Solved Malware infection Hijack control panel style


rubbersoul

Hi folks,

Lately I've been having problems with my laptop freezing and going very slow. I've done scans with MBAM and others, and the one main infection was a Hijack.ControlPanelStyle, which I have deleted, though it keeps coming back.

I've had rootkit infections before and it seems similar to that, though I'm not sure. Here are the logs from the MBAM quick and full scans, GMER and DDS, as requested.

Thanks for the help.

-----------------------------------------------------------------------------------------------------------------
Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.13.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Josh :: JOHN-53EAF8E1E1 [administrator]

Protection: Disabled

13/05/2012 4:35:38 PM
mbam-log-2012-05-13 (16-35-38).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 201987
Time elapsed: 6 minute(s), 16 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Data: 1 -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


----------------------------------------------------------------------------------
Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.13.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Josh :: JOHN-53EAF8E1E1 [administrator]

Protection: Disabled

13/05/2012 4:44:18 PM
mbam-log-2012-05-13 (16-44-18).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 281158
Time elapsed: 1 hour(s), 47 minute(s), 2 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

------------------------------------------------------------------------------------------
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-05-13 18:36:23
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 TOSHIBA_ rev.LV01
Running: gmer.exe; Driver: C:\DOCUME~1\Josh\LOCALS~1\Temp\uwncrpod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0x9D993D5A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0x9D993BC5]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)

Device \Driver\Tcpip \Device\Ip OAmon.sys (TDI Helper Driver/Emsisoft)
Device \Driver\Tcpip \Device\Tcp OAmon.sys (TDI Helper Driver/Emsisoft)
Device \Driver\Tcpip \Device\Udp OAmon.sys (TDI Helper Driver/Emsisoft)
Device \Driver\Tcpip \Device\RawIp OAmon.sys (TDI Helper Driver/Emsisoft)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- EOF - GMER 1.0.15 ----
----------------------------------------------------------------------------------------------------------------

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.4.1
Run by Josh at 18:43:22 on 2012-05-13
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.2940.2062 [GMT 10:00]
.
AV: Panda Cloud Antivirus *Enabled/Updated* {5AD27692-540A-464E-B625-78275FA38393}
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Online Armor Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Online Armor\OAcat.exe
C:\Program Files\Online Armor\oasrv.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Online Armor\OAui.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Online Armor\OAhlp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com.au/
BHO: {000123B4-9B42-4900-B3F7-F4B073EFC214} - No File
BHO: IDM integration (IDMIEHlprObj Class): {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
BHO: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - No File
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [IDMan] c:\program files\internet download manager\IDMan.exe /onboot
uRun: [SageTV] "c:\program files\sagetv\sagetv\SageTV.exe" -startup
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ActiveMultiwallpaper] c:\program files\activemultiwallpaper\Changer.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [@OnlineArmor GUI] "c:\program files\online armor\OAui.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: &Download by Orbit
IE: &Grab video by Orbit
IE: Do&wnload selected by Orbit
IE: Down&load all by Orbit
IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: Interfaces\{6A219B28-2B81-4C7E-8765-52D2B0D554CC} : NameServer = 8.26.56.26,156.154.70.22
TCP: Interfaces\{AC7DDD6A-347A-4ACA-8A2B-5020D95DA085} : NameServer = 8.26.56.26,156.154.70.22
TCP: Interfaces\{C1DEBEAC-51BF-4066-8DF9-52DF20265F80} : NameServer = 8.26.56.26,156.154.70.22
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - c:\progra~1\online~2\oaevent.dll
SecurityProviders: schannel.dll, digest.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\josh\application data\mozilla\firefox\profiles\rs3txhg9.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\3.0.40818.0\npctrlui.dll
FF - plugin: c:\program files\oracle\javafx 2.1 runtime\bin\plugin2\npjp2.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_235.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
.
============= SERVICES / DRIVERS ===============
.
R0 iastor86;iastor86;c:\windows\system32\drivers\iastor86.sys [2010-4-4 327192]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-11-12 442200]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-11-12 320856]
R1 IDMTDI;IDMTDI;c:\windows\system32\drivers\idmtdi.sys [2011-12-30 103944]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2012-1-21 205864]
R1 oahlpXX;Online Armor helper driver;c:\windows\system32\drivers\oahlp32.sys [2012-1-21 40296]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2012-1-21 25192]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2012-1-21 29464]
R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [2011-11-23 130312]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-11-12 20568]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-11-12 44768]
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [2012-1-20 21992]
R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\panda security\panda cloud antivirus\PSANHost.exe [2011-4-28 140608]
R2 OAcat;Online Armor Helper Service;c:\program files\online armor\oacat.exe [2012-1-21 207936]
R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [2012-1-5 144008]
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [2011-4-28 97096]
R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [2011-4-28 111688]
R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [2011-11-30 112648]
R2 SvcOnlineArmor;Online Armor;c:\program files\online armor\oasrv.exe [2012-1-21 4363040]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2011-12-8 5888]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-4-29 22344]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2011-12-8 197224]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2012-2-6 136176]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-4-29 654408]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-5-8 257696]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2011-11-4 1691480]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [2011-12-4 117504]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2012-2-6 136176]
S3 SageTV;SageTV;"c:\program files\sagetv\sagetv\sagetvservice.exe" --> c:\program files\sagetv\sagetv\SageTVService.exe [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files\intel\intel(r) rapid storage technology\IAStorDataMgrSvc.exe [2011-12-8 13592]
.
=============== Created Last 30 ================
.
2012-05-09 15:19:27 -------- d-----w- c:\program files\CDisplay
2012-05-08 07:37:16 -------- d-----w- c:\documents and settings\josh\local settings\application data\Sun
2012-05-08 07:23:57 -------- d-----w- c:\windows\Performance
2012-05-08 07:23:37 -------- d-----w- c:\documents and settings\josh\local settings\application data\Microsoft Corporation
2012-05-08 07:22:08 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2012-05-08 07:09:58 -------- d-----w- c:\program files\Oracle
2012-05-08 07:07:51 772504 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-05-08 07:05:07 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-08 06:46:37 -------- d-----w- c:\documents and settings\all users\application data\boost_interprocess
2012-05-08 05:52:25 -------- d-----w- c:\documents and settings\josh\application data\Ad-Aware Antivirus
2012-05-06 13:27:17 -------- d-----w- c:\documents and settings\josh\application data\Panda Security
2012-05-06 13:25:31 -------- d-----w- c:\program files\Panda Security
2012-05-06 13:25:31 -------- d-----w- c:\documents and settings\all users\application data\Panda Security
2012-05-06 13:23:09 -------- d-----w- C:\temp
2012-05-06 09:26:45 -------- d-----w- c:\documents and settings\all users\application data\Sophos
2012-05-06 08:59:17 73728 ----a-r- c:\documents and settings\josh\application data\microsoft\installer\{b829e117-d072-41ea-9606-9826a38d34c1}\SVRTgui.exe1_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2012-05-06 08:59:17 73728 ----a-r- c:\documents and settings\josh\application data\microsoft\installer\{b829e117-d072-41ea-9606-9826a38d34c1}\SVRTgui.exe_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2012-05-06 08:59:17 73728 ----a-r- c:\documents and settings\josh\application data\microsoft\installer\{b829e117-d072-41ea-9606-9826a38d34c1}\ARPPRODUCTICON.exe
2012-05-06 08:59:03 -------- d-----w- c:\program files\Sophos
2012-05-06 03:20:13 -------- d-----w- c:\program files\MP4 to AVI
2012-05-06 03:17:50 -------- d-----w- c:\program files\hpmonitor
2012-05-06 03:17:35 17280 ----a-w- c:\windows\system32\roboot.exe
2012-05-06 03:17:26 -------- d-----w- c:\documents and settings\josh\application data\systweak
2012-05-06 03:11:53 -------- d-----w- c:\windows\RegisteredPackages
2012-04-28 16:40:33 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-16 14:44:39 54784 ----a-w- c:\windows\system32\brinsstr.dll
2012-04-16 14:44:24 34816 ------w- c:\windows\system32\BrWiaNCp.dll
2012-04-16 14:44:23 61952 ------w- c:\windows\system32\BrNetSti.dll
2012-04-16 14:44:23 37376 ------w- c:\windows\system32\Brnsplg.dll
2012-04-16 14:44:23 18944 ------w- c:\windows\system32\BrnStiCp.cpl
2012-04-16 14:44:22 9728 ------w- c:\windows\system32\BrSti07a.dll
2012-04-16 14:44:13 163840 ------w- c:\windows\system32\NSSearch.dll
2012-04-16 14:44:13 106496 ------w- c:\windows\system32\BrMuSNMP.dll
2012-04-16 14:44:12 73728 ------w- c:\windows\system32\BRCrypt.dll
2012-04-16 14:44:12 61440 ------w- c:\windows\system32\BrMfNt.dll
2012-04-16 14:44:12 -------- d-----w- c:\program files\Brother
2012-04-16 14:44:11 131072 ------w- c:\windows\brunin03.dll
2012-04-16 14:43:32 -------- d-----w- c:\documents and settings\all users\application data\Brother
2012-04-16 10:27:36 -------- d-sh--w- c:\documents and settings\josh\IECompatCache
.
==================== Find3M ====================
.
2012-05-08 07:05:06 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-11 13:14:41 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-11 13:12:06 1862272 ----a-w- c:\windows\system32\win32k.sys
2012-04-11 12:35:51 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-04 08:47:36 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-04-04 08:47:02 687504 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-28 13:43:21 231760 ----a-w- c:\windows\system32\drivers\truecrypt.sys
2012-03-01 11:01:32 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01:32 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01:32 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10:16 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10:16 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17:40 385024 ------w- c:\windows\system32\html.iec
.
============= FINISH: 18:45:38.70 ===============
 
Welcome to TechSpot! I'll help with the malware.

Hijack.ControlPanelStyle is not the infection. It's a policy change most likely set by the malware.

Is this the same system I helped you with last year? You had Microsoft Security Essentials then, right? You have an interesting 'bunch' of security now!

Log header now shows:
AV: Panda Cloud Antivirus *Enabled/Updated* {5AD27692-540A-464E-B625-78275FA38393}
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Online Armor Firewall *Enabled*>> 2012-1-21

And you also have installed:
2012-05-06 >> Downloaded c:\program files\Sophos>> and ran the Sophos Virus Removal Tool
2012-05-06 >> Downloaded c:\program files\Panda Security
2012-05-08 >> Ran? c:\documents and settings\josh\application data\Ad-Aware Antivirus
2012-05-06 >> Ran Systweak Advanced System Optimizer> which is a registry cleaner

[SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
2012-05-06 13:23:09 -------- d-----w- C:\temp <<<< Mystery file
=============================================

There may be more. But you should have one antivirus program, one firewall, NO registry cleaner; 2 or more antimalware programs are okay, but only one resident real-time one running, like TeaTimer.

Please clean up the system to get down to that. Reboot the system when finished.
===============================================
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------

  • Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • If prompted for Recovery Console, please allow.
    • Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.
    • Note: No query will be made if the Recovery Console is already on the system.
  • Close any open browsers.
  • Before you run the Combofix scan, please disable any security software you have running.
    (If you need help with this, please see HERE)
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • When the scan completes, a report will be generated and will open in a text window. Please paste the C:\ComboFix.txt in your next reply.

Re-enable your Antivirus software.
Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
Note 3: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
============================================

To run the Eset Online Virus Scan:
If you use Internet Explorer:
  1. Open the ESETOnlineScan
  2. Skip to #4 to "Continue with the directions"

  If you are using a browser other than Internet Explorer:
  3. Open Eset Smart Installer
    [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
    [o] Double click on the desktop icon to run.
    [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new window.
  4. Continue with the directions.
  5. Check 'Yes I accept terms of use.'
  6. Click Start button
  7. Accept any security warnings from your browser.
  8. Uncheck 'Remove found threats'
  9. Check 'Scan archives'
  10. Leave remaining settings as is.
  11. Press the Start button.
  12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  13. When the scan completes, press List of found threats
  14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  15. Push the Back button, then Finish
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
================================================

Please update the following:
Note: Check each download screen for any pre-checked Toolbars or BHOs. Uncheck them before the download.
Adobe Reader > Adobe Reader Update
Java(TM) > Java Updates.
Uninstall any earlier versions of both, as they are vulnerabilities for the system.

Please leave Combofix and Eset scan logs in next reply.

Edit: Scan instructions have been redone due to parsing.
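Added example, not part of the thread or of any tool named in it: a small PowerShell audit for the policy value behind the MBAM Hijack.ControlPanelStyle detection. The MBAM log shows it under HKCU, the DDS "dPolicies-explorer" line and the later ComboFix "Reg Loading Points" section show it under HKEY_USERS\.DEFAULT as well, so the script walks every loaded hive rather than only the current user's. The function names and the PowerShell 2.0 compatible object construction are this example's own choices.

```powershell
# Added example (not from the thread). Audits every loaded registry hive for the
# Explorer policy that MBAM reports as Hijack.ControlPanelStyle. Written to run
# on PowerShell 2.0+, which a Windows XP SP3 machine like the one above could have.

$PolicySubKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$PolicyValue  = 'ForceClassicControlPanel'

function Get-HiveRoots {
    # Machine-wide policy plus every user hive currently loaded under HKEY_USERS.
    # HKEY_USERS\.DEFAULT is included on purpose: the ComboFix "Reg Loading Points"
    # section shows the value set there, not only in the logged-on user's HKCU,
    # so deleting it in HKCU alone leaves a copy behind.
    $roots = @('Registry::HKEY_LOCAL_MACHINE')
    $users = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue
    foreach ($u in $users) {
        # The *_Classes hives hold file associations, not Explorer policy.
        if ($u.PSChildName -notlike '*_Classes') {
            $roots += "Registry::HKEY_USERS\$($u.PSChildName)"
        }
    }
    return $roots
}

function Get-ControlPanelPolicy {
    # Emits one record per hive in which the value exists. Data 1 is the
    # setting MBAM flags; any non-zero data is still worth a look.
    foreach ($root in Get-HiveRoots) {
        $keyPath = "$root\$PolicySubKey"
        if (-not (Test-Path -LiteralPath $keyPath)) { continue }
        $props = Get-ItemProperty -LiteralPath $keyPath -ErrorAction SilentlyContinue
        if ($props -eq $null -or $props.$PolicyValue -eq $null) { continue }
        New-Object PSObject -Property @{
            Hive    = $root
            KeyPath = $keyPath
            Data    = [int]$props.$PolicyValue
            Flagged = ([int]$props.$PolicyValue -eq 1)
        }
    }
}

function Remove-ControlPanelPolicy {
    # Clears the value wherever the audit found it. Run with -WhatIf first to
    # see which hives would be touched. If the value is back after a reboot,
    # something on the machine is re-writing it, which is the helper's point
    # above: the policy is a symptom, and removing it alone is not the fix.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($hit in Get-ControlPanelPolicy) {
        if ($PSCmdlet.ShouldProcess($hit.KeyPath, "Remove value $PolicyValue")) {
            Remove-ItemProperty -LiteralPath $hit.KeyPath -Name $PolicyValue
        }
    }
}

# Report only; call Remove-ControlPanelPolicy -WhatIf, then without it, to clean up.
Get-ControlPanelPolicy | Format-Table Hive, Data, Flagged -AutoSize
```

Re-running the audit after the next reboot is the useful check: a value that reappears in a hive points at a persistence mechanism still present, which is what the scan logs requested in the thread are meant to find.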
 
Is this the same system I helped you with last year? You had Microsoft Security Essentials then, right? You have an interesting 'bunch' of security now!

Hey thanks for the help. I think this is a new install but with the same os. Every 6 months or so I usually back everything up and do a fresh install.

I've followed your directions and deleted all the extra AV programs and stuff. Just Avast, OA and Mbam now. I couldn't find that registry editor though?

Here are the logs.

ComboFix 12-05-13.04 - Josh 14/05/2012 14:11:22.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.2940.2486 [GMT 10:00]
Running from: c:\documents and settings\Josh\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Online Armor Firewall *Disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
C:\install.exe
c:\windows\system32\SET253.tmp
c:\windows\system32\SET26C.tmp
c:\windows\system32\SET26E.tmp
c:\windows\system32\SET27C.tmp
c:\windows\system32\SET299.tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-04-14 to 2012-05-14 )))))))))))))))))))))))))))))))
.
.
2012-05-09 15:19 . 2012-05-09 15:19 -------- d-----w- c:\program files\CDisplay
2012-05-08 07:37 . 2012-05-08 07:37 -------- d-----w- c:\documents and settings\Josh\Local Settings\Application Data\Sun
2012-05-08 07:23 . 2012-05-08 07:23 -------- d-----w- c:\windows\Performance
2012-05-08 07:23 . 2012-05-08 07:23 -------- d-----w- c:\documents and settings\Josh\Local Settings\Application Data\Microsoft Corporation
2012-05-08 07:22 . 2012-05-08 07:22 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2012-05-08 07:11 . 2012-05-08 07:11 -------- d-----w- c:\program files\Common Files\Java
2012-05-08 07:09 . 2012-05-08 07:09 -------- d-----w- c:\program files\Oracle
2012-05-08 07:07 . 2012-05-08 07:07 -------- d-----w- c:\documents and settings\Josh\Application Data\Oracle
2012-05-08 07:07 . 2012-04-04 08:47 772504 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-05-08 07:05 . 2012-05-08 07:05 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-08 06:46 . 2012-05-08 06:46 -------- d-----w- c:\documents and settings\All Users\Application Data\boost_interprocess
2012-05-08 05:52 . 2012-05-08 05:52 -------- d-----w- c:\documents and settings\Josh\Application Data\Ad-Aware Antivirus
2012-05-06 13:27 . 2012-05-06 13:27 -------- d-----w- c:\documents and settings\Josh\Application Data\Panda Security
2012-05-06 13:25 . 2012-05-14 03:47 -------- d-----w- c:\program files\Panda Security
2012-05-06 13:25 . 2012-05-06 13:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Panda Security
2012-05-06 13:23 . 2012-05-06 13:25 -------- d-----w- C:\temp
2012-05-06 09:26 . 2012-05-06 09:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Sophos
2012-05-06 03:20 . 2012-05-06 03:20 -------- d-----w- c:\program files\MP4 to AVI
2012-05-06 03:17 . 2012-05-10 18:18 -------- d-----w- c:\program files\hpmonitor
2012-05-06 03:17 . 2012-01-20 04:14 17280 ----a-w- c:\windows\system32\roboot.exe
2012-05-06 03:17 . 2012-05-06 05:23 -------- d-----w- c:\documents and settings\Josh\Application Data\systweak
2012-04-28 16:40 . 2012-04-04 05:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-16 14:44 . 2007-01-26 06:13 54784 ----a-w- c:\windows\system32\brinsstr.dll
2012-04-16 14:44 . 2007-01-26 05:06 34816 ------w- c:\windows\system32\BrWiaNCp.dll
2012-04-16 14:44 . 2007-02-06 09:50 61952 ------w- c:\windows\system32\BrNetSti.dll
2012-04-16 14:44 . 2007-01-26 05:05 18944 ------w- c:\windows\system32\BrnStiCp.cpl
2012-04-16 14:44 . 2006-12-26 09:39 37376 ------w- c:\windows\system32\Brnsplg.dll
2012-04-16 14:44 . 2006-11-20 10:48 9728 ------w- c:\windows\system32\BrSti07a.dll
2012-04-16 14:44 . 2007-01-18 03:51 163840 ------w- c:\windows\system32\NSSearch.dll
2012-04-16 14:44 . 2002-11-26 03:43 106496 ------w- c:\windows\system32\BrMuSNMP.dll
2012-04-16 14:44 . 2012-04-16 15:03 -------- d-----w- c:\program files\Brother
2012-04-16 14:44 . 2007-04-27 07:13 61440 ------w- c:\windows\system32\BrMfNt.dll
2012-04-16 14:44 . 2006-07-07 02:40 73728 ------w- c:\windows\system32\BRCrypt.dll
2012-04-16 14:44 . 2007-02-15 03:54 131072 ------w- c:\windows\brunin03.dll
2012-04-16 14:43 . 2012-04-16 14:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Brother
2012-04-16 10:27 . 2012-04-16 10:27 -------- d-sh--w- c:\documents and settings\Josh\IECompatCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-08 07:05 . 2011-11-25 08:30 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-11 13:14 . 2010-04-03 15:46 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-11 13:12 . 2010-04-03 15:47 1862272 ----a-w- c:\windows\system32\win32k.sys
2012-04-11 12:35 . 2009-12-08 18:43 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-04 08:47 . 2011-12-08 03:49 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-04-04 08:47 . 2011-12-08 03:49 687504 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-28 13:43 . 2012-03-28 13:43 231760 ----a-w- c:\windows\system32\drivers\truecrypt.sys
2012-03-01 11:01 . 2010-04-03 15:50 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2010-04-03 15:50 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2010-04-03 15:50 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10 . 2008-04-14 03:42 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2008-04-14 03:41 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17 . 2010-04-03 15:50 385024 ------w- c:\windows\system32\html.iec
2012-02-19 01:18 . 2012-02-19 01:18 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2010-04-03 . 5A8E28037289FCCBF7AD3FC57DF7048F . 502272 . . [1.0626.6002.18005] . . c:\windows\system32\usp10.dll
.
[-] 2010-04-03 . F2DF0FDBD41B34112EE05ED04258F052 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-09-06 19:45 122512 ------w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]
@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
2011-12-19 20:46 21864 ----a-w- c:\program files\Internet Download Manager\IDMShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2011-12-29 3462552]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-28 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-28 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-08-28 141848]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-09-06 3722416]
"RTHDCPL"="RTHDCPL.EXE" [2011-10-14 20064872]
"@OnlineArmor GUI"="c:\program files\Online Armor\OAui.exe" [2011-11-01 2531104]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2010-04-03 128512]
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\ONLINE~2\oaevent.dll" [2011-11-01 358840]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders schannel.dll, digest.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 04:59 937920 ------r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-09-07 22:58 37296 ------w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-07-28 23:08 1259376 ------w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAStorIcon]
2011-10-17 04:12 284440 ------w- c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-17 01:07 252296 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2008-08-13 23:20 1343488 ------w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\THotkey]
2009-06-10 00:05 368640 ------w- c:\program files\TOSHIBA\TOSHIBA Applet\THotkey.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"CiSvc"=3 (0x3)
"IAStorDataMgrSvc"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
.
R0 iastor86;iastor86;c:\windows\system32\drivers\iastor86.sys [4/04/2010 3:03 AM 327192]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [12/11/2011 11:10 PM 442200]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/11/2011 11:10 PM 320856]
R1 IDMTDI;IDMTDI;c:\windows\system32\drivers\idmtdi.sys [30/12/2011 12:35 AM 103944]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [21/01/2012 1:00 PM 205864]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [21/01/2012 1:00 PM 25192]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [21/01/2012 1:00 PM 29464]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/11/2011 11:10 PM 20568]
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [20/01/2012 12:56 AM 21992]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [29/04/2012 2:42 AM 654408]
R2 OAcat;Online Armor Helper Service;c:\program files\Online Armor\oacat.exe [21/01/2012 1:00 PM 207936]
R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [4/12/2011 4:16 PM 117504]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [8/12/2011 5:01 PM 5888]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [29/04/2012 2:40 AM 22344]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [8/12/2011 5:11 PM 197224]
S1 oahlpXX;Online Armor helper driver;c:\windows\system32\drivers\oahlp32.sys [21/01/2012 1:00 PM 40296]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 12:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/02/2012 5:07 PM 136176]
S2 SvcOnlineArmor;Online Armor;c:\program files\Online Armor\oasrv.exe [21/01/2012 1:00 PM 4363040]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [8/05/2012 5:05 PM 257696]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [4/11/2011 7:51 PM 1691480]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/02/2012 5:07 PM 136176]
S3 SageTV;SageTV;"c:\program files\SageTV\SageTV\SageTVService.exe" --> c:\program files\SageTV\SageTV\SageTVService.exe [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 12:16 PM 753504]
S4 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [8/12/2011 5:06 PM 13592]
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-14 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-08 07:05]
.
2012-05-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-02-06 07:07]
.
2012-05-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-02-06 07:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
IE: &Download by Orbit
IE: &Grab video by Orbit
IE: Do&wnload selected by Orbit
IE: Down&load all by Orbit
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
TCP: DhcpNameServer = 192.231.203.132 192.231.203.3
TCP: Interfaces\{6A219B28-2B81-4C7E-8765-52D2B0D554CC}: NameServer = 8.26.56.26,156.154.70.22
TCP: Interfaces\{AC7DDD6A-347A-4ACA-8A2B-5020D95DA085}: NameServer = 8.26.56.26,156.154.70.22
TCP: Interfaces\{C1DEBEAC-51BF-4066-8DF9-52DF20265F80}: NameServer = 8.26.56.26,156.154.70.22
FF - ProfilePath - c:\documents and settings\Josh\Application Data\Mozilla\Firefox\Profiles\rs3txhg9.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-SageTV - c:\program files\SageTV\SageTV\SageTV.exe
HKCU-Run-ActiveMultiwallpaper - c:\program files\ActiveMultiwallpaper\Changer.exe
MSConfigStartUp-LClock - c:\program files\LClock\LClock.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-14 14:23
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):dd,e0,08,ad,41,17,d5,b6,6f,94,59,8c,d7,7c,eb,35,84,4d,35,a8,58,
d8,ed,e9,14,00,d2,91,aa,69,47,8f,f3,dc,b9,14,43,c1,2e,08,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{db97409d-dda6-40f8-ae74-1137eff9b27c}]
@Denied: (Full) (Everyone)
"Model"=dword:00000083
"Therad"=dword:00000010
.
Completion time: 2012-05-14 14:26:45
ComboFix-quarantined-files.txt 2012-05-14 04:26
.
Pre-Run: 47,314,944,000 bytes free
Post-Run: 47,599,636,480 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(3)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(3)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 2A3FD83E846FAB393556388ACC779B60

----------------------------------------------------------------------------------------

ESET

C:\Documents and Settings\All Users\Start Menu\Programs\eBay.url Win32/Adware.ADON application
C:\Documents and Settings\Josh\My Documents\Downloads\cnet2_Pazera_Free_MP4_to_AVI_Converter_exe.exe a variant of Win32/InstallCore.D application
C:\Documents and Settings\Josh\My Documents\Downloads\Programs\cnet2_alarm1_exe.exe a variant of Win32/InstallCore.D application
C:\Documents and Settings\Josh\My Documents\Downloads\Programs\cnet2_K-Lite_Codec_Pack_800_Mega_exe.exe a variant of Win32/InstallCore.D application
C:\Documents and Settings\Josh\My Documents\Downloads\Programs\cnet2_Pazera_Free_MP4_to_AVI_Converter_exe.exe a variant of Win32/InstallCore.D application
C:\Documents and Settings\Josh\My Documents\Downloads\Programs\cnet2_vsw300_exe.exe a variant of Win32/InstallCore.D application
 
Wow- something caused the Combofix and Eset directions to parse! Hope you got through the reading.

For the Eset entries:
Please download OTMoveIt by OldTimer and save it to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Files
    C:\Documents and Settings\All Users\Start Menu\Programs\eBay.url 
    C:\Documents and Settings\Josh\My Documents\Downloads\cnet2_Pazera_Free_MP4_to_AVI_Converter_exe.exe 
    C:\Documents and Settings\Josh\My Documents\Downloads\Programs\cnet2_alarm1_exe.exe 
    C:\Documents and Settings\Josh\My Documents\Downloads\Programs\cnet2_K-Lite_Codec_Pack_800_Mega_exe.exe 
    C:\Documents and Settings\Josh\My Documents\Downloads\Programs\cnet2_Pazera_Free_MP4_to_AVI_Converter_exe.exe 
    C:\Documents and Settings\Josh\My Documents\Downloads\Programs\cnet2_vsw300_exe.exe 
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
--------------------------------------------------------

Please run this Custom CFScript:

  • [1]. Close any open browsers.
  • [2]. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • [3]. Open Notepad > click on Format > uncheck 'Word Wrap' > and copy/paste the text in the code below into it:
Code:
File::
FileLook::
c:\windows\system32\usp10.dll
c:\windows\system32\sfcfiles.dll
DDS::
BHO: {000123B4-9B42-4900-B3F7-F4B073EFC214} - No File
BHO: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
 
Folder::
C:\temp
c:\documents and settings\Josh\Application Data\Ad-Aware Antivirus
c:\documents and settings\Josh\Application Data\Panda Security
c:\program files\Panda Security
c:\documents and settings\All Users\Application Data\Panda Security
c:\documents and settings\All Users\Application Data\Sophos
c:\documents and settings\Josh\Application Data\systweak
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=-
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=-
RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{db97409d-dda6-40f8-ae74-1137eff9b27c}]
 
Clearjavacache::
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it into your next reply.
====================
Note: Check each download screen for any pre-checked Toolbars or BHOs. Uncheck them before the download.

Please update the following:
Adobe Reader > to the current version > Adobe Reader Update
Java(TM) > to the current version > Java Updates.
Uninstall any earlier versions of both, as they are vulnerabilities for the system.


Edit: scrambled text was on this end, not from your system. Sometimes running the Google Spell check will do it.
 
Ah cool, I wasn't aware of that feature!

Following logs as requested:


All processes killed
========== FILES ==========
C:\Documents and Settings\All Users\Start Menu\Programs\eBay.url moved successfully.
C:\Documents and Settings\Josh\My Documents\Downloads\cnet2_Pazera_Free_MP4_to_AVI_Converter_exe.exe moved successfully.
C:\Documents and Settings\Josh\My Documents\Downloads\Programs\cnet2_alarm1_exe.exe moved successfully.
C:\Documents and Settings\Josh\My Documents\Downloads\Programs\cnet2_K-Lite_Codec_Pack_800_Mega_exe.exe moved successfully.
C:\Documents and Settings\Josh\My Documents\Downloads\Programs\cnet2_Pazera_Free_MP4_to_AVI_Converter_exe.exe moved successfully.
C:\Documents and Settings\Josh\My Documents\Downloads\Programs\cnet2_vsw300_exe.exe moved successfully.
File/Folder [purity] not found.
File/Folder [emptytemp] not found.
File/Folder [start explorer] not found.
File/Folder [Reboot] not found.

OTM by OldTimer - Version 3.1.19.0 log created on 05172012_013701

ComboFix 12-05-13.04 - Josh 17/05/2012 1:55.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.2940.2469 [GMT 10:00]
Running from: c:\documents and settings\Josh\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Josh\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Online Armor Firewall *Disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\Panda Security
c:\documents and settings\All Users\Application Data\Sophos
c:\documents and settings\All Users\Application Data\Sophos\Sophos Virus Removal Tool\Logs\SophosVirusRemovalTool.log
c:\documents and settings\Josh\Application Data\Ad-Aware Antivirus
c:\documents and settings\Josh\Application Data\Ad-Aware Antivirus\Installer.xml
c:\documents and settings\Josh\Application Data\Ad-Aware Antivirus\update-parameters.xml
c:\documents and settings\Josh\Application Data\Panda Security
c:\documents and settings\Josh\Application Data\systweak
c:\program files\Panda Security
C:\temp
c:\temp\CloudAvBootstrap.xml
c:\temp\CloudAvBootstrap.xml.Result
c:\windows\system32\roboot.exe
c:\windows\system32\Thumbs.db
.
.
((((((((((((((((((((((((( Files Created from 2012-04-16 to 2012-05-16 )))))))))))))))))))))))))))))))
.
.
2012-05-16 15:37 . 2012-05-16 15:37 -------- d-----w- C:\_OTM
2012-05-14 04:32 . 2012-05-14 04:32 -------- d-----w- c:\program files\ESET
2012-05-09 15:19 . 2012-05-09 15:19 -------- d-----w- c:\program files\CDisplay
2012-05-08 07:37 . 2012-05-08 07:37 -------- d-----w- c:\documents and settings\Josh\Local Settings\Application Data\Sun
2012-05-08 07:23 . 2012-05-08 07:23 -------- d-----w- c:\windows\Performance
2012-05-08 07:23 . 2012-05-08 07:23 -------- d-----w- c:\documents and settings\Josh\Local Settings\Application Data\Microsoft Corporation
2012-05-08 07:22 . 2012-05-08 07:22 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2012-05-08 07:11 . 2012-05-08 07:11 -------- d-----w- c:\program files\Common Files\Java
2012-05-08 07:09 . 2012-05-08 07:09 -------- d-----w- c:\program files\Oracle
2012-05-08 07:07 . 2012-05-08 07:07 -------- d-----w- c:\documents and settings\Josh\Application Data\Oracle
2012-05-08 07:07 . 2012-04-04 08:47 772504 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-05-08 07:05 . 2012-05-08 07:05 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-08 06:46 . 2012-05-08 06:46 -------- d-----w- c:\documents and settings\All Users\Application Data\boost_interprocess
2012-05-06 03:20 . 2012-05-06 03:20 -------- d-----w- c:\program files\MP4 to AVI
2012-05-06 03:17 . 2012-05-10 18:18 -------- d-----w- c:\program files\hpmonitor
2012-04-28 16:40 . 2012-04-04 05:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-08 07:05 . 2011-11-25 08:30 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-11 13:14 . 2010-04-03 15:46 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-11 13:12 . 2010-04-03 15:47 1862272 ----a-w- c:\windows\system32\win32k.sys
2012-04-11 12:35 . 2009-12-08 18:43 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-04 08:47 . 2011-12-08 03:49 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-04-04 08:47 . 2011-12-08 03:49 687504 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-28 13:43 . 2012-03-28 13:43 231760 ----a-w- c:\windows\system32\drivers\truecrypt.sys
2012-03-01 11:01 . 2010-04-03 15:50 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2010-04-03 15:50 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2010-04-03 15:50 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10 . 2008-04-14 03:42 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2008-04-14 03:41 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17 . 2010-04-03 15:50 385024 ------w- c:\windows\system32\html.iec
2012-02-19 01:18 . 2012-02-19 01:18 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
--- c:\windows\system32\sfcfiles.dll ---
Company: Microsoft Corporation
File Description: Windows 2000 System File Checker
File Version: 5.1.2600.5512 (xpsp.080413-2111)
Product Name: Microsoft® Windows® Operating System
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename:
File size: 1614848
Created time: 2010-04-03 16:08
Modified time: 2010-04-03 16:08
MD5: F2DF0FDBD41B34112EE05ED04258F052
SHA1: 2CB9068D136F7D997C23D65B375F4CEFF176A1DF
.
.
--- c:\windows\system32\usp10.dll ---
Company: Microsoft Corporation
File Description: Uniscribe Unicode script processor
File Version: 1.0626.6002.18005 (lh_sp2rtm.090410-1830)
Product Name: Microsoft(R) Uniscribe Unicode script processor
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: Uniscribe
File size: 502272
Created time: 2010-04-03 15:52
Modified time: 2010-04-03 15:52
MD5: 5A8E28037289FCCBF7AD3FC57DF7048F
SHA1: 72023966662046D78A7F38C78548BEE1E42ACA75
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2010-04-03 . 5A8E28037289FCCBF7AD3FC57DF7048F . 502272 . . [1.0626.6002.18005] . . c:\windows\system32\usp10.dll
.
[-] 2010-04-03 . F2DF0FDBD41B34112EE05ED04258F052 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-09-06 19:45 122512 ------w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]
@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
2012-02-08 00:49 22376 ----a-w- c:\program files\Internet Download Manager\IDMShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2012-05-14 3478936]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-28 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-28 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-08-28 141848]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-09-06 3722416]
"RTHDCPL"="RTHDCPL.EXE" [2011-10-14 20064872]
"@OnlineArmor GUI"="c:\program files\Online Armor\OAui.exe" [2011-11-01 2531104]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2010-04-03 128512]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\ONLINE~2\oaevent.dll" [2011-11-01 358840]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders schannel.dll, digest.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-02 00:07 843712 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-03-27 12:41 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-07-28 23:08 1259376 ------w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAStorIcon]
2011-10-17 04:12 284440 ------w- c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-17 01:07 252296 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2008-08-13 23:20 1343488 ------w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\THotkey]
2009-06-10 00:05 368640 ------w- c:\program files\TOSHIBA\TOSHIBA Applet\THotkey.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"CiSvc"=3 (0x3)
"IAStorDataMgrSvc"=2 (0x2)
.
R0 iastor86;iastor86;c:\windows\system32\drivers\iastor86.sys [4/04/2010 3:03 AM 327192]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [12/11/2011 11:10 PM 442200]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/11/2011 11:10 PM 320856]
R1 IDMTDI;IDMTDI;c:\windows\system32\drivers\idmtdi.sys [16/03/2012 9:08 PM 104456]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [21/01/2012 1:00 PM 205864]
R1 oahlpXX;Online Armor helper driver;c:\windows\system32\drivers\oahlp32.sys [21/01/2012 1:00 PM 40296]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [21/01/2012 1:00 PM 25192]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [21/01/2012 1:00 PM 29464]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/11/2011 11:10 PM 20568]
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [20/01/2012 12:56 AM 21992]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [29/04/2012 2:42 AM 654408]
R2 OAcat;Online Armor Helper Service;c:\program files\Online Armor\oacat.exe [21/01/2012 1:00 PM 207936]
R2 SvcOnlineArmor;Online Armor;c:\program files\Online Armor\oasrv.exe [21/01/2012 1:00 PM 4363040]
R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [4/12/2011 4:16 PM 117504]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [8/12/2011 5:01 PM 5888]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [29/04/2012 2:40 AM 22344]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [8/12/2011 5:11 PM 197224]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 12:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/02/2012 5:07 PM 136176]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [8/05/2012 5:05 PM 257696]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [4/11/2011 7:51 PM 1691480]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/02/2012 5:07 PM 136176]
S3 SageTV;SageTV;"c:\program files\SageTV\SageTV\SageTVService.exe" --> c:\program files\SageTV\SageTV\SageTVService.exe [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 12:16 PM 753504]
S4 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [8/12/2011 5:06 PM 13592]
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-16 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-08 07:05]
.
2012-05-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-02-06 07:07]
.
2012-05-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-02-06 07:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
IE: &Download by Orbit
IE: &Grab video by Orbit
IE: Do&wnload selected by Orbit
IE: Down&load all by Orbit
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
TCP: Interfaces\{6A219B28-2B81-4C7E-8765-52D2B0D554CC}: NameServer = 8.26.56.26,156.154.70.22
TCP: Interfaces\{AC7DDD6A-347A-4ACA-8A2B-5020D95DA085}: NameServer = 8.26.56.26,156.154.70.22
TCP: Interfaces\{C1DEBEAC-51BF-4066-8DF9-52DF20265F80}: NameServer = 8.26.56.26,156.154.70.22
FF - ProfilePath - c:\documents and settings\Josh\Application Data\Mozilla\Firefox\Profiles\rs3txhg9.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-17 02:16
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2012-05-17 02:23:08
ComboFix-quarantined-files.txt 2012-05-16 16:22
ComboFix2.txt 2012-05-14 04:26
.
Pre-Run: 42,778,320,896 bytes free
Post-Run: 42,772,160,512 bytes free
.
- - End Of File - - 5414CBB48831CA851EA825B91D7D8F83
 
Please run OTM again:

Please download OTMoveIt by OldTimer and save it to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Files
    C:\Documents and Settings\All Users\Start Menu\Programs\eBay.url 
    C:\Documents and Settings\Josh\My Documents\Downloads\cnet2_Pazera_Free_MP4_to_AVI_Converter_exe.exe 
    C:\Documents and Settings\Josh\My Documents\Downloads\Programs\cnet2_alarm1_exe.exe 
    C:\Documents and Settings\Josh\My Documents\Downloads\Programs\cnet2_K-Lite_Codec_Pack_800_Mega_exe.exe 
    C:\Documents and Settings\Josh\My Documents\Downloads\Programs\cnet2_Pazera_Free_MP4_to_AVI_Converter_exe.exe 
    C:\Documents and Settings\Josh\My Documents\Downloads\Programs\cnet2_vsw300_exe.exe
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
---------------------------------------------------------------
It may not show any entries for processes but the Commands shouldn't come out like that.

I'll be back in a bit to check Combofix.
 
All processes killed
========== FILES ==========
File/Folder C:\Documents and Settings\All Users\Start Menu\Programs\eBay.url not found.
File/Folder C:\Documents and Settings\Josh\My Documents\Downloads\cnet2_Pazera_Free_MP4_to_AVI_Converter_exe.exe not found.
File/Folder C:\Documents and Settings\Josh\My Documents\Downloads\Programs\cnet2_alarm1_exe.exe not found.
File/Folder C:\Documents and Settings\Josh\My Documents\Downloads\Programs\cnet2_K-Lite_Codec_Pack_800_Mega_exe.exe not found.
File/Folder C:\Documents and Settings\Josh\My Documents\Downloads\Programs\cnet2_Pazera_Free_MP4_to_AVI_Converter_exe.exe not found.
File/Folder C:\Documents and Settings\Josh\My Documents\Downloads\Programs\cnet2_vsw300_exe.exe not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->FireFox cache emptied: 2238556 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->FireFox cache emptied: 2238556 bytes

User: Josh
->Temp folder emptied: 273774 bytes
->Temporary Internet Files folder emptied: 327974 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 855837065 bytes
->Flash cache emptied: 7033 bytes

User: LocalService
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2402797 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 8231936 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 439 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 82654 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 831.00 mb


OTM by OldTimer - Version 3.1.19.0 log created on 05172012_141236
 
Do you see the difference in the OTM logs? I note OTM Total Files Cleaned = 831.00 mb. That's a lot of excess files to be carrying around! Set up some regular maintenance and stick to it.

The problems you gave were laptop freezing and going very slow and Hijack.ControlPanelStyle. You said the former was resolved and the latter is a policy setting. Is there anything else?

The Attach.txt log from DDS is missing. Check and see if it's on the system and paste it in please.
 

I have just reduced the Firefox cache down to 50mb. Is there anything else in particular I should be looking at to clean up?

It has frozen a couple times since my last post. I'm running a new scan on MBAM and I will do a defrag tonight and see how it goes.

I can't find the Attach.txt, it must have been deleted. Would you like me to do another scan?

Thanks
 
Unless you turn up something new, the malware has been handled. You have an entire operating system with many potentials for freezing besides malware. If the freezing continues, please start a new thread in the BSOD forum.

Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the Run box and click OK. Note the space between the X and the U, it needs to be there.
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
-----
Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
------------------------------------------
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
  • Choose Disk Cleanup
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

Empty the Recycle Bin
======================================

Be sure you do the updates I left for you. Run the following after the cleanup:

Run this once in a while so the files don't pile up: TFC (Temp File Cleaner)

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, it can take anywhere from a few seconds to a minute or more. TFC will completely clear all temp files where other temp file cleaners may fail. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.
 