TechSpot

[Active] 2 Hijack viruses (at least) and slowdown/freeze problem - 8 steps

By tullriles
Jul 20, 2010
  1. Hi,
    My first post since joining the forum last week.

    - One virus won't let me near the website for windows update. This is occurring in both Explorer and Mozilla Firefox.
    - Another virus is re-routing me to various websites, very often associated with google.com/webhp
    - Some processes are causing my CPU to slow down to a snail's pace, and sometimes freeze.

    Any help with the above would be appreciated....thanks in advance.

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4329

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    7/20/2010 5:36:12 AM
    mbam-log-2010-07-20 (05-36-12).txt

    Scan type: Quick scan
    Objects scanned: 140595
    Time elapsed: 8 minute(s), 20 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-07-20 06:40:26
    Windows 5.1.2600 Service Pack 3
    Running: segn9us2.exe; Driver: C:\DOCUME~1\bob\LOCALS~1\Temp\awrdapod.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF5408CD2]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xF5408B8E]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xF5409142]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xF540906C]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xF5408764]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xF5408C68]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF54086A4]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xF5408708]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xF5408D88]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xF5409210]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xF5408D48]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xF5408EC8]

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xF5415B9C]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xF54159C0]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xF5415AFA]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

    ---- Kernel code sections - GMER 1.0.15 ----

    PAGE ntoskrnl.exe!ObInsertObject 8056503A 5 Bytes JMP F5412F6C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
    PAGE ntoskrnl.exe!NtCreateSection 805652B3 7 Bytes JMP F54159C4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
    PAGE ntoskrnl.exe!ZwCreateProcessEx 8057FE4C 7 Bytes JMP F5415BA0 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
    PAGE ntoskrnl.exe!ObMakeTemporaryObject 8059F8CA 5 Bytes JMP F54115B4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
    PAGE ntoskrnl.exe!ZwLoadDriver 805A3B73 7 Bytes JMP F5415AFE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
    .text C:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xF7F00340, 0x121A5F, 0xF8000020]
    .text C:\WINDOWS\System32\nv4_disp.dll section is writeable [0xBF012380, 0x25BA81, 0xF8000020]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\Explorer.EXE[1692] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
    .text C:\WINDOWS\Explorer.EXE[1692] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BD000A
    .text C:\WINDOWS\Explorer.EXE[1692] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
    .text C:\WINDOWS\System32\svchost.exe[3892] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0092000A
    .text C:\WINDOWS\System32\svchost.exe[3892] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0093000A
    .text C:\WINDOWS\System32\svchost.exe[3892] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0091000C
    .text C:\WINDOWS\System32\svchost.exe[3892] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0088000A
    .text C:\WINDOWS\System32\svchost.exe[3892] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 0097000A

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\WINDOWS\system32\services.exe[996] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003B0002
    IAT C:\WINDOWS\system32\services.exe[996] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003B0000

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

    AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

    Device \FileSystem\Fastfat \Fat EDE83D20

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 2
    Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
    Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 7
    Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
    Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
    Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
    Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
    Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
    Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
    Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
    Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 7
    Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
    Reg HKLM\SYSTEM\controlset002\Services\MRxDAV\EncryptedDirectories@
    Reg HKLM\SYSTEM\CurrentControlSet\control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 2
    Reg HKLM\SYSTEM\CurrentControlSet\control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
    Reg HKLM\SYSTEM\CurrentControlSet\control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 7
    Reg HKLM\SYSTEM\CurrentControlSet\control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
    Reg HKLM\SYSTEM\CurrentControlSet\control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
    Reg HKLM\SYSTEM\CurrentControlSet\control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
    Reg HKLM\SYSTEM\CurrentControlSet\control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
    Reg HKLM\SYSTEM\CurrentControlSet\control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
    Reg HKLM\SYSTEM\CurrentControlSet\control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
    Reg HKLM\SYSTEM\CurrentControlSet\control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
    Reg HKLM\SYSTEM\CurrentControlSet\control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 7
    Reg HKLM\SYSTEM\CurrentControlSet\control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
    Reg HKLM\SYSTEM\ControlSet004\control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 2
    Reg HKLM\SYSTEM\ControlSet004\control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
    Reg HKLM\SYSTEM\ControlSet004\control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 7
    Reg HKLM\SYSTEM\ControlSet004\control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
    Reg HKLM\SYSTEM\ControlSet004\control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
    Reg HKLM\SYSTEM\ControlSet004\control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
    Reg HKLM\SYSTEM\ControlSet004\control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
    Reg HKLM\SYSTEM\ControlSet004\control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
    Reg HKLM\SYSTEM\ControlSet004\control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
    Reg HKLM\SYSTEM\ControlSet004\control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
    Reg HKLM\SYSTEM\ControlSet004\control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 7
    Reg HKLM\SYSTEM\ControlSet004\control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256

    ---- EOF - GMER 1.0.15 ----
     


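    Reading the GMER section of the post above: every SSDT and kernel inline hook it lists is attributed to aswSP.SYS (avast's self-protection driver), which is what you expect on a box running avast, while the user-mode entries under Explorer.EXE, svchost.exe and services.exe are JMPs into low addresses with no owning module printed. The script below is an added example for this thread, not GMER's code and not part of the original post: it parses a constructed sample in the same GMER 1.0.15 line format, groups attributed hooks by the vendor GMER names, and lists the unattributed ones for follow-up. Two caveats a practitioner would add: GMER's attribution only says which driver owns the hook target, not that the driver is genuine (check the file's signature and hash), and unattributed user-mode hooks also come from legitimate software, so they are leads to explain, not a verdict.

```python
"""Triage a GMER hook listing: group hooks by the module GMER attributes them to
and pull out the ones that carry no attribution at all.

Added example for this thread; it is not GMER's code and not part of the
original post. SAMPLE_GMER is constructed to match the GMER 1.0.15 line
formats in the posted log.
"""
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE_GMER = """\
---- System - GMER 1.0.15 ----

SSDT \\SystemRoot\\System32\\Drivers\\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF5408CD2]
SSDT \\SystemRoot\\System32\\Drivers\\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF54086A4]

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntoskrnl.exe!ZwLoadDriver 805A3B73 7 Bytes JMP F5415AFE \\SystemRoot\\System32\\Drivers\\aswSP.SYS (avast! self protection module/ALWIL Software)
.text C:\\WINDOWS\\System32\\DRIVERS\\nv4_mini.sys section is writeable [0xF7F00340, 0x121A5F, 0xF8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\\WINDOWS\\Explorer.EXE[1692] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\\WINDOWS\\System32\\svchost.exe[3892] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 0097000A

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\\WINDOWS\\system32\\services.exe[996] @ C:\\WINDOWS\\system32\\services.exe [KERNEL32.dll!CreateProcessW] 003B0000
"""

# "<driver path> (<description>/<company>)" is how GMER prints the owning module.
OWNER = r"(?P<driver>\S+) \((?P<desc>[^)]*)\)"
SSDT_RE = re.compile(rf"^(?:SSDT|Code) {OWNER} (?P<func>\w+)(?: \[0x[0-9A-Fa-f]+\])?$")
KERNEL_INLINE_RE = re.compile(
    rf"^PAGE \S+!(?P<func>\w+) [0-9A-Fa-f]+ \d+ Bytes JMP (?P<target>[0-9A-Fa-f]+) {OWNER}$")
USER_INLINE_RE = re.compile(
    r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] [\w.]+!(?P<func>\w+) [0-9A-Fa-f]+ \d+ Bytes JMP "
    r"(?P<target>[0-9A-Fa-f]+)(?: (?P<owner>.+))?$")
IAT_RE = re.compile(
    r"^IAT (?P<proc>.+?)\[(?P<pid>\d+)\] @ \S+ \[[\w.]+!(?P<func>\w+)\] (?P<target>[0-9A-Fa-f]+)$")


@dataclass
class Hook:
    kind: str                    # ssdt | kernel-inline | user-inline | iat
    where: str                   # "kernel" or "<image>[pid]"
    function: str
    target: Optional[int]        # hook destination, when GMER prints one
    owner_module: Optional[str]  # driver GMER attributes the hook to, if any
    owner_desc: Optional[str]

    @property
    def vendor(self) -> Optional[str]:
        # GMER's description reads "<product text>/<company>"; keep the company part.
        if self.owner_desc and "/" in self.owner_desc:
            return self.owner_desc.rsplit("/", 1)[1].strip()
        return self.owner_desc


def _where(proc: str, pid: str) -> str:
    image = proc.rsplit("\\", 1)[-1]  # basename of the process path
    return f"{image}[{pid}]"


def parse_gmer(text: str) -> list[Hook]:
    """Turn the hook lines of a GMER log into Hook records; other lines are ignored."""
    hooks: list[Hook] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := SSDT_RE.match(line):
            hooks.append(Hook("ssdt", "kernel", m["func"], None, m["driver"], m["desc"]))
        elif m := KERNEL_INLINE_RE.match(line):
            hooks.append(Hook("kernel-inline", "kernel", m["func"], int(m["target"], 16),
                              m["driver"], m["desc"]))
        elif m := USER_INLINE_RE.match(line):
            om = re.fullmatch(OWNER, m["owner"]) if m["owner"] else None
            hooks.append(Hook("user-inline", _where(m["proc"], m["pid"]), m["func"],
                              int(m["target"], 16),
                              om["driver"] if om else None, om["desc"] if om else None))
        elif m := IAT_RE.match(line):
            # GMER prints only the destination address for IAT patches, never an owner.
            hooks.append(Hook("iat", _where(m["proc"], m["pid"]), m["func"],
                              int(m["target"], 16), None, None))
    return hooks


def summarize(hooks: list[Hook]) -> dict:
    """Attributed hooks grouped by vendor; unattributed ones listed for follow-up."""
    by_vendor: dict[str, list[str]] = {}
    unattributed: list[str] = []
    for h in hooks:
        if h.vendor:
            by_vendor.setdefault(h.vendor, []).append(f"{h.kind} {h.function}")
        else:
            dest = f" -> 0x{h.target:08X}" if h.target is not None else ""
            unattributed.append(f"{h.where} {h.function}{dest}")
    return {"by_vendor": by_vendor, "unattributed": unattributed,
            "kernel_hooks": sum(h.where == "kernel" for h in hooks)}


if __name__ == "__main__":
    for k, v in summarize(parse_gmer(SAMPLE_GMER)).items():
        print(k, v)
```

    Run it against a real GMER log by passing the file contents to parse_gmer(). Anything that lands in "unattributed" is where to start: find out which module owns the target address (Process Explorer or a debugger will show the mapped image, if any) before deciding whether it belongs there.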
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Good Morning! I'll help you out. While I check these logs, please go ahead and run the following:

    Please download ComboFix from Here and save to your Desktop.

    [1]. Do NOT rename ComboFix unless instructed.
    [2]. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    [3]. Close any open browsers.
    [4]. Double-click combofix.exe and follow the prompts to run.
    • NOTE: ComboFix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    [5]. If ComboFix asks you to install the Recovery Console, please allow it.
    [6]. If ComboFix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine to the Internet until ComboFix has completely finished.
    [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with ComboFix.
    Re-enable your Antivirus software.
    ============================
    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
     
  3. tullriles

    tullriles TS Rookie Topic Starter Posts: 18

    Thanks, Bobbye, for jumping in to help. (And a good morning to you also).
    Here are the Combofix and Eset results:

    ComboFix 10-07-19.04 - bob 07/20/2010 9:45.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.255.41 [GMT -4:00]
    Running from: c:\documents and settings\bob\Desktop\ComboFix.exe
    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\Downloaded Program Files\RdXIe.dll
    c:\windows\Readme.txt
    c:\windows\system32\download
    c:\windows\system32\drivers\remove_spyware_button.gif
    c:\windows\system32\keylog.txt
    c:\windows\system32\lclcfg32.ini
    c:\windows\system32\lfd32.ini
    c:\windows\system32\mirc.ini
    c:\windows\system32\sl.bin
    c:\windows\system32\sounds
    c:\windows\tempf.txt

    Infected copy of c:\windows\system32\drivers\agp440.sys was found and disinfected
    Restored copy from - Kitty had a snack :p
    .
    ((((((((((((((((((((((((( Files Created from 2010-06-20 to 2010-07-20 )))))))))))))))))))))))))))))))
    .

    2010-07-16 13:07 . 2010-07-16 13:07 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
    2010-07-14 22:43 . 2010-07-14 22:43 -------- d-----w- c:\documents and settings\LocalService\Application Data\FileOpen
    2010-07-14 19:29 . 2001-08-17 16:13 19528 -c--a-w- c:\windows\system32\dllcache\w840nd.sys
    2010-07-14 19:28 . 2001-08-18 02:36 94293 -c--a-w- c:\windows\system32\dllcache\sxports.dll
    2010-07-14 19:27 . 2001-08-18 02:36 386560 -c--a-w- c:\windows\system32\dllcache\sgiul50.dll
    2010-07-14 19:26 . 2008-04-13 17:41 17664 -c--a-w- c:\windows\system32\dllcache\ppa3.sys
    2010-07-14 19:25 . 2001-08-17 16:20 87040 -c--a-w- c:\windows\system32\dllcache\nm6wdm.sys
    2010-07-14 19:24 . 2001-08-17 17:52 6528 -c--a-w- c:\windows\system32\dllcache\miniqic.sys
    2010-07-14 19:23 . 2008-04-13 23:09 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
    2010-07-14 19:22 . 2001-08-18 02:36 91136 -c--a-w- c:\windows\system32\dllcache\icam4com.dll
    2010-07-14 19:21 . 2001-08-18 02:36 92160 -c--a-w- c:\windows\system32\dllcache\fuusd.dll
    2010-07-14 19:20 . 2001-08-17 16:11 69194 -c--a-w- c:\windows\system32\dllcache\el656cd5.sys
    2010-07-14 19:19 . 2001-08-17 16:12 117760 -c--a-w- c:\windows\system32\dllcache\d100ib5.sys
    2010-07-14 19:18 . 2001-08-17 16:13 21530 -c--a-w- c:\windows\system32\dllcache\ce2n5.sys
    2010-07-14 19:17 . 2001-08-17 17:12 2944 -c--a-w- c:\windows\system32\dllcache\brfilt.sys
    2010-07-14 19:17 . 2001-08-18 02:36 12800 -c--a-w- c:\windows\system32\dllcache\brevif.dll
    2010-07-14 19:17 . 2001-08-18 02:36 9728 -c--a-w- c:\windows\system32\dllcache\brcoinst.dll
    2010-07-14 19:17 . 2001-08-18 02:36 19456 -c--a-w- c:\windows\system32\dllcache\brbidiif.dll
    2010-07-14 19:17 . 2001-08-18 02:36 102400 -c--a-w- c:\windows\system32\dllcache\binlsvc.dll
    2010-07-14 18:20 . 2010-07-14 18:21 -------- d-----w- c:\program files\Glary Utilities
    2010-07-14 17:53 . 2010-07-14 18:01 -------- d-----w- c:\documents and settings\bob\Application Data\GlarySoft
    2010-07-14 17:53 . 2010-07-14 17:53 -------- d-----w- c:\program files\Glary Registry Repair
    2010-07-14 14:31 . 2010-07-14 14:31 -------- d-----w- c:\documents and settings\bob\Application Data\Uniblue
    2010-07-14 09:40 . 2010-07-14 09:40 -------- d-----w- c:\documents and settings\NetworkService\Application Data\FileOpen
    2010-07-14 09:39 . 2010-07-14 09:44 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2010-07-12 18:33 . 2010-07-12 18:33 -------- d-----w- C:\symbols
    2010-07-12 17:54 . 2001-08-17 16:49 49920 -c--a-w- c:\windows\system32\dllcache\atirtcap.sys
    2010-07-12 17:33 . 2001-08-17 16:11 46112 -c--a-w- c:\windows\system32\dllcache\adptsf50.sys
    2010-07-11 20:46 . 2010-07-11 20:51 -------- d-----w- c:\program files\Common Files\ParetoLogic
    2010-07-10 22:08 . 2010-07-20 13:36 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-07-09 15:57 . 2010-07-09 15:57 -------- d-----w- c:\documents and settings\bob\Application Data\Malwarebytes
    2010-07-09 15:56 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-07-09 15:56 . 2010-07-09 15:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-07-09 15:56 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-07-09 15:55 . 2010-07-20 09:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-07-09 14:35 . 2010-07-09 14:35 -------- d-----w- c:\documents and settings\bob\Local Settings\Application Data\Threat Expert
    2010-07-06 00:44 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
    2010-07-05 13:21 . 2010-07-09 16:03 -------- d-----w- c:\documents and settings\bob\Local Settings\Application Data\gnorigsky

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-07-19 18:23 . 2005-10-27 01:37 -------- d-----w- c:\program files\Lx_cats
    2010-07-12 17:26 . 2010-07-14 22:43 158666 ----a-w- c:\windows\PCHealth\HelpCtr\Config\Cache\Personal_32_1033.dat
    2010-07-11 20:58 . 2010-03-07 22:36 442144 --sha-w- c:\windows\system32\drivers\fidbox2.dat
    2010-07-11 20:51 . 2010-03-07 22:28 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
    2010-07-11 20:32 . 2010-03-07 22:36 41420 --sha-w- c:\windows\system32\drivers\fidbox2.idx
    2010-07-11 20:32 . 2010-03-07 22:36 218228 --sha-w- c:\windows\system32\drivers\fidbox.idx
    2010-07-11 20:32 . 2010-03-07 22:36 16979232 --sha-w- c:\windows\system32\drivers\fidbox.dat
    2010-07-09 16:49 . 2010-03-08 21:31 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-07-06 15:27 . 2009-10-01 14:59 -------- d-----w- c:\program files\CCleaner
    2010-06-28 20:57 . 2010-03-22 10:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
    2010-06-28 20:37 . 2010-03-22 10:58 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-06-28 20:37 . 2010-03-22 10:58 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-06-28 20:33 . 2010-03-22 10:58 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-06-28 20:32 . 2010-03-22 10:58 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-06-28 20:32 . 2010-03-22 10:58 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-06-28 20:32 . 2010-03-22 10:58 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-06-28 20:32 . 2010-03-22 10:58 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-05-06 14:18 . 2010-05-06 14:18 14846 ----a-r- c:\documents and settings\bob\Application Data\Microsoft\Installer\{857CBF4A-192C-44B0-86A5-6281FCEFA1FE}\FileOpenNew.exe
    2010-05-06 10:41 . 2002-09-03 17:12 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-05-02 05:22 . 2002-09-03 17:11 1851264 ----a-w- c:\windows\system32\win32k.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-06 5058560]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
    "LXCCCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\LXCCtime.dll" [2005-01-10 69632]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2003-10-06 49152]
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ParetoLogic Anti-Virus PLUS

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2009-11-12 21:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    2003-10-06 19:16 741376 ----a-w- c:\windows\SYSTEM32\nwiz.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=

    R1 aswSP;aswSP;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [3/22/2010 6:58 AM 165456]
    R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [3/22/2010 6:58 AM 17744]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/11/2007 7:49 AM 24652]
    S2 gupdate1c9cfd9aeca5742;Google Update Service (gupdate1c9cfd9aeca5742);c:\program files\Google\Update\GoogleUpdate.exe [5/8/2009 8:36 AM 133104]
    S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\SYSTEM32\DRIVERS\hitmanpro35.sys [3/9/2010 2:15 PM 15944]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-07-20 c:\windows\Tasks\GlaryInitialize.job
    - c:\program files\Glary Utilities\initialize.exe [2010-07-14 15:14]

    2010-07-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-08 12:36]

    2010-07-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-08 12:36]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Settings,ProxyServer = http=127.0.0.1:5577
    uInternet Settings,ProxyOverride = <local>
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    DPF: ActiveGS.cab - hxxp://www.virtualapple.com/activegs.cab
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\bob\Application Data\Mozilla\Firefox\Profiles\lwkjalq7.default\
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava11.dll
    FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava12.dll
    FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava13.dll
    FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava14.dll
    FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava32.dll
    FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJPI150_11.dll
    FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPOJI610.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-Locked - (no file)
    WebBrowser-{A167FA36-FF62-4DF8-8276-4C64416F0594} - (no file)
    HKCU-Run-Microsoft Works Update Detection - c:\program files\Microsoft Works\WkDetect.exe
    MSConfigStartUp-Microsoft Works Update Detection - c:\program files\Microsoft Works\WkDetect.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-07-20 09:58
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    LXCCCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"

    [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
    .
    Completion time: 2010-07-20 10:08:49
    ComboFix-quarantined-files.txt 2010-07-20 14:08

    Pre-Run: 36,332,167,168 bytes free
    Post-Run: 36,347,924,480 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

    - - End Of File - - A8B660F9D1372F5B149731900677A39E


    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=061bd8e71874aa40bc18c1bec8475654
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=false
    # utc_time=2010-07-20 03:11:38
    # local_time=2010-07-20 11:11:38 (-0500, Eastern Daylight Time)
    # country="United States"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=768 16777215 100 0 9458471 9458471 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=85137
    # found=3
    # cleaned=0
    # scan_time=3189
    C:\Documents and Settings\bob\My Documents\Install_AIM_np.exe Win32/Adware.WBug.A application 86D151CC9AE8A37F5828A59B22B29D7E I
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP171\A0049156.sys Win32/Olmarik.ZC trojan EF2AC2CD39EB94BDE34E60BAA6AF970F I
    C:\WINDOWS\wt\wtupdates\wtwebdriver\files\3.3.1.001\npwthost.dll probably a variant of Win32/Agent trojan 0633B8BB987CE9E4F11AD8C20B594F98 I
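    One line in the ComboFix Supplementary Scan above deserves a closer look than the thread gives it: uInternet Settings,ProxyServer = http=127.0.0.1:5577 means Internet Explorer's per-user HTTP proxy points at a port on the machine itself, so every HTTP request the browser makes is handed to whatever process listens there. A loopback proxy that no installed product accounts for is one mechanism that produces exactly the symptoms in the first post (search redirects, particular sites unreachable). The script below is an added example for this thread, not ComboFix code and not part of the original post: it parses a constructed sample modelled on those log lines, decodes the ProxyServer value in both shapes IE uses, flags a loopback proxy, re-fangs ComboFix's hxxp:// URLs and lists Downloaded Program Files entries fetched over HTTP. Caveat: legitimate software (some AV web shields, parental filters, debugging proxies) also installs loopback proxies, so before removing one identify the listening process (on XP, netstat -ano from a command prompt shows the PID for the port).

```python
"""Pull redirect-relevant indicators out of a ComboFix "Supplementary Scan"
section: the IE proxy setting, start/search URLs and Downloaded Program Files
(DPF) entries.

Added example for this thread; it is not ComboFix code and not part of the
original post. SAMPLE_SUPPLEMENTARY is constructed to match the line shapes
in the posted log.
"""
import ipaddress
import re
from urllib.parse import urlsplit

SAMPLE_SUPPLEMENTARY = """\
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
DPF: ActiveGS.cab - hxxp://www.virtualapple.com/activegs.cab
DPF: DirectAnimation Java Classes - file://c:\\windows\\Java\\classes\\dajava.cab
"""


def refang(url: str) -> str:
    """ComboFix neuters URLs as hxxp:// so they are not clickable; undo that."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def parse_proxy_server(value: str) -> dict[str, tuple[str, int]]:
    """Parse the IE ProxyServer registry value.

    Two shapes exist: "host:port" (one proxy for every protocol, returned under
    the key "*") and "http=host:port;https=host:port;..." (per protocol).
    A missing or non-numeric port is returned as 0.
    """
    proxies: dict[str, tuple[str, int]] = {}
    for part in filter(None, value.split(";")):
        proto, sep, hostport = part.partition("=")
        if not sep:
            proto, hostport = "*", part
        if ":" in hostport:
            host, _, port = hostport.rpartition(":")
        else:
            host, port = hostport, ""
        proxies[proto.strip().lower()] = (host.strip(), int(port) if port.isdigit() else 0)
    return proxies


def is_loopback(host: str) -> bool:
    """True for localhost, 127.0.0.0/8 and ::1, i.e. a proxy on the machine itself."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def triage_supplementary(text: str) -> dict:
    result = {"proxy": {}, "loopback_proxy": False, "proxy_override": None,
              "external_dpf": [], "urls": {}}
    for line in text.splitlines():
        key, sep, value = (s.strip() for s in line.partition(" = "))
        if sep and key == "uInternet Settings,ProxyServer":
            result["proxy"] = parse_proxy_server(value)
            result["loopback_proxy"] = any(is_loopback(h) for h, _ in result["proxy"].values())
        elif sep and key == "uInternet Settings,ProxyOverride":
            result["proxy_override"] = value
        elif sep and key.startswith("u"):
            # Other per-user IE settings: start page, search URLs. Keep them
            # re-fanged so they can be compared against the expected defaults.
            result["urls"][key] = refang(value)
        elif line.startswith("DPF:"):
            # "DPF: <name> - <source>"; controls fetched over HTTP deserve a look,
            # file:// ones were installed from the local disk.
            _, _, src = line.partition(" - ")
            src = refang(src.strip())
            if urlsplit(src).scheme in ("http", "https"):
                result["external_dpf"].append(src)
    return result


if __name__ == "__main__":
    for k, v in triage_supplementary(SAMPLE_SUPPLEMENTARY).items():
        print(k, v)
```

    On a live machine the same value lives at HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (with ProxyEnable controlling whether it is honoured), which is where to look once ComboFix has pointed at it.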
     
  4. tullriles

    tullriles TS Rookie Topic Starter Posts: 18

    Bobbye -

    I noticed that my access to windowsupdate seems to have been repaired. I didn't want to change anything on my system without your permission, so I haven't done any windows updates.

    I still have the other problems I documented. Please let me know if I should allow windows updates in the meantime.

    Thanks,
    Bob
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Bob, hold off on the Windows Updates:

    Download Bootkit Remover and save to your Desktop
    1. You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
    2. After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right click on remover.exe and click Run As Administrator).
    3. You will see a Black screen with some data on it.
    4. Right click on the screen and click Select All.
    5. Press CTRL+C to Copy
    6. Open a Notepad and press CTRL+V to Paste.
    7. Include the report in your next post.
    Credits to Broni
    =================================

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveIt3.exe and select "Run as an Administrator".)
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Processes	
      
      :Services
      
      :Reg
      
      :Files  
      C:\Documents and Settings\bob\My Documents\Install_AIM_np.exe 
      C:\WINDOWS\wt\wtupdates\wtwebdriver\files\3.3.1.001\npwthost.dll 
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    IF you still have Weatherbug on the system, please uninstall it and remove the program folder in Windows Explorer.
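Bootkit Remover, requested above, reads the first sector of each physical drive, prints its MD5 and reports whether the boot code it finds is the expected DOS/Win32 boot code. The Python below is an added example for this thread, not part of the original posts and not eSage Lab's tool: it does the same kind of check on a 512-byte sector (boot signature, partition table sanity, boot-code hash against a known-good value) and flags the two things a bootkit has to touch, the boot code and the partition table. The sample sectors, the stand-in boot code and the known-good hash are constructed here and are not the boot sector of the machine in this thread; `read_mbr` opens `\\.\PhysicalDrive0` directly and needs administrator rights, so it is defined but not called in the demo.

```python
"""
Boot-sector (MBR) sanity check of the kind Bootkit Remover performs: read the
first 512 bytes of a disk, hash the boot code, validate the signature and the
partition table, and report anything a bootkit would have to change.
Added example for this thread; the sample sectors below are constructed here
and are NOT the boot sector of the machine in the logs.
"""
import hashlib
import struct

SECTOR_SIZE = 512
CODE_END = 0x1B8          # boot code lives in bytes 0..0x1B7; disk signature follows
PART_TABLE = 0x1BE        # four 16-byte partition entries
SIG_OFFSET = 0x1FE        # two-byte 0x55AA boot signature
ENTRY_FMT = "<B3xB3xII"   # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


def read_mbr(device=r"\\.\PhysicalDrive0"):
    """Read the raw MBR from a physical drive (needs administrator rights)."""
    with open(device, "rb") as disk:
        return disk.read(SECTOR_SIZE)


def parse_mbr(sector):
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(ENTRY_FMT, sector, PART_TABLE + 16 * i)
        partitions.append({"active": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {
        "code_md5": hashlib.md5(sector[:CODE_END]).hexdigest(),
        "sector_md5": hashlib.md5(sector).hexdigest(),   # whole-sector hash, as Bootkit Remover prints
        "disk_signature": struct.unpack_from("<I", sector, CODE_END)[0],
        "signature_ok": sector[SIG_OFFSET:SIG_OFFSET + 2] == b"\x55\xAA",
        "partitions": partitions,
    }


def check_mbr(sector, known_code_md5):
    """Return a list of findings; an empty list means the MBR looks intact."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["code_md5"] != known_code_md5:
        findings.append("boot code differs from known-good image")
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected 1)")
    for p in info["partitions"]:
        if p["type"] != 0 and (p["lba_start"] == 0 or p["sectors"] == 0):
            findings.append("partition entry with zero start or length")
        if p["type"] == 0 and (p["active"] or p["lba_start"] or p["sectors"]):
            findings.append("unused partition entry carries data")
    return findings


def build_sample_mbr(boot_code, entries):
    """Assemble a synthetic MBR: boot code, arbitrary disk signature, partition entries, 0x55AA."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, CODE_END, 0x1234ABCD)   # arbitrary disk signature
    for i, (active, ptype, start, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, sector, PART_TABLE + 16 * i,
                         0x80 if active else 0, ptype, start, count)
    sector[SIG_OFFSET:SIG_OFFSET + 2] = b"\x55\xAA"
    return bytes(sector)


# Stand-in boot code (NOPs then INT 18h); not real Windows loader code.
CLEAN_CODE = b"\x90" * 400 + b"\xCD\x18"
KNOWN_CODE_MD5 = hashlib.md5(CLEAN_CODE.ljust(CODE_END, b"\x00")).hexdigest()
ONE_NTFS = [(True, 0x07, 2048, 115_000_000)]

CLEAN = build_sample_mbr(CLEAN_CODE, ONE_NTFS)
# First instruction patched into a far jump, the way a bootkit diverts execution to its own loader.
PATCHED = build_sample_mbr(b"\xEA" + CLEAN_CODE[1:], ONE_NTFS)
# A second entry typed 0 (unused) but pointing at sectors past the end of the real volume.
HIDDEN = build_sample_mbr(CLEAN_CODE, ONE_NTFS + [(False, 0x00, 115_002_048, 4096)])

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN), ("patched", PATCHED), ("hidden", HIDDEN)):
        info = parse_mbr(sector)
        print(f"{name}: sector MD5 {info['sector_md5']}, "
              f"findings {check_mbr(sector, KNOWN_CODE_MD5) or 'OK'}")
```

Hashing only the first 0x1B8 bytes is a deliberate choice: the disk signature and partition table that follow differ on every machine, so a hash of the whole sector (the value Bootkit Remover prints) can only be compared against a baseline taken from the same disk, while a hash of the code region can be compared against a list of known-good boot loaders.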
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    When you have finished with my Reply #5, continue with this: I am removing several redundant security entries. You were running multiple antivirus programs. I have also moved Hitman Pro. That program is a bundle of free programs available on the internet, most being used without the permission of the authors.

    Custom CFScript

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\program files\Viewpoint\Common\ViewpointService.exe
    c:\windows\SYSTEM32\DRIVERS\hitmanpro35.sys
    c:\program files\common files\ParetoLogic
    
    Folder::
    c:\documents and settings\bob\Local Settings\Application Data\Threat Expert
    c:\documents and settings\bob\Local Settings\Application Data\gnorigsky
    c:\documents and settings\All Users\Application Data\ParetoLogic
    c:\documents and settings\All Users\Application Data\TEMP
    DDS::
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    TB: {A167FA36-FF62-4DF8-8276-4C64416F0594} - No File
    TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
    TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
    TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
    EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    EB: {9404901D-06DA-4B23-A0EE-3EA4F64EC9B3} - No File
    uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~2.EXE -Update -1103472 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; iebar; .NET CLR 1.0.3705; .NET CLR 2.0.50727; IEMB3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2; IEMB3)" -"http://pool.bz/P/Player/?@4AALW4BNyW3CNqW4DAVy2PGdq2qQtFBall_in_Hand_Behind_the_Center_Line_&ZZ@"
    mPolicies-explorer: <NO NAME> = 
    mPolicies-system: EnableLUA = 0 (0x0)
    
    Registry::
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ParetoLogic Anti-Virus PLUS
    RegLock::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
    
    Driver::
    Viewpoint Manager Service
    hitmanpro35
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image: dragging CFScript.txt onto ComboFix.exe]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ====================
    If you have any of the following on Startup, please uncheck them:
    Easy CD & DVD Creator or
    DirectCD or
    Drag-to-Disc or
    Easy CD Creator 5 Basic or
    Roxio Easy Media Creator by Roxio (www.roxio.com) or
    Sonic Solutions (www.sonic.com).
    =============================================
    Flash player is known for leaving behind old insecure files. It is better to clean out the entire entry, uninstall, then reinstall:

    [1]. Download the Flash Player Uninstaller and save it to your desktop.
      Choose the Flash Player Uninstaller for your browser: http://www.adobe.com/shockwave/download/alternates/
      [2]. Double-click the setup and run the uninstaller program.
      [3]. Reboot your computer to complete the uninstall
      [4]. Download latest version of Flash Player HERE and save to the desktop.
      [5]. Double click the setup and run to install. Reboot when through.

    Once the new version is installed, follow the directions to disable the auto-updater.

    [1] Navigate to the Shockwave Welcome page: http://www.adobe.com/shockwave/welcome/
      Note: The context menu can be accessed from any Shockwave movie if the context menu has been enabled by the author, but this URL was provided to simplify the process.
      [2] Windows: Right click the Shockwave movie.
      [3] From the drop down menu choose "Properties".
      [4] Uncheck the box next to "Automatic Update Service" to disable the auto update feature.
      http://kb.adobe.com/selfservice/view...6683&sliceId=1
     
  7. tullriles

    tullriles TS Rookie Topic Starter Posts: 18

    Bobbye, Thanks for the guidance and the clear directions.

    I scoured my system looking for weatherbug, but couldn't find anything, so I didn't take any action.

    I was also unaware that I was running multiple anti-virus software. The only one I was aware of was AVAST. Thanks for pointing that out.

    Here are my latest results:

    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.1.0.0
    OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`01f60800
    Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

    Size Device Name MBR Status
    --------------------------------------------
    55 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


    Done;
    Press any key to quit...


    All processes killed
    ========== PROCESSES ==========
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    C:\Documents and Settings\bob\My Documents\Install_AIM_np.exe moved successfully.
    DllUnregisterServer procedure not found in C:\WINDOWS\wt\wtupdates\wtwebdriver\files\3.3.1.001\npwthost.dll
    C:\WINDOWS\wt\wtupdates\wtwebdriver\files\3.3.1.001\npwthost.dll moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: All Users

    User: bob
    ->Temp folder emptied: 241352 bytes
    ->Temporary Internet Files folder emptied: 47376798 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 3154555 bytes
    ->Flash cache emptied: 3018 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 540806 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Flash cache emptied: 2584 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 131206 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 777 bytes

    User: Owner

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 664 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 49.00 mb


    OTM by OldTimer - Version 3.1.15.0 log created on 07242010_145717

    Files moved on Reboot...
    File C:\Documents and Settings\bob\Local Settings\Temp\~DFC014.tmp not found!
    File C:\Documents and Settings\bob\Local Settings\Temp\~DFC061.tmp not found!
    File C:\Documents and Settings\bob\Local Settings\Temp\~DFC131.tmp not found!
    File C:\Documents and Settings\bob\Local Settings\Temp\~DFC187.tmp not found!
    File C:\Documents and Settings\bob\Local Settings\Temp\~DFC40A.tmp not found!
    File C:\Documents and Settings\bob\Local Settings\Temp\~DFC44F.tmp not found!
    C:\Documents and Settings\bob\Local Settings\Temporary Internet Files\Content.IE5\XDJW7NL3\sh21[1].html moved successfully.
    C:\Documents and Settings\bob\Local Settings\Temporary Internet Files\Content.IE5\NTB79LL7\01[1].htm moved successfully.
    C:\Documents and Settings\bob\Local Settings\Temporary Internet Files\Content.IE5\NTB79LL7\adsCAWP42IQ.htm moved successfully.
    C:\Documents and Settings\bob\Local Settings\Temporary Internet Files\Content.IE5\NTB79LL7\topic150301[3].html moved successfully.
    File C:\WINDOWS\temp\_avast5_\Webshlock.txt not found!

    Registry entries deleted on Reboot...


    ComboFix 10-07-23.04 - bob 07/24/2010 15:18:55.2.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.255.96 [GMT -4:00]
    Running from: c:\documents and settings\bob\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\bob\Desktop\CFScript.txt
    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

    FILE ::
    "c:\program files\common files\ParetoLogic"
    "c:\program files\Viewpoint\Common\ViewpointService.exe"
    "c:\windows\SYSTEM32\DRIVERS\hitmanpro35.sys"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\ParetoLogic
    c:\documents and settings\All Users\Application Data\TEMP
    c:\documents and settings\bob\Local Settings\Application Data\gnorigsky
    c:\documents and settings\bob\Local Settings\Application Data\Threat Expert
    c:\program files\Viewpoint\Common\ViewpointService.exe
    c:\windows\SYSTEM32\DRIVERS\hitmanpro35.sys

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_HITMANPRO35
    -------\Legacy_VIEWPOINT_MANAGER_SERVICE
    -------\Service_hitmanpro35
    -------\Service_Viewpoint Manager Service


    ((((((((((((((((((((((((( Files Created from 2010-06-24 to 2010-07-24 )))))))))))))))))))))))))))))))
    .

    2010-07-24 18:57 . 2010-07-24 18:57 -------- d-----w- C:\_OTM
    2010-07-24 18:41 . 2010-07-24 18:41 -------- d-----w- c:\program files\7-Zip
    2010-07-20 14:14 . 2010-07-20 14:14 -------- d-----w- c:\program files\ESET
    2010-07-16 13:07 . 2010-07-16 13:07 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
    2010-07-14 22:43 . 2010-07-14 22:43 -------- d-----w- c:\documents and settings\LocalService\Application Data\FileOpen
    2010-07-14 19:29 . 2001-08-17 16:13 19528 -c--a-w- c:\windows\system32\dllcache\w840nd.sys
    2010-07-14 19:28 . 2001-08-18 02:36 94293 -c--a-w- c:\windows\system32\dllcache\sxports.dll
    2010-07-14 19:27 . 2001-08-18 02:36 386560 -c--a-w- c:\windows\system32\dllcache\sgiul50.dll
    2010-07-14 19:26 . 2008-04-13 17:41 17664 -c--a-w- c:\windows\system32\dllcache\ppa3.sys
    2010-07-14 19:25 . 2001-08-17 16:20 87040 -c--a-w- c:\windows\system32\dllcache\nm6wdm.sys
    2010-07-14 19:24 . 2001-08-17 17:52 6528 -c--a-w- c:\windows\system32\dllcache\miniqic.sys
    2010-07-14 19:23 . 2008-04-13 23:09 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
    2010-07-14 19:22 . 2001-08-18 02:36 91136 -c--a-w- c:\windows\system32\dllcache\icam4com.dll
    2010-07-14 19:21 . 2001-08-18 02:36 92160 -c--a-w- c:\windows\system32\dllcache\fuusd.dll
    2010-07-14 19:20 . 2001-08-17 16:11 69194 -c--a-w- c:\windows\system32\dllcache\el656cd5.sys
    2010-07-14 19:19 . 2001-08-17 16:12 117760 -c--a-w- c:\windows\system32\dllcache\d100ib5.sys
    2010-07-14 19:18 . 2001-08-17 16:13 21530 -c--a-w- c:\windows\system32\dllcache\ce2n5.sys
    2010-07-14 19:17 . 2001-08-17 17:12 2944 -c--a-w- c:\windows\system32\dllcache\brfilt.sys
    2010-07-14 19:17 . 2001-08-18 02:36 12800 -c--a-w- c:\windows\system32\dllcache\brevif.dll
    2010-07-14 19:17 . 2001-08-18 02:36 9728 -c--a-w- c:\windows\system32\dllcache\brcoinst.dll
    2010-07-14 19:17 . 2001-08-18 02:36 19456 -c--a-w- c:\windows\system32\dllcache\brbidiif.dll
    2010-07-14 19:17 . 2001-08-18 02:36 102400 -c--a-w- c:\windows\system32\dllcache\binlsvc.dll
    2010-07-14 18:20 . 2010-07-14 18:21 -------- d-----w- c:\program files\Glary Utilities
    2010-07-14 17:53 . 2010-07-14 18:01 -------- d-----w- c:\documents and settings\bob\Application Data\GlarySoft
    2010-07-14 17:53 . 2010-07-14 17:53 -------- d-----w- c:\program files\Glary Registry Repair
    2010-07-14 14:31 . 2010-07-14 14:31 -------- d-----w- c:\documents and settings\bob\Application Data\Uniblue
    2010-07-14 09:40 . 2010-07-14 09:40 -------- d-----w- c:\documents and settings\NetworkService\Application Data\FileOpen
    2010-07-14 09:39 . 2010-07-14 09:44 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2010-07-12 18:33 . 2010-07-12 18:33 -------- d-----w- C:\symbols
    2010-07-12 17:54 . 2001-08-17 16:49 49920 -c--a-w- c:\windows\system32\dllcache\atirtcap.sys
    2010-07-12 17:33 . 2001-08-17 16:11 46112 -c--a-w- c:\windows\system32\dllcache\adptsf50.sys
    2010-07-11 20:46 . 2010-07-11 20:51 -------- d-----w- c:\program files\Common Files\ParetoLogic
    2010-07-10 22:08 . 2010-07-20 13:36 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-07-09 15:57 . 2010-07-09 15:57 -------- d-----w- c:\documents and settings\bob\Application Data\Malwarebytes
    2010-07-09 15:56 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-07-09 15:56 . 2010-07-09 15:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-07-09 15:56 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-07-09 15:55 . 2010-07-20 09:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-07-06 00:44 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-07-23 03:34 . 2005-10-27 01:37 -------- d-----w- c:\program files\Lx_cats
    2010-07-12 17:26 . 2010-07-14 22:43 158666 ----a-w- c:\windows\PCHealth\HelpCtr\Config\Cache\Personal_32_1033.dat
    2010-07-11 20:58 . 2010-03-07 22:36 442144 --sha-w- c:\windows\system32\drivers\fidbox2.dat
    2010-07-11 20:32 . 2010-03-07 22:36 41420 --sha-w- c:\windows\system32\drivers\fidbox2.idx
    2010-07-11 20:32 . 2010-03-07 22:36 218228 --sha-w- c:\windows\system32\drivers\fidbox.idx
    2010-07-11 20:32 . 2010-03-07 22:36 16979232 --sha-w- c:\windows\system32\drivers\fidbox.dat
    2010-07-06 15:27 . 2009-10-01 14:59 -------- d-----w- c:\program files\CCleaner
    2010-06-28 20:57 . 2010-03-22 10:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
    2010-06-28 20:37 . 2010-03-22 10:58 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-06-28 20:37 . 2010-03-22 10:58 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-06-28 20:33 . 2010-03-22 10:58 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-06-28 20:32 . 2010-03-22 10:58 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-06-28 20:32 . 2010-03-22 10:58 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-06-28 20:32 . 2010-03-22 10:58 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-06-28 20:32 . 2010-03-22 10:58 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-05-06 10:41 . 2002-09-03 17:12 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-05-02 05:22 . 2002-09-03 17:11 1851264 ----a-w- c:\windows\system32\win32k.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-06 5058560]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
    "LXCCCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\LXCCtime.dll" [2005-01-10 69632]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2003-10-06 49152]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2009-11-12 21:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    2003-10-06 19:16 741376 ----a-w- c:\windows\SYSTEM32\nwiz.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=

    R1 aswSP;aswSP;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [3/22/2010 6:58 AM 165456]
    R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [3/22/2010 6:58 AM 17744]
    S2 gupdate1c9cfd9aeca5742;Google Update Service (gupdate1c9cfd9aeca5742);c:\program files\Google\Update\GoogleUpdate.exe [5/8/2009 8:36 AM 133104]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-07-24 c:\windows\Tasks\GlaryInitialize.job
    - c:\program files\Glary Utilities\initialize.exe [2010-07-14 15:14]

    2010-07-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-08 12:36]

    2010-07-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-08 12:36]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Settings,ProxyServer = http=127.0.0.1:5577
    uInternet Settings,ProxyOverride = <local>
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    DPF: ActiveGS.cab - hxxp://www.virtualapple.com/activegs.cab
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\bob\Application Data\Mozilla\Firefox\Profiles\lwkjalq7.default\
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava11.dll
    FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava12.dll
    FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava13.dll
    FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava14.dll
    FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava32.dll
    FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJPI150_11.dll
    FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPOJI610.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-07-24 15:35
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    LXCCCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(3676)
    c:\windows\system32\WININET.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Alwil Software\Avast5\AvastSvc.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\windows\System32\CTsvcCDA.exe
    c:\windows\System32\nvsvc32.exe
    c:\program files\Canon\CAL\CALMAIN.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2010-07-24 15:47:03 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-07-24 19:46
    ComboFix2.txt 2010-07-20 14:08

    Pre-Run: 36,574,068,736 bytes free
    Post-Run: 36,459,098,112 bytes free

    - - End Of File - - C13D5EADC41EE3E48DC7633DEA591EB0
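Two lines in the ComboFix log above deserve a second look before the machine is declared clean: `uInternet Settings,ProxyServer = http=127.0.0.1:5577` configures the browser to send HTTP through a port on the local machine, which is a common way for traffic-redirecting malware to sit between the browser and the network (though some antivirus and filtering products also install a loopback proxy, so check which process listens on that port with `netstat -ano` before removing the setting), and the catchme `LXCCCATS` entry, whose trailing `?` characters are how catchme renders bytes in the value data that it cannot print. The script below is an added example for this thread, not part of the original posts and not part of ComboFix or DDS: a set of my own heuristic rules run over log lines, with the sample lines constructed from the excerpts posted above (the long `pool.bz` URL shortened) plus one benign control line.

```python
"""
Triage rules for the text of a ComboFix / DDS-style log: flag settings that
redirect or intercept traffic and autostart entries that need a second look.
Added example for this thread; the rules are my own heuristics, not part of
ComboFix, and SAMPLE_LINES are constructed from the log excerpts in the thread.
"""
import re

# (rule name, severity, compiled pattern)
RULES = [
    ("browser proxy points at the local machine", "high",
     re.compile(r"ProxyServer\s*=\s*(?:\w+=)?(?:127\.0\.0\.1|localhost):\d+")),
    ("RunOnce entry launches with an embedded URL argument", "medium",
     re.compile(r"^[um]RunOnce:.*https?://", re.I)),
    ("autostart value contains non-printable bytes (shown by catchme as ?)", "medium",
     re.compile(r"=\s*rundll32\b.*\?{8,}\s*$", re.I)),
    ("UAC disabled by machine policy (EnableLUA = 0)", "medium",
     re.compile(r"EnableLUA\s*=\s*0\b")),
    ("orphaned toolbar/explorer-bar CLSID (No File)", "low",
     re.compile(r"^(?:TB|EB|BHO):\s*\{[0-9A-Fa-f-]{36}\}\s*-\s*No File")),
]


def triage(lines):
    """Run every rule over every line; return findings ordered high -> low, then by line."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = []
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        for name, severity, pattern in RULES:
            if pattern.search(line):
                findings.append({"line": lineno, "severity": severity, "rule": name, "text": line})
    return sorted(findings, key=lambda f: (order[f["severity"]], f["line"]))


def proxy_target(lines):
    """Return host:port of a loopback proxy if one is configured, else None."""
    for line in lines:
        m = re.search(r"ProxyServer\s*=\s*(?:\w+=)?((?:127\.0\.0\.1|localhost):\d+)", line)
        if m:
            return m.group(1)
    return None


# Constructed sample: lines taken from the log excerpts in this thread plus one benign control line.
SAMPLE_LINES = [
    "uStart Page = hxxp://www.google.com/",
    "uInternet Settings,ProxyServer = http=127.0.0.1:5577",
    "uInternet Settings,ProxyOverride = <local>",
    "TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File",
    "EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File",
    "mPolicies-system: EnableLUA = 0 (0x0)",
    'uRunOnce: [Shockwave Updater] c:\\windows\\system32\\adobe\\shockw~1\\SWHELP~2.EXE -Update -1103472 -"http://pool.bz/P/Player/"',
    "LXCCCATS = rundll32 c:\\windows\\system32\\spool\\DRIVERS\\W32X86\\3\\LXCCtime.dll,_RunDLLEntry@16" + "?" * 24,
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f['severity']:6}] line {f['line']}: {f['rule']}\n          {f['text']}")
    print("loopback proxy:", proxy_target(SAMPLE_LINES))
```

The rules are ordered so the proxy hit sorts first; a loopback proxy with no known process behind it is the one finding here that explains the redirection symptom reported at the top of the thread, while the orphaned CLSIDs are cleanup items rather than evidence of active malware.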
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Thank you for pasting all the logs. It allows me to search directly from my browser and saves considerable time. Looks good - just a few entries to move:

    CFScript

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    KillAll::
    File::
    
    Folder::
    c:\program files\Common Files\ParetoLogic
    c:\program files\Lx_cats
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LXCCCATS"=-
    Driver::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image: dragging CFScript.txt onto ComboFix.exe]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ====================
    Choose v2.0.4

    Download the HijackThis Installer HERE and save to the desktop:
    1. Double-click on HJTInstall.exe to run the program.
    2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
    3. Accept the license agreement by clicking the "I Accept" button.
    4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    5. Click "Save log" to save the log file and then the log will open in notepad.
    6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

    Are you noticing any improvements? What malware related problems remain?
     
  9. tullriles

    tullriles TS Rookie Topic Starter Posts: 18

    Thanks again, Bobbye.
    - As I reported Friday, I seem to be able to access the windows update website, but have not done any updates yet. I will wait until I get the "go ahead" from you on that.
    - My other hijack problem has not recurred in the last few days, so hopefully that has been resolved also.
    - I have noticed some improvement in my CPU processing time, but the boot process still seems slower than it should be, and when I run Google Earth (which is very data intensive), it seems to slow down the machine quite a bit.

    One question....When I start internet explorer, is it normal to see 2 processes in the Program Manager called iexplore.exe? This seems a little strange to me, but maybe it's normal.

    Thanks,
    Bob

    Here are my latest Combofix log and HIJACKTHIS log (2 posts...can't fit it into 1)

    ComboFix 10-07-24.04 - bob 07/25/2010 22:11:54.3.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.255.101 [GMT -4:00]
    Running from: c:\documents and settings\bob\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\bob\Desktop\CFScript.txt
    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\Common Files\ParetoLogic
    c:\program files\Lx_cats
    c:\program files\Lx_cats\23A018502001G7I.A00
    c:\program files\Lx_cats\23A018502001G7I.A01
    c:\program files\Lx_cats\23A018502001G7I.A02
    c:\program files\Lx_cats\lxccCATS.INI
    c:\program files\Lx_cats\lxccdefs.xml

    .
    ((((((((((((((((((((((((( Files Created from 2010-06-26 to 2010-07-26 )))))))))))))))))))))))))))))))
    .

    2010-07-24 20:03 . 2010-07-24 20:07 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
    2010-07-24 18:57 . 2010-07-24 18:57 -------- d-----w- C:\_OTM
    2010-07-24 18:41 . 2010-07-24 18:41 -------- d-----w- c:\program files\7-Zip
    2010-07-20 14:14 . 2010-07-20 14:14 -------- d-----w- c:\program files\ESET
    2010-07-16 13:07 . 2010-07-16 13:07 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
    2010-07-14 22:43 . 2010-07-14 22:43 -------- d-----w- c:\documents and settings\LocalService\Application Data\FileOpen
    2010-07-14 19:29 . 2001-08-17 16:13 19528 -c--a-w- c:\windows\system32\dllcache\w840nd.sys
    2010-07-14 19:28 . 2001-08-18 02:36 94293 -c--a-w- c:\windows\system32\dllcache\sxports.dll
    2010-07-14 19:27 . 2001-08-18 02:36 386560 -c--a-w- c:\windows\system32\dllcache\sgiul50.dll
    2010-07-14 19:26 . 2008-04-13 17:41 17664 -c--a-w- c:\windows\system32\dllcache\ppa3.sys
    2010-07-14 19:25 . 2001-08-17 16:20 87040 -c--a-w- c:\windows\system32\dllcache\nm6wdm.sys
    2010-07-14 19:24 . 2001-08-17 17:52 6528 -c--a-w- c:\windows\system32\dllcache\miniqic.sys
    2010-07-14 19:23 . 2008-04-13 23:09 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
    2010-07-14 19:22 . 2001-08-18 02:36 91136 -c--a-w- c:\windows\system32\dllcache\icam4com.dll
    2010-07-14 19:21 . 2001-08-18 02:36 92160 -c--a-w- c:\windows\system32\dllcache\fuusd.dll
    2010-07-14 19:20 . 2001-08-17 16:11 69194 -c--a-w- c:\windows\system32\dllcache\el656cd5.sys
    2010-07-14 19:19 . 2001-08-17 16:12 117760 -c--a-w- c:\windows\system32\dllcache\d100ib5.sys
    2010-07-14 19:18 . 2001-08-17 16:13 21530 -c--a-w- c:\windows\system32\dllcache\ce2n5.sys
    2010-07-14 19:17 . 2001-08-17 17:12 2944 -c--a-w- c:\windows\system32\dllcache\brfilt.sys
    2010-07-14 19:17 . 2001-08-18 02:36 12800 -c--a-w- c:\windows\system32\dllcache\brevif.dll
    2010-07-14 19:17 . 2001-08-18 02:36 9728 -c--a-w- c:\windows\system32\dllcache\brcoinst.dll
    2010-07-14 19:17 . 2001-08-18 02:36 19456 -c--a-w- c:\windows\system32\dllcache\brbidiif.dll
    2010-07-14 19:17 . 2001-08-18 02:36 102400 -c--a-w- c:\windows\system32\dllcache\binlsvc.dll
    2010-07-14 18:20 . 2010-07-14 18:21 -------- d-----w- c:\program files\Glary Utilities
    2010-07-14 17:53 . 2010-07-14 18:01 -------- d-----w- c:\documents and settings\bob\Application Data\GlarySoft
    2010-07-14 17:53 . 2010-07-14 17:53 -------- d-----w- c:\program files\Glary Registry Repair
    2010-07-14 14:31 . 2010-07-14 14:31 -------- d-----w- c:\documents and settings\bob\Application Data\Uniblue
    2010-07-14 09:40 . 2010-07-14 09:40 -------- d-----w- c:\documents and settings\NetworkService\Application Data\FileOpen
    2010-07-14 09:39 . 2010-07-14 09:44 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2010-07-12 18:33 . 2010-07-12 18:33 -------- d-----w- C:\symbols
    2010-07-12 17:54 . 2001-08-17 16:49 49920 -c--a-w- c:\windows\system32\dllcache\atirtcap.sys
    2010-07-12 17:33 . 2001-08-17 16:11 46112 -c--a-w- c:\windows\system32\dllcache\adptsf50.sys
    2010-07-10 22:08 . 2010-07-20 13:36 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-07-09 15:57 . 2010-07-09 15:57 -------- d-----w- c:\documents and settings\bob\Application Data\Malwarebytes
    2010-07-09 15:56 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-07-09 15:56 . 2010-07-09 15:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-07-09 15:56 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-07-09 15:55 . 2010-07-20 09:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-07-06 00:44 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-07-24 20:04 . 2004-04-10 20:19 -------- d-----w- c:\program files\Google
    2010-07-12 17:26 . 2010-07-14 22:43 158666 ----a-w- c:\windows\PCHealth\HelpCtr\Config\Cache\Personal_32_1033.dat
    2010-07-11 20:58 . 2010-03-07 22:36 442144 --sha-w- c:\windows\system32\drivers\fidbox2.dat
    2010-07-11 20:32 . 2010-03-07 22:36 41420 --sha-w- c:\windows\system32\drivers\fidbox2.idx
    2010-07-11 20:32 . 2010-03-07 22:36 218228 --sha-w- c:\windows\system32\drivers\fidbox.idx
    2010-07-11 20:32 . 2010-03-07 22:36 16979232 --sha-w- c:\windows\system32\drivers\fidbox.dat
    2010-07-06 15:27 . 2009-10-01 14:59 -------- d-----w- c:\program files\CCleaner
    2010-06-28 20:57 . 2010-03-22 10:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
    2010-06-28 20:37 . 2010-03-22 10:58 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-06-28 20:37 . 2010-03-22 10:58 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-06-28 20:33 . 2010-03-22 10:58 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-06-28 20:32 . 2010-03-22 10:58 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-06-28 20:32 . 2010-03-22 10:58 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-06-28 20:32 . 2010-03-22 10:58 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-06-28 20:32 . 2010-03-22 10:58 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-05-06 10:41 . 2002-09-03 17:12 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-05-02 05:22 . 2002-09-03 17:11 1851264 ----a-w- c:\windows\system32\win32k.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-07-24 39408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-06 5058560]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2003-10-06 49152]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2009-11-12 21:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    2003-10-06 19:16 741376 ----a-w- c:\windows\SYSTEM32\nwiz.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=

    R1 aswSP;aswSP;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [3/22/2010 6:58 AM 165456]
    R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [3/22/2010 6:58 AM 17744]
    S2 gupdate1c9cfd9aeca5742;Google Update Service (gupdate1c9cfd9aeca5742);c:\program files\Google\Update\GoogleUpdate.exe [5/8/2009 8:36 AM 133104]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-07-26 c:\windows\Tasks\GlaryInitialize.job
    - c:\program files\Glary Utilities\initialize.exe [2010-07-14 15:14]

    2010-07-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-08 12:36]

    2010-07-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-08 12:36]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Settings,ProxyServer = http=127.0.0.1:5577
    uInternet Settings,ProxyOverride = <local>
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    DPF: ActiveGS.cab - hxxp://www.virtualapple.com/activegs.cab
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\bob\Application Data\Mozilla\Firefox\Profiles\lwkjalq7.default\
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava11.dll
    FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava12.dll
    FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava13.dll
    FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava14.dll
    FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava32.dll
    FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJPI150_11.dll
    FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPOJI610.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-07-25 22:28
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"

    [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(3780)
    c:\windows\system32\WININET.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Alwil Software\Avast5\AvastSvc.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\windows\System32\CTsvcCDA.exe
    c:\windows\System32\nvsvc32.exe
    c:\program files\Canon\CAL\CALMAIN.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2010-07-25 22:39:32 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-07-26 02:39
    ComboFix2.txt 2010-07-24 19:47
    ComboFix3.txt 2010-07-20 14:08

    Pre-Run: 36,241,571,840 bytes free
    Post-Run: 36,279,250,944 bytes free

    - - End Of File - - F2F834125FAF435441C6420210541815
     
  10. tullriles

    tullriles TS Rookie Topic Starter Posts: 18

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 10:51:20 PM, on 7/25/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5577
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'Default user')
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Help - {1116F0D1-1161-4B26-9F76-CAA8F0F1673E} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
    O9 - Extra button: Support - {2E430047-8E8D-44C9-84B0-F2E80365ACE4} - http://www.comcastsupport.com (file missing) (HKCU)
    O9 - Extra button: ComcastHSI - {C677BD4A-D567-40FC-8558-33A992D26222} - http://www.comcast.net (file missing) (HKCU)
    O16 - DPF: ActiveGS.cab - http://www.virtualapple.com/activegs.cab
    O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt3_x.cab
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct0_x.cab
    O16 - DPF: Yahoo! Chinese Checkers - http://download.games.yahoo.com/games/clients/y/cct0_x.cab
    O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
    O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
    O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
    O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt0_x.cab
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/39.22/uploader2.cab
    O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = teleran.com
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: Google Update Service (gupdate1c9cfd9aeca5742) (gupdate1c9cfd9aeca5742) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: lxcc_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcccoms.exe
    O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

    --
    End of file - 9504 bytes
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    For IEv8, it is normal to have multiple iexplore.exe processes. Malware can also hide in them, but I had you check for that with the Bootkit Remover, which was clean.

    Bob, I'm checking Combofix now, but I want you to go ahead and run HijackThis. I found your hijacker. If you have this first entry set intentionally, you need to have HJT remove it - it's a "dirty" site with a bad reputation:

    Please reopen HijackThis to 'do system scan only'. Check each of the following if present:
    NOTE: Optional removals are color coded. Read the descriptions at the end of the log before you check for removal.
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Help - {1116F0D1-1161-4B26-9F76-CAA8F0F1673E} - http://www.comcast.net/memberservices/ (file missing) (HKCU) See Option 1
    O9 - Extra button: Support - {2E430047-8E8D-44C9-84B0-F2E80365ACE4} - http://www.comcastsupport.com (file missing) (HKCU)
    O9 - Extra button: ComcastHSI - {C677BD4A-D567-40FC-8558-33A992D26222} - http://www.comcast.net (file missing) (HKCU)

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = teleran.com See Option 2


    Option 1: If you are no longer using these Comcast services, you can remove these entries.
    Option 2: There is an entry in the HJT log for Teleran.
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = teleran.com
    This appears to be for "Application Usage Management: Managing Application Users to Improve Business Performance, Ensure Compliance and Reduce Costs." Is this a work computer? And "IT organizations get a comprehensive picture of their entire application ecosystem to quickly address performance, compliance and operational issues before they impact the business."

    Close all Windows except HijackThis and click on "Fix Checked"
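The post above applies a small set of triage rules to HijackThis entries: a browser search URL pointing at an unrecognised site is removed, entries whose backing file is gone ("(no file)") are orphaned and removed, "(file missing)" entries are optional, and a DNS search-list (O17) entry is checked with the user. As an added example that is not part of this thread or of HijackThis itself, the Python below encodes those rules and runs them over lines copied from the log posted earlier. The known-good host list is an assumption taken from the R1 lines the helper left alone; adjust it for a different machine.

```python
"""Triage HijackThis log lines with the rules used in the post above.

Added example, not part of the thread or of HijackThis. Rules:
  * R0/R1 browser settings pointing at a host outside a known-good list
    (assumed here from the defaults seen in the log) -> remove;
  * O2/O3/O9 entries whose backing file is gone ("(no file)") -> remove;
    entries marked "(file missing)" -> optional removal;
  * O17 search-list/DNS entries -> review with the user.
"""
import re
from urllib.parse import urlsplit

# Assumption: hosts that are legitimate defaults on this machine, taken from
# the R1 lines the helper did not flag.
KNOWN_GOOD_HOSTS = {"www.google.com", "go.microsoft.com"}

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Help - {1116F0D1-1161-4B26-9F76-CAA8F0F1673E} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = teleran.com
"""

# HJT entries start with a section tag such as "R1", "O2", "O17" followed by " - ".
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")


def host_of(value):
    """Return the lower-cased host of a URL or bare hostname ('' if none)."""
    if "://" not in value:
        value = "http://" + value
    return (urlsplit(value).hostname or "").lower()


def triage_line(line):
    """Classify one HJT line as (verdict, reason); None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")

    if section in ("R0", "R1"):
        # "…,SearchURL = http://host/path" -> compare the host against the allow-list
        _key, _sep, value = body.partition(" = ")
        host = host_of(value.strip())
        if host and host not in KNOWN_GOOD_HOSTS:
            return "remove", "browser setting points at unrecognised host " + host
        return "keep", "default browser setting"

    if section in ("O2", "O3", "O9"):
        if body.endswith("(no file)"):
            return "remove", "orphaned entry, its backing file is gone"
        if "(file missing)" in body:
            return "optional", "target is missing; remove if the service is no longer used"
        return "keep", "backing file present"

    if section == "O17":
        return "review", "DNS search list; confirm it belongs to a network still in use"

    return "keep", "not covered by these rules"


def triage_log(text):
    """Return [(line, verdict, reason)] for every HJT entry in the log text."""
    results = []
    for line in text.splitlines():
        verdict = triage_line(line)
        if verdict is not None:
            results.append((line.strip(), verdict[0], verdict[1]))
    return results


def removal_list(text):
    """The lines a user would tick in HijackThis before clicking 'Fix Checked'."""
    return [line for line, verdict, _ in triage_log(text) if verdict == "remove"]


if __name__ == "__main__":
    for line, verdict, reason in triage_log(SAMPLE_LOG):
        print(f"{verdict:8} {reason}\n         {line}")
```

Running it on the sample marks the searchmiracle.com search URL and the two "(no file)" entries for removal, leaves the Comcast button as optional and the Teleran search list for review, which matches the list the helper asked to be checked.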
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Will try again to see what's in these Registry keys:

    Custom CFScript

    [1]. Close any open browsers.
    [2]. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    RegLock::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ====================
    The Java is still outdated. Check this site: Java Updates. Stay current, as most updates are for security. Uninstall any earlier versions in Add/Remove Programs, as they are vulnerabilities for the system.
     
  13. tullriles

    tullriles TS Rookie Topic Starter Posts: 18

    Bobbye - Thank you again.

    I ran the HiJackThis and it cleaned up all 7 items on the list. The Teleran.com item was from a company I had done work for earlier this year, and I no longer need connectivity to their system. I also decided the COMCAST entries were unimportant to my needs, so they're gone, too.

    I ran Combofix with your new parameters, and am including the log.

    I installed the latest Java, which the website said was going to use 10 MB when I installed, but actually used 90 MB.

    ComboFix 10-07-24.06 - bob 07/26/2010 21:16:35.4.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.255.106 [GMT -4:00]
    Running from: c:\documents and settings\bob\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\bob\Desktop\CFScript.txt
    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .

    ((((((((((((((((((((((((( Files Created from 2010-06-27 to 2010-07-27 )))))))))))))))))))))))))))))))
    .

    2010-07-26 02:49 . 2010-07-26 02:49 -------- d-----w- c:\program files\Trend Micro
    2010-07-24 20:03 . 2010-07-24 20:07 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
    2010-07-24 18:57 . 2010-07-24 18:57 -------- d-----w- C:\_OTM
    2010-07-24 18:41 . 2010-07-24 18:41 -------- d-----w- c:\program files\7-Zip
    2010-07-20 14:14 . 2010-07-20 14:14 -------- d-----w- c:\program files\ESET
    2010-07-16 13:07 . 2010-07-16 13:07 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
    2010-07-14 22:43 . 2010-07-14 22:43 -------- d-----w- c:\documents and settings\LocalService\Application Data\FileOpen
    2010-07-14 19:29 . 2001-08-17 16:13 19528 -c--a-w- c:\windows\system32\dllcache\w840nd.sys
    2010-07-14 19:28 . 2001-08-18 02:36 94293 -c--a-w- c:\windows\system32\dllcache\sxports.dll
    2010-07-14 19:27 . 2001-08-18 02:36 386560 -c--a-w- c:\windows\system32\dllcache\sgiul50.dll
    2010-07-14 19:26 . 2008-04-13 17:41 17664 -c--a-w- c:\windows\system32\dllcache\ppa3.sys
    2010-07-14 19:25 . 2001-08-17 16:20 87040 -c--a-w- c:\windows\system32\dllcache\nm6wdm.sys
    2010-07-14 19:24 . 2001-08-17 17:52 6528 -c--a-w- c:\windows\system32\dllcache\miniqic.sys
    2010-07-14 19:23 . 2008-04-13 23:09 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
    2010-07-14 19:22 . 2001-08-18 02:36 91136 -c--a-w- c:\windows\system32\dllcache\icam4com.dll
    2010-07-14 19:21 . 2001-08-18 02:36 92160 -c--a-w- c:\windows\system32\dllcache\fuusd.dll
    2010-07-14 19:20 . 2001-08-17 16:11 69194 -c--a-w- c:\windows\system32\dllcache\el656cd5.sys
    2010-07-14 19:19 . 2001-08-17 16:12 117760 -c--a-w- c:\windows\system32\dllcache\d100ib5.sys
    2010-07-14 19:18 . 2001-08-17 16:13 21530 -c--a-w- c:\windows\system32\dllcache\ce2n5.sys
    2010-07-14 19:17 . 2001-08-17 17:12 2944 -c--a-w- c:\windows\system32\dllcache\brfilt.sys
    2010-07-14 19:17 . 2001-08-18 02:36 12800 -c--a-w- c:\windows\system32\dllcache\brevif.dll
    2010-07-14 19:17 . 2001-08-18 02:36 9728 -c--a-w- c:\windows\system32\dllcache\brcoinst.dll
    2010-07-14 19:17 . 2001-08-18 02:36 19456 -c--a-w- c:\windows\system32\dllcache\brbidiif.dll
    2010-07-14 19:17 . 2001-08-18 02:36 102400 -c--a-w- c:\windows\system32\dllcache\binlsvc.dll
    2010-07-14 18:20 . 2010-07-14 18:21 -------- d-----w- c:\program files\Glary Utilities
    2010-07-14 17:53 . 2010-07-14 18:01 -------- d-----w- c:\documents and settings\bob\Application Data\GlarySoft
    2010-07-14 17:53 . 2010-07-14 17:53 -------- d-----w- c:\program files\Glary Registry Repair
    2010-07-14 14:31 . 2010-07-14 14:31 -------- d-----w- c:\documents and settings\bob\Application Data\Uniblue
    2010-07-14 09:40 . 2010-07-14 09:40 -------- d-----w- c:\documents and settings\NetworkService\Application Data\FileOpen
    2010-07-14 09:39 . 2010-07-14 09:44 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2010-07-12 18:33 . 2010-07-12 18:33 -------- d-----w- C:\symbols
    2010-07-12 17:54 . 2001-08-17 16:49 49920 -c--a-w- c:\windows\system32\dllcache\atirtcap.sys
    2010-07-12 17:33 . 2001-08-17 16:11 46112 -c--a-w- c:\windows\system32\dllcache\adptsf50.sys
    2010-07-10 22:08 . 2010-07-20 13:36 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-07-09 15:57 . 2010-07-09 15:57 -------- d-----w- c:\documents and settings\bob\Application Data\Malwarebytes
    2010-07-09 15:56 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-07-09 15:56 . 2010-07-09 15:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-07-09 15:56 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-07-09 15:55 . 2010-07-20 09:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-07-06 00:44 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-07-26 02:49 . 2010-07-26 02:49 388096 ----a-r- c:\documents and settings\bob\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-07-24 20:04 . 2004-04-10 20:19 -------- d-----w- c:\program files\Google
    2010-07-12 17:26 . 2010-07-14 22:43 158666 ----a-w- c:\windows\PCHealth\HelpCtr\Config\Cache\Personal_32_1033.dat
    2010-07-11 20:58 . 2010-03-07 22:36 442144 --sha-w- c:\windows\system32\drivers\fidbox2.dat
    2010-07-11 20:32 . 2010-03-07 22:36 41420 --sha-w- c:\windows\system32\drivers\fidbox2.idx
    2010-07-11 20:32 . 2010-03-07 22:36 218228 --sha-w- c:\windows\system32\drivers\fidbox.idx
    2010-07-11 20:32 . 2010-03-07 22:36 16979232 --sha-w- c:\windows\system32\drivers\fidbox.dat
    2010-07-06 15:27 . 2009-10-01 14:59 -------- d-----w- c:\program files\CCleaner
    2010-06-28 20:57 . 2010-03-22 10:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
    2010-06-28 20:37 . 2010-03-22 10:58 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-06-28 20:37 . 2010-03-22 10:58 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-06-28 20:33 . 2010-03-22 10:58 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-06-28 20:32 . 2010-03-22 10:58 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-06-28 20:32 . 2010-03-22 10:58 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-06-28 20:32 . 2010-03-22 10:58 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-06-28 20:32 . 2010-03-22 10:58 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-05-06 14:18 . 2010-05-06 14:18 14846 ----a-r- c:\documents and settings\bob\Application Data\Microsoft\Installer\{857CBF4A-192C-44B0-86A5-6281FCEFA1FE}\FileOpenNew.exe
    2010-05-06 10:41 . 2002-09-03 17:12 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-05-02 05:22 . 2002-09-03 17:11 1851264 ----a-w- c:\windows\system32\win32k.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-07-24 39408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-06 5058560]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2003-10-06 49152]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2009-11-12 21:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    2003-10-06 19:16 741376 ----a-w- c:\windows\SYSTEM32\nwiz.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=

    R1 aswSP;aswSP;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [3/22/2010 6:58 AM 165456]
    R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [3/22/2010 6:58 AM 17744]
    S2 gupdate1c9cfd9aeca5742;Google Update Service (gupdate1c9cfd9aeca5742);c:\program files\Google\Update\GoogleUpdate.exe [5/8/2009 8:36 AM 133104]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-07-26 c:\windows\Tasks\GlaryInitialize.job
    - c:\program files\Glary Utilities\initialize.exe [2010-07-14 15:14]

    2010-07-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-08 12:36]

    2010-07-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-08 12:36]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Settings,ProxyServer = http=127.0.0.1:5577
    uInternet Settings,ProxyOverride = <local>
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    DPF: ActiveGS.cab - hxxp://www.virtualapple.com/activegs.cab
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\bob\Application Data\Mozilla\Firefox\Profiles\lwkjalq7.default\
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-07-26 21:28
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(1560)
    c:\windows\system32\WININET.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    Completion time: 2010-07-26 21:37:56
    ComboFix-quarantined-files.txt 2010-07-27 01:37
    ComboFix2.txt 2010-07-26 02:39
    ComboFix3.txt 2010-07-24 19:47
    ComboFix4.txt 2010-07-20 14:08

    Pre-Run: 36,126,875,648 bytes free
    Post-Run: 36,163,354,624 bytes free

    - - End Of File - - D4A466A838A66C583D6A408B5E0C0208
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You weren't dumped and I don't appreciate you starting a thread accusing me of it. Your thread apparently passed on to the second page and/or I didn't get notification of the reply.

    I will continue here after deleting the other thread.
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Has anything changed? Problem gone? Better?

    1. Windows updates are a thorn in almost everyone's side. How do you know that 'a virus' is preventing access to the site? Do you get a message? What?
    2. The redirecting is from malware and that's what I am having you work on.
    3. Prepare the system for shutdown by closing all programs or active Windows. Open the Task Manager and see what processes have high CPU use. Task Manager should then only have use showing in taskmgr, System Idle and System. These three should add up to 100% - if a process shows 1-2% CPU, ignore it - you're looking for high use.
    ======================================
    Custom CFScript

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    DirLook::
    C:\symbols
    RegLock::
    [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ====================
    The only drivers/Services running are 2 for Avast and 1 for Google update. Usually there are multiple others driver/Services listed.

    You have the following entries: do you know what they are?
    2010-07-14 09:40 : Folder> c:\documents and settings\NetworkService\Application Data\FileOpen
    2010-05-06: Folder> c:\documents and settings\bob\Application Data\Microsoft\Installer\{857CBF4A-192C-44B0-86A5-6281FCEFA1FE}\FileOpenNew.exe
    2010-07-14: Folder> c:\documents and settings\LocalService\Application Data\FileOpen
    c:\program files\Glary Registry Repair
    2010-07-14: Folder> c:\documents and settings\bob\Application Data\Uniblue


    The last 2 entries show activity from a Registry cleaner. We do not recommend anyone using a Registry cleaner, but if they do, not during cleaning.

    In the future, if you have a problem of some kind with a helper, you are asked to send a PM to the helper.
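    The review Bobbye does by eye on the log above (which autostarts and services are present, what was created recently, and settings such as the ProxyServer = http=127.0.0.1:5577 line in the Supplementary Scan) can be scripted. The following is an added example, not code from this thread, from ComboFix or from TechSpot: a small Python parser for the Run-key, service and browser-setting lines in a ComboFix log, with three review checks. The sample log is an excerpt of the log posted above plus one constructed line ("ExampleUpdater", not from the thread) that exercises the "outside program directories" check; the function names, the TRUSTED_PREFIXES list and the 14-day window are my own choices. Each finding is a prompt to ask about an entry, not a verdict that it is malicious (the swg entry it flags is the Google Toolbar notifier updated on 2010-07-24).

```python
import re
from datetime import date, timedelta

# Excerpt of the ComboFix log posted above, trimmed to a few lines, plus one
# CONSTRUCTED autostart line (ExampleUpdater) that is not from the thread; it
# exists only to exercise the "outside program directories" check.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-07-24 39408]
"ExampleUpdater"="c:\documents and settings\bob\Application Data\Example\updater.exe" [2010-07-29 20480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-06 5058560]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]

R1 aswSP;aswSP;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [3/22/2010 6:58 AM 165456]
S2 gupdate1c9cfd9aeca5742;Google Update Service (gupdate1c9cfd9aeca5742);c:\program files\Google\Update\GoogleUpdate.exe [5/8/2009 8:36 AM 133104]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>
"""

# Line shapes as ComboFix prints them: registry key headers, "name"="path" [date size]
# values, R/S service lines, and the u-prefixed user settings of the Supplementary Scan.
KEY_RE = re.compile(r'^\[(?P<key>HK[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s+\[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$')
SERVICE_RE = re.compile(r'^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]+);(?P<path>.+?)\s+\[(?P<meta>[^\]]+)\]$')
SETTING_RE = re.compile(r'^u(?P<name>[A-Za-z][^=]*?) = (?P<value>.+)$')

# Directories where the autostarts in this log legitimately live (my assumption).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


def parse_combofix(text):
    """Pull autostart values, services and browser settings out of ComboFix log text."""
    parsed = {"autostarts": [], "services": [], "settings": {}}
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and current_key:
            parsed["autostarts"].append({"key": current_key, "name": m.group("name"),
                                         "path": m.group("path"), "date": m.group("date"),
                                         "size": int(m.group("size"))})
            continue
        m = SERVICE_RE.match(line)
        if m:
            parsed["services"].append({"start": m.group("start"), "name": m.group("name"),
                                       "path": m.group("path")})
            continue
        m = SETTING_RE.match(line)
        if m:
            parsed["settings"][m.group("name")] = m.group("value")
    return parsed


def review(parsed, log_date, recent_days=14):
    """Apply the checks a helper does by eye. A finding means 'ask about this entry',
    not 'this entry is malicious'."""
    cutoff = date.fromisoformat(log_date) - timedelta(days=recent_days)
    findings = []
    for entry in parsed["autostarts"]:
        if not entry["path"].lower().startswith(TRUSTED_PREFIXES):
            findings.append({"kind": "autostart_outside_program_dirs",
                             "item": entry["name"], "detail": entry["path"]})
        if date.fromisoformat(entry["date"]) >= cutoff:
            findings.append({"kind": "recent_autostart",
                             "item": entry["name"], "detail": entry["date"]})
    proxy = parsed["settings"].get("Internet Settings,ProxyServer", "")
    if "127.0.0.1" in proxy or "localhost" in proxy.lower():
        # A proxy on the local machine means some program on this host sits in
        # front of every browser request; the reviewer should identify which one.
        findings.append({"kind": "loopback_proxy", "item": "ProxyServer", "detail": proxy})
    return findings


def review_sample():
    """Run the checks over the excerpt and return the finding kinds, sorted."""
    return sorted(f["kind"] for f in review(parse_combofix(SAMPLE_LOG), "2010-07-31"))


if __name__ == "__main__":
    for f in review(parse_combofix(SAMPLE_LOG), "2010-07-31"):
        print(f"{f['kind']:32} {f['item']}: {f['detail']}")
```

    Run it as a script to print the findings for the excerpt; on a real log, feed the whole file to parse_combofix and pass the "Completion time" date as log_date. The recent-date window is deliberately loose: on a machine that has just had tools installed it will flag those too, which is the same "do you know what these are?" question the helper asks above.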
     
  16. tullriles

    tullriles TS Rookie Topic Starter Posts: 18

    "In the future, if you have a problem of some kind with a helper, you are asked to send a PM to the helper."

    I tried to PM you last Saturday, but the forum rules would not allow me to send a PM because I didn't have a post count greater than 30.

    I created a thread in "introductions" last Saturday and responded to it 30 times so I could get a high enough count to PM you. Someone deleted it.

    I told my family 11 days ago NOT to touch the computer because BOBBYE was helping me. Then I spent 8 of those days watching you help several other people multiple times a day, with absolutely no communication from you. I had no other way to get your attention than to start that other thread.

    If I can't PM you, and you aren't responding to this thread after several days, what other course of action do you recommend?


    Back to business: I'm pretty sure I don't need any of those Glary or UNIBLUE files from 7/14 that you asked about. I was trying to fix my system on my own at that time before I started working with you. I have no idea what that FileOpenNew.exe is from 5/6, so if we're getting rid of stuff, that should probably go, too.

    As for my original problems, I have access to windows updates again, but per your instructions last Saturday I'm still waiting to do any updating.

    My "redirect" virus also seems to have gone away.

    When I look at task manager (with all programs and active windows closed), I see exactly what you described. The system idle and taskmgr are the only processes showing CPU percentage.

    I'll post the Combofix results in my next post.
     
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I would ask that you try to keep in mind that we are all volunteers, that you are getting free help and that occasionally, our own lives take precedence. And most importantly, I am human and therefore not perfect.

    You can run this script also:
    Custom CFScript

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    
    Folder::
    c:\documents and settings\NetworkService\Application Data\FileOpen
    c:\documents and settings\bob\Application Data\Microsoft\Installer\{857CBF4A-192C-44B0-86A5-6281FCEFA1FE}\FileOpenNew.exe
    c:\documents and settings\LocalService\Application Data\FileOpen
    c:\program files\Glary Registry Repair
    c:\documents and settings\bob\Application Data\Uniblue
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ====================
    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveIt3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Processes	
      
      :Services
      
      :Reg
      
      :Files 
      C:\Documents and Settings\bob\My Documents\Install_AIM_np.exe 
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
     
  18. tullriles

    tullriles TS Rookie Topic Starter Posts: 18

    I just finished the first Combofix when I got the new instructions. Here's the first log, and my next post will contain the most recent set.

    ComboFix 10-07-31.01 - bob 07/31/2010 13:49:49.5.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.255.99 [GMT -4:00]
    Running from: c:\documents and settings\bob\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\bob\Desktop\CFScript.txt
    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .

    ((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-31 )))))))))))))))))))))))))))))))
    .

    2010-07-27 02:02 . 2010-07-27 02:02 -------- d-----w- c:\program files\Common Files\Java
    2010-07-27 02:01 . 2010-07-27 02:01 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-07-26 02:49 . 2010-07-26 02:49 -------- d-----w- c:\program files\Trend Micro
    2010-07-24 20:03 . 2010-07-24 20:07 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
    2010-07-24 18:57 . 2010-07-24 18:57 -------- d-----w- C:\_OTM
    2010-07-24 18:41 . 2010-07-24 18:41 -------- d-----w- c:\program files\7-Zip
    2010-07-20 14:14 . 2010-07-20 14:14 -------- d-----w- c:\program files\ESET
    2010-07-16 13:07 . 2010-07-16 13:07 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
    2010-07-14 22:43 . 2010-07-14 22:43 -------- d-----w- c:\documents and settings\LocalService\Application Data\FileOpen
    2010-07-14 19:29 . 2001-08-17 16:13 19528 -c--a-w- c:\windows\system32\dllcache\w840nd.sys
    2010-07-14 19:28 . 2001-08-18 02:36 94293 -c--a-w- c:\windows\system32\dllcache\sxports.dll
    2010-07-14 19:27 . 2001-08-18 02:36 386560 -c--a-w- c:\windows\system32\dllcache\sgiul50.dll
    2010-07-14 19:26 . 2008-04-13 17:41 17664 -c--a-w- c:\windows\system32\dllcache\ppa3.sys
    2010-07-14 19:25 . 2001-08-17 16:20 87040 -c--a-w- c:\windows\system32\dllcache\nm6wdm.sys
    2010-07-14 19:24 . 2001-08-17 17:52 6528 -c--a-w- c:\windows\system32\dllcache\miniqic.sys
    2010-07-14 19:23 . 2008-04-13 23:09 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
    2010-07-14 19:22 . 2001-08-18 02:36 91136 -c--a-w- c:\windows\system32\dllcache\icam4com.dll
    2010-07-14 19:21 . 2001-08-18 02:36 92160 -c--a-w- c:\windows\system32\dllcache\fuusd.dll
    2010-07-14 19:20 . 2001-08-17 16:11 69194 -c--a-w- c:\windows\system32\dllcache\el656cd5.sys
    2010-07-14 19:19 . 2001-08-17 16:12 117760 -c--a-w- c:\windows\system32\dllcache\d100ib5.sys
    2010-07-14 19:18 . 2001-08-17 16:13 21530 -c--a-w- c:\windows\system32\dllcache\ce2n5.sys
    2010-07-14 19:17 . 2001-08-17 17:12 2944 -c--a-w- c:\windows\system32\dllcache\brfilt.sys
    2010-07-14 19:17 . 2001-08-18 02:36 12800 -c--a-w- c:\windows\system32\dllcache\brevif.dll
    2010-07-14 19:17 . 2001-08-18 02:36 9728 -c--a-w- c:\windows\system32\dllcache\brcoinst.dll
    2010-07-14 19:17 . 2001-08-18 02:36 19456 -c--a-w- c:\windows\system32\dllcache\brbidiif.dll
    2010-07-14 19:17 . 2001-08-18 02:36 102400 -c--a-w- c:\windows\system32\dllcache\binlsvc.dll
    2010-07-14 18:20 . 2010-07-14 18:21 -------- d-----w- c:\program files\Glary Utilities
    2010-07-14 17:53 . 2010-07-14 18:01 -------- d-----w- c:\documents and settings\bob\Application Data\GlarySoft
    2010-07-14 17:53 . 2010-07-14 17:53 -------- d-----w- c:\program files\Glary Registry Repair
    2010-07-14 14:31 . 2010-07-14 14:31 -------- d-----w- c:\documents and settings\bob\Application Data\Uniblue
    2010-07-14 09:40 . 2010-07-14 09:40 -------- d-----w- c:\documents and settings\NetworkService\Application Data\FileOpen
    2010-07-14 09:39 . 2010-07-14 09:44 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2010-07-12 18:33 . 2010-07-12 18:33 -------- d-----w- C:\symbols
    2010-07-12 17:54 . 2001-08-17 16:49 49920 -c--a-w- c:\windows\system32\dllcache\atirtcap.sys
    2010-07-12 17:33 . 2001-08-17 16:11 46112 -c--a-w- c:\windows\system32\dllcache\adptsf50.sys
    2010-07-10 22:08 . 2010-07-20 13:36 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-07-09 15:57 . 2010-07-09 15:57 -------- d-----w- c:\documents and settings\bob\Application Data\Malwarebytes
    2010-07-09 15:56 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-07-09 15:56 . 2010-07-09 15:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-07-09 15:56 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-07-09 15:55 . 2010-07-20 09:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-07-06 00:44 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-07-27 02:02 . 2010-07-27 02:02 503808 ----a-w- c:\documents and settings\bob\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-71b16453-n\msvcp71.dll
    2010-07-27 02:02 . 2010-07-27 02:02 61440 ----a-w- c:\documents and settings\bob\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-1e963998-n\decora-sse.dll
    2010-07-27 02:02 . 2010-07-27 02:02 499712 ----a-w- c:\documents and settings\bob\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-71b16453-n\jmc.dll
    2010-07-27 02:02 . 2010-07-27 02:02 348160 ----a-w- c:\documents and settings\bob\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-71b16453-n\msvcr71.dll
    2010-07-27 02:02 . 2010-07-27 02:02 12800 ----a-w- c:\documents and settings\bob\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-1e963998-n\decora-d3d.dll
    2010-07-27 02:00 . 2006-02-18 17:46 -------- d-----w- c:\program files\Java
    2010-07-26 02:49 . 2010-07-26 02:49 388096 ----a-r- c:\documents and settings\bob\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-07-24 20:04 . 2004-04-10 20:19 -------- d-----w- c:\program files\Google
    2010-07-12 17:26 . 2010-07-14 22:43 158666 ----a-w- c:\windows\PCHealth\HelpCtr\Config\Cache\Personal_32_1033.dat
    2010-07-11 20:58 . 2010-03-07 22:36 442144 --sha-w- c:\windows\system32\drivers\fidbox2.dat
    2010-07-11 20:32 . 2010-03-07 22:36 41420 --sha-w- c:\windows\system32\drivers\fidbox2.idx
    2010-07-11 20:32 . 2010-03-07 22:36 218228 --sha-w- c:\windows\system32\drivers\fidbox.idx
    2010-07-11 20:32 . 2010-03-07 22:36 16979232 --sha-w- c:\windows\system32\drivers\fidbox.dat
    2010-07-06 15:27 . 2009-10-01 14:59 -------- d-----w- c:\program files\CCleaner
    2010-06-28 20:57 . 2010-03-22 10:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
    2010-06-28 20:37 . 2010-03-22 10:58 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-06-28 20:37 . 2010-03-22 10:58 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-06-28 20:33 . 2010-03-22 10:58 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-06-28 20:32 . 2010-03-22 10:58 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-06-28 20:32 . 2010-03-22 10:58 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-06-28 20:32 . 2010-03-22 10:58 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-06-28 20:32 . 2010-03-22 10:58 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-05-06 14:18 . 2010-05-06 14:18 14846 ----a-r- c:\documents and settings\bob\Application Data\Microsoft\Installer\{857CBF4A-192C-44B0-86A5-6281FCEFA1FE}\FileOpenNew.exe
    2010-05-06 10:41 . 2002-09-03 17:12 916480 ----a-w- c:\windows\system32\wininet.dll
    .

    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    ---- Directory of C:\symbols ----

    2003-11-18 20:39 . 2003-11-18 20:39 410624 ----a-w- c:\symbols\dll\winhttp.pdb
    2003-11-18 17:24 . 2003-11-18 17:24 115712 ----a-w- c:\symbols\dll\efsadu.pdb
    2003-10-17 15:19 . 2003-10-17 15:19 1262592 ----a-w- c:\symbols\dll\crypt32.pdb
    2003-10-14 09:10 . 2003-10-14 09:10 263168 ----a-w- c:\symbols\dll\wintrust.pdb
    2003-10-14 09:10 . 2003-10-14 09:10 156672 ----a-w- c:\symbols\dll\cryptnet.pdb


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-07-24 39408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-06 5058560]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2003-10-06 49152]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2009-11-12 21:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    2003-10-06 19:16 741376 ----a-w- c:\windows\SYSTEM32\nwiz.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-05-14 15:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    2010-07-24 20:04 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=

    R1 aswSP;aswSP;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [3/22/2010 6:58 AM 165456]
    R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [3/22/2010 6:58 AM 17744]
    S2 gupdate1c9cfd9aeca5742;Google Update Service (gupdate1c9cfd9aeca5742);c:\program files\Google\Update\GoogleUpdate.exe [5/8/2009 8:36 AM 133104]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-07-31 c:\windows\Tasks\GlaryInitialize.job
    - c:\program files\Glary Utilities\initialize.exe [2010-07-14 15:14]

    2010-07-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-08 12:36]

    2010-07-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-08 12:36]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Settings,ProxyServer = http=127.0.0.1:5577
    uInternet Settings,ProxyOverride = <local>
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    DPF: ActiveGS.cab - hxxp://www.virtualapple.com/activegs.cab
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\bob\Application Data\Mozilla\Firefox\Profiles\lwkjalq7.default\
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-07-31 14:04
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(2900)
    c:\windows\system32\WININET.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    Completion time: 2010-07-31 14:16:23
    ComboFix-quarantined-files.txt 2010-07-31 18:16
    ComboFix2.txt 2010-07-27 01:37
    ComboFix3.txt 2010-07-26 02:39
    ComboFix4.txt 2010-07-24 19:47
    ComboFix5.txt 2010-07-31 17:46

    Pre-Run: 36,276,846,592 bytes free
    Post-Run: 36,335,407,104 bytes free

    - - End Of File - - 787C276C756900FD7E5080B83D8F7F1D
     
  19. tullriles

    tullriles TS Rookie Topic Starter Posts: 18

    I've run both Combofix and OTMoveit per your instructions. How do things look to you?


    ComboFix 10-07-31.01 - bob 07/31/2010 14:29:51.6.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.255.104 [GMT -4:00]
    Running from: c:\documents and settings\bob\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\bob\Desktop\CFScript.txt
    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\bob\Application Data\Uniblue
    c:\documents and settings\bob\Application Data\Uniblue\RegistryBooster\backup\20100714.103849.zip
    c:\documents and settings\bob\Application Data\Uniblue\RegistryBooster\error.log
    c:\documents and settings\bob\Application Data\Uniblue\RegistryBooster\last_scan.dat
    c:\documents and settings\bob\Application Data\Uniblue\RegistryBooster\settings.dat
    c:\documents and settings\LocalService\Application Data\FileOpen
    c:\documents and settings\LocalService\Application Data\FileOpen\Fowpmadi.txt
    c:\documents and settings\NetworkService\Application Data\FileOpen
    c:\documents and settings\NetworkService\Application Data\FileOpen\Fowpmadi.txt
    c:\program files\Glary Registry Repair
    c:\program files\Glary Registry Repair\data\registry.dat
    c:\program files\Glary Registry Repair\data\xdata.dat
    c:\program files\Glary Registry Repair\help.chm
    c:\program files\Glary Registry Repair\languages\Chinese(Traditional).lng
    c:\program files\Glary Registry Repair\languages\chinese.lng
    c:\program files\Glary Registry Repair\languages\dutch.lng
    c:\program files\Glary Registry Repair\languages\english.lng
    c:\program files\Glary Registry Repair\languages\french.lng
    c:\program files\Glary Registry Repair\languages\German.lng
    c:\program files\Glary Registry Repair\languages\hungarian.lng
    c:\program files\Glary Registry Repair\languages\italian.lng
    c:\program files\Glary Registry Repair\languages\japanese.lng
    c:\program files\Glary Registry Repair\languages\Korean.lng
    c:\program files\Glary Registry Repair\languages\polish.lng
    c:\program files\Glary Registry Repair\languages\ptbr.lng
    c:\program files\Glary Registry Repair\languages\russian.lng
    c:\program files\Glary Registry Repair\languages\spanish.lng
    c:\program files\Glary Registry Repair\languages\turkish.lng
    c:\program files\Glary Registry Repair\license.txt
    c:\program files\Glary Registry Repair\lockdll.dll
    c:\program files\Glary Registry Repair\regrepair.exe
    c:\program files\Glary Registry Repair\settings.ini
    c:\program files\Glary Registry Repair\unins000.dat
    c:\program files\Glary Registry Repair\unins000.exe

    .
    ((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-31 )))))))))))))))))))))))))))))))
    .

    2010-07-27 02:02 . 2010-07-27 02:02 -------- d-----w- c:\program files\Common Files\Java
    2010-07-27 02:01 . 2010-07-27 02:01 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-07-26 02:49 . 2010-07-26 02:49 -------- d-----w- c:\program files\Trend Micro
    2010-07-24 20:03 . 2010-07-24 20:07 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
    2010-07-24 18:57 . 2010-07-24 18:57 -------- d-----w- C:\_OTM
    2010-07-24 18:41 . 2010-07-24 18:41 -------- d-----w- c:\program files\7-Zip
    2010-07-20 14:14 . 2010-07-20 14:14 -------- d-----w- c:\program files\ESET
    2010-07-16 13:07 . 2010-07-16 13:07 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
    2010-07-14 19:29 . 2001-08-17 16:13 19528 -c--a-w- c:\windows\system32\dllcache\w840nd.sys
    2010-07-14 19:28 . 2001-08-18 02:36 94293 -c--a-w- c:\windows\system32\dllcache\sxports.dll
    2010-07-14 19:27 . 2001-08-18 02:36 386560 -c--a-w- c:\windows\system32\dllcache\sgiul50.dll
    2010-07-14 19:26 . 2008-04-13 17:41 17664 -c--a-w- c:\windows\system32\dllcache\ppa3.sys
    2010-07-14 19:25 . 2001-08-17 16:20 87040 -c--a-w- c:\windows\system32\dllcache\nm6wdm.sys
    2010-07-14 19:24 . 2001-08-17 17:52 6528 -c--a-w- c:\windows\system32\dllcache\miniqic.sys
    2010-07-14 19:23 . 2008-04-13 23:09 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
    2010-07-14 19:22 . 2001-08-18 02:36 91136 -c--a-w- c:\windows\system32\dllcache\icam4com.dll
    2010-07-14 19:21 . 2001-08-18 02:36 92160 -c--a-w- c:\windows\system32\dllcache\fuusd.dll
    2010-07-14 19:20 . 2001-08-17 16:11 69194 -c--a-w- c:\windows\system32\dllcache\el656cd5.sys
    2010-07-14 19:19 . 2001-08-17 16:12 117760 -c--a-w- c:\windows\system32\dllcache\d100ib5.sys
    2010-07-14 19:18 . 2001-08-17 16:13 21530 -c--a-w- c:\windows\system32\dllcache\ce2n5.sys
    2010-07-14 19:17 . 2001-08-17 17:12 2944 -c--a-w- c:\windows\system32\dllcache\brfilt.sys
    2010-07-14 19:17 . 2001-08-18 02:36 12800 -c--a-w- c:\windows\system32\dllcache\brevif.dll
    2010-07-14 19:17 . 2001-08-18 02:36 9728 -c--a-w- c:\windows\system32\dllcache\brcoinst.dll
    2010-07-14 19:17 . 2001-08-18 02:36 19456 -c--a-w- c:\windows\system32\dllcache\brbidiif.dll
    2010-07-14 19:17 . 2001-08-18 02:36 102400 -c--a-w- c:\windows\system32\dllcache\binlsvc.dll
    2010-07-14 18:20 . 2010-07-14 18:21 -------- d-----w- c:\program files\Glary Utilities
    2010-07-14 17:53 . 2010-07-14 18:01 -------- d-----w- c:\documents and settings\bob\Application Data\GlarySoft
    2010-07-14 09:39 . 2010-07-14 09:44 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2010-07-12 18:33 . 2010-07-12 18:33 -------- d-----w- C:\symbols
    2010-07-12 17:54 . 2001-08-17 16:49 49920 -c--a-w- c:\windows\system32\dllcache\atirtcap.sys
    2010-07-12 17:33 . 2001-08-17 16:11 46112 -c--a-w- c:\windows\system32\dllcache\adptsf50.sys
    2010-07-10 22:08 . 2010-07-20 13:36 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-07-09 15:57 . 2010-07-09 15:57 -------- d-----w- c:\documents and settings\bob\Application Data\Malwarebytes
    2010-07-09 15:56 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-07-09 15:56 . 2010-07-09 15:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-07-09 15:56 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-07-09 15:55 . 2010-07-20 09:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-07-06 00:44 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-07-27 02:02 . 2010-07-27 02:02 503808 ----a-w- c:\documents and settings\bob\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-71b16453-n\msvcp71.dll
    2010-07-27 02:02 . 2010-07-27 02:02 61440 ----a-w- c:\documents and settings\bob\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-1e963998-n\decora-sse.dll
    2010-07-27 02:02 . 2010-07-27 02:02 499712 ----a-w- c:\documents and settings\bob\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-71b16453-n\jmc.dll
    2010-07-27 02:02 . 2010-07-27 02:02 348160 ----a-w- c:\documents and settings\bob\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-71b16453-n\msvcr71.dll
    2010-07-27 02:02 . 2010-07-27 02:02 12800 ----a-w- c:\documents and settings\bob\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-1e963998-n\decora-d3d.dll
    2010-07-27 02:00 . 2006-02-18 17:46 -------- d-----w- c:\program files\Java
    2010-07-26 02:49 . 2010-07-26 02:49 388096 ----a-r- c:\documents and settings\bob\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-07-24 20:04 . 2004-04-10 20:19 -------- d-----w- c:\program files\Google
    2010-07-12 17:26 . 2010-07-14 22:43 158666 ----a-w- c:\windows\PCHealth\HelpCtr\Config\Cache\Personal_32_1033.dat
    2010-07-11 20:58 . 2010-03-07 22:36 442144 --sha-w- c:\windows\system32\drivers\fidbox2.dat
    2010-07-11 20:32 . 2010-03-07 22:36 41420 --sha-w- c:\windows\system32\drivers\fidbox2.idx
    2010-07-11 20:32 . 2010-03-07 22:36 218228 --sha-w- c:\windows\system32\drivers\fidbox.idx
    2010-07-11 20:32 . 2010-03-07 22:36 16979232 --sha-w- c:\windows\system32\drivers\fidbox.dat
    2010-07-06 15:27 . 2009-10-01 14:59 -------- d-----w- c:\program files\CCleaner
    2010-06-28 20:57 . 2010-03-22 10:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
    2010-06-28 20:37 . 2010-03-22 10:58 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-06-28 20:37 . 2010-03-22 10:58 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-06-28 20:33 . 2010-03-22 10:58 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-06-28 20:32 . 2010-03-22 10:58 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-06-28 20:32 . 2010-03-22 10:58 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-06-28 20:32 . 2010-03-22 10:58 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-06-28 20:32 . 2010-03-22 10:58 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-05-06 14:18 . 2010-05-06 14:18 14846 ----a-r- c:\documents and settings\bob\Application Data\Microsoft\Installer\{857CBF4A-192C-44B0-86A5-6281FCEFA1FE}\FileOpenNew.exe
    2010-05-06 10:41 . 2002-09-03 17:12 916480 ----a-w- c:\windows\system32\wininet.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-07-24 39408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-06 5058560]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2003-10-06 49152]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2009-11-12 21:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    2003-10-06 19:16 741376 ----a-w- c:\windows\SYSTEM32\nwiz.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-05-14 15:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    2010-07-24 20:04 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=

    R1 aswSP;aswSP;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [3/22/2010 6:58 AM 165456]
    R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [3/22/2010 6:58 AM 17744]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-07-31 c:\windows\Tasks\GlaryInitialize.job
    - c:\program files\Glary Utilities\initialize.exe [2010-07-14 15:14]

    2010-07-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-08 12:36]

    2010-07-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-08 12:36]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Settings,ProxyServer = http=127.0.0.1:5577
    uInternet Settings,ProxyOverride = <local>
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    DPF: ActiveGS.cab - hxxp://www.virtualapple.com/activegs.cab
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\bob\Application Data\Mozilla\Firefox\Profiles\lwkjalq7.default\
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    .
    - - - - ORPHANS REMOVED - - - -

    AddRemove-Glary Registry Repair_is1 - c:\program files\Glary Registry Repair\unins000.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-07-31 14:42
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
    .
    Completion time: 2010-07-31 14:50:14
    ComboFix-quarantined-files.txt 2010-07-31 18:50
    ComboFix2.txt 2010-07-31 18:16
    ComboFix3.txt 2010-07-27 01:37
    ComboFix4.txt 2010-07-26 02:39
    ComboFix5.txt 2010-07-31 18:28

    Pre-Run: 36,344,590,336 bytes free
    Post-Run: 36,327,788,544 bytes free

    - - End Of File - - 56235F8D53C0331323B4584659E4A647

    Here's the OTM log:

    All processes killed
    ========== PROCESSES ==========
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    File/Folder C:\Documents and Settings\bob\My Documents\Install_AIM_np.exe not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: All Users

    User: bob
    ->Temp folder emptied: 99840 bytes
    ->Temporary Internet Files folder emptied: 6562154 bytes
    ->Java cache emptied: 2027 bytes
    ->FireFox cache emptied: 3856062 bytes
    ->Flash cache emptied: 2406 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32835 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32835 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Owner

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 10.00 mb


    OTM by OldTimer - Version 3.1.15.0 log created on 07312010_145435

    Files moved on Reboot...
    File C:\Documents and Settings\bob\Local Settings\Temp\~DF2F83.tmp not found!
    File C:\Documents and Settings\bob\Local Settings\Temp\~DF2F97.tmp not found!
    File C:\Documents and Settings\bob\Local Settings\Temp\~DF31AB.tmp not found!
    File C:\Documents and Settings\bob\Local Settings\Temp\~DF31BD.tmp not found!
    File C:\Documents and Settings\bob\Local Settings\Temp\~DF32B1.tmp not found!
    File C:\Documents and Settings\bob\Local Settings\Temp\~DF32F5.tmp not found!
    C:\Documents and Settings\bob\Local Settings\Temporary Internet Files\Content.IE5\Z4A9G9TK\ads[3].htm moved successfully.
    C:\Documents and Settings\bob\Local Settings\Temporary Internet Files\Content.IE5\G8P0HXX5\topic150301[1].html moved successfully.
    C:\Documents and Settings\bob\Local Settings\Temporary Internet Files\Content.IE5\FA4I0PRK\ads[1].htm moved successfully.
    C:\Documents and Settings\bob\Local Settings\Temporary Internet Files\Content.IE5\ECIN2VNA\sh21[1].html moved successfully.
    File C:\WINDOWS\temp\_avast5_\Webshlock.txt not found!

    Registry entries deleted on Reboot...
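    The ComboFix log above lists the autostart values under each Run key and the per-user Internet Settings proxy in fixed one-line formats, and the ProxyServer line in this log points at 127.0.0.1:5577. As an added example (not code from this thread, from ComboFix or from OldTimer), the small Python parser below pulls those two sections out of a log and flags any proxy on the loopback address, which a defender should confirm against a program the user knowingly installed; the sample log is constructed from the layout shown above.

```python
import re

# Constructed sample in the ComboFix log layout seen in this thread: two Run
# keys from "Reg Loading Points" and the proxy lines from "Supplementary Scan".
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-07-24 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

------- Supplementary Scan -------
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>
"""

RUN_KEY_RE = re.compile(r'^\[(HKEY_[^\]]+\\Run)\]$', re.IGNORECASE)
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[(\d{4}-\d{2}-\d{2}) (\d+)\]$')
PROXY_RE = re.compile(r'^uInternet Settings,ProxyServer = (.+)$')

def parse_run_entries(log):
    """Map each HKxx\\...\\Run key to the (name, path, date, size) values listed under it."""
    entries, current = {}, None
    for raw in log.splitlines():
        line = raw.strip()
        key = RUN_KEY_RE.match(line)
        if key:
            current = key.group(1)
            entries[current] = []
            continue
        if not line or line.startswith('['):
            current = None  # a blank line or any other key header ends the block
            continue
        val = RUN_VALUE_RE.match(line)
        if current and val:
            entries[current].append({"name": val.group(1), "path": val.group(2),
                                     "date": val.group(3), "size": int(val.group(4))})
    return entries

def parse_proxy(log):
    """Return {scheme: target} from the ProxyServer line; '*' means every protocol."""
    for raw in log.splitlines():
        m = PROXY_RE.match(raw.strip())
        if not m:
            continue
        proxies = {}
        for part in m.group(1).split(';'):  # WinINET allows "http=a:1;https=b:2" or a bare "host:port"
            scheme, _, target = part.partition('=')
            proxies[scheme.lower() if target else '*'] = target or scheme
        return proxies
    return {}

def suspicious_proxies(proxies):
    """A proxy on the loopback address is only fine if a known local program listens there."""
    return {s: t for s, t in proxies.items()
            if t.lower().startswith(('127.', 'localhost'))}
```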
     
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    The system is clean. The redirects should have stopped. Check for the Windows Updates.

    To do:
    1. Empty the Java cache: Control Panel> Java, Temporary internet files section> Settings> Delete. Close
    2. One leftover file from the Glary repair: Search for FileOpenNew.exe> do a right click> Delete
    3. To pick up some speed and keep CPU usage down, uncheck any entries for camera, scanner or printer, media player, Java and Adobe reader:

    To remove entries from Startup using the msconfig utility:
    • Click on Start> Run> type in msconfig> enter>
    • Click on Selective Startup
    • Choose the Startup tab:
      This is where you UNCHECK the Startup items. This does not remove the item or uninstall anything> it just stops it from starting on boot. It can be rechecked at any time if wanted.
    • To expand the Command Column, (this shows what the process 'belongs' to) hold left mouse button down on the dividing line on frame above Location and move to the right to expand.
    • Click on Apply> OK when finished.

    NOTE:
    When you reboot the system the first time after making changes using the msconfig utility, a nag message comes up that can be ignored and closed after checking 'don't show this message again.'
    Once you make changes to the Startup menu, you must remain in Selective Startup to retain those changes. If you go back to Normal Startup, everything you unchecked will be checked again and start on boot.

    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
      • Choose Disc Cleanup
      • Click "OK" to select the partition or drive you want.
      • Click the "More Options" Tab.
      • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin

    Let me know if you need any more help.
     
  21. tullriles

    tullriles TS Rookie Topic Starter Posts: 18

    Thanks Bobbye.

    I think I've been out of touch with Windows Update for quite a while, because I've spent the last couple of hours catching up with critical updates.

    I followed all your cleanup instructions, and everything seems good.

    I appreciate all you've done to help, and I wish I could have found a better way to resolve our communication issue.

    Take care,
    Bob
     
  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're welcome. Here are tips to help stay clean.


    Please follow these simple steps to keep your computer clean and secure:


    Stay current on updates:
    • Visit the Microsoft Download Site frequently. You should get All updates marked Critical and the current SP updates: Windows XP> SP2, SP3.
    • Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
    • Check this site: Java Updates. Stay current, as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.

    Make Internet Explorer safer. Follow the suggestions HERE. This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features.

    Do regular Maintenance
    • Remove Temporary Internet Files regularly:
      [o]ATF Cleaner by Atribune
      OR
      [o]TFC
    • Disable and Enable System Restore:
      [o]See System Restore Guide This will help you understand what this is, why you need to clean and set restore points and what information is in them.

    Have layered Security:
    • Antivirus Software(only one): Both of the following programs are free and known to be good:
      [o]Avira Free
      [o]Avast Home
    • Firewall (only one): Use bi-directional firewall. Both of the following programs are free and known to be good:
      [o]Comodo
      [o]Zone Alarm
    • Antispyware: I recommend all of the following:
      [o]Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
      [o]IE/Spyad This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
      [o]MVPS Hosts files This replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
      [o]Google Toolbar Get the free Google Toolbar to help stop pop up windows.

    Left by Bobbye, your friendly volunteer who takes time out of life to help others - free.
     
Topic Status:
Not open for further replies.
