22 00:43   --------   d-----w-   c:\program files\Apple Software Update
                          2009-06-21 22:50 . 2009-06-21 22:50   --------   d-----w-   c:\documents and settings\Dad\Local Settings\Application Data\AOL
                          2009-06-05 20:57 . 2009-06-05 20:57   75048   ----a-w-   c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe

                          .
                          ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                          .
                          2009-06-27 23:55 . 2009-04-10 18:27   --------   d-----w-   c:\documents and settings\All Users\Application Data\Viewpoint
                          2009-06-27 06:49 . 2002-01-04 09:43   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
                          2009-06-27 05:39 . 2002-01-02 07:20   --------   d-----w-   c:\program files\Java
                          2009-06-27 04:41 . 2007-07-22 04:02   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
                          2009-06-26 06:04 . 2007-03-25 15:49   51936   ----a-w-   c:\documents and settings\Dad\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
                          2009-06-26 06:02 . 2002-01-02 07:21   --------   d-----w-   c:\program files\OpenOffice.org 2.2
                          2009-06-26 05:56 . 2003-07-31 11:52   --------   d--h--w-   c:\program files\InstallShield Installation Information
                          2009-06-26 05:52 . 2002-01-02 08:35   --------   d-----w-   c:\documents and settings\Dad\Application Data\OpenOffice.org2
                          2009-06-26 05:52 . 2008-10-08 06:27   --------   d-----w-   c:\documents and settings\Dad\Application Data\stickies
                          2009-06-26 05:20 . 2002-01-04 09:37   --------   d-----w-   c:\program files\Common Files\Panda Software
                          2009-06-26 05:12 . 2008-11-25 19:33   --------   d-----w-   c:\documents and settings\All Users\Application Data\Google Updater
                          2009-06-22 00:48 . 2008-09-15 04:37   --------   d-----w-   c:\program files\Common Files\Apple
                          2009-06-21 22:51 . 2009-04-10 18:24   --------   d-----w-   c:\program files\Common Files\AOL
                          2009-06-09 17:09 . 2007-09-17 05:02   --------   d-----w-   c:\documents and settings\Samuel.OAKTREE3\Application Data\OpenOffice.org2
                          2009-05-11 22:48 . 2009-05-11 22:20   34   ----a-w-   c:\documents and settings\Samuel.OAKTREE3\jagex_runescape_preferences.dat
                          2009-04-10 18:29 . 2009-04-10 18:29   1144808   ----a-w-   c:\documents and settings\All Users\Application Data\AOL Downloads\aimtunes\AIMTunes.exe
                          2008-01-15 18:50 . 2007-10-21 07:10   1004   --sha-w-   c:\windows\system32\KGyGaAvL.sys
                          .

                          (((((((((((((((((((((((((((((   SnapShot@2009-06-28_01.59.41   )))))))))))))))))))))))))))))))))))))))))
                          .
                          + 2009-06-28 03:02 . 2009-06-28 03:02   16384              c:\windows\temp\Perflib_Perfdata_294.dat
                          + 2009-06-28 02:02 . 2008-10-16 22:09   51224              c:\windows\system32\dllcache\cache\wuauclt.exe
                          + 2009-06-28 02:02 . 2004-08-04 07:56   82944              c:\windows\system32\dllcache\cache\ws2_32.dll
                          + 2009-06-28 02:02 . 2004-08-04 07:56   24576              c:\windows\system32\dllcache\cache\userinit.exe
                          + 2009-06-28 02:02 . 2004-08-04 07:56   14336              c:\windows\system32\dllcache\cache\svchost.exe
                          + 2009-06-28 02:02 . 2005-06-10 23:53   57856              c:\windows\system32\dllcache\cache\spoolsv.exe
                          + 2009-06-28 02:02 . 2004-08-04 07:56   17408              c:\windows\system32\dllcache\cache\powrprof.dll
                          + 2009-06-28 02:02 . 2004-08-04 07:56   13312              c:\windows\system32\dllcache\cache\lsass.exe
                          + 2009-06-28 02:02 . 2004-08-04 05:58   24576              c:\windows\system32\dllcache\cache\kbdclass.sys
                          + 2009-06-28 02:02 . 2004-08-04 06:00   29056              c:\windows\system32\dllcache\cache\ip6fw.sys
                          + 2009-06-28 02:02 . 2004-08-04 07:56   15360              c:\windows\system32\dllcache\cache\ctfmon.exe
                          + 2009-06-28 02:02 . 2004-08-04 07:56   502272              c:\windows\system32\dllcache\cache\winlogon.exe
                          + 2009-06-28 02:02 . 2008-10-16 10:37   659456              c:\windows\system32\dllcache\cache\wininet.dll
                          + 2009-06-28 02:02 . 2007-03-08 15:36   577536              c:\windows\system32\dllcache\cache\user32.dll
                          + 2009-06-28 02:02 . 2004-08-04 07:56   295424              c:\windows\system32\dllcache\cache\termsrv.dll
                          + 2009-06-28 02:02 . 2008-06-20 10:45   360320              c:\windows\system32\dllcache\cache\tcpip.sys
                          + 2009-06-28 02:02 . 2004-08-04 07:56   108032              c:\windows\system32\dllcache\cache\services.exe
                          + 2009-06-28 02:02 . 2004-08-04 06:14   182912              c:\windows\system32\dllcache\cache\ndis.sys
                          + 2009-06-28 02:02 . 2007-04-16 15:52   984576              c:\windows\system32\dllcache\cache\kernel32.dll
                          + 2009-06-28 02:02 . 2004-08-04 07:56   110080              c:\windows\system32\dllcache\cache\imm32.dll
                          + 2009-06-28 02:02 . 2004-08-04 07:56   167936              c:\windows\system32\dllcache\cache\appmgmts.dll
                          + 2009-06-28 02:02 . 2004-08-04 07:56   1580544              c:\windows\system32\dllcache\cache\sfcfiles.dll
                          + 2009-06-28 02:02 . 2008-08-14 09:58   2136064              c:\windows\system32\dllcache\cache\ntoskrnl.exe
                          + 2009-06-28 02:02 . 2008-08-14 09:22   2015744              c:\windows\system32\dllcache\cache\ntkrnlpa.exe
                          + 2009-06-28 02:02 . 2007-06-13 10:23   1033216              c:\windows\system32\dllcache\cache\explorer.exe
                          .
                          (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                          .
                          .
                          *Note* empty entries & legit default entries are not shown
                          REGEDIT4

                          [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
                          2009-04-21 00:18   1883672   ----a-w-   c:\program files\Freecorder\tbFre1.dll

                          [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                          "Sony Ericsson PC Suite"="e:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2008-06-19 393216]

                          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                          "SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 1388544]
                          "Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
                          "AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2003-09-19 684032]
                          "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
                          "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
                          "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
                          "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
                          "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
                          "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-27 148888]
                          "AAWTray"="c:\program files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 88024]
                          "googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
                          "MBM 5"="c:\program files\Motherboard Monitor 5\MBM5.EXE" [2004-06-12 594944]
                          "Adobe Reader Speed Launcher"="e:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
                          "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]
                          "iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
                          "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

                          [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
                          "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

                          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
                          2008-12-22 19:05   356352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

                          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
                          @="Service"

                          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
                          @="Driver"

                          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                          "%windir%\\system32\\sessmgr.exe"=
                          "c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
                          "c:\\Documents and Settings\\Samuel.OAKTREE3\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
                          "c:\\Documents and Settings\\Samuel.OAKTREE3\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
                          "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
                          "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
                          "e:\\Program Files\\iTunes\\iTunes.exe"=
                          "e:\\Program Files\\Stickies\\stickies.exe"=

                          R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
                          R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/26/2009 12:45 AM 108289]
                          S1 Multicam;MultiCam for Picolo;c:\windows\system32\Drivers\multicam.sys --> c:\windows\system32\Drivers\multicam.sys [?]
                          S1 SASKUTIL;SASKUTIL;\??\e:\program files\SUPERAntiSpyware\SASKUTIL.sys --> e:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
                          S3 AtomSync;AtomSync;e:\program files\AtomSync\service.exe [9/23/2008 10:34 PM 159744]
                          S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [5/20/2008 10:47 PM 13224]
                          S3 SASENUM;SASENUM;\??\e:\program files\SUPERAntiSpyware\SASENUM.SYS --> e:\program files\SUPERAntiSpyware\SASENUM.SYS [?]
                          .
                          Contents of the 'Scheduled Tasks' folder

                          2009-06-22 c:\windows\Tasks\AppleSoftwareUpdate.job
                          - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

                          2009-06-28 c:\windows\Tasks\Google Software Updater.job
                          - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-02 01:16]

                          2009-06-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4265909289-2111342016-2801439982-1016.job
                          - c:\documents and settings\Samuel.OAKTREE3\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-18 07:05]
                          .
                          .
                          ------- Supplementary Scan -------
                          .
                          uStart Page = hxxp://www.gbcph.org/
                          uDefault_Search_URL = hxxp://www.google.com/ie
                          uInternet Settings,ProxyOverride = *.local
                          uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
                          DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
                          DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
                          FF - ProfilePath - c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\b9k9d87q.default\
                          FF - prefs.js: browser.startup.homepage - www.gbcph.org
                          FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
                          FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
                          FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
                          FF - plugin: e:\program files\Adobe\Reader 8.0\Reader\browser\nppdf32.dll
                          FF - plugin: e:\program files\iTunes\Mozilla Plugins\npitunes.dll
                          FF - plugin: e:\program files\Mozilla Firefox\plugins\npmusicn.dll
                          FF - plugin: e:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
                          FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
                          FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
                          FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
                          FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
                          FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
                          .

                          **************************************************************************

                          catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                          Rootkit scan 2009-06-27 20:03
                          Windows 5.1.2600 Service Pack 2 NTFS

                          scanning hidden processes ... 

                          scanning hidden autostart entries ...

                          scanning hidden files ... 

                          scan completed successfully
                          hidden files: 0

                          **************************************************************************
                          .
                          --------------------- LOCKED REGISTRY KEYS ---------------------

                          [HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{0729F461-8054-47DC-8D39-A31B61CC0119}\1.0\0\win32]
                          @DACL=(02 0000)
                          @="c:\\Program Files\\Zango\\bin\\10.3.75.0\\CoreSrv.dll"

                          [HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{C62A9E79-2B52-439B-AF57-2E60BB06E86C}\1.0\0\win32]
                          @DACL=(02 0000)
                          @="c:\\Program Files\\Zango\\bin\\10.3.75.0\\Toolbar.dll"
                          .
                          --------------------- DLLs Loaded Under Running Processes ---------------------

                          - - - - - - - > 'winlogon.exe'(856)
                          c:\program files\SUPERAntiSpyware\SASWINLO.dll

                          - - - - - - - > 'explorer.exe'(1440)
                          c:\progra~1\WINDOW~2\wmpband.dll
                          c:\windows\system32\WPDShServiceObj.dll
                          c:\windows\system32\PortableDeviceTypes.dll
                          c:\windows\system32\PortableDeviceApi.dll
                          .
                          ------------------------ Other Running Processes ------------------------
                          .
                          c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
                          c:\program files\Avira\AntiVir Desktop\avguard.exe
                          c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
                          c:\program files\Belkin\Belkin Wireless Network Utility\WLService.exe
                          c:\program files\Bonjour\mDNSResponder.exe
                          c:\program files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
                          c:\program files\Java\jre6\bin\jqs.exe
                          c:\windows\system32\HPZipm12.exe
                          c:\program files\Analog Devices\SoundMAX\SMAgent.exe
                          c:\windows\system32\MsPMSPSv.exe
                          c:\program files\iPod\bin\iPodService.exe
                          .
                          **************************************************************************
                          .
                          Completion time: 2009-06-28 20:08 - machine was rebooted
                          ComboFix-quarantined-files.txt  2009-06-28 03:08
                          ComboFix2.txt  2009-06-28 02:04

                          Pre-Run: 108,959,559,680 bytes free
                          Post-Run: 108,944,457,728 bytes free


                          evilfantasy

                          • Malware Removal Specialist
                          • Moderator


                          • Genius
                          • Calm like a bomb
                          • Thanked: 493
                          • Experience: Experienced
                          • OS: Windows 11
                          Re: Double the fun!
                          « Reply #17 on: June 27, 2009, 10:47:20 PM »

                          Delete these files/folders, as follows:

                          1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
                          It must be Notepad, not Wordpad.
                          2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

                          Code:
                          KillAll::

                          Folder::
                          c:\Program Files\Zango

                          RegLockDel::
                          [HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{0729F461-8054-47DC-8D39-A31B61CC0119}\1.0\0\win32]

                          [HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{C62A9E79-2B52-439B-AF57-2E60BB06E86C}\1.0\0\win32]

                          3. Go to the Notepad window and click Edit > Paste
                          4. Then click File > Save
                          5. Name the file CFScript.txt - Save the file to your Desktop
                          6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



                          ComboFix will begin to execute, just follow the prompts.
                          After reboot (in case it asks to reboot), it will produce a log for you.
                          Post that log (Combofix.txt) in your next reply.

                          Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.
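The two RegLockDel entries in the CFScript above are exactly the locked keys from the LOCKED REGISTRY KEYS section of the ComboFix log posted earlier whose default value points into c:\Program Files\Zango. The following Python is an added example, not code from the thread or from ComboFix: it parses that section out of a constructed copy of the log and generates the same Folder::/RegLockDel:: script for any folder the operator has already judged unwanted (the third locked key in the sample is constructed to show that keys pointing elsewhere are left alone).

```python
"""Build a ComboFix CFScript from the LOCKED REGISTRY KEYS section of a log.

Added example (not part of the forum thread or of ComboFix). ComboFix lists
locked keys in REGEDIT style:

    [HKEY_LOCAL_MACHINE\\software\\Classes\\TypeLib\\{GUID}\\1.0\\0\\win32]
    @DACL=(02 0000)
    @="c:\\\\Program Files\\\\Zango\\\\bin\\\\10.3.75.0\\\\CoreSrv.dll"

Deciding that a folder is unwanted is the operator's judgement; the code only
selects the locked keys whose default value lives under such a folder.
"""
import re
from typing import Dict, List

SECTION_RE = re.compile(r"^-{3,}\s*(.+?)\s*-{3,}\s*$")   # '----- NAME -----' header
KEY_RE = re.compile(r"^\[(.+)\]$")                        # [HKEY_...]
DEFAULT_RE = re.compile(r'^@="(.*)"$')                    # @="value"

# Constructed sample: the two Zango keys from the thread plus one made-up
# key (placeholder GUID and path) that should NOT be selected.
SAMPLE_LOG = r"""
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{0729F461-8054-47DC-8D39-A31B61CC0119}\1.0\0\win32]
@DACL=(02 0000)
@="c:\\Program Files\\Zango\\bin\\10.3.75.0\\CoreSrv.dll"

[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{C62A9E79-2B52-439B-AF57-2E60BB06E86C}\1.0\0\win32]
@DACL=(02 0000)
@="c:\\Program Files\\Zango\\bin\\10.3.75.0\\Toolbar.dll"

[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{EXAMPLE0-0000-0000-0000-CONSTRUCTED0}\1.0\0\win32]
@DACL=(02 0000)
@="c:\\Program Files\\Example Vendor\\legit.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
"""


def parse_locked_keys(log_text: str) -> Dict[str, str]:
    """Return {registry key: default value} for the LOCKED REGISTRY KEYS section.

    Reads only the lines between that header and the next header or the '.'
    line ComboFix uses to close a section. REGEDIT doubles backslashes in
    values, so they are unescaped here. @DACL lines are ignored.
    """
    keys: Dict[str, str] = {}
    in_section = False
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            in_section = header.group(1).upper() == "LOCKED REGISTRY KEYS"
            current = None
            continue
        if not in_section:
            continue
        if line == ".":            # ComboFix section terminator
            in_section = False
            continue
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            keys[current] = ""
            continue
        value = DEFAULT_RE.match(line)
        if value and current:
            keys[current] = value.group(1).replace("\\\\", "\\")
    return keys


def keys_pointing_into(keys: Dict[str, str], folder: str) -> List[str]:
    """Locked keys whose default value is a file under `folder` (case-insensitive)."""
    prefix = folder.rstrip("\\").lower() + "\\"
    return [k for k, v in keys.items() if v.lower().startswith(prefix)]


def build_cfscript(folders: List[str], reg_keys: List[str]) -> str:
    """Render the script in the layout used in the thread: KillAll::, Folder::, RegLockDel::."""
    parts = ["KillAll::", ""]
    if folders:
        parts.append("Folder::")
        parts.extend(folders)
        parts.append("")
    if reg_keys:
        parts.append("RegLockDel::")
        for k in reg_keys:
            parts.extend([f"[{k}]", ""])
    return "\n".join(parts).rstrip("\n") + "\n"


def cfscript_for_log(log_text: str, unwanted_folders: List[str]) -> str:
    """Select locked keys that point into the unwanted folders and script their removal."""
    keys = parse_locked_keys(log_text)
    chosen: List[str] = []
    for folder in unwanted_folders:
        chosen.extend(keys_pointing_into(keys, folder))
    return build_cfscript(unwanted_folders, chosen)


if __name__ == "__main__":
    print(cfscript_for_log(SAMPLE_LOG, [r"c:\Program Files\Zango"]))
```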

                          GrimAbbott

                            Topic Starter


                            Rookie

                            • Experience: Beginner
                            • OS: Windows 7
                            Re: Double the fun!
                            « Reply #18 on: June 27, 2009, 11:50:47 PM »
                            ComboFix 09-06-26.02 - Dad 06/27/2009 22:42.3 - NTFSx86
                            Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1007.579 [GMT -7:00]
                            Running from: c:\documents and settings\Dad\Desktop\ComboFix.exe
                            Command switches used :: c:\documents and settings\Dad\Desktop\cfscript.txt
                            AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
                            .

                            (((((((((((((((((((((((((   Files Created from 2009-05-28 to 2009-06-28  )))))))))))))))))))))))))))))))
                            .

                            2009-06-28 02:02 . 2009-06-28 02:02   --------   d-----w-   c:\windows\system32\dllcache\cache
                            2009-06-27 21:03 . 2009-06-27 21:03   --------   d--h--w-   c:\windows\PIF
                            2009-06-27 06:55 . 2009-06-27 06:55   --------   d-----w-   c:\documents and settings\Dad\Application Data\Malwarebytes
                            2009-06-27 06:50 . 2009-06-27 06:54   --------   d-----w-   c:\program files\SUPERAntiSpyware
                            2009-06-27 06:27 . 2009-06-27 18:06   117760   ----a-w-   c:\documents and settings\Dad\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
                            2009-06-27 06:27 . 2009-06-27 06:27   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
                            2009-06-27 06:20 . 2009-06-27 06:20   --------   d-----w-   c:\documents and settings\Dad\Application Data\SUPERAntiSpyware.com
                            2009-06-27 05:46 . 2009-06-27 05:46   --------   d-----w-   c:\program files\Trend Micro
                            2009-06-27 05:40 . 2009-06-27 05:39   410984   ----a-w-   c:\windows\system32\deploytk.dll
                            2009-06-26 07:45 . 2009-03-30 17:33   96104   ----a-w-   c:\windows\system32\drivers\avipbb.sys
                            2009-06-26 07:45 . 2009-03-24 23:08   55640   ----a-w-   c:\windows\system32\drivers\avgntflt.sys
                            2009-06-26 07:45 . 2009-02-13 19:29   22360   ----a-w-   c:\windows\system32\drivers\avgntmgr.sys
                            2009-06-26 07:45 . 2009-02-13 19:17   45416   ----a-w-   c:\windows\system32\drivers\avgntdd.sys
                            2009-06-26 07:44 . 2009-06-26 07:44   --------   d-----w-   c:\program files\Avira
                            2009-06-26 07:44 . 2009-06-26 07:44   --------   d-----w-   c:\documents and settings\All Users\Application Data\Avira
                            2009-06-26 07:36 . 2009-06-17 18:27   38160   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
                            2009-06-26 07:36 . 2009-06-26 07:36   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
                            2009-06-26 07:36 . 2009-06-17 18:27   19096   ----a-w-   c:\windows\system32\drivers\mbam.sys
                            2009-06-22 00:48 . 2009-06-22 00:48   --------   d-----w-   c:\program files\iPod
                            2009-06-22 00:48 . 2009-06-22 00:48   --------   d-----w-   c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
                            2009-06-22 00:46 . 2009-06-22 00:46   --------   d-----w-   c:\program files\Bonjour
                            2009-06-22 00:45 . 2009-06-22 00:45   --------   d-----w-   c:\program files\QuickTime
                            2009-06-22 00:43 . 2009-06-22 00:43   --------   d-----w-   c:\program files\Apple Software Update
                            2009-06-21 22:50 . 2009-06-21 22:50   --------   d-----w-   c:\documents and settings\Dad\Local Settings\Application Data\AOL
                            2009-06-05 20:57 . 2009-06-05 20:57   75048   ----a-w-   c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe

                            .
                            ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                            .
                            2009-06-27 23:55 . 2009-04-10 18:27   --------   d-----w-   c:\documents and settings\All Users\Application Data\Viewpoint
                            2009-06-27 06:49 . 2002-01-04 09:43   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
                            2009-06-27 05:39 . 2002-01-02 07:20   --------   d-----w-   c:\program files\Java
                            2009-06-27 04:41 . 2007-07-22 04:02   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
                            2009-06-26 06:04 . 2007-03-25 15:49   51936   ----a-w-   c:\documents and settings\Dad\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
                            2009-06-26 06:02 . 2002-01-02 07:21   --------   d-----w-   c:\program files\OpenOffice.org 2.2
                            2009-06-26 05:56 . 2003-07-31 11:52   --------   d--h--w-   c:\program files\InstallShield Installation Information
                            2009-06-26 05:52 . 2002-01-02 08:35   --------   d-----w-   c:\documents and settings\Dad\Application Data\OpenOffice.org2
                            2009-06-26 05:52 . 2008-10-08 06:27   --------   d-----w-   c:\documents and settings\Dad\Application Data\stickies
                            2009-06-26 05:20 . 2002-01-04 09:37   --------   d-----w-   c:\program files\Common Files\Panda Software
                            2009-06-26 05:12 . 2008-11-25 19:33   --------   d-----w-   c:\documents and settings\All Users\Application Data\Google Updater
                            2009-06-22 00:48 . 2008-09-15 04:37   --------   d-----w-   c:\program files\Common Files\Apple
                            2009-06-21 22:51 . 2009-04-10 18:24   --------   d-----w-   c:\program files\Common Files\AOL
                            2009-06-09 17:09 . 2007-09-17 05:02   --------   d-----w-   c:\documents and settings\Samuel.OAKTREE3\Application Data\OpenOffice.org2
                            2009-05-11 22:48 . 2009-05-11 22:20   34   ----a-w-   c:\documents and settings\Samuel.OAKTREE3\jagex_runescape_preferences.dat
                            2009-04-10 18:29 . 2009-04-10 18:29   1144808   ----a-w-   c:\documents and settings\All Users\Application Data\AOL Downloads\aimtunes\AIMTunes.exe
                            2008-01-15 18:50 . 2007-10-21 07:10   1004   --sha-w-   c:\windows\system32\KGyGaAvL.sys
                            .

                            (((((((((((((((((((((((((((((   SnapShot@2009-06-28_01.59.41   )))))))))))))))))))))))))))))))))))))))))
                            .
                            + 2009-06-28 05:48 . 2009-06-28 05:48   16384              c:\windows\temp\Perflib_Perfdata_244.dat
                            + 2009-06-28 02:02 . 2008-10-16 22:09   51224              c:\windows\system32\dllcache\cache\wuauclt.exe
                            + 2009-06-28 02:02 . 2004-08-04 07:56   82944              c:\windows\system32\dllcache\cache\ws2_32.dll
                            + 2009-06-28 02:02 . 2004-08-04 07:56   24576              c:\windows\system32\dllcache\cache\userinit.exe
                            + 2009-06-28 02:02 . 2004-08-04 07:56   14336              c:\windows\system32\dllcache\cache\svchost.exe
                            + 2009-06-28 02:02 . 2005-06-10 23:53   57856              c:\windows\system32\dllcache\cache\spoolsv.exe
                            + 2009-06-28 02:02 . 2004-08-04 07:56   17408              c:\windows\system32\dllcache\cache\powrprof.dll
                            + 2009-06-28 02:02 . 2004-08-04 07:56   13312              c:\windows\system32\dllcache\cache\lsass.exe
                            + 2009-06-28 02:02 . 2004-08-04 05:58   24576              c:\windows\system32\dllcache\cache\kbdclass.sys
                            + 2009-06-28 02:02 . 2004-08-04 06:00   29056              c:\windows\system32\dllcache\cache\ip6fw.sys
                            + 2009-06-28 02:02 . 2004-08-04 07:56   15360              c:\windows\system32\dllcache\cache\ctfmon.exe
                            + 2009-06-28 02:02 . 2004-08-04 07:56   502272              c:\windows\system32\dllcache\cache\winlogon.exe
                            + 2009-06-28 02:02 . 2008-10-16 10:37   659456              c:\windows\system32\dllcache\cache\wininet.dll
                            + 2009-06-28 02:02 . 2007-03-08 15:36   577536              c:\windows\system32\dllcache\cache\user32.dll
                            + 2009-06-28 02:02 . 2004-08-04 07:56   295424              c:\windows\system32\dllcache\cache\termsrv.dll
                            + 2009-06-28 02:02 . 2008-06-20 10:45   360320              c:\windows\system32\dllcache\cache\tcpip.sys
                            + 2009-06-28 02:02 . 2004-08-04 07:56   108032              c:\windows\system32\dllcache\cache\services.exe
                            + 2009-06-28 02:02 . 2004-08-04 06:14   182912              c:\windows\system32\dllcache\cache\ndis.sys
                            + 2009-06-28 02:02 . 2007-04-16 15:52   984576              c:\windows\system32\dllcache\cache\kernel32.dll
                            + 2009-06-28 02:02 . 2004-08-04 07:56   110080              c:\windows\system32\dllcache\cache\imm32.dll
                            + 2009-06-28 02:02 . 2004-08-04 07:56   167936              c:\windows\system32\dllcache\cache\appmgmts.dll
                            + 2009-06-28 02:02 . 2004-08-04 07:56   1580544              c:\windows\system32\dllcache\cache\sfcfiles.dll
                            + 2009-06-28 02:02 . 2008-08-14 09:58   2136064              c:\windows\system32\dllcache\cache\ntoskrnl.exe
                            + 2009-06-28 02:02 . 2008-08-14 09:22   2015744              c:\windows\system32\dllcache\cache\ntkrnlpa.exe
                            + 2009-06-28 02:02 . 2007-06-13 10:23   1033216              c:\windows\system32\dllcache\cache\explorer.exe
                            .
                            (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                            .
                            .
                            *Note* empty entries & legit default entries are not shown
                            REGEDIT4

                            [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
                            2009-04-21 00:18   1883672   ----a-w-   c:\program files\Freecorder\tbFre1.dll

                            [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                            "Sony Ericsson PC Suite"="e:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2008-06-19 393216]

                            [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                            "SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 1388544]
                            "Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
                            "AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2003-09-19 684032]
                            "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
                            "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
                            "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
                            "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
                            "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
                            "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-27 148888]
                            "AAWTray"="c:\program files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 88024]
                            "googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
                            "MBM 5"="c:\program files\Motherboard Monitor 5\MBM5.EXE" [2004-06-12 594944]
                            "Adobe Reader Speed Launcher"="e:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
                            "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]
                            "iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
                            "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

                            [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
                            "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

                            [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
                            2008-12-22 19:05   356352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

                            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
                            @="Service"

                            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
                            @="Driver"

                            [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                            "%windir%\\system32\\sessmgr.exe"=
                            "c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
                            "c:\\Documents and Settings\\Samuel.OAKTREE3\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
                            "c:\\Documents and Settings\\Samuel.OAKTREE3\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
                            "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
                            "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
                            "e:\\Program Files\\iTunes\\iTunes.exe"=
                            "e:\\Program Files\\Stickies\\stickies.exe"=

                            R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
                            R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/26/2009 12:45 AM 108289]
                            S1 Multicam;MultiCam for Picolo;c:\windows\system32\Drivers\multicam.sys --> c:\windows\system32\Drivers\multicam.sys [?]
                            S1 SASKUTIL;SASKUTIL;\??\e:\program files\SUPERAntiSpyware\SASKUTIL.sys --> e:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
                            S3 AtomSync;AtomSync;e:\program files\AtomSync\service.exe [9/23/2008 10:34 PM 159744]
                            S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [5/20/2008 10:47 PM 13224]
                            S3 SASENUM;SASENUM;\??\e:\program files\SUPERAntiSpyware\SASENUM.SYS --> e:\program files\SUPERAntiSpyware\SASENUM.SYS [?]
                            .
                            Contents of the 'Scheduled Tasks' folder

                            2009-06-22 c:\windows\Tasks\AppleSoftwareUpdate.job
                            - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

                            2009-06-28 c:\windows\Tasks\Google Software Updater.job
                            - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-02 01:16]

                            2009-06-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4265909289-2111342016-2801439982-1016.job
                            - c:\documents and settings\Samuel.OAKTREE3\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-18 07:05]
                            .
                            .
                            ------- Supplementary Scan -------
                            .
                            uStart Page = hxxp://www.gbcph.org/
                            uDefault_Search_URL = hxxp://www.google.com/ie
                            uInternet Settings,ProxyOverride = *.local
                            uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
                            DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
                            DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
                            FF - ProfilePath - c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\b9k9d87q.default\
                            FF - prefs.js: browser.startup.homepage - www.gbcph.org
                            FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
                            FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
                            FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
                            FF - plugin: e:\program files\Adobe\Reader 8.0\Reader\browser\nppdf32.dll
                            FF - plugin: e:\program files\iTunes\Mozilla Plugins\npitunes.dll
                            FF - plugin: e:\program files\Mozilla Firefox\plugins\npmusicn.dll
                            FF - plugin: e:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
                            FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
                            FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
                            FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
                            FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
                            FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
                            .

                            **************************************************************************

                            catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                            Rootkit scan 2009-06-27 22:51
                            Windows 5.1.2600 Service Pack 2 NTFS

                            scanning hidden processes ... 

                            scanning hidden autostart entries ...

                            scanning hidden files ... 

                            scan completed successfully
                            hidden files: 0

                            **************************************************************************
                            .
                            --------------------- DLLs Loaded Under Running Processes ---------------------

                            - - - - - - - > 'winlogon.exe'(860)
                            c:\program files\SUPERAntiSpyware\SASWINLO.dll

                            - - - - - - - > 'explorer.exe'(1456)
                            c:\progra~1\WINDOW~2\wmpband.dll
                            c:\windows\system32\WPDShServiceObj.dll
                            c:\windows\system32\PortableDeviceTypes.dll
                            c:\windows\system32\PortableDeviceApi.dll
                            .
                            ------------------------ Other Running Processes ------------------------
                            .
                            c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
                            c:\program files\Avira\AntiVir Desktop\avguard.exe
                            c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
                            c:\program files\Belkin\Belkin Wireless Network Utility\WLService.exe
                            c:\program files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
                            c:\program files\Bonjour\mDNSResponder.exe
                            c:\program files\Java\jre6\bin\jqs.exe
                            c:\windows\system32\HPZipm12.exe
                            c:\program files\Analog Devices\SoundMAX\SMAgent.exe
                            c:\windows\system32\MsPMSPSv.exe
                            c:\program files\iPod\bin\iPodService.exe
                            .
                            **************************************************************************
                            .
                            Completion time: 2009-06-28 22:56 - machine was rebooted
                            ComboFix-quarantined-files.txt  2009-06-28 05:56
                            ComboFix2.txt  2009-06-28 03:08
                            ComboFix3.txt  2009-06-28 02:04

                            Pre-Run: 108,956,647,424 bytes free
                            Post-Run: 108,939,886,592 bytes free


                            evilfantasy

                            • Malware Removal Specialist
                            • Moderator


                            • Genius
                            • Calm like a bomb
                            • Thanked: 493
                            • Experience: Experienced
                            • OS: Windows 11
                            Re: Double the fun!
                            « Reply #19 on: June 28, 2009, 09:50:56 AM »
                              OK, I think we finally got all of that.

                              • Click START then RUN
                              • Now type Combofix /u in the runbox
                              • Make sure there's a space between Combofix and /u
                              • Then hit Enter.

                              The above procedure will:
                              • Delete ComboFix and its associated files and folders.
                              • Reset the clock settings.
                              • Hide file extensions, if required.
                              • Hide System/Hidden files, if required.
                              • Set a new, clean Restore Point.

                              ----------

                            Clean out your temporary internet files and temp files.

                            Download TFC by OldTimer to your desktop.

                            Double-click TFC.exe to run it.

                            Note: If you are running on Vista, right-click on the file and choose Run As Administrator.

                            TFC will close all programs when run, so make sure you have saved all your work before you begin.

                            * Click the Start button to begin the cleaning process.
                            * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
                            * Please let TFC run uninterrupted until it is finished.

                            Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

                            ----------

                            Use the ESET Online Antivirus Scanner

                            This scanner requires Internet Explorer.

                            1. Check the box next to YES, I accept the Terms of Use.
                            2. Click Start
                            3. When asked, allow the ActiveX control to install
                            4. Click Start
                            5. Make sure that the option Remove found threats and the option Scan unwanted applications are checked.
                            6. Click Scan
                            7. Wait for the scan to finish
                            8. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
                            9. Add the C:\Program Files\EsetOnlineScanner\log.txt log into your next reply.

                            GrimAbbott

                              Topic Starter


                              Rookie

                              • Experience: Beginner
                              • OS: Windows 7
                              Re: Double the fun!
                              « Reply #20 on: June 29, 2009, 03:48:43 AM »
                              ESETSmartInstaller@High as CAB hook log:
                              OnlineScanner.ocx - delete file error:The process cannot access the file because it is being used by another process.

                              OnlineScanner.ocx - copy file error :The process cannot access the file because it is being used by another process.

                              OnlineScanner.ocx - registred OK
                              # version=6
                              # iexplore.exe=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
                              # OnlineScanner.ocx=1.0.0.5863
                              # api_version=3.0.2
                              # EOSSerial=f8635a3504fa9c4583e41c03195de3f1
                              # end=finished
                              # remove_checked=true
                              # archives_checked=false
                              # unwanted_checked=true
                              # unsafe_checked=false
                              # antistealth_checked=true
                              # utc_time=2009-06-29 09:53:45
                              # local_time=2009-06-29 02:53:45 (-0800, Pacific Daylight Time)
                              # country="United States"
                              # lang=1033
                              # osver=5.1.2600 NT Service Pack 2
                              # compatibility_mode=1797 21 100 100 76642968750
                              # scanned=46189
                              # found=0
                              # cleaned=0
                              # scan_time=1490

                              evilfantasy

                              • Malware Removal Specialist
                              • Moderator


                              • Genius
                              • Calm like a bomb
                              • Thanked: 493
                              • Experience: Experienced
                              • OS: Windows 11
                              Re: Double the fun!
                              « Reply #21 on: June 29, 2009, 11:30:35 AM »
                              Looks good. Is the computer running OK now?

                              Use the Secunia Software Inspector to check for out of date software.
                              • Click Start Now
                              • Check the box next to Enable thorough system inspection.
                              • Click Start
                              • Allow the scan to finish and scroll down to see if any updates are needed.
                              • Update anything listed.
                              ----------

                              Go to Microsoft Windows Update and get all critical updates.

                              ----------

                              I suggest using WOT - Web of Trust. WOT is a free Internet security add-on for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

                              SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
                              * Using SpywareBlaster to protect your computer from Spyware and Malware
                              * If you don't know what ActiveX controls are, see here

                              Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

                              Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.


                              GrimAbbott

                                Topic Starter


                                Rookie

                                • Experience: Beginner
                                • OS: Windows 7
                                Re: Double the fun!
                                « Reply #22 on: June 30, 2009, 10:34:27 PM »
                                Ahhh...much better!

                                My thanks to all of the CH players who invested time in helping me resolve this problem. This has been a long but rewarding and educational process. Thanks also for the final "tools" recommendations to help safeguard my future computing experiences.

                                Kudos to the team!

                                (Now it's time to run off to the XP thread and see how my other machine is doing!)