TechSpot

2 x iexplore.exe Always Running & Re-Opening After Cleanup

By pspsales
Jun 8, 2011
  1. Ran Virus/Registry Scans With:
    CCleaner
    AVG Free Edition
    SUPERAntiSpyware
    Spybot Search & Destroy
    Malwarebytes
    CleanMyPC Registry Cleaner Professional Edition
    CWShredder - Found & removed CWSMsconfig.exe
    Ad-Aware Free

    All Files Were Previously Set To Hidden; Fixed With:
    Command Prompt:
    cd C:\
    attrib *. -h -s /s /d

    DisableTaskMgr was set to 1 in ALL registry settings, reverted to 0 so I could gain access again (worked).

    Removed all old crap / software etc

    All msconfig.exe items removed from startup.

    Operating System: Windows XP Service Pack 3

    Issues:

    PC Running 2 x iexplore.exe in background (These instances start as I turn on the PC).

    When using IE the browser constantly gets redirected to affiliate / referral links.

    All Administrative Tools also appear to have been deleted (not hidden).



    5 (7) Step Process:
    1) AVG Free Ran (Command-Line Mode In Safe-Mode)
    2) Malwarebytes Scan Completed
    3) GMER Scan Completed
    4) DDS Scan Completed
    5) All Logs Of The Above Attached To This Message
     


  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot! I'll be glad to help you but you missed a part about the logs:

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

    Please note: You do not need to paste in the logs for Malwarebytes or GMER; they are both clean. There is another log from DDS named Attach.txt. Please paste that one in also when you paste in the DDS.txt log.

    I see some of the offending malware. Not only is it bad, but Firefox prevents me from loading the site. If you can find any programs in Add/Remove Programs related to (search).alot.com, please uninstall them. It also appears that it might be in the sidebar.
    =======================================
    You can go ahead and run Combofix as I will need to write script for some removals: Unfortunately, it won't run with AVG so you will have to uninstall it temporarily:
    Download AppRemover and save to the desktop
    1. Double click the setup on the desktop> click Next
    2. Select “Remove Security Application”
    3. Let scan finish to determine security apps
    4. A screen listing the detected security applications will appear.
    5. Click on Next after choice has been made
    6. Check the AVG program you want to uninstall
    7. After uninstall shows complete, follow online prompts to Exit the program.

    Temporary AV: Use one:
    Avira-AntiVir-Personal-Free-Antivirus
    Avast Free Version
    =============================
    Please note: If you have Combofix on the desktop already, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a prompt asking whether to continue.
    • Click on Yes to continue scanning for malware.
    • If Combofix asks you to update the program, allow it.
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated and opened in a text window. Please paste C:\ComboFix.txt into your next reply.
    Re-enable your Antivirus software.

    Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    =================================================
    Other than pasting in the 2 logs from DDS and the logs from Combofix, I do not need any other logs at this point.
     
  3. pspsales

    pspsales TS Rookie Topic Starter

    Thanks a lot for your reply.

    Steps Taken:

    1) AVG Removed (To Run ComboFix). Also restarted laptop at this point as per AVG recommendation.

    2) The dds attach log is in the original post, named: dds attach log.txt

    3) Looked in Add/Remove Programs, nothing related to alot.com / search.alot.com, all normal looking.

    4) ComboFix Run:
    Detected rootkit & needed to restart;
    After restart a restore point was created;
    Prompted to install recovery console (No internet connection, skipped);
    Scan completed;

    5) ComboFix run again to install recovery console, scan skipped;

    6) DDS Ran;

    7) Installed Avira-AntiVir-Personal-Free-Antivirus


    DDS Log:

    .
    DDS (Ver_2011-06-03.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702
    Run by sara cordery at 18:01:28 on 2011-06-08
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.446.74 [GMT 1:00]
    .
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mStart Page = hxxp://www.nixat.com/
    uInternet Settings,ProxyOverride = *.local
    mURLSearchHooks: H - No File
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
    TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
    TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
    Notify: AtiExtEvent - Ati2evxx.dll
    Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-6-8 64512]
    R1 SASDIFSV;SASDIFSV;\??\c:\docume~1\saraco~1\locals~1\temp\sas_selfextract\sasdifsv.sys --> c:\docume~1\saraco~1\locals~1\temp\sas_selfextract\SASDIFSV.SYS [?]
    R1 SASKUTIL;SASKUTIL;\??\c:\docume~1\saraco~1\locals~1\temp\sas_selfextract\saskutil.sys --> c:\docume~1\saraco~1\locals~1\temp\sas_selfextract\SASKUTIL.SYS [?]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-5-25 2151128]
    R2 VMCService;Vodafone Mobile Connect Service;c:\program files\vodafone\vodafone mobile connect\bin\VMCService.exe [2008-10-9 14336]
    R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-8-4 211200]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-3 135664]
    S3 BlackBox;BlackBox SR2; [x]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-3 135664]
    S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-5-25 15232]
    .
    =============== Created Last 30 ================
    .
    2011-06-08 16:38:38 256512 ----a-w- c:\windows\PEV.exe
    2011-06-08 16:38:38 208896 ----a-w- c:\windows\MBR.exe
    2011-06-08 16:38:37 98816 ----a-w- c:\windows\sed.exe
    2011-06-08 16:38:37 518144 ----a-w- c:\windows\SWREG.exe
    2011-06-08 16:03:58 194 ---ha-w- C:\aaw7boot.cmd
    2011-06-07 23:37:34 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2011-06-07 23:37:04 -------- d-----w- c:\program files\Lavasoft
    2011-06-07 19:40:12 -------- d-----w- c:\program files\common files\Wise Installation Wizard
    2011-06-07 16:14:09 -------- d-----w- c:\documents and settings\all users\application data\Kaspersky Lab Setup Files
    2011-06-06 16:34:46 711728 ----a-w- c:\windows\is-RKVPU.exe
    2011-06-06 16:19:03 -------- d-----w- c:\program files\CleanMyPC
    2011-06-04 07:30:24 -------- d-----w- C:\$AVG
    2011-06-04 03:34:43 -------- d-----w- c:\documents and settings\sara cordery\application data\AVG10
    2011-06-03 21:37:04 -------- d-----w- c:\documents and settings\all users\application data\Common Files
    2011-06-03 21:11:02 -------- d-----w- c:\documents and settings\all users\application data\AVG10
    2011-06-03 20:53:22 -------- d-----w- c:\documents and settings\sara cordery\local settings\application data\PackageAware
    2011-06-03 20:53:01 -------- d-----w- c:\documents and settings\all users\application data\MFAData
    2011-06-03 18:56:02 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
    2011-06-03 18:55:19 -------- d-----w- c:\program files\SUPERAntiSpyware
    2011-06-03 18:55:18 -------- d-----w- c:\documents and settings\sara cordery\application data\SUPERAntiSpyware.com
    .
    ==================== Find3M ====================
    .
    2011-05-29 08:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    .
    ============= FINISH: 18:02:30.29 ===============
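As an added triage example (not part of the original thread, and not something DDS or ComboFix does themselves), the Python script below walks the "Pseudo HJT Report" and "SERVICES / DRIVERS" sections of a DDS.txt log and pulls out the entries a helper reads first: BHO and toolbar registry entries whose file is gone ("No File"), a machine-wide (HKLM) start page that differs from the user's (HKCU) start page, hosts-file overrides, services registered with no binary on disk ("[x]"), and kernel drivers loading from a temp directory. The sample input is a constructed excerpt of lines copied from the log posted above, and the line shapes the regexes expect are assumptions inferred from that output, not a published DDS format.

```python
"""Triage helper for the HJT and services sections of a DDS.txt log (added example)."""
import re

# Constructed sample: a handful of lines copied from the DDS log posted above.
# It is not a complete log; "hxxp" is DDS's own defanging of "http".
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.nixat.com/
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;\??\c:\docume~1\saraco~1\locals~1\temp\sas_selfextract\sasdifsv.sys --> c:\docume~1\saraco~1\locals~1\temp\sas_selfextract\SASDIFSV.SYS [?]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-5-25 2151128]
S3 BlackBox;BlackBox SR2; [x]
"""

# Line shapes below are assumptions inferred from the DDS output visible in this thread.
NO_FILE = re.compile(r"^(BHO|TB|[um]URLSearchHooks):\s*(.+?)\s*-\s*No File$")
START_PAGE = re.compile(r"^([um])Start Page\s*=\s*(\S+)$")
HOSTS = re.compile(r"^Hosts:\s*(\S+)\s+(\S+)$")
SERVICE = re.compile(r"^([RS][0-4])\s+([^;]+);([^;]*);(.*)$")  # type name;display;path


def triage(dds_text):
    """Walk the log once and collect the entries a helper reviews first."""
    findings = {
        "orphans": [],             # BHO/toolbar registry entries whose file is gone
        "start_pages": {},         # 'u' = current user (HKCU), 'm' = machine (HKLM)
        "start_page_mismatch": False,
        "hosts_overrides": [],     # (ip, hostname) entries written to the hosts file
        "missing_binaries": [],    # services registered with no binary on disk ([x])
        "temp_drivers": [],        # kernel drivers loading from a temp directory
    }
    for raw in dds_text.splitlines():
        line = raw.strip()
        if not line or line == "." or line.startswith("="):
            continue
        m = NO_FILE.match(line)
        if m:
            findings["orphans"].append((m.group(1), m.group(2)))
            continue
        m = START_PAGE.match(line)
        if m:
            findings["start_pages"][m.group(1)] = m.group(2)
            continue
        m = HOSTS.match(line)
        if m:
            findings["hosts_overrides"].append((m.group(1), m.group(2)))
            continue
        m = SERVICE.match(line)
        if m:
            kind, name, path = m.group(1), m.group(2), m.group(4).strip()
            if path.endswith("[x]"):
                findings["missing_binaries"].append((kind, name))
            if "\\temp\\" in path.lower():
                findings["temp_drivers"].append((kind, name))
    pages = findings["start_pages"]
    findings["start_page_mismatch"] = (
        "u" in pages and "m" in pages and pages["u"] != pages["m"]
    )
    return findings


def report(findings):
    """Render findings as plain lines; this is a review list, not a verdict."""
    lines = []
    for kind, ident in findings["orphans"]:
        lines.append(f"orphan {kind} entry (file missing): {ident}")
    if findings["start_page_mismatch"]:
        lines.append("machine-wide start page differs from user start page: "
                     f"m={findings['start_pages']['m']} u={findings['start_pages']['u']}")
    for ip, host in findings["hosts_overrides"]:
        lines.append(f"hosts override: {host} -> {ip}")
    for kind, name in findings["missing_binaries"]:
        lines.append(f"service {name} ({kind}) registered but binary missing")
    for kind, name in findings["temp_drivers"]:
        lines.append(f"driver {name} ({kind}) loads from a temp directory")
    return lines


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_DDS))))
```

Read the output as a review list, not a verdict. "No File" entries are dead registry references left behind by uninstalled or removed add-ons and are usually just cleanup; the machine-wide start page differing from the user's is worth a look because HKLM is where installers and hijackers both write; a hosts entry pointing a security-help site at 127.0.0.1 is a classic malware tell but is also something a user can set deliberately; and the one driver flagged under a temp directory here (SASDIFSV) belongs to SUPERAntiSpyware's self-extracting scanner, which the thread's installed-programs list confirms was on the machine, so a temp-directory driver is a prompt to check the vendor rather than a finding by itself.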
     
  4. pspsales

    pspsales TS Rookie Topic Starter

    DDS Attach Log:

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-06-03.01)
    .
    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 08/03/2006 19:05:48
    System Uptime: 08/06/2011 17:37:10 (1 hours ago)
    .
    Motherboard: TOSHIBA | | Equium L20
    Processor: Intel(R) Celeron(R) M processor 1.40GHz | U23 | 1396/100mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 37 GiB total, 15.112 GiB free.
    D: is CDROM ()
    E: is FIXED (FAT32) - 466 GiB total, 58.368 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
    Description: Nokia Windows Portable Device Driver
    Device ID: ROOT\WPD\0000
    Manufacturer: Nokia
    Name: Nokia E71
    PNP Device ID: ROOT\WPD\0000
    Service: WUDFRd
    .
    ==== System Restore Points ===================
    .
    RP760: 03/06/2011 20:02:54 - Installed SUPERAntiSpyware Free Edition
    RP761: 03/06/2011 21:33:25 - Installed Error Fix
    RP762: 03/06/2011 22:09:14 - Installed AVG 2011
    RP763: 03/06/2011 22:10:32 - Installed AVG 2011
    RP764: 04/06/2011 08:36:36 - Software Distribution Service 3.0
    RP765: 06/06/2011 18:33:16 - Removed SUPERAntiSpyware Free Edition
    RP766: 06/06/2011 18:34:34 - Installed SUPERAntiSpyware Free Edition
    RP767: 07/06/2011 15:04:37 - Removed Error Fix
    RP768: 07/06/2011 15:06:52 - Removed Driver Detective.
    RP769: 08/06/2011 00:35:59 - Installed Ad-Aware
    RP770: 08/06/2011 00:36:59 - Installed Ad-Aware
    RP771: 08/06/2011 17:19:25 - Removed AVG 2011
    RP772: 08/06/2011 17:23:43 - Removed AVG 2011
    .
    ==== Installed Programs ======================
    .
    AC97 Data Fax SoftModem with SmartCP
    Acrobat.com
    Ad-Aware
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Reader 9.4.2
    Adobe® Photoshop® Album Starter Edition 3.0
    Adobe® Photoshop® Album Starter Edition 3.0.1
    Apple Application Support
    Apple Software Update
    Atheros Client Utility
    Atheros Wireless LAN MiniPCI card Driver
    ATI - Software Uninstall Utility
    ATI Control Panel
    ATI Display Driver
    Bonjour
    BT Voyager 105 ADSL Modem
    BT Voyager Modem AOL Test
    CCleaner
    CD/DVD Drive Acoustic Silencer
    CDDRV_Installer
    CleanMyPC - Registry Cleaner
    Conexant AC-Link Audio
    Critical Update for Windows Media Player 11 (KB959772)
    DeerQuest
    DivX Setup
    Google Earth
    Google Toolbar for Internet Explorer
    Google Update Helper
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB976002-v5)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    InterActual Player
    InterVideo WinDVD for TOSHIBA
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 8
    Java Auto Updater
    Java(TM) 6 Update 20
    KhalInstallWrapper
    Logitech Desktop Messenger
    Logitech SetPoint
    Macromedia Flash Player
    Malwarebytes' Anti-Malware version 1.51.0.1200
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Access 2000 SR-1 Runtime
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft DirectX SDK (August 2007)
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft National Language Support Downlevel APIs
    Microsoft Office OneNote 2003
    Microsoft Office PowerPoint Viewer 2003
    Microsoft SQL Server Compact 3.5 SP1 English
    Microsoft User-Mode Driver Framework Feature Pack 1.5
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Works
    MP3 Player Utilities 1.51
    MSVC80_x86
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    PC Connectivity Solution
    PCFriendly
    PHOTOfunSTUDIO 5.0
    QuickTime
    RealPlayer Basic
    REALTEK Gigabit and Fast Ethernet NIC Driver
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2491683)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956390)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    Sonic RecordNow!
    Spybot - Search & Destroy
    Synaptics Pointing Device Driver
    TOSHIBA Assist
    TOSHIBA ConfigFree
    Toshiba Hotkey Utility
    TOSHIBA Manuals
    TOSHIBA PC Diagnostic Tool
    Toshiba Touchpad Utility
    Toshiba Utility
    TOSHIBA Zooming Utility
    Touch and Launch
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB971930)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    VC80CRTRedist - 8.0.50727.4053
    VLC media player 1.0.1
    Vodafone Mobile Connect Lite
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    .
    ==== Event Viewer Messages From Past Week ========
    .
    08/06/2011 00:43:02, error: Service Control Manager [7034] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s).
    08/06/2011 00:22:28, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
    07/06/2011 19:38:35, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
    07/06/2011 15:05:29, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
    06/06/2011 18:58:29, error: Service Control Manager [7034] - The TCP/IP NetBIOS Helper service terminated unexpectedly. It has done this 1 time(s).
    06/06/2011 18:52:32, error: Service Control Manager [7034] - The Terminal Services service terminated unexpectedly. It has done this 1 time(s).
    06/06/2011 18:52:32, error: Service Control Manager [7031] - The DCOM Server Process Launcher service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
    06/06/2011 18:52:03, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Avgldx86 Avgmfx86 Beep Fips intelppm
    06/06/2011 18:34:54, error: Service Control Manager [7000] - The SASDIFSV service failed to start due to the following error: The system cannot find the file specified.
    06/06/2011 18:33:25, error: Service Control Manager [7000] - The SASDIFSV service failed to start due to the following error: Cannot create a file when that file already exists.
    06/06/2011 18:29:41, error: Service Control Manager [7034] - The Atheros Configuration Service service terminated unexpectedly. It has done this 1 time(s).
    06/06/2011 18:29:30, error: Service Control Manager [7031] - The Vodafone Mobile Connect Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    06/06/2011 18:27:45, error: Service Control Manager [7034] - The SNMP Service service terminated unexpectedly. It has done this 1 time(s).
    06/06/2011 18:27:42, error: Service Control Manager [7034] - The ConfigFree Service service terminated unexpectedly. It has done this 1 time(s).
    06/06/2011 18:27:35, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    06/06/2011 18:27:19, error: Service Control Manager [7034] - The Indexing Service service terminated unexpectedly. It has done this 1 time(s).
    06/06/2011 18:27:15, error: Service Control Manager [7031] - The Vodafone Mobile Connect Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    06/06/2011 17:10:27, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Avgldx86 Avgmfx86 Avgtdix Beep Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL Tcpip
    06/06/2011 17:01:51, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.
    06/06/2011 17:01:51, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    04/06/2011 10:18:49, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Vodafone Mobile Connect Service service to connect.
    04/06/2011 04:47:39, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the AVGIDSAgent service to connect.
    04/06/2011 04:47:39, error: Service Control Manager [7000] - The AVGIDSAgent service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    03/06/2011 20:47:18, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
    03/06/2011 20:41:23, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    03/06/2011 20:12:19, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    03/06/2011 20:11:07, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    03/06/2011 20:11:05, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    03/06/2011 20:11:02, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Beep Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL Tcpip
    03/06/2011 20:11:02, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    03/06/2011 20:11:02, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    03/06/2011 20:11:02, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    03/06/2011 20:11:02, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    03/06/2011 20:11:02, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    03/06/2011 20:05:07, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Beep
    03/06/2011 20:01:31, error: sr [1] - The System Restore filter encountered the unexpected error '0xC000000E' while processing the file '' on the volume 'HarddiskVolume4'. It has stopped monitoring the volume.
    .
    ==== End Of File ===========================
     
  5. pspsales

    pspsales TS Rookie Topic Starter

    ComboFix Log:

    ComboFix 11-06-06.02 - sara cordery 08/06/2011 17:44:23.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.446.32 [GMT 1:00]
    Running from: e:\software\AV Stuff\New\ComboFix.exe
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
    .
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\sara cordery\WINDOWS
    .
    Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
    Restored copy from - Kitty had a snack :p
    .
    ((((((((((((((((((((((((( Files Created from 2011-05-08 to 2011-06-08 )))))))))))))))))))))))))))))))
    .
    .
    2011-06-08 16:03 . 2011-06-08 16:03 194 ---ha-w- C:\aaw7boot.cmd
    2011-06-07 23:37 . 2011-05-25 01:00 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2011-06-07 23:37 . 2011-06-07 23:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2011-06-07 23:37 . 2011-06-07 23:37 -------- d-----w- c:\program files\Lavasoft
    2011-06-07 19:40 . 2011-06-07 19:40 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2011-06-07 16:14 . 2011-06-07 16:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
    2011-06-06 16:34 . 2011-06-06 16:34 711728 ----a-w- c:\windows\is-RKVPU.exe
    2011-06-06 16:19 . 2011-06-06 16:19 -------- d-----w- c:\program files\CleanMyPC
    2011-06-04 07:30 . 2011-06-04 07:30 -------- d-----w- C:\$AVG
    2011-06-04 03:34 . 2011-06-04 03:34 -------- d-----w- c:\documents and settings\sara cordery\Application Data\AVG10
    2011-06-03 21:37 . 2011-06-03 21:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Common Files
    2011-06-03 21:11 . 2011-06-08 16:27 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
    2011-06-03 20:53 . 2011-06-03 20:53 -------- d-----w- c:\documents and settings\sara cordery\Local Settings\Application Data\PackageAware
    2011-06-03 20:53 . 2011-06-08 16:23 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
    2011-06-03 18:56 . 2011-06-03 18:56 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2011-06-03 18:55 . 2011-06-07 16:43 -------- d-----w- c:\program files\SUPERAntiSpyware
    2011-06-03 18:55 . 2011-06-03 18:55 -------- d-----w- c:\documents and settings\sara cordery\Application Data\SUPERAntiSpyware.com
    2011-06-03 18:43 . 2011-06-03 18:44 -------- d-----w- c:\documents and settings\Administrator
    2011-06-02 21:38 . 2011-06-02 21:38 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-05-29 08:11 . 2009-12-15 19:47 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
    2008-05-02 01:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
    @=""
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
    backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
    backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^sara cordery^Start Menu^Programs^Startup^desktop.ini]
    path=c:\documents and settings\sara cordery\Start Menu\Programs\Startup\desktop.ini
    backup=c:\windows\pss\desktop.iniStartup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^sara cordery^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
    path=c:\documents and settings\sara cordery\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
    backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
    \Program\ [X]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\%FP%Friendly fts.exe]
    2003-05-06 09:28 72192 ----a-w- c:\program files\VoyagerTest\fts.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-09-20 22:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
    2005-06-06 23:46 57344 ----a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
    2005-06-28 20:05 344064 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
    2010-09-01 06:39 1164584 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLAGENTEXE]
    2003-08-19 13:47 16384 ------w- c:\program files\BT Voyager 105 ADSL Modem\dslagent.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLSTATEXE]
    2003-06-28 16:10 1658965 ------w- c:\program files\BT Voyager 105 ADSL Modem\dslstat.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
    2008-02-29 02:12 76304 ----a-w- c:\windows\KHALMNPR.Exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
    2008-02-29 02:12 76304 ----a-w- c:\windows\KHALMNPR.Exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MobileConnect]
    2008-10-09 15:33 2086912 ----a-w- c:\program files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]
    2004-11-17 09:56 1077327 ----a-w- c:\program files\Toshiba\Touch and Launch\PadExe.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-11-10 23:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
    2006-03-21 14:20 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
    2005-05-12 09:31 118784 ----a-w- c:\program files\Toshiba\TOSHIBA Zooming Utility\SmoothView.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-02-18 10:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
    2004-10-08 21:43 688218 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
    2004-10-08 21:44 98394 ----a-w- c:\program files\Synaptics\SynTP\SynTPLpr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSCDSPD]
    2005-04-11 10:26 65536 ----a-w- c:\program files\Toshiba\TOSCDSPD\TOSCDSPD.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Toshiba Hotkey Utility]
    2005-08-01 21:25 1093632 ----a-w- c:\program files\Toshiba\Windows Utilities\Hotkey.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=
    "c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
    "c:\\Program Files\\Toshiba\\ConfigFree\\CFXFER.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
    .
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [08/06/2011 00:37 64512]
    R1 SASDIFSV;SASDIFSV;\??\c:\docume~1\SARACO~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\SARACO~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
    R1 SASKUTIL;SASKUTIL;\??\c:\docume~1\SARACO~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\SARACO~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [25/05/2011 02:00 2151128]
    R2 VMCService;Vodafone Mobile Connect Service;c:\program files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [09/10/2008 16:32 14336]
    R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [04/08/2005 22:09 211200]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [03/01/2010 14:24 135664]
    S3 BlackBox;BlackBox SR2; [x]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [03/01/2010 14:24 135664]
    S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [25/05/2011 02:00 15232]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-06-08 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-05-25 01:00]
    .
    2011-03-15 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
    .
    2011-06-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-03 13:23]
    .
    2011-06-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-03 13:23]
    .
    2011-06-08 c:\windows\Tasks\User_Feed_Synchronization-{DD5C83BF-206E-4485-BE82-9D7C1B5CFD49}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-13 03:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mStart Page = hxxp://www.nixat.com/
    uInternet Settings,ProxyOverride = *.local
    IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
    Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    SafeBoot-AVG Anti-Spyware Driver
    SafeBoot-AVG Anti-Spyware Guard
    MSConfigStartUp-AVG_TRAY - c:\program files\AVG\AVG10\avgtray.exe
    MSConfigStartUp-kqAIrvwyxLeS - c:\documents and settings\All Users\Application Data\kqAIrvwyxLeS.exe
    MSConfigStartUp-RegistryBooster - c:\program files\Uniblue\RegistryBooster\launcher.exe
    MSConfigStartUp-SUPERAntiSpyware - c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-06-08 17:54
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(536)
    c:\windows\system32\Ati2evxx.dll
    c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
    c:\windows\system32\WlNotify.dll
    c:\program files\common files\logitech\bluetooth\LBTServ.dll
    .
    Completion time: 2011-06-08 17:59:36
    ComboFix-quarantined-files.txt 2011-06-08 16:59
    .
    Pre-Run: 15,468,916,736 bytes free
    Post-Run: 16,200,470,528 bytes free
    .
    - - End Of File - - D4D7C940CBBFBDA288C4FC4BDBD089ED
     
  6. pspsales

    pspsales TS Rookie Topic Starter

    Any luck finding anything bad in the logs? Thanks a lot for your help so far :)
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Regarding the Recovery Console query: To the best of my knowledge, Combofix will not turn off the internet connection until after the console query, before you run the scan.
    =============================
    You have 3 outdated versions of Java. They are vulnerabilities. Please run the following:

    Please download JavaRa and unzip it to your desktop.

    Important!
    ***Please close any instances of Internet Explorer before continuing!***
    • Double-click on JavaRa.exe to start the program.
    • From the drop-down menu, choose English and click on Select.
    • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
    • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
    • A logfile will pop up. Please save it to a convenient location.
    Note: I do not need this log!
    Then download and install the most current version and update of Java Runtime Environment (JRE) HERE.
    ====================================
    Are you aware that it is perfectly normal for IE8 to run multiple versions of iexplore.exe?
    ===================================
    If you are seeing an icon for desktop.ini on the desktop, it means you have the hidden files and folders showing. They should be rehidden:
    • Open My Computer.
    • Go to Tools > Folder Options.
    • Select the View tab.
    • Scroll down to Hidden files and folders.
    • Uncheck Show hidden files and folders.
    • Check Hide extensions of known file types.
    • Check Hide protected operating system files (Recommended).
    • Click Yes when prompted.
    • Click OK.
    • Close My Computer.

    ==========================================
    Please run this Custom CFScript:

    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    FileLook::
    c:\windows\is-RKVPU.exe
    Folder::
    c:\documents and settings\all users\application data\Kaspersky Lab Setup Files
    c:\program files\CleanMyPC
    DDS::
    mURLSearchHooks: H - No File
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
    TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
    TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    Driver::
    BlackBox
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    I recommend that you uninstall CleanMyPC and LimeWire, then delete the program folder.
     
  8. pspsales

    pspsales TS Rookie Topic Starter

    Process:
    1) Limewire did not have an uninstall file / Add/Remove item so I just deleted the Limewire folder.

    2) Ran JavaRa & removed all Java;

    3) Attempted To Install Latest Version Of Java From Site -
    Internal Error 2753. regutils.dll
    This error occurred with the online & offline installer, ended up giving up.

    4) Set hidden files / folders to not show (Operating system files hidden already selected);

    5) Ran CFScript.txt with ComboFix;

    --
    Are you aware that it is perfectly normal for IE8 to run multiple versions of iexplore.exe?
    --
    Rather than running multiple instances, IE is starting when I start the laptop up (not anymore but was before) and also trying to connect to the net (Connect / Stay Offline Messages) & also was redirecting URLs so you could never get to the site you enter in the address bar.


    ComboFix Log File:


    ComboFix 11-06-06.02 - sara cordery 11/06/2011 13:00:26.2.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.446.148 [GMT 1:00]
    Running from: c:\documents and settings\sara cordery\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\sara cordery\Desktop\CFScript.txt
    AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\all users\application data\Kaspersky Lab Setup Files
    c:\documents and settings\all users\application data\Kaspersky Lab Setup Files\Kaspersky PURE 9.1.0.124\English\doc\pure9.1_en.pdf
    c:\documents and settings\all users\application data\Kaspersky Lab Setup Files\Kaspersky PURE 9.1.0.124\English\KasperskyPURE.en.msi
    c:\documents and settings\all users\application data\Kaspersky Lab Setup Files\Kaspersky PURE 9.1.0.124\English\release_notes_pure9.1_en.doc
    c:\documents and settings\all users\application data\Kaspersky Lab Setup Files\Kaspersky PURE 9.1.0.124\English\setup.exe
    c:\documents and settings\all users\application data\Kaspersky Lab Setup Files\Kaspersky PURE 9.1.0.124\English\setup.ini
    c:\documents and settings\all users\application data\Kaspersky Lab Setup Files\Kaspersky PURE 9.1.0.124\English\setup.reg
    c:\program files\CleanMyPC
    c:\program files\CleanMyPC\Registry Cleaner\fixlog.ini
    c:\program files\CleanMyPC\Registry Cleaner\master.ini
    c:\program files\CleanMyPC\Registry Cleaner\RCHelper.exe
    c:\program files\CleanMyPC\Registry Cleaner\RCleaner.exe
    c:\program files\CleanMyPC\Registry Cleaner\UndoCenter\20110606172434A.cab
    c:\program files\CleanMyPC\Registry Cleaner\UndoCenter\20110607151145A.cab
    c:\program files\CleanMyPC\Registry Cleaner\UndoCenter\20110607155025A.cab
    c:\program files\CleanMyPC\Registry Cleaner\UndoCenter\20110607195402A.cab
    c:\program files\CleanMyPC\Registry Cleaner\UnFD.exe
    c:\program files\CleanMyPC\Registry Cleaner\unins000.dat
    c:\program files\CleanMyPC\Registry Cleaner\unins000.exe
    c:\program files\CleanMyPC\Registry Cleaner\update.exe
    c:\program files\CleanMyPC\Registry Cleaner\update.urs
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_BLACKBOX
    -------\Service_BlackBox
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-05-11 to 2011-06-11 )))))))))))))))))))))))))))))))
    .
    .
    2011-06-08 17:24 . 2011-06-08 17:24 -------- d-----w- c:\documents and settings\sara cordery\Application Data\Avira
    2011-06-08 17:14 . 2011-04-01 16:07 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-06-08 17:14 . 2011-04-01 16:07 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-06-08 17:14 . 2010-06-17 14:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2011-06-08 17:14 . 2010-06-17 14:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2011-06-08 17:14 . 2011-06-08 17:14 -------- d-----w- c:\program files\Avira
    2011-06-08 17:14 . 2011-06-08 17:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2011-06-08 16:03 . 2011-06-08 16:03 194 ---ha-w- C:\aaw7boot.cmd
    2011-06-07 23:37 . 2011-05-25 01:00 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2011-06-07 23:37 . 2011-06-07 23:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2011-06-07 23:37 . 2011-06-07 23:37 -------- d-----w- c:\program files\Lavasoft
    2011-06-07 19:40 . 2011-06-07 19:40 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2011-06-06 16:34 . 2011-06-06 16:34 711728 ----a-w- c:\windows\is-RKVPU.exe
    2011-06-04 07:30 . 2011-06-04 07:30 -------- d-----w- C:\$AVG
    2011-06-04 03:34 . 2011-06-04 03:34 -------- d-----w- c:\documents and settings\sara cordery\Application Data\AVG10
    2011-06-03 21:37 . 2011-06-03 21:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Common Files
    2011-06-03 21:11 . 2011-06-08 16:27 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
    2011-06-03 20:53 . 2011-06-03 20:53 -------- d-----w- c:\documents and settings\sara cordery\Local Settings\Application Data\PackageAware
    2011-06-03 20:53 . 2011-06-08 16:23 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
    2011-06-03 18:56 . 2011-06-03 18:56 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2011-06-03 18:55 . 2011-06-07 16:43 -------- d-----w- c:\program files\SUPERAntiSpyware
    2011-06-03 18:55 . 2011-06-03 18:55 -------- d-----w- c:\documents and settings\sara cordery\Application Data\SUPERAntiSpyware.com
    2011-06-03 18:43 . 2011-06-03 18:44 -------- d-----w- c:\documents and settings\Administrator
    2011-06-02 21:38 . 2011-06-02 21:38 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-05-29 08:11 . 2009-12-15 19:47 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    .
    .
    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    --- c:\windows\is-RKVPU.exe ---
    Company:
    File Description: Setup/Uninstall
    File Version: 51.52.0.0
    Product Name:
    Copyright:
    Original Filename:
    File size: 711728
    Created time: 2011-06-06 16:34
    Modified time: 2011-06-06 16:34
    MD5: C8DE25FEFB17627E2237B320CCF30EE1
    SHA1: 1EB76F645E9A74E9E45B33FDF4793C889C5A6744
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
    2008-05-02 01:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
    @=""
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
    backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
    backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^sara cordery^Start Menu^Programs^Startup^desktop.ini]
    path=c:\documents and settings\sara cordery\Start Menu\Programs\Startup\desktop.ini
    backup=c:\windows\pss\desktop.iniStartup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^sara cordery^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
    path=c:\documents and settings\sara cordery\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
    backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
    \Program\ [X]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\%FP%Friendly fts.exe]
    2003-05-06 09:28 72192 ----a-w- c:\program files\VoyagerTest\fts.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-09-20 22:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
    2005-06-06 23:46 57344 ----a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
    2005-06-28 20:05 344064 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
    2010-09-01 06:39 1164584 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLAGENTEXE]
    2003-08-19 13:47 16384 ------w- c:\program files\BT Voyager 105 ADSL Modem\dslagent.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLSTATEXE]
    2003-06-28 16:10 1658965 ------w- c:\program files\BT Voyager 105 ADSL Modem\dslstat.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
    2008-02-29 02:12 76304 ----a-w- c:\windows\KHALMNPR.Exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
    2008-02-29 02:12 76304 ----a-w- c:\windows\KHALMNPR.Exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MobileConnect]
    2008-10-09 15:33 2086912 ----a-w- c:\program files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]
    2004-11-17 09:56 1077327 ----a-w- c:\program files\Toshiba\Touch and Launch\PadExe.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-11-10 23:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
    2006-03-21 14:20 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
    2005-05-12 09:31 118784 ----a-w- c:\program files\Toshiba\TOSHIBA Zooming Utility\SmoothView.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-02-18 10:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
    2004-10-08 21:43 688218 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
    2004-10-08 21:44 98394 ----a-w- c:\program files\Synaptics\SynTP\SynTPLpr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSCDSPD]
    2005-04-11 10:26 65536 ----a-w- c:\program files\Toshiba\TOSCDSPD\TOSCDSPD.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Toshiba Hotkey Utility]
    2005-08-01 21:25 1093632 ----a-w- c:\program files\Toshiba\Windows Utilities\Hotkey.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
    "c:\\Program Files\\Toshiba\\ConfigFree\\CFXFER.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
    .
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [08/06/2011 00:37 64512]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [08/06/2011 18:15 136360]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [25/05/2011 02:00 2151128]
    R2 VMCService;Vodafone Mobile Connect Service;c:\program files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [09/10/2008 16:32 14336]
    R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [04/08/2005 22:09 211200]
    S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\SARACO~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\SARACO~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
    S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\SARACO~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\SARACO~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [03/01/2010 14:24 135664]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [03/01/2010 14:24 135664]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-06-11 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-05-25 01:00]
    .
    2011-03-15 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
    .
    2011-06-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-03 13:23]
    .
    2011-06-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-03 13:23]
    .
    2011-06-11 c:\windows\Tasks\User_Feed_Synchronization-{DD5C83BF-206E-4485-BE82-9D7C1B5CFD49}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-13 03:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mStart Page = hxxp://www.nixat.com/
    uInternet Settings,ProxyOverride = *.local
    IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
    TCP: DhcpNameServer = 192.168.1.254
    Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    .
    - - - - ORPHANS REMOVED - - - -
    .
    AddRemove-CleanMyPC - Registry Cleaner_is1 - c:\program files\CleanMyPC\Registry Cleaner\unins000.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-06-11 13:13
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(552)
    c:\windows\system32\Ati2evxx.dll
    c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
    c:\program files\common files\logitech\bluetooth\LBTServ.dll
    .
    - - - - - - - > 'explorer.exe'(2268)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\acs.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\System32\snmp.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
    .
    **************************************************************************
    .
    Completion time: 2011-06-11 13:23:08 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-06-11 12:23
    ComboFix2.txt 2011-06-08 16:59
    .
    Pre-Run: 16,076,775,424 bytes free
    Post-Run: 15,867,355,136 bytes free
    .
    - - End Of File - - E530195FC96A81F5A0897B46D0C91A62
     
  9. pspsales

    pspsales TS Rookie Topic Starter

    The Microsoft Installer Clean Up Utility helped to remove Java, and then the re-install worked fine.
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    How to Fix Internal Error 2753

    This is related to a Windows Installer failure. If this error is popping up as a prompt on your Windows operating system, you will not be able to install applications on your system.

    1. Click on Start> Run> type CMD in the run box> Enter
    2. Type regsvr32 vbscript.dll> Enter
    3. You should see the message "DllRegisterServer in vbscript.dll succeeded".
    4. If this message appears, the required files for the installer have now been successfully registered, and you should be able to install your apps.
    5. Click on the installer file for your application and see if the error appears again. If the installation begins, the files are now properly registered. Repeat the process one more time if the installation still gives the error.
    ==========================================
    We need to submit a file for identification:

    Please go to VirSCAN.org FREE on-line scan service:
    If busy, you can use one of the following: ( you only need one)
    VirusTotal
    Jotti

    • [1]. Copy and paste the following file path into the Suspicious files to scan box on the top of the page.

      Code:
      c:\windows\is-RKVPU.exe
      
      [2]. At the upload site, click once inside the window next to Browse.
      [3]. Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
      [4]. Click on the Upload button.
      This will perform a scan across multiple different virus scanning engines.
      Your file will possibly be entered into a queue which normally takes less than a minute to clear.
      Important: Wait for all of the scanning engines to complete.
      [5]. Once the Scan is completed scroll down and click on the Copy to Clipboard button. This will copy the link of the report into the Clipboard.
      [6]. Paste the contents of the Clipboard in your next reply.
     
  11. pspsales

    pspsales TS Rookie Topic Starter

    Scan on virustotal.com returned "File already submitted" and detected 0/42 (Virus-Free).
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, please don't use cleaning programs unless I instruct you to.
    When a log is given from a program, please leave the log, unless you are told not to, as in JavaRa.

    When you did the online virus scan, did you have the option to run the file again?

    Multiple iexplore.exe entries and redirects are not the same. While it is normal to have multiple iexplore.exe processes with IE8, it is also possible that malware is hiding under that process name. A search redirect can happen to any browser, any version and may have nothing to do with the 2 iexplore.exe processes you see.
    =====================================
    Did you rehide the files and folders before you ran Combofix? Do you have an icon for desktop.ini on the desktop?
    ====================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    c:\windows\is-RKVPU.exe
    c:\docume~1\SARACO~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS
    c:\docume~1\SARACO~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS
    Driver::
    SASDIFSV
    SASKUTIL

    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . I don't need this log.
    =======================================
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click on the download link to download the ESET Smart Installer. Save it to your desktop.
      [o] Double click on the ESET Smart Installer icon on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    ====================
    Download HijackThis and save to your desktop.
    • Extract it to a directory on your hard drive called c:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

    Almost through.
    The system is looking good. Do you have any malware related problems now or have they been resolved?
     
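    The CFScript above removes the two SAS_SelfExtract drivers that the ComboFix log earlier in the thread lists as "[?]" (no date or size, i.e. the file could not be read) under a Temp folder. As an added example, not code from this thread, from ComboFix or from the SAS tool, here is a small Python triage script that parses ComboFix's R/S service lines, flags entries by a few heuristics that are my own assumptions (image missing, image under a Temp directory, a .sys driver outside system32\drivers), and writes the flagged entries out in the File::/Driver:: CFScript format the thread uses; the sample lines are copied from this log.

```python
import re
from dataclasses import dataclass
from typing import List
# Constructed sample: four lines copied from the service section of the ComboFix log
# in this thread (one normal driver, one normal service, two orphaned SAS drivers).
SAMPLE_LOG = r"""
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [08/06/2011 00:37 64512]
R2 VMCService;Vodafone Mobile Connect Service;c:\program files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [09/10/2008 16:32 14336]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\SARACO~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\SARACO~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\SARACO~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\SARACO~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
"""
# <R|S><start type> <name>;<display>;<image path> [<date> <size>]   ("[?]" = file unreadable/missing)
LINE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.+?)\s+\[([^\]]*)\]$")

@dataclass
class ServiceEntry:
    start_type: int     # 0 boot, 1 system, 2 auto, 3 manual
    name: str
    path: str
    file_missing: bool  # ComboFix printed "[?]" instead of date and size

    def suspicious_reasons(self) -> List[str]:
        """Triage heuristics; these are my own assumptions, not ComboFix's rules."""
        p, reasons = self.path.lower(), []
        if self.file_missing:
            reasons.append("image file not found")
        if "\\temp\\" in p:
            reasons.append("image lives under a Temp directory")
        if p.endswith(".sys") and "\\system32\\drivers\\" not in p:
            reasons.append("kernel driver outside system32\\drivers")
        return reasons

def parse_services(log: str) -> List[ServiceEntry]:
    entries = []
    for m in filter(None, (LINE_RE.match(line.strip()) for line in log.splitlines())):
        _state, start, name, _display, path, stamp = m.groups()
        # Drop the NT "\??\" prefix and the "--> resolved path" suffix ComboFix appends.
        path = path.split(" --> ")[0]
        if path.startswith("\\??\\"):
            path = path[4:]
        entries.append(ServiceEntry(int(start), name, path, stamp.strip() == "?"))
    return entries

def build_cfscript(entries: List[ServiceEntry]) -> str:
    """Write flagged entries in the File::/Driver:: CFScript format used in the thread."""
    bad = [e for e in entries if e.suspicious_reasons()]
    if not bad:
        return ""
    return "\n".join(["File::", *(e.path for e in bad), "Driver::", *(e.name for e in bad)]) + "\n"
```

Running `build_cfscript(parse_services(SAMPLE_LOG))` reproduces the Driver:: section of the CFScript above; the output is a starting point for a reviewer, not something to run unreviewed.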
Topic Status:
Not open for further replies.
