How to Resolve Virus using 100% CPUs In Vista-32 bit

Solved
By cashcab
Jan 12, 2011
  1. I have a high CPU usage issue that I can't resolve. None of the processes show greater than 50% CPU usage but the total is almost always 100% even when just launching. Processes using high CPUs change regularly. It seems like a virus/bug but I can't locate it. Computer is slower than slow but can't resolve issue. It appears this happened when using wi-fi on unsecured line at hotel (unless it was coincidence) although I have anti-virus software installed. Any ideas please?
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Welcome to TechSpot! I'll help with the problem after I get information

    If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    When you have finished, leave the logs for review in your next reply.
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
  3. cashcab

    cashcab Newcomer, in training Topic Starter Posts: 21

    Results of 8 Step Virus, etc. Removal Instructions--Part 1

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5509

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.18999

    1/12/2011 9:29:33 PM
    mbam-log-2011-01-12 (21-29-33).txt

    Scan type: Quick scan
    Objects scanned: 153050
    Time elapsed: 31 minute(s), 0 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
  4. cashcab

    cashcab Newcomer, in training Topic Starter Posts: 21

    Results of 8 Step Virus, etc. Instructions Part 2

    GMER LOG

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2011-01-12 22:05:12
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 FUJITSU_ rev.0085
    Running: gmer.exe; Driver: C:\Users\Carrie\AppData\Local\Temp\fwkyipog.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\tdx \Device\Ip SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\tdx \Device\Tcp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\tdx \Device\Udp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\tdx \Device\RawIp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)

    ---- EOF - GMER 1.0.15 ----
  5. cashcab

    cashcab Newcomer, in training Topic Starter Posts: 21

    Results of 8 Step Virus etc., Instructions, Part 3

    DDS Log


    DDS (Ver_10-12-12.02) - NTFSx86
    Run by Carrie at 22:21:23.69 on Wed 01/12/2011
    Internet Explorer: 8.0.6001.18999
    Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.2037.1005 [GMT -6:00]

    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\WLANExt.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\WavXDocMgr.exe
    C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\Windows\System32\mobsync.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\Program Files\Dell 968 AIO Printer\dldomon.exe
    C:\Program Files\Dell 968 AIO Printer\memcard.exe
    C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\MSN Toolbar\Platform\6.3.2380.0\mswinext.exe
    C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Norton Utilities 14\RMTray.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
    C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\CSR\Vista Profile Pack\BthFilterHelper.exe
    C:\Windows\system32\svchost.exe -k bthsvcs
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\Program Files\Norton Internet Security\Engine\18.5.0.125\ccSvcHst.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\PSIService.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\Program Files\Norton Internet Security\Engine\18.5.0.125\ccSvcHst.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\system32\dllhost.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\DRIVERS\xaudio.exe
    C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\Program Files\Apoint\ApMsgFwd.exe
    C:\Program Files\Apoint\HidFind.exe
    C:\Windows\system32\dllhost.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\System32\msdtc.exe
    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    C:\Windows\system32\wuauclt.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\Macromed\Flash\FlashUtil10e.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Users\Carrie\dds.scr
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://comcast.net/
    uWindow Title = Internet Explorer provided by Dell
    uDefault_Page_URL = hxxp://partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=0080801
    uInternet Settings,ProxyOverride = *.local
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\18.5.0.125\coIEPlg.dll
    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\18.5.0.125\ips\IPSBHO.DLL
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
    BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
    BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\6.3.2380.0\npwinext.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
    TB: @c:\program files\msn toolbar\platform\6.3.2380.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\6.3.2380.0\npwinext.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\18.5.0.125\coIEPlg.dll
    TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
    EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [PxDotNetLoader] "c:\program files\fidelity investments\fidelity active trader\system\ATPStartupAssistant.exe"
    uRun: [NortonUtilities] c:\program files\norton utilities 14\RMTray.exe /H
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
    mRun: [Apoint] c:\program files\apoint\Apoint.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
    mRun: [<NO NAME>]
    mRun: [WavXMgr] c:\program files\wave systems corp\services manager\docmgr\bin\WavXDocMgr.exe
    mRun: [SecureUpgrade] c:\program files\wave systems corp\SecureUpgrade.exe
    mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
    mRun: [Acrobat Speed Launch] "c:\program files\adobe\acrobat 8.0\acrobat\acrobat_sl.exe"
    mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
    mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
    mRun: [Acrobat Synchronizer] "c:\program files\adobe\acrobat 8.0\acrobat\AdobeCollabSync.exe"
    mRun: [dldomon.exe] "c:\program files\dell 968 aio printer\dldomon.exe"
    mRun: [MemoryCardManager] "c:\program files\dell 968 aio printer\memcard.exe"
    mRun: [Dell 968 AIO Printer Fax Server] "c:\program files\dell 968 aio printer\fm3032.exe" /s
    mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
    mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
    mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [Bing Bar] "c:\program files\msn toolbar\platform\6.3.2380.0\mswinext.exe"
    mRun: [CarboniteSetupLite] "c:\program files\carbonite\CarbonitePreinstaller.exe" /preinstalled /showonfirst /reshowat=1800
    mRun: [Corel Photo Downloader] c:\program files\corel\corel snapfire plus\Corel Photo Downloader.exe
    mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
    dRun: [PxDotNetLoader] "c:\program files\fidelity investments\fidelity active trader\system\ATPStartupAssistant.exe"
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
    Trusted Zone: intuit.com\ttlc
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    Handler: x-atng - {7e8717b0-d862-11d5-8c9e-00010304f989} - c:\program files\fidelity investments\fidelity active trader\system\atngprot.dll
    Notify: gemsafe - c:\program files\gemplus\gemsafe libraries\bin\WLEventNotify.dll
    Notify: igfxcui - igfxdev.dll
    AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
    LSA: Authentication Packages = msv1_0 wvauth

    ============= SERVICES / DRIVERS ===============

    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1205000.07d\symds.sys [2011-1-6 340016]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1205000.07d\symefa.sys [2011-1-6 652336]
    R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\bashdefs\20101123.003\BHDrvx86.sys [2010-11-22 691248]
    R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\ipsdefs\20110112.001\IDSvix86.sys [2011-1-12 353912]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1205000.07d\ironx86.sys [2011-1-6 136312]
    R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nis\1205000.07d\symtdiv.sys [2011-1-6 330360]
    R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2006-12-19 79432]
    R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2008-8-1 179712]
    R3 BTHFILT;Bluetooth Command Filter;c:\windows\system32\drivers\BthFilt.sys [2008-8-1 13824]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-1-11 102448]
    S3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\drivers\PTDUBus.sys [2009-9-16 33024]
    S3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\drivers\PTDUMdm.sys [2009-9-16 41344]
    S3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\drivers\PTDUVsp.sys [2009-9-16 39936]
    S3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\drivers\PTDUWWAN.sys [2009-9-16 59904]
    S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\verizo~1\vzacce~1\SMSIVZAM5.SYS [2009-5-25 32408]

    =============== Created Last 30 ================

    2011-01-13 04:17:04 624128 ----a-w- c:\users\carrie\dds.scr
    2011-01-13 03:46:20 296448 ----a-w- c:\users\carrie\GMER.exe
    2011-01-13 02:55:08 -------- d-----w- c:\users\carrie\appdata\roaming\Malwarebytes
    2011-01-13 02:54:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-01-13 02:53:56 -------- d-----w- c:\progra~2\Malwarebytes
    2011-01-13 02:53:47 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-01-13 02:53:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-01-13 01:16:58 446464 ----a-w- c:\users\carrie\TFC.exe
    2011-01-12 02:51:15 -------- d-----w- c:\users\carrie\appdata\roaming\Uniblue
    2011-01-12 02:47:46 -------- d-----w- c:\users\carrie\appdata\local\PackageAware
    2011-01-11 22:21:12 -------- d-----w- c:\program files\DebugDiag
    2011-01-11 22:16:48 5142528 ----a-w- c:\users\carrie\DebugDiag.msi
    2011-01-06 21:36:00 330360 ----a-w- c:\windows\system32\drivers\nis\1205000.07d\symtdiv.sys
    2011-01-06 21:35:59 295032 ----a-w- c:\windows\system32\drivers\nis\1205000.07d\symnets.sys
    2011-01-06 21:35:57 652336 ----a-w- c:\windows\system32\drivers\nis\1205000.07d\symefa.sys
    2011-01-06 21:35:55 340016 ----a-w- c:\windows\system32\drivers\nis\1205000.07d\symds.sys
    2011-01-06 21:35:54 50168 ----a-w- c:\windows\system32\drivers\nis\1205000.07d\srtspx.sys
    2011-01-06 21:35:53 509560 ----a-w- c:\windows\system32\drivers\nis\1205000.07d\srtsp.sys
    2011-01-06 21:35:52 136312 ----a-w- c:\windows\system32\drivers\nis\1205000.07d\ironx86.sys
    2011-01-06 21:33:41 -------- d-----w- c:\windows\system32\drivers\nis\1205000.07D
    2011-01-06 18:58:35 880640 ----a-w- c:\windows\system32\UniBox10.ocx
    2011-01-06 18:58:35 506368 ----a-w- c:\windows\system32\msxml.dll
    2011-01-06 18:58:35 212992 ----a-w- c:\windows\system32\UniBoxVB12.ocx
    2011-01-06 18:58:35 1101824 ----a-w- c:\windows\system32\UniBox210.ocx
    2011-01-06 18:18:03 126512 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2011-01-06 18:18:03 -------- d-----w- c:\program files\Symantec
    2011-01-06 18:18:03 -------- d-----w- c:\program files\common files\Symantec Shared
    2011-01-06 18:17:30 -------- d-----w- c:\windows\system32\drivers\NIS
    2011-01-06 18:17:27 -------- d-----w- c:\program files\Norton Internet Security
    2011-01-06 04:16:57 -------- d-----w- c:\program files\NortonInstaller
    2011-01-06 04:12:45 6273872 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{d794a1d6-e553-42c6-a37e-92a614c642ad}\mpengine.dll
    2011-01-06 04:12:41 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-01-04 22:15:37 -------- d-----w- c:\users\carrie\advfn
    2010-12-22 21:21:48 19396800 ----a-w- c:\users\carrie\HP_Vista_PS_7150.exe
    2010-12-18 02:43:47 45056 ----a-r- c:\users\carrie\appdata\roaming\microsoft\installer\{2c31929a-d6ab-4d0b-abf9-4812a045ce97}\OptionsOracle.exe1_2C31929AD6AB4D0BABF94812A045CE97.exe
    2010-12-18 02:43:47 45056 ----a-r- c:\users\carrie\appdata\roaming\microsoft\installer\{2c31929a-d6ab-4d0b-abf9-4812a045ce97}\OptionsOracle.exe_2C31929AD6AB4D0BABF94812A045CE97.exe
    2010-12-18 02:43:47 45056 ----a-r- c:\users\carrie\appdata\roaming\microsoft\installer\{2c31929a-d6ab-4d0b-abf9-4812a045ce97}\ARPPRODUCTICON.exe
    2010-12-18 02:43:47 204800 ----a-r- c:\users\carrie\appdata\roaming\microsoft\installer\{2c31929a-d6ab-4d0b-abf9-4812a045ce97}\OptionsOracle_Data_2C31929AD6AB4D0BABF94812A045CE97.exe
    2010-12-18 02:43:28 -------- d-----w- c:\program files\Options Oracle
    2010-12-14 22:55:34 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat

    ==================== Find3M ====================

    2011-01-11 22:22:03 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
    2011-01-11 22:20:52 88 --sh--r- c:\windows\system32\CDAC9EE126.sys
    2010-11-04 18:56:07 345600 ----a-w- c:\windows\system32\wmicmiplugin.dll
    2010-11-04 18:55:38 352768 ----a-w- c:\windows\system32\taskschd.dll
    2010-11-04 18:55:38 270336 ----a-w- c:\windows\system32\taskcomp.dll
    2010-11-04 18:55:12 601600 ----a-w- c:\windows\system32\schedsvc.dll
    2010-11-04 16:34:06 171520 ----a-w- c:\windows\system32\taskeng.exe
    2010-11-02 06:01:54 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-11-02 05:57:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-11-02 05:57:27 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-11-02 05:57:11 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-11-02 05:57:11 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-11-02 05:01:31 385024 ----a-w- c:\windows\system32\html.iec
    2010-11-02 04:26:10 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2010-11-02 04:24:44 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2010-10-28 15:44:56 34304 ----a-w- c:\windows\system32\atmlib.dll
    2010-10-28 13:27:47 292352 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-28 13:20:12 2048 ----a-w- c:\windows\system32\tzres.dll
    2010-10-18 13:37:35 81920 ----a-w- c:\windows\system32\consent.exe
    2010-10-18 13:31:24 2038272 ----a-w- c:\windows\system32\win32k.sys

    ============= FINISH: 22:25:59.89 ===============
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I can see why the CPU is so busy! The system is running everything on it, which does nothing but use resources unnecessarily. Examples:
    Dell Printer
    HP Vista PhotoSmart Printer>> this one has a huge file
    Adobe Reader and TB
    MemoryCardManager
    Corel Photo Downloader

    There is another log from DDS named Attach.txt. Please paste that in with the additional scan logs.

    And this:
    I don't believe in coincidences! But we'll have to do the following scans and see what gets picked up:

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    =======================================
    Download Combofix to your desktop from one of these locations:
    Link 1
    Link 2
    • Double click combofix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Query- Recovery Console image
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes it will open a text window. Please paste that log in your next reply.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    You also have numerous auto-updates running. After we make sure you're clean, I'll make some recommendations for stopping processes.
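A small triage script for a DDS log in the format posted above, added here as an illustration (it is not part of the thread and not a DDS or TechSpot tool). It splits the log into its banner sections, extracts the uRun/mRun/dRun/StartupFolder entries from the Pseudo HJT Report, counts running images per vendor folder to reproduce the "running everything" picture mechanically, and flags autostarts that have no image or run from a temp directory. The embedded sample is a constructed excerpt: its lines are copied from the log above except the two "updater.exe" lines, which are invented so the temp-directory check has something to fire on and say nothing about the poster's machine.

```python
"""Triage helpers for a DDS log in the format posted above (added example,
not part of the thread and not a DDS or TechSpot tool)."""
import re
from collections import Counter

# Constructed excerpt in the DDS format. Lines are copied from the thread's
# log except the two "updater.exe" lines, which are INVENTED here so the
# temp-directory check has something to fire on.
SAMPLE_DDS = r"""DDS (Ver_10-12-12.02) - NTFSx86
Run by Carrie at 22:21:23.69 on Wed 01/12/2011

============== Running Processes ===============

C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell 968 AIO Printer\dldomon.exe
C:\Program Files\Dell 968 AIO Printer\memcard.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
C:\Users\Carrie\AppData\Local\Temp\updater.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://comcast.net/
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [MemoryCardManager] "c:\program files\dell 968 aio printer\memcard.exe"
mRun: [Corel Photo Downloader] c:\program files\corel\corel snapfire plus\Corel Photo Downloader.exe
mRun: [<NO NAME>]
mRun: [Updater] c:\users\carrie\appdata\local\temp\updater.exe /silent
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe

============= SERVICES / DRIVERS ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
AUTOSTART_RE = re.compile(
    r"^(uRun|mRun|dRun|uRunOnce|mRunOnce|StartupFolder):\s*(?:\[(.*?)\]\s*)?(.*)$")
IMAGE_RE = re.compile(r'"?([^"]*?\.(?:exe|scr|com|bat|cmd|dll))\b', re.I)


def split_sections(log: str) -> dict:
    """Map each '==== Name ====' banner to the non-blank lines beneath it."""
    sections, current = {}, "header"
    for raw in log.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line:
            sections.setdefault(current, []).append(line)
    return sections


def image_path(value: str) -> str:
    """Pull the executable path (lower-cased) out of an autostart value."""
    if " - " in value:                      # StartupFolder: <shortcut> - <target>
        value = value.rsplit(" - ", 1)[1]
    m = IMAGE_RE.search(value)
    return m.group(1).strip().lower() if m else ""


def parse_autostarts(hjt_lines) -> list:
    """Return the uRun/mRun/dRun/StartupFolder entries of the Pseudo HJT Report."""
    entries = []
    for line in hjt_lines:
        m = AUTOSTART_RE.match(line)
        if m:
            kind, name, value = m.groups()
            entries.append({"kind": kind, "name": name or "", "path": image_path(value)})
    return entries


def vendor_load(running_lines) -> Counter:
    """Count running images per vendor folder ('windows' for OS binaries)."""
    counts = Counter()
    for line in running_lines:
        parts = line.split(" -k ")[0].strip().lower().split("\\")
        if len(parts) > 2 and parts[1] == "program files":
            counts[parts[2]] += 1
        elif parts[1:2] == ["windows"]:
            counts["windows"] += 1
        else:
            counts["other"] += 1
    return counts


def triage(log: str) -> list:
    """Join autostart entries to the process list and attach review flags."""
    secs = split_sections(log)
    running = {l.split(" -k ")[0].strip().lower().rsplit("\\", 1)[-1]
               for l in secs.get("Running Processes", [])}
    report = []
    for e in parse_autostarts(secs.get("Pseudo HJT Report", [])):
        base = e["path"].rsplit("\\", 1)[-1]
        flags = []
        if not e["path"]:
            flags.append("no-image")         # e.g. the [<NO NAME>] entry
        elif "\\temp\\" in e["path"]:
            flags.append("runs-from-temp")   # user-writable directory
        e.update(running=bool(base) and base in running, flags=flags)
        report.append(e)
    return report
```

Call `triage(SAMPLE_DDS)` (or pass the full text of a real DDS log) to get one dict per autostart entry with its image path, whether that image is in the running-process list, and any flags; `vendor_load(split_sections(log)["Running Processes"])` gives the per-vendor count.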
  7. cashcab

    cashcab Newcomer, in training Topic Starter Posts: 21

    DDS Attach.txt Log

    Sorry about not attaching this yesterday. It didn't run so I reran it. Thank you very much for your ongoing help. I really appreciate it.


    DDS (Ver_10-12-12.02)

    Microsoft® Windows Vista™ Business
    Boot Device: \Device\HarddiskVolume3
    Install Date: 8/1/2008 9:04:45 AM
    System Uptime: 1/13/2011 7:20:22 PM (0 hours ago)

    Motherboard: Dell Inc. | | 0KU184
    Processor: Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz | Microprocessor | 800/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 110 GiB total, 14.513 GiB free.
    D: is FIXED (NTFS) - 2 GiB total, 1.119 GiB free.
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft ISATAP Adapter
    Device ID: ROOT\*ISATAP\0004
    Manufacturer: Microsoft
    Name: Microsoft ISATAP Adapter #5
    PNP Device ID: ROOT\*ISATAP\0004
    Service: tunnel

    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft ISATAP Adapter
    Device ID: ROOT\*ISATAP\0005
    Manufacturer: Microsoft
    Name: Microsoft ISATAP Adapter #6
    PNP Device ID: ROOT\*ISATAP\0005
    Service: tunnel

    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft ISATAP Adapter
    Device ID: ROOT\*ISATAP\0016
    Manufacturer: Microsoft
    Name: Microsoft ISATAP Adapter #18
    PNP Device ID: ROOT\*ISATAP\0016
    Service: tunnel

    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description:
    Device ID: ROOT\*ISATAP\0017
    Manufacturer: Microsoft
    Name: Microsoft ISATAP Adapter #17
    PNP Device ID: ROOT\*ISATAP\0017
    Service:

    ==== System Restore Points ===================


    ==== Installed Programs ======================


    ABBYY FineReader 6.0 Sprint
    Adobe Acrobat 8 Standard
    Adobe Acrobat 8.1.2 Security Update 1 (KB403742)
    Adobe Acrobat 8.1.2 Standard
    Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
    Adobe Flash Player 10 ActiveX
    AnswerWorks 5.0 English Runtime
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    AuthenTec Fingerprint Sensor Minimum Install
    Bing Bar
    Bing Bar Platform
    Bing Rewards Client Installer
    biolsp patch
    Bonjour
    Broadcom ASF Management Applications
    Broadcom Management Programs
    Browser Address Error Redirector
    Business Contact Manager for Outlook 2007 SP2
    Carbonite Online Backup Setup
    Citrix XenApp Web Plugin
    Conexant HDA D330 MDC V.92 Modem
    Corel Snapfire Plus
    Dell 968 AIO Printer
    Dell Driver Download Manager
    Dell Drivers MSI
    Dell Embassy Trust Suite by Wave Systems
    Dell Getting Started Guide
    Dell Touchpad
    DGOControls
    Digital Line Detect
    Document Manager Lite
    EDocs
    EMBASSY Security Center
    EMBASSY Security Setup
    EMBASSY Trust Suite by Wave Systems
    ESC Home Page Plugin
    Fidelity Active Trader Pro®
    GDR 4053 for SQL Server Database Services 2005 ENU (KB970892)
    Gemalto
    GemSafe Standard Edition 5.1
    Google Desktop
    Google Toolbar for Internet Explorer
    Google Update Helper
    GoToAssist 8.0.0.514
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Intel(R) Matrix Storage Manager
    Intel(R) PROSet/Wireless Software
    Intuit SiteBuilder
    iPhone Configuration Utility
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 22
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7
    LG USB Modem driver
    Malwarebytes' Anti-Malware
    mCore
    MFCLOC
    mHelp
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Default Manager
    Microsoft Office 2003 Web Components
    Microsoft Office 2007 Primary Interop Assemblies
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Small Business 2007
    Microsoft Office Small Business Connectivity Components
    Microsoft Office Word MUI (English) 2007
    Microsoft Search Enhancement Pack
    Microsoft Silverlight
    Microsoft SQL Server 2005
    Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
    Microsoft SQL Server Native Client
    Microsoft SQL Server Setup Support Files (English)
    Microsoft SQL Server VSS Writer
    Microsoft UI Engine
    Microsoft Visual J# 2.0 Redistributable Package
    mMHouse
    MobileMe Control Panel
    Modem Diagnostic Tool
    mPfMgr
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB941833)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    mWMI
    NetWaiting
    Norton Internet Security
    Norton Utilities
    NTRU TCG Software Stack
    OGA Notifier 2.0.0048.0
    OpenOffice.org Installer 1.0
    OptionsOracle
    PANTECH UM175 Driver
    PlanWrite - Business Plan Writer Deluxe
    PowerDVD
    Preboot Manager
    Private Information Manager
    QuickSet
    QuickTime
    Roxio Activation Module
    Roxio Creator Audio
    Roxio Creator BDAV Plugin
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator DE
    Roxio Creator Tools
    Roxio Express Labeler 3
    Roxio Update Manager
    Safari
    Secrets of the Masters Trading Game
    Secure Update
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2289158)
    Security Update for 2007 Microsoft Office System (KB2344875)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft Office Excel 2007 (KB2345035)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB982158)
    Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
    Security Update for Microsoft Office Publisher 2007 (KB2284697)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Security Wizards
    Sonic CinePlayer Decoder Pack
    TaxCut Minnesota 2007
    TaxCut Premium + State + Efile 2007
    Tradelog
    Trader Workstation
    TurboTax 2008
    TurboTax 2008 WinPerFedFormset
    TurboTax 2008 WinPerProgramHelp
    TurboTax 2008 WinPerReleaseEngine
    TurboTax 2008 WinPerTaxSupport
    TurboTax 2008 WinPerUserEducation
    TurboTax 2008 wmniper
    TurboTax 2008 wrapper
    TurboTax 2009
    TurboTax 2009 WinPerFedFormset
    TurboTax 2009 WinPerReleaseEngine
    TurboTax 2009 WinPerTaxSupport
    TurboTax 2009 wmniper
    TurboTax 2009 wrapper
    TWS Demo
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office Outlook 2007 (KB2412171)
    Update for Microsoft Office Outlook 2007 Help (KB963677)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Publisher 2007 Help (KB963667)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    Update for Outlook 2007 Junk Email Filter (KB2466076)
    upekmsi
    Vista Profile Pack
    VZAccess Manager
    Wave Infrastructure Installer
    Wave Support Software

    ==== End Of File ===========================
  8. cashcab

    cashcab Newcomer, in training Topic Starter Posts: 21

    Results of ESET Scan

    TSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6419
    # api_version=3.0.2
    # EOSSerial=9853f9830d2d704aad52d3215ccc5c4f
    # end=finished
    # remove_checked=false
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2011-01-14 03:43:51
    # local_time=2011-01-14 09:43:51 (-0600, Central Standard Time)
    # country="United States"
    # lang=1033
    # osver=6.0.6002 NT Service Pack 2
    # compatibility_mode=3584 16777215 100 0 0 0 0 0
    # compatibility_mode=5892 16776573 100 100 0 131618626 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=226148
    # found=0
    # cleaned=0
    # scan_time=8707
  9. cashcab

    cashcab Newcomer, in training Topic Starter Posts: 21

    Combofix

    I'm at a loss as to what to do about Combofix. I have spent at least 4 hours trying to get through your instructions but cannot do so successfully. First, it would not download. Eventually, I got it to download but none of the scripts you posted appear. I received a notice that I had a corrupt version and to redownload so I did. Again, it wasn't operating properly. I have tried to locate another website to download it from but have not been able to correct this problem. Most recently, I received the opening script indicating that it was working only to get a message saying it wasn't safe to continue along with a short notice about not recognizing something and then a C prompt command. I was going to uninstall the copy I have but was notified not to do so since some processes may be linked to it. I'm unsure what to do at this point. Can you please advise? Thanks very much.
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    1. "short notice about not recognizing something"> I need the words of the notice and what is not being recognized.
    2. " a C prompt command"> what is the Command? Is it on a black screen?
    3. "notified not to do so since some processes may be linked to it."> need exact, full message.

    I have no idea what's happening. I'd like you to uninstall as follows:

    Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.

    Then try the download again. The link is good. You need to give me more specific information about these messages you're getting. Right now, I see clean logs for Mbam, GMER and Eset.
    =========================================
    As I mentioned, you have an extraordinary number of processes running:
    Do you use these?
    Dell 968 AIO Printer> printer doesn't need to run in the background
    Dell Driver Download Manager
    Dell Drivers MSI
    Dell Getting Started Guide

    Multiple Security packages:
    1. Gemalto: international digital security company, providing secure personal devices such as smart cards and tokens in addition to software applications and managed services.
    2. Dell Embassy Trust Suite by Wave Systems: advanced levels of security to the client PC using the TPM security chip found on most enterprise PCs today. Trusted Platform Module (TPM) >> secure cryptoprocessor that can store cryptographic keys that protect information. Disk encryption, Digital rights management, Software license protection & enforcement, Password protection
    EMBASSY Security Center
    EMBASSY Security Setup
    EMBASSY Trust Suite by Wave System
    Wave Infrastructure Installer
    Wave Support Software
    3. AuthenTec Fingerprint Sensor Minimum Install

    I'm thinking that some of the excess security is causing conflicts. Consider that.

    Java Outdated: Current is v6u23
    Java(TM) 6 Update 22
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7
    Check this site: Java Updates. Stay current, as most updates are for security. Uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities for the system.
  11. cashcab

    cashcab Newcomer, in training Topic Starter Posts: 21

    ComboFix Log

    I finally got it working. FYI, it did not ask to have the recovery console installed. It did find a problem though as you will see from the log. I'll respond to your additional questions in another reply.

    ComboFix 11-01-10.04 - Carrie 01/14/2011 16:59:13.1.2 - x86
    Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.2037.979 [GMT -6:00]
    Running from: c:\users\Carrie\Desktop\ComboFix.exe
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\programdata\pswi_preloaded.exe
    c:\users\Carrie\ComboFix.exe
    c:\users\Carrie\GoToAssistDownloadHelper.exe
    c:\users\Carrie\R172716.exe

    c:\windows\system32\userinit.exe . . . is infected!!

    .
    ((((((((((((((((((((((((( Files Created from 2010-12-14 to 2011-01-14 )))))))))))))))))))))))))))))))
    .

    2011-01-14 23:15 . 2011-01-14 23:15 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-01-13 03:46 . 2011-01-13 03:49 296448 ----a-w- c:\users\Carrie\GMER.exe
    2011-01-13 02:55 . 2011-01-13 02:55 -------- d-----w- c:\users\Carrie\AppData\Roaming\Malwarebytes
    2011-01-13 02:54 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-01-13 02:53 . 2011-01-13 02:53 -------- d-----w- c:\programdata\Malwarebytes
    2011-01-13 02:53 . 2011-01-13 02:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-01-13 02:53 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-01-13 01:16 . 2011-01-13 01:17 446464 ----a-w- c:\users\Carrie\TFC.exe
    2011-01-12 22:55 . 2010-12-28 15:55 413696 ----a-w- c:\windows\system32\odbc32.dll
    2011-01-12 22:55 . 2010-12-28 15:53 708608 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
    2011-01-12 22:55 . 2010-12-28 15:53 253952 ----a-w- c:\program files\Common Files\System\ado\msadox.dll
    2011-01-12 22:55 . 2010-12-28 15:53 241664 ----a-w- c:\program files\Common Files\System\ado\msadomd.dll
    2011-01-12 22:55 . 2010-12-28 15:53 180224 ----a-w- c:\program files\Common Files\System\msadc\msadco.dll
    2011-01-12 22:55 . 2010-12-28 15:53 57344 ----a-w- c:\program files\Common Files\System\msadc\msadcs.dll
    2011-01-12 22:55 . 2010-12-14 14:49 1169408 ----a-w- c:\windows\system32\sdclt.exe
    2011-01-12 02:51 . 2011-01-12 02:51 -------- d-----w- c:\users\Carrie\AppData\Roaming\Uniblue
    2011-01-12 02:47 . 2011-01-12 02:47 -------- d-----w- c:\users\Carrie\AppData\Local\PackageAware
    2011-01-11 22:21 . 2011-01-12 02:26 -------- d-----w- c:\program files\DebugDiag
    2011-01-11 22:16 . 2011-01-11 22:16 5142528 ----a-w- c:\users\Carrie\DebugDiag.msi
    2011-01-06 18:58 . 2008-04-02 21:54 1101824 ----a-w- c:\windows\system32\UniBox210.ocx
    2011-01-06 18:58 . 2008-04-02 21:53 212992 ----a-w- c:\windows\system32\UniBoxVB12.ocx
    2011-01-06 18:58 . 2008-04-02 21:53 880640 ----a-w- c:\windows\system32\UniBox10.ocx
    2011-01-06 18:58 . 2004-08-04 13:00 506368 ----a-w- c:\windows\system32\msxml.dll
    2011-01-06 18:18 . 2011-01-11 20:06 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2011-01-06 18:18 . 2011-01-06 18:18 126512 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2011-01-06 18:18 . 2011-01-06 18:18 -------- d-----w- c:\program files\Symantec
    2011-01-06 18:17 . 2011-01-07 14:41 -------- d-----w- c:\windows\system32\drivers\NIS
    2011-01-06 18:17 . 2011-01-06 18:17 -------- d-----w- c:\program files\Norton Internet Security
    2011-01-06 04:16 . 2011-01-06 18:16 -------- d-----w- c:\program files\NortonInstaller
    2011-01-06 04:12 . 2010-11-16 18:01 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D794A1D6-E553-42C6-A37E-92A614C642AD}\mpengine.dll
    2011-01-06 04:12 . 2010-10-19 16:41 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-01-04 22:15 . 2011-01-04 22:15 -------- d-----w- c:\users\Carrie\advfn
    2010-12-22 21:21 . 2010-12-22 21:21 19396800 ----a-w- c:\users\Carrie\HP_Vista_PS_7150.exe
    2010-12-18 02:43 . 2010-12-18 02:43 45056 ----a-r- c:\users\Carrie\AppData\Roaming\Microsoft\Installer\{2C31929A-D6AB-4D0B-ABF9-4812A045CE97}\OptionsOracle.exe1_2C31929AD6AB4D0BABF94812A045CE97.exe
    2010-12-18 02:43 . 2010-12-18 02:43 45056 ----a-r- c:\users\Carrie\AppData\Roaming\Microsoft\Installer\{2C31929A-D6AB-4D0B-ABF9-4812A045CE97}\OptionsOracle.exe_2C31929AD6AB4D0BABF94812A045CE97.exe
    2010-12-18 02:43 . 2010-12-18 02:43 45056 ----a-r- c:\users\Carrie\AppData\Roaming\Microsoft\Installer\{2C31929A-D6AB-4D0B-ABF9-4812A045CE97}\ARPPRODUCTICON.exe
    2010-12-18 02:43 . 2010-12-18 02:43 204800 ----a-r- c:\users\Carrie\AppData\Roaming\Microsoft\Installer\{2C31929A-D6AB-4D0B-ABF9-4812A045CE97}\OptionsOracle_Data_2C31929AD6AB4D0BABF94812A045CE97.exe
    2010-12-18 02:43 . 2010-12-18 02:43 -------- d-----w- c:\program files\Options Oracle

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-01-14 23:24 . 2008-08-07 22:10 0 ----a-w- c:\users\Carrie\AppData\Local\WavXMapDrive.bat
    2010-11-04 18:56 . 2010-12-14 22:57 345600 ----a-w- c:\windows\system32\wmicmiplugin.dll
    2010-11-04 18:55 . 2010-12-14 22:57 352768 ----a-w- c:\windows\system32\taskschd.dll
    2010-11-04 18:55 . 2010-12-14 22:57 270336 ----a-w- c:\windows\system32\taskcomp.dll
    2010-11-04 18:55 . 2010-12-14 22:57 601600 ----a-w- c:\windows\system32\schedsvc.dll
    2010-11-04 16:34 . 2010-12-14 22:57 171520 ----a-w- c:\windows\system32\taskeng.exe
    2010-11-02 06:01 . 2010-12-14 22:56 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-11-02 05:57 . 2010-12-14 22:56 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-11-02 05:57 . 2010-12-14 22:56 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-11-02 05:57 . 2010-12-14 22:56 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-11-02 05:57 . 2010-12-14 22:56 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-11-02 05:01 . 2010-12-14 22:56 385024 ----a-w- c:\windows\system32\html.iec
    2010-11-02 04:26 . 2010-12-14 22:56 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2010-11-02 04:24 . 2010-12-14 22:56 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2010-10-28 15:44 . 2010-12-14 22:57 34304 ----a-w- c:\windows\system32\atmlib.dll
    2010-10-28 13:27 . 2010-12-14 22:57 292352 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-28 13:20 . 2010-12-14 22:56 2048 ----a-w- c:\windows\system32\tzres.dll
    2010-10-18 13:37 . 2010-12-14 22:57 81920 ----a-w- c:\windows\system32\consent.exe
    2010-10-18 13:31 . 2010-12-14 22:57 2038272 ----a-w- c:\windows\system32\win32k.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-01 68856]
    "PxDotNetLoader"="c:\program files\Fidelity Investments\Fidelity Active Trader\System\ATPStartupAssistant.exe" [2010-06-29 42392]
    "NortonUtilities"="c:\program files\Norton Utilities 14\RMTray.exe" [2009-09-14 279912]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-27 17920]
    "Apoint"="c:\program files\Apoint\Apoint.exe" [2007-01-26 159744]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-31 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-31 166424]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-31 133656]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-02-12 174872]
    "WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2007-09-10 85504]
    "SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2007-09-14 218424]
    "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-12 623992]
    "Acrobat Speed Launch"="c:\program files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe" [2006-10-23 46200]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-06-15 30192]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
    "Acrobat Synchronizer"="c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe" [2007-05-11 738968]
    "dldomon.exe"="c:\program files\Dell 968 AIO Printer\dldomon.exe" [2007-10-05 455920]
    "MemoryCardManager"="c:\program files\Dell 968 AIO Printer\memcard.exe" [2007-10-05 410864]
    "Dell 968 AIO Printer Fax Server"="c:\program files\Dell 968 AIO Printer\fm3032.exe" [2007-10-05 312560]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
    "Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
    "Bing Bar"="c:\program files\MSN Toolbar\Platform\6.3.2380.0\mswinext.exe" [2010-11-12 273672]
    "CarboniteSetupLite"="c:\program files\Carbonite\CarbonitePreinstaller.exe" [2010-11-21 283792]
    "Corel Photo Downloader"="c:\program files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe" [2007-03-21 478800]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "PxDotNetLoader"="c:\program files\Fidelity Investments\Fidelity Active Trader\System\ATPStartupAssistant.exe" [2010-06-29 42392]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-8-1 50688]
    QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2008-2-22 1193240]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gemsafe]
    2006-11-16 20:20 73728 ----a-w- c:\program files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll

    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 dldoCATSCustConnectService;dldoCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\dldoserv.exe [2007-10-05 99568]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 135664]
    R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-06-15 30192]
    R3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\DRIVERS\PTDUBus.sys [2008-08-11 33024]
    R3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\DRIVERS\PTDUMdm.sys [2008-08-11 41344]
    R3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\DRIVERS\PTDUVsp.sys [2008-08-11 39936]
    R3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\DRIVERS\PTDUWWAN.sys [2008-08-11 59904]
    R3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [2009-05-25 32408]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1205000.07D\SYMDS.SYS [2010-10-21 340016]
    S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1205000.07D\SYMEFA.SYS [2010-11-18 652336]
    S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20101123.003\BHDrvx86.sys [2010-11-23 691248]
    S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20110113.001\IDSvix86.sys [2010-11-09 353912]
    S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1205000.07D\Ironx86.SYS [2010-11-16 136312]
    S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\Drivers\NIS\1205000.07D\SYMTDIV.SYS [2010-12-01 330360]
    S2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [2006-12-19 79432]
    S2 BthFilterHelper;Bluetooth Feature Support;c:\program files\CSR\Vista Profile Pack\BthFilterHelper.exe [2006-11-07 127488]
    S2 dldo_device;dldo_device;c:\windows\system32\dldocoms.exe [2007-10-05 595184]
    S2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\18.5.0.125\ccSvcHst.exe [2010-11-24 130000]
    S2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [2006-11-02 7168]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-03-13 179712]
    S3 BTHFILT;Bluetooth Command Filter;c:\windows\system32\DRIVERS\BthFilt.sys [2007-05-05 13824]
    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-01-06 102448]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    bthsvcs REG_MULTI_SZ BthServ
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Contents of the 'Scheduled Tasks' folder

    2011-01-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 20:05]

    2011-01-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 20:05]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://comcast.net/
    uInternet Settings,ProxyOverride = *.local
    IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    Trusted Zone: intuit.com\ttlc
    .
    - - - - ORPHANS REMOVED - - - -

    WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
    HKLM-Run-SigmatelSysTrayApp - %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
    Notify-GoToAssist - (no file)



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-01-14 17:22
    Windows 6.0.6002 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NIS]
    "ImagePath"="\"c:\program files\Norton Internet Security\Engine\18.5.0.125\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\18.5.0.125\diMaster.dll\" /prefetch:1"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\WLANExt.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Intel\Wireless\Bin\EvtEng.exe
    c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    c:\windows\system32\PSIService.exe
    c:\program files\Intel\Wireless\Bin\RegSrvc.exe
    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    c:\windows\system32\STacSV.exe
    c:\windows\system32\DRIVERS\xaudio.exe
    c:\program files\Dell\QuickSet\NicConfigSvc.exe
    c:\windows\System32\msdtc.exe
    c:\windows\system32\igfxsrvc.exe
    c:\program files\Sigmatel\C-Major Audio\WDM\sttray.exe
    c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2011-01-14 17:54:20 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-01-14 23:53

    Pre-Run: 14,834,372,608 bytes free
    Post-Run: 13,998,415,872 bytes free

    - - End Of File - - 84F6842C59A1A512E97627F49225ECE0
     
  12. cashcab

    cashcab Newcomer, in training Topic Starter Posts: 21

    Misc issues

    I deleted several of the processes you asked if I use. I need to keep Dell 968 AIO Printer but you are right it doesn't need to run in the background. How do I change it so that it only runs when I need it?

    I have eliminated a couple of the security packages that I don't need.

    I have deleted the outdated Java updates/versions and have downloaded the most current version.

    It appears that my system is running faster than it had been but I still receive "High CPU usage alerts" from my anti-virus/utilities program so there must still be something else going on.

    It appears I have something wrong with my "administrative rights" now. For example, to upgrade the trading platform I have used for years, it now says that I don't have sufficient administrative rights to download the most recent upgrade. This has never happened prior to this "high CPU usage issue." Also, when downloading the most current version of Java, I wasn't able to save it in my program file because of insufficient administrative rights. Again, this did not happen prior to this issue.

    If you can share resolutions to this issue, I would very much appreciate it.

    I will wait to see what you might see from the combofix log beyond the "system 32 infection" issue.

    Thanks again for all your help.
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay, we need to replace a file- let's find a good copy first:

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      
      :filefind
      userinit.*
      
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt

    Run the above so I can use the good file to replace the infected one.
    ==============================================
    Taking the printer or any other process off of startup:

    To remove entries from Startup using the msconfig utility:
    • Click on Start> Run> type in msconfig> enter>
    • Click on Selective Startup
    • Choose the Startup tab:
      This is where you UNCHECK the Startup items. This does not remove the item or uninstall anything> it just stops it from starting on boot. It can be rechecked at any time if wanted.
    • To expand the Command Column, (this shows what the process 'belongs' to) hold left mouse button down on the dividing line on frame above Location and move to the right to expand.
    • Click on Apply> OK when finished.

    NOTE:
    When you reboot the system the first time after making changes using the msconfig utility, a nag message comes up that can be ignored and closed after checking 'don't show this message again.'
    Once you make changes to the Startup menu, you must remain in Selective Startup to retain those changes. If you go back to Normal Startup, everything you unchecked will be checked again and start on boot.
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Forgot about your question for Administrative Rights:

    To take ownership and grant full control (or read write) permissions of files or folders in Windows Vista, follow the steps and the screen shots HERE
  15. cashcab

    cashcab Newcomer, in training Topic Starter Posts: 21

    SystemLook Log

    SystemLook 04.09.10 by jpshortstuff
    Log created at 23:20 on 15/01/2011 by Carrie
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "userinit.*"
    C:\Qoobox\Quarantine\C\Windows\System32\userinit.exe.vir --a---- 25088 bytes [02:25 21/01/2008] [02:25 21/01/2008] 0E135526E9785D085BCD9AEDE6FBCBF9
    C:\Windows\ERDNT\cache\userinit.exe --a---- 25088 bytes [23:33 14/01/2011] [02:25 21/01/2008] 0E135526E9785D085BCD9AEDE6FBCBF9
    C:\Windows\Prefetch\USERINIT.EXE-5114915C.pf --a---- 14728 bytes [14:29 22/12/2010] [12:47 14/01/2011] 5A2ACE7C7A36061A1BBE6ABE8769497B
    C:\Windows\System32\userinit.exe --a---- 25088 bytes [02:25 21/01/2008] [02:25 21/01/2008] 0E135526E9785D085BCD9AEDE6FBCBF9
    C:\Windows\System32\en-US\userinit.exe.mui --a---- 4096 bytes [12:41 02/11/2006] [12:41 02/11/2006] F058F2BAE89E70B2A79D5EB820092EEB
    C:\Windows\winsxs\x86_microsoft-windows-userinit.resources_31bf3856ad364e35_6.0.6000.16386_en-us_8db9e42fd56781f2\userinit.exe.mui --a---- 4096 bytes [12:41 02/11/2006] [12:41 02/11/2006] F058F2BAE89E70B2A79D5EB820092EEB
    C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe --a---- 25088 bytes [02:25 21/01/2008] [02:25 21/01/2008] 0E135526E9785D085BCD9AEDE6FBCBF9

    -= EOF =-
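The hash comparison behind the helper's "find a good copy first" step, as an added example that is not part of the thread and is not SystemLook's or ComboFix's own code: it parses the :filefind output posted above, groups the copies by MD5, and checks whether the live System32 userinit.exe matches the copy in the winsxs component store, listing any other copy (here the ERDNT cache) that shares that hash. It assumes the line layout of the posted log; the sample log is constructed from a subset of the posted lines, and the "F" * 32 hash is a constructed placeholder.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# One ':filefind' result line as SystemLook 04.09.10 printed it in the post above:
# <path> <7 attribute flags> <size> bytes [created] [modified] <MD5>
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-A-Za-z]{7}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)
# Constructed sample: a subset of the userinit.* lines from the posted log
# (paths, sizes and hashes exactly as posted) between the usual header and footer.
SAMPLE_LOG = r"""
SystemLook 04.09.10 by jpshortstuff
Log created at 23:20 on 15/01/2011 by Carrie
Administrator - Elevation successful

========== filefind ==========

Searching for "userinit.*"
C:\Qoobox\Quarantine\C\Windows\System32\userinit.exe.vir --a---- 25088 bytes [02:25 21/01/2008] [02:25 21/01/2008] 0E135526E9785D085BCD9AEDE6FBCBF9
C:\Windows\ERDNT\cache\userinit.exe --a---- 25088 bytes [23:33 14/01/2011] [02:25 21/01/2008] 0E135526E9785D085BCD9AEDE6FBCBF9
C:\Windows\System32\userinit.exe --a---- 25088 bytes [02:25 21/01/2008] [02:25 21/01/2008] 0E135526E9785D085BCD9AEDE6FBCBF9
C:\Windows\System32\en-US\userinit.exe.mui --a---- 4096 bytes [12:41 02/11/2006] [12:41 02/11/2006] F058F2BAE89E70B2A79D5EB820092EEB
C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe --a---- 25088 bytes [02:25 21/01/2008] [02:25 21/01/2008] 0E135526E9785D085BCD9AEDE6FBCBF9

-= EOF =-
"""

@dataclass
class FileHit:
    path: str
    size: int
    md5: str  # upper-case hex, as SystemLook prints it

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

def parse_filefind(log_text: str) -> List[FileHit]:
    """Return every hash line that follows the '========== filefind' header."""
    hits: List[FileHit] = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("========== filefind"):
            in_section = True
            continue
        m = LINE_RE.match(line) if in_section else None
        if m:
            hits.append(FileHit(m["path"], int(m["size"]), m["md5"].upper()))
    return hits

def group_by_md5(hits: List[FileHit]) -> Dict[str, List[str]]:
    """Map each MD5 to the paths carrying it: byte-identical copies land in one group."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for h in hits:
        groups[h.md5].append(h.path)
    return dict(groups)

def assess_live_copy(hits: List[FileHit], filename: str = "userinit.exe") -> dict:
    """Compare the live System32 copy of `filename` with the component-store (winsxs)
    copy. Heuristic only: a matching MD5 means the live file is byte-identical to
    what servicing installed, nothing more; a mismatch is the case to investigate."""
    same_name = [h for h in hits if h.name == filename.lower()]
    live_suffix = "\\windows\\system32\\" + filename.lower()
    reference = [h for h in same_name if "\\winsxs\\" in h.path.lower()]
    live = [h for h in same_name if h.path.lower().endswith(live_suffix)]
    reference_md5s = {h.md5 for h in reference}
    skip = {h.path for h in reference} | {h.path for h in live}
    live_md5 = live[0].md5 if live else None
    return {
        "live_path": live[0].path if live else None,
        "live_md5": live_md5,
        "reference_md5s": sorted(reference_md5s),
        "live_matches_reference": live_md5 is not None and live_md5 in reference_md5s,
        # other copies carrying a reference hash: candidates for an FCopy:: replacement
        "good_copies": sorted(h.path for h in same_name
                              if h.md5 in reference_md5s and h.path not in skip),
    }

def rewrite_md5(log_text: str, path_suffix: str, new_md5: str) -> str:
    """Swap the MD5 on the line whose path ends in path_suffix; used to simulate a
    live file that no longer matches (pass a constructed placeholder such as "F" * 32)."""
    out = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m and m["path"].lower().endswith(path_suffix.lower()):
            line = line[: m.start("md5")] + new_md5
        out.append(line)
    return "\n".join(out)

if __name__ == "__main__":
    print(assess_live_copy(parse_filefind(SAMPLE_LOG)))
    tampered = rewrite_md5(SAMPLE_LOG, r"\Windows\System32\userinit.exe", "F" * 32)
    print(assess_live_copy(parse_filefind(tampered)))
```

On the posted lines the System32, ERDNT cache and winsxs copies all carry the same MD5, so the check reports a match; the rewritten variant exercises the mismatch branch that would call for replacing the live file from one of the good copies.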
  16. cashcab

    cashcab Newcomer, in training Topic Starter Posts: 21

    System Look Log

    Bobbye,

    I have posted the system look log. Is there anything else you need?

    Thanks for all your help,

    cashcab
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Yes, thank you, I see that- yesterday was Sunday. I spent time with my family.

    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it: [Be sure to scroll down to include ALL lines.]
    Code:
    File::
    c:\windows\system32\UniBox210.ocx
    c:\windows\system32\UniBoxVB12.ocx
    c:\windows\system32\UniBox10.ocx
    
    Folder::
    c:\users\Carrie\AppData\Roaming\Uniblue
    c:\users\Carrie\AppData\Local\PackageAware
    c:\program files\DebugDiag
    c:\users\Carrie\DebugDiag.msi
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ECenter"=-
    FCopy::
    C:\Windows\ERDNT\cache\userinit.exe| c:\windows\system32\userinit.exe
                 
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it in your next reply.
    ====================
    Please let me know how the system is doing now.
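    The FCopy:: step in the script above restores userinit.exe from the ERDNT cache copy, and the SystemLook log posted earlier lists every copy of that file with its MD5. As an added example, not part of this thread and not code from ComboFix or SystemLook, here is a Python script that parses SystemLook-style lines and flags any file name whose copies carry different MD5 hashes, which is the quick check a helper does by eye when a system binary is suspected of being replaced. The first sample uses the lines from the posted log; the second is a constructed variant in which the live System32 copy is given a placeholder hash (all F's, not a real malware hash) to show what a tampered copy looks like to the script.

```python
"""Flag copies of the same Windows binary whose MD5 hashes disagree.

Input is SystemLook-style ':filefind' output, one file per line:
    <path> <attrs> <size> bytes [<created>] [<modified>] <MD5>
Added example for this thread; the clean sample is taken from the
SystemLook log posted above, the tampered sample is constructed.
"""
import re
from collections import defaultdict

# One SystemLook result line; the lazy path group lets paths contain spaces.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)


def parse_systemlook(lines):
    """Return one record per matching line; headers, blanks and EOF markers are skipped."""
    records = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            records.append({
                "path": m.group("path"),
                "attrs": m.group("attrs"),
                "size": int(m.group("size")),
                "md5": m.group("md5").upper(),
            })
    return records


def find_hash_mismatches(lines):
    """Group records by file name (case-insensitive) and return only the names
    whose copies do not all share one MD5, as {name: {md5: [paths, ...]}}."""
    by_name = defaultdict(lambda: defaultdict(list))
    for rec in parse_systemlook(lines):
        name = rec["path"].rsplit("\\", 1)[-1].lower()
        by_name[name][rec["md5"]].append(rec["path"])
    return {name: dict(hashes) for name, hashes in by_name.items() if len(hashes) > 1}


# Lines from the SystemLook log posted in this thread (every userinit.exe copy shares one hash).
SAMPLE_CLEAN = r"""
C:\Qoobox\Quarantine\C\Windows\System32\userinit.exe.vir --a---- 25088 bytes [02:25 21/01/2008] [02:25 21/01/2008] 0E135526E9785D085BCD9AEDE6FBCBF9
C:\Windows\ERDNT\cache\userinit.exe --a---- 25088 bytes [23:33 14/01/2011] [02:25 21/01/2008] 0E135526E9785D085BCD9AEDE6FBCBF9
C:\Windows\Prefetch\USERINIT.EXE-5114915C.pf --a---- 14728 bytes [14:29 22/12/2010] [12:47 14/01/2011] 5A2ACE7C7A36061A1BBE6ABE8769497B
C:\Windows\System32\userinit.exe --a---- 25088 bytes [02:25 21/01/2008] [02:25 21/01/2008] 0E135526E9785D085BCD9AEDE6FBCBF9
C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe --a---- 25088 bytes [02:25 21/01/2008] [02:25 21/01/2008] 0E135526E9785D085BCD9AEDE6FBCBF9
""".splitlines()

# Constructed sample: the same log, but the live System32 copy carries a
# placeholder hash (all F's, not a real malware hash) as a replaced binary would.
SAMPLE_TAMPERED = [
    ln.replace("0E135526E9785D085BCD9AEDE6FBCBF9", "F" * 32)
    if ln.startswith(r"C:\Windows\System32\userinit.exe ") else ln
    for ln in SAMPLE_CLEAN
]


if __name__ == "__main__":
    for label, sample in (("clean log", SAMPLE_CLEAN), ("tampered log", SAMPLE_TAMPERED)):
        mism = find_hash_mismatches(sample)
        print(f"{label}: {'no hash disagreements' if not mism else ''}")
        for name, hashes in mism.items():
            print(f"  {name}: {len(hashes)} distinct hashes")
            for md5, paths in hashes.items():
                for p in paths:
                    print(f"    {md5}  {p}")
```

A disagreement between the System32 copy and the ERDNT/winsxs copies is what justifies an FCopy:: restore like the one in the script; agreement only shows the copies match each other, so a reference hash from a known-good install is still the stronger check.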
  18. cashcab

    cashcab Newcomer, in training Topic Starter Posts: 21

    Combofix Log

    Prior to creating the log, combofix said it needed to check some files with malware. It attempted to connect to a site but was not able to do so. I will see if I can run this manually and post the log in another response. Here's the log without this. When it was running, it deleted a lot of files due to another infected system file.

    ComboFix 11-01-17.03 - Carrie 01/17/2011 19:26:40.3.2 - x86
    Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.2037.921 [GMT -6:00]
    Running from: c:\users\Carrie\Desktop\ComboFix.exe
    Command switches used :: c:\users\Carrie\Desktop\CFScript.txt
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

    FILE ::
    "c:\windows\system32\UniBox10.ocx"
    "c:\windows\system32\UniBox210.ocx"
    "c:\windows\system32\UniBoxVB12.ocx"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\DebugDiag
    c:\program files\DebugDiag\config.xml
    c:\program files\DebugDiag\Logs\DbgSVC_Date__01_11_2011__Time_04_50_15PM__104__Log.txt
    c:\program files\DebugDiag\Logs\PerfLogs\PerfLog_Date__01_11_2011__Time_04_55_05PM__216.blg
    c:\program files\DebugDiag\ServiceState.xml
    c:\users\Carrie\AppData\Local\PackageAware
    c:\users\Carrie\AppData\Roaming\Uniblue
    c:\users\Carrie\AppData\Roaming\Uniblue\RegistryBooster\error.log
    c:\users\Carrie\AppData\Roaming\Uniblue\RegistryBooster\history\latest_scan_results.html
    c:\users\Carrie\AppData\Roaming\Uniblue\RegistryBooster\last_scan.dat
    c:\users\Carrie\AppData\Roaming\Uniblue\RegistryBooster\settings.dat
    c:\windows\system32\UniBox10.ocx
    c:\windows\system32\UniBox210.ocx

    Infected copy of c:\windows\system32\userinit.exe was found and disinfected
    Restored copy from - c:\windows\ERDNT\cache\userinit.exe

    .
    --------------- FCopy ---------------

    c:\windows\ERDNT\cache\userinit.exe --> c:\windows\system32\userinit.exe
    .
    ((((((((((((((((((((((((( Files Created from 2010-12-18 to 2011-01-18 )))))))))))))))))))))))))))))))
    .

    2011-01-18 01:44 . 2011-01-18 01:44 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-01-15 03:26 . 2011-01-15 03:26 883488 ----a-w- c:\users\Carrie\JavaSetup6u23.exe
    2011-01-13 03:46 . 2011-01-13 03:49 296448 ----a-w- c:\users\Carrie\GMER.exe
    2011-01-13 02:55 . 2011-01-13 02:55 -------- d-----w- c:\users\Carrie\AppData\Roaming\Malwarebytes
    2011-01-13 02:54 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-01-13 02:53 . 2011-01-13 02:53 -------- d-----w- c:\programdata\Malwarebytes
    2011-01-13 02:53 . 2011-01-13 02:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-01-13 02:53 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-01-13 01:16 . 2011-01-13 01:17 446464 ----a-w- c:\users\Carrie\TFC.exe
    2011-01-12 22:55 . 2010-12-28 15:55 413696 ----a-w- c:\windows\system32\odbc32.dll
    2011-01-12 22:55 . 2010-12-28 15:53 708608 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
    2011-01-12 22:55 . 2010-12-28 15:53 253952 ----a-w- c:\program files\Common Files\System\ado\msadox.dll
    2011-01-12 22:55 . 2010-12-28 15:53 241664 ----a-w- c:\program files\Common Files\System\ado\msadomd.dll
    2011-01-12 22:55 . 2010-12-28 15:53 180224 ----a-w- c:\program files\Common Files\System\msadc\msadco.dll
    2011-01-12 22:55 . 2010-12-28 15:53 57344 ----a-w- c:\program files\Common Files\System\msadc\msadcs.dll
    2011-01-12 22:55 . 2010-12-14 14:49 1169408 ----a-w- c:\windows\system32\sdclt.exe
    2011-01-11 22:16 . 2011-01-11 22:16 5142528 ----a-w- c:\users\Carrie\DebugDiag.msi
    2011-01-06 18:58 . 2004-08-04 13:00 506368 ----a-w- c:\windows\system32\msxml.dll
    2011-01-06 18:18 . 2011-01-11 20:06 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2011-01-06 18:18 . 2011-01-06 18:18 126512 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2011-01-06 18:18 . 2011-01-06 18:18 -------- d-----w- c:\program files\Symantec
    2011-01-06 18:17 . 2011-01-07 14:41 -------- d-----w- c:\windows\system32\drivers\NIS
    2011-01-06 18:17 . 2011-01-06 18:17 -------- d-----w- c:\program files\Norton Internet Security
    2011-01-06 04:16 . 2011-01-06 18:16 -------- d-----w- c:\program files\NortonInstaller
    2011-01-06 04:12 . 2010-11-16 18:01 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D794A1D6-E553-42C6-A37E-92A614C642AD}\mpengine.dll
    2011-01-06 04:12 . 2010-10-19 16:41 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-01-04 22:15 . 2011-01-04 22:15 -------- d-----w- c:\users\Carrie\advfn
    2010-12-22 21:21 . 2010-12-22 21:21 19396800 ----a-w- c:\users\Carrie\HP_Vista_PS_7150.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-01-15 03:35 . 2010-08-08 13:16 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-01-14 23:24 . 2008-08-07 22:10 0 ----a-w- c:\users\Carrie\AppData\Local\WavXMapDrive.bat
    2010-12-18 02:43 . 2010-12-18 02:43 45056 ----a-r- c:\users\Carrie\AppData\Roaming\Microsoft\Installer\{2C31929A-D6AB-4D0B-ABF9-4812A045CE97}\OptionsOracle.exe1_2C31929AD6AB4D0BABF94812A045CE97.exe
    2010-12-18 02:43 . 2010-12-18 02:43 45056 ----a-r- c:\users\Carrie\AppData\Roaming\Microsoft\Installer\{2C31929A-D6AB-4D0B-ABF9-4812A045CE97}\OptionsOracle.exe_2C31929AD6AB4D0BABF94812A045CE97.exe
    2010-12-18 02:43 . 2010-12-18 02:43 45056 ----a-r- c:\users\Carrie\AppData\Roaming\Microsoft\Installer\{2C31929A-D6AB-4D0B-ABF9-4812A045CE97}\ARPPRODUCTICON.exe
    2010-12-18 02:43 . 2010-12-18 02:43 204800 ----a-r- c:\users\Carrie\AppData\Roaming\Microsoft\Installer\{2C31929A-D6AB-4D0B-ABF9-4812A045CE97}\OptionsOracle_Data_2C31929AD6AB4D0BABF94812A045CE97.exe
    2010-11-04 18:56 . 2010-12-14 22:57 345600 ----a-w- c:\windows\system32\wmicmiplugin.dll
    2010-11-04 18:55 . 2010-12-14 22:57 352768 ----a-w- c:\windows\system32\taskschd.dll
    2010-11-04 18:55 . 2010-12-14 22:57 270336 ----a-w- c:\windows\system32\taskcomp.dll
    2010-11-04 18:55 . 2010-12-14 22:57 601600 ----a-w- c:\windows\system32\schedsvc.dll
    2010-11-04 16:34 . 2010-12-14 22:57 171520 ----a-w- c:\windows\system32\taskeng.exe
    2010-11-02 06:01 . 2010-12-14 22:56 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-11-02 05:57 . 2010-12-14 22:56 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-11-02 05:57 . 2010-12-14 22:56 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-11-02 05:57 . 2010-12-14 22:56 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-11-02 05:57 . 2010-12-14 22:56 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-11-02 05:01 . 2010-12-14 22:56 385024 ----a-w- c:\windows\system32\html.iec
    2010-11-02 04:26 . 2010-12-14 22:56 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2010-11-02 04:24 . 2010-12-14 22:56 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2010-10-28 15:44 . 2010-12-14 22:57 34304 ----a-w- c:\windows\system32\atmlib.dll
    2010-10-28 13:27 . 2010-12-14 22:57 292352 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-28 13:20 . 2010-12-14 22:56 2048 ----a-w- c:\windows\system32\tzres.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-01 68856]
    "PxDotNetLoader"="c:\program files\Fidelity Investments\Fidelity Active Trader\System\ATPStartupAssistant.exe" [2010-06-29 42392]
    "NortonUtilities"="c:\program files\Norton Utilities 14\RMTray.exe" [2009-09-14 279912]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="c:\program files\Apoint\Apoint.exe" [2007-01-26 159744]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-31 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-31 166424]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-31 133656]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-02-12 174872]
    "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-12 623992]
    "Acrobat Speed Launch"="c:\program files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe" [2006-10-23 46200]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-06-15 30192]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
    "Acrobat Synchronizer"="c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe" [2007-05-11 738968]
    "dldomon.exe"="c:\program files\Dell 968 AIO Printer\dldomon.exe" [2007-10-05 455920]
    "MemoryCardManager"="c:\program files\Dell 968 AIO Printer\memcard.exe" [2007-10-05 410864]
    "Dell 968 AIO Printer Fax Server"="c:\program files\Dell 968 AIO Printer\fm3032.exe" [2007-10-05 312560]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
    "Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
    "Bing Bar"="c:\program files\MSN Toolbar\Platform\6.3.2380.0\mswinext.exe" [2010-11-12 273672]
    "CarboniteSetupLite"="c:\program files\Carbonite\CarbonitePreinstaller.exe" [2010-11-21 283792]
    "Corel Photo Downloader"="c:\program files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe" [2007-03-21 478800]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "PxDotNetLoader"="c:\program files\Fidelity Investments\Fidelity Active Trader\System\ATPStartupAssistant.exe" [2010-06-29 42392]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-8-1 50688]
    QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2008-2-22 1193240]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gemsafe]
    2006-11-16 20:20 73728 ----a-w- c:\program files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll

    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 dldoCATSCustConnectService;dldoCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\dldoserv.exe [2007-10-05 99568]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 135664]
    R3 CFcatchme;CFcatchme;c:\users\Carrie\AppData\Local\Temp\CFcatchme.sys [x]
    R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-06-15 30192]
    R3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\DRIVERS\PTDUBus.sys [2008-08-11 33024]
    R3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\DRIVERS\PTDUMdm.sys [2008-08-11 41344]
    R3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\DRIVERS\PTDUVsp.sys [2008-08-11 39936]
    R3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\DRIVERS\PTDUWWAN.sys [2008-08-11 59904]
    R3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [2009-05-25 32408]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1205000.07D\SYMDS.SYS [2010-10-21 340016]
    S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1205000.07D\SYMEFA.SYS [2010-11-18 652336]
    S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20101123.003\BHDrvx86.sys [2010-11-23 691248]
    S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20110114.002\IDSvix86.sys [2010-11-09 353912]
    S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1205000.07D\Ironx86.SYS [2010-11-16 136312]
    S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\Drivers\NIS\1205000.07D\SYMTDIV.SYS [2010-12-01 330360]
    S2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [2006-12-19 79432]
    S2 BthFilterHelper;Bluetooth Feature Support;c:\program files\CSR\Vista Profile Pack\BthFilterHelper.exe [2006-11-07 127488]
    S2 dldo_device;dldo_device;c:\windows\system32\dldocoms.exe [2007-10-05 595184]
    S2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\18.5.0.125\ccSvcHst.exe [2010-11-24 130000]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-03-13 179712]
    S3 BTHFILT;Bluetooth Command Filter;c:\windows\system32\DRIVERS\BthFilt.sys [2007-05-05 13824]
    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-01-06 102448]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    bthsvcs REG_MULTI_SZ BthServ
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Contents of the 'Scheduled Tasks' folder

    2011-01-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 20:05]

    2011-01-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 20:05]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://comcast.net/
    uInternet Settings,ProxyOverride = *.local
    IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    Trusted Zone: intuit.com\ttlc
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-01-17 19:50
    Windows 6.0.6002 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NIS]
    "ImagePath"="\"c:\program files\Norton Internet Security\Engine\18.5.0.125\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\18.5.0.125\diMaster.dll\" /prefetch:1"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\WLANExt.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Intel\Wireless\Bin\EvtEng.exe
    c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    c:\windows\system32\PSIService.exe
    c:\program files\Intel\Wireless\Bin\RegSrvc.exe
    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    c:\windows\system32\STacSV.exe
    c:\windows\system32\DRIVERS\xaudio.exe
    c:\program files\Dell\QuickSet\NicConfigSvc.exe
    c:\windows\system32\DllHost.exe
    c:\windows\system32\igfxsrvc.exe
    c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    .
    **************************************************************************
    .
    Completion time: 2011-01-17 20:20:41 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-01-18 02:20
    ComboFix2.txt 2011-01-14 23:54

    Pre-Run: 15,876,964,352 bytes free
    Post-Run: 15,883,575,296 bytes free

    - - End Of File - - B2407419CD17FED480266643A5478151
  19. cashcab

    cashcab Newcomer, in training Topic Starter Posts: 21

    Bleeping Computer Submission

    OK, I was able to submit the "malware" file to bleeping computer for further analysis as instructed by Combofix although I have no idea what was submitted:

    File path ---> C:\Qoobox\Quarantine\[4]-Submit_2011-01-17_19.26.04.zip

    Unfortunately, after running the custom script, my CPU usage is back to 100% again. Any thoughts?

    Thanks,

    Cashcab
  20. cashcab

    cashcab Newcomer, in training Topic Starter Posts: 21

    One Other Bit of Info

    Bobbye,

    One other bit of info that may be useful is that when you first started helping me, my CPU usage jumped around from 25 to 100%. And, one thing I didn't mention because I thought it was a separate issue was that my "a" key wouldn't work consistently. My "a" key started to work the first time I ran the combofix. After running the custom code, my CPU usage is now fixed at 100%. It doesn't jump around anymore. When I receive a high CPU notification from my anti-virus program, the culprit is always internet explorer now where it used to vary in the past. I'm not sure if this is helpful but I thought I would share it in case it is. Thanks for your ongoing assistance.

    Cashcab
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I'm not sure what you did here or why you did it. Qoobox is where Combofix puts the quarantined files. It would not be something you had to submit anywhere for identification. I am not aware of Combofix ever telling someone they needed to submit a file! I would be the one to tell you to submit something and where to submit it.

    As for the a key, I doubt that has anything to do with malware. I had to replace the keyboard on a new Dell mini because the G key wouldn't work right!

    The only way you can determine anything about the CPU usage is to document what the high users are. If it's usually iexplore.exe now, it could be add-ons working in the background. I can't help you with that problem unless I know what the processes are and what you are doing at the time. Is this CPU usage slowing you down or are you just worried because it seems high?

    I'll be back after supper to check the Combofix log.
  22. cashcab

    cashcab Newcomer, in training Topic Starter Posts: 21

    Combo-Fix

    Perhaps the request for submission is an addition to the newest version of combo-fix. When I started the process last night, Combo-fix asked me if I wanted to download the most recent version since I wasn't using it. I said yes. Prior to creating the log, the submission occurred as I mentioned. I just followed the prompts. I do have a Qoobox file on my computer now.

    Today, my machine seems to be running fairly quickly. I have lost track of what's "normal" anymore since I have had this high CPU usage issue since September. It's certainly faster than it was prior to your help so thank you. Given that a number of files were deleted last night using the custom code I just want to make sure this issue is resolved so I don't encounter it again in the future. I was under the impression that we had eliminated the virus a few days earlier so I was surprised to see another one identified last night. That's my concern. I'm not sure if this is reflected in the log I sent but once you have a look, I am sure you can determine if I still have an issue.

    Thanks very much for your ongoing help. It is most appreciated.

    Cashcab
  23. cashcab

    cashcab Newcomer, in training Topic Starter Posts: 21

    CPU Usage

    Bobbye,

    Today, CPU usage is so high that my machine "freezes." This is the same issue I had before. It appears that the big user is whatever I'm using at the time. For example, an active trader program wouldn't open this morning and I received notification from my anti-virus software of high CPU usage. I have resorted to working in "safe mode" all the time. Any ideas? I can't figure out why this seems to "come and go" with the same programs open.

    Thank you.
  24. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay, this should put your mind to rest:
    Specifically, the majority of the alerts you're getting from Norton are performance alerts, not malware alerts

    Your sensitivity threshold needs to be set higher as the lower it's set, the more alerts you'll get. The following are taken from comments in the Norton Community. I think they will help you set this better and not let it worry you anymore:>>>>

    Allow Performance Monitoring Alerts to be Configured
    Please reset to High and let me know if you notice improvement.
  25. cashcab

    cashcab Newcomer, in training Topic Starter Posts: 21

    Thanks for this but I don't think it's the settings that are causing my machine to still run painfully slow. It was better for a day but with each passing day it gets slower and slower. The high CPU usage seems to vary depending upon what I am trying to use, sometimes it's internet explorer.exe, sometimes the trading software I use, etc. The main thing is that prior to getting the virus at the hotel in September, I was able to run whatever I wanted and I did not encounter this issue. Did you see anything in the last combofix log that could be causing this?

    Thanks very much,

    CashCab