TechSpot

No Control Panel, can't double-click, IE not working

By WonkoTheSane
Aug 3, 2012
  1. WonkoTheSane

    Hey all,

    Got infected a few days ago, and since then IE will not work. The window comes up, but soon becomes unresponsive. Chrome and Firefox both work, though. Also, I can't click on any of the desktop shortcuts to open. I have to first right-click, then select open. Same for any programs in the Start menu. Have to right-click and select open. Using right-click and open to access Control Panel doesn't work, however.

    No idea what else might not be working right.

    I'd previously run Malwarebytes, AVG, and Avast. They all found and removed some problems for me, but I'm still having the above issues.

    Any help would be greatly appreciated, and thanks for your time.

    Requested logs coming next.
     
  2. WonkoTheSane

    WonkoTheSane TS Rookie Topic Starter

    Malwarebytes log...
    Malwarebytes Anti-Malware 1.62.0.1300
    www.malwarebytes.org

    Database version: v2012.08.03.07

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Chris :: VADER [administrator]

    8/3/2012 1:00:05 PM
    mbam-log-2012-08-03 (13-00-05).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 246302
    Time elapsed: 5 minute(s), 48 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 2
    HKCR\Interface\{77777777-7777-7777-7777-770077467739} (PUP.CrossFire.SA) -> Quarantined and deleted successfully.
    HKCR\TypeLib\{44444444-4444-4444-4444-440044464439} (PUP.CrossFire.SA) -> Quarantined and deleted successfully.

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
     
  3. WonkoTheSane

    GMER log

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2012-08-03 16:13:02
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e ST3320620AS rev.3.AAE
    Running: 06t0d20b.exe; Driver: C:\DOCUME~1\Chris\LOCALS~1\Temp\kxtdypow.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xB3FFC162]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xB3FFBFCD]

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

    AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)

    Device \FileSystem\Fastfat \Fat aswSP.SYS (avast! self protection module/AVAST Software)

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)

    Device \Driver\Tcpip \Device\Ip vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

    AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

    Device \Driver\Tcpip \Device\Tcp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

    AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

    Device \Driver\Tcpip \Device\Udp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

    AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

    Device \Driver\Tcpip \Device\RawIp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

    AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

    ---- EOF - GMER 1.0.15 ----
     
  4. WonkoTheSane

    DDS log

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702
    Run by Chris at 16:16:28 on 2012-08-03
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3198.2435 [GMT -5:00]
    .
    AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: ZoneAlarm Free Firewall *Enabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
    C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\DefaultTab\DefaultTabSearch.exe
    C:\Documents and Settings\Chris\Application Data\DefaultTab\DefaultTab\DTUpdate.exe
    C:\WINDOWS\system32\nvsvc32.exe
    c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\ALCWZRD.EXE
    C:\Program Files\Microsoft IntelliType Pro\itype.exe
    C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
    C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\RunDLL32.exe
    C:\Program Files\AVAST Software\Avast\avastUI.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe
    C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
    C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = about:blank
    uURLSearchHooks: H - No File
    uURLSearchHooks: YTNavAssistPlugin Class: {81017ea9-9aa8-4a6a-9734-7af40e7d593f} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Qwiklinx: {3e7c8b5a-96ab-438f-bf9b-782400655440} - c:\documents and settings\chris\application data\qwiklinx\Qwiklinx.dll
    BHO: IE.PerformancePack: {7adefb8e-b723-45e6-86e2-2b7841f5d6a5} - mscoree.dll
    BHO: DefaultTab Browser Helper: {7f6afbf1-e065-4627-a2fd-810366367d01} - c:\documents and settings\chris\application data\defaulttab\defaulttab\DefaultTabBHO.dll
    BHO: ZoneAlarm Security Engine Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
    BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
    BHO: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - c:\progra~1\search~1\datamngr\toolbar\searchqudtx.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
    TB: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\tbZone.dll
    TB: ZoneAlarm Security Engine: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
    TB: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - c:\progra~1\search~1\datamngr\toolbar\searchqudtx.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
    mRun: [IntelAudioStudio] "c:\program files\intel audio studio\INTELAUDIOSTUDIO.exe" BOOT
    mRun: [SoundMan] SOUNDMAN.EXE
    mRun: [AlcWzrd] ALCWZRD.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
    mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
    mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"
    mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
    mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [ISW] c:\program files\checkpoint\zaforcefield\ForceField.exe /icon="hidden"
    mRun: [ZoneAlarm] c:\program files\checkpoint\zonealarm\zatray.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
    mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
    IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
    DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.1.0/GarminAxControl.CAB
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
    DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1228095759578
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: DhcpNameServer = 65.32.5.111 65.32.5.112
    TCP: Interfaces\{BF20EB66-0D38-4EE8-811C-6C96562BAAE1} : DhcpNameServer = 65.32.5.111 65.32.5.112
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    LSA: Notification Packages = :\WINDOW scecli
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-7-31 721000]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2012-7-31 353688]
    R1 Vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2011-11-9 525840]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2012-7-31 21256]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2012-7-31 44808]
    R2 DefaultTabSearch;DefaultTabSearch;c:\program files\defaulttab\DefaultTabSearch.exe [2012-5-18 563200]
    R2 DefaultTabUpdate;DefaultTabUpdate;c:\documents and settings\chris\application data\defaulttab\defaulttab\DTUpdate.exe [2012-7-31 107520]
    R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2011-11-3 27016]
    R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2011-11-3 497280]
    R2 MSSQL$BWDATOOLSET;SQL Server (BWDATOOLSET);c:\program files\daodb\mssql.1\mssql\binn\sqlservr.exe [2010-12-10 29293408]
    R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia update core\daemonu.exe [2012-2-27 2348352]
    R2 vsmon;TrueVector Internet Monitor;c:\program files\checkpoint\zonealarm\vsmon.exe -service --> c:\program files\checkpoint\zonealarm\vsmon.exe -service [?]
    R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2011-12-29 123712]
    S3 bfastfao;bfastfao;\??\c:\docume~1\chris\locals~1\temp\bfastfao.sys --> c:\docume~1\chris\locals~1\temp\bfastfao.sys [?]
    S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\steam\steamapps\common\dragon age origins\bin_ship\daupdatersvc.service.exe [2010-7-16 25832]
    .
    =============== Created Last 30 ================
    .
    2012-08-03 06:32:48 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-08-03 06:32:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-08-02 05:56:49 -------- d-----w- c:\documents and settings\chris\local settings\application data\visi_coupon
    2012-08-01 04:11:07 721000 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2012-08-01 04:10:38 41224 ----a-w- c:\windows\avastSS.scr
    2012-08-01 04:10:13 -------- d-----w- c:\program files\AVAST Software
    2012-08-01 04:10:13 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
    2012-07-31 05:41:49 -------- d-----w- c:\program files\Qwiklinx
    2012-07-31 05:41:49 -------- d-----w- c:\documents and settings\chris\application data\Qwiklinx
    2012-07-31 05:41:39 -------- d-----w- c:\documents and settings\chris\local settings\application data\SavingsApp
    2012-07-31 05:41:36 -------- d-----w- c:\program files\SavingsApp
    2012-07-31 05:41:11 -------- d-----w- c:\program files\DefaultTab
    2012-07-31 05:41:03 -------- d-----w- c:\documents and settings\chris\application data\DefaultTab
    2012-07-12 04:46:32 -------- d-----w- c:\program files\Gardenscapes - Mansion Makeover
    .
    ==================== Find3M ====================
    .
    .
    ============= FINISH: 16:17:36.45 ===============
     
  5. WonkoTheSane

    Attach.log

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 11/30/2008 7:06:22 PM
    System Uptime: 8/3/2012 12:23:44 PM (4 hours ago)
    .
    Motherboard: Intel Corporation | | D915PBL
    Processor: Intel(R) Pentium(R) 4 CPU 3.40GHz | J2E1 | 3400/200mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 298 GiB total, 74.105 GiB free.
    D: is CDROM (UDF)
    F: is FIXED (NTFS) - 1863 GiB total, 1148.156 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E96B-E325-11CE-BFC1-08002BE10318}
    Description: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
    Device ID: ACPI\PNP0303\4&2D2D400&0
    Manufacturer: (Standard keyboards)
    Name: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
    PNP Device ID: ACPI\PNP0303\4&2D2D400&0
    Service: i8042prt
    .
    Class GUID: {6BDD1FC6-810F-11D0-BEC7-08002BE2092F}
    Description: Canon MP970 ser Network
    Device ID: ROOT\CANON_IJ_NETWORK\0000
    Manufacturer: Canon
    Name: Canon MP970 ser Network
    PNP Device ID: ROOT\CANON_IJ_NETWORK\0000
    Service: StillCam
    .
    ==== System Restore Points ===================
    .
    RP778: 5/5/2012 12:15:25 PM - System Checkpoint
    RP779: 5/7/2012 9:28:54 PM - System Checkpoint
    RP780: 5/8/2012 10:50:15 PM - System Checkpoint
    RP781: 5/8/2012 11:39:28 PM - Avg Update
    RP782: 5/10/2012 12:34:41 AM - System Checkpoint
    RP783: 5/11/2012 1:53:09 AM - System Checkpoint
    RP784: 5/12/2012 8:08:00 PM - System Checkpoint
    RP785: 5/17/2012 7:51:11 PM - System Checkpoint
    RP786: 5/19/2012 8:03:46 PM - System Checkpoint
    RP787: 5/20/2012 11:06:27 PM - System Checkpoint
    RP788: 5/22/2012 7:29:49 AM - System Checkpoint
    RP789: 5/24/2012 1:33:02 AM - System Checkpoint
    RP790: 5/29/2012 8:52:51 PM - System Checkpoint
    RP791: 6/1/2012 11:46:55 PM - Avg Update
    RP792: 6/4/2012 6:03:17 PM - System Checkpoint
    RP793: 6/6/2012 11:51:06 AM - System Checkpoint
    RP794: 6/7/2012 12:08:36 AM - Avg Update
    RP795: 6/10/2012 6:06:35 PM - System Checkpoint
    RP796: 6/11/2012 7:04:29 PM - System Checkpoint
    RP797: 6/12/2012 7:34:41 PM - System Checkpoint
    RP798: 6/18/2012 1:46:00 PM - System Checkpoint
    RP799: 6/22/2012 5:46:47 PM - System Checkpoint
    RP800: 6/23/2012 9:13:27 PM - System Checkpoint
    RP801: 6/24/2012 9:44:19 PM - System Checkpoint
    RP802: 6/28/2012 6:06:57 PM - System Checkpoint
    RP803: 6/29/2012 1:48:31 AM - Avg Update
    RP804: 6/30/2012 12:41:24 PM - System Checkpoint
    RP805: 7/5/2012 8:02:13 PM - System Checkpoint
    RP806: 7/10/2012 1:42:49 AM - System Checkpoint
    RP807: 7/11/2012 7:17:45 PM - System Checkpoint
    RP808: 7/12/2012 10:34:59 PM - System Checkpoint
    RP809: 7/16/2012 9:08:04 PM - System Checkpoint
    RP810: 7/17/2012 11:43:54 PM - System Checkpoint
    RP811: 7/28/2012 6:21:11 PM - System Checkpoint
    RP812: 7/30/2012 2:38:55 PM - System Checkpoint
    RP813: 7/31/2012 11:10:13 PM - avast! Free Antivirus Setup
    RP814: 8/1/2012 11:19:15 PM - Removed AVG Free 9.0
    RP815: 8/1/2012 11:21:03 PM - Installed AVG Free 9.0
    .
    ==== Installed Programs ======================
    .
    Acrobat.com
    Adobe AIR
    Adobe Download Manager
    Adobe Flash Player 10 Plugin
    Adobe Flash Player 11 ActiveX
    Adobe Reader 9.5.0
    Amazon MP3 Downloader 1.0.15
    Amnesia: The Dark Descent
    Apple Software Update
    ArcSoft PhotoStudio 5.5
    Audacity 1.2.6
    Audiosurf Demo
    AutoUpdate
    avast! Free Antivirus
    Big Fish Games: Game Manager
    Blood Bowl: Dark Elves Edition
    Blood Bowl: Legendary Edition
    Canon IJ Network Scan Utility
    Canon IJ Network Tool
    Canon MP Navigator EX 1.0
    Canon MP970 series
    Canon MP970 series User Registration
    Canon My Printer
    Canon Utilities Easy-PhotoPrint EX
    Canon Utilities Solution Menu
    CeRegEditor 0.0.4.4
    Cities XL - Limited Edition
    Cities XL 2011
    Cities XL 2012
    City Life 2008
    Crazy Machines
    Critical Update for Windows Media Player 11 (KB959772)
    DefaultTab
    DefaultTab Chrome
    Dev-C++ 5 beta 9 release (4.9.9.2)
    Divinity II - The Dragon Knight Saga
    DivX Codec
    Dragon Age: Origins
    Dragon Age: Origins - Awakening
    Dragon Age: Origins Character Creator
    EA Download Manager
    Ease Audio Converter 4.80
    Fallout: New Vegas
    FLV Player 2.0 (build 25)
    Full Tilt Poker
    GameCenter
    GameSpy Arcade
    Gardenscapes
    Gardenscapes: Mansion Makeover™
    Google Chrome
    Green Moon
    H&R Block Alabama 2009
    H&R Block Alabama 2010
    H&R Block Deluxe + Efile + State 2009
    H&R Block Deluxe + Efile + State 2010
    High Definition Audio Driver Package - KB835221
    HiJackThis
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2633952)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB981793)
    Intel(R) Desktop Control Center
    Intel(R) PRO Network Adapters and Drivers
    Intel® Audio Studio
    Java Auto Updater
    Java(TM) 6 Update 24
    Just Cause
    K-Lite Codec Pack 6.8.0 (Full)
    Malwarebytes Anti-Malware version 1.62.0.1300
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft ActiveSync
    Microsoft Application Error Reporting
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft IntelliType Pro 6.3
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Silverlight
    Microsoft SQL Server 2005
    Microsoft SQL Server 2005 Express Edition (BWDATOOLSET)
    Microsoft SQL Server 2005 Tools Express Edition
    Microsoft SQL Server Native Client
    Microsoft SQL Server Setup Support Files (English)
    Microsoft SQL Server VSS Writer
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Windows Theme Nunavut
    Microsoft WorldWide Telescope
    Microsoft WSE 3.0 Runtime
    Mobipocket Reader 6.2
    Mozilla Firefox 8.0.1 (x86 en-US)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6 Service Pack 2 (KB973686)
    MSXML 6.0 Parser
    Mystery P.I. - The Lottery Ticket 1.0.0.5
    NVIDIA Control Panel 295.73
    NVIDIA Display Control Panel
    NVIDIA Graphics Driver 295.73
    NVIDIA HD Audio Driver 1.3.12.0
    NVIDIA Install Application
    NVIDIA nView 136.18
    NVIDIA nView Desktop Manager
    NVIDIA PhysX
    NVIDIA PhysX System Software 9.12.0209
    NVIDIA Update 1.7.11
    NVIDIA Update Components
    Pando Media Booster
    Penumbra: Black Plague
    Penumbra: Overture
    Penumbra: Requiem
    Pioneer Lands
    Plants vs. Zombies: Game of the Year
    Portal
    Pro Cycling Manager Season 2008
    QuickTime
    Qwiklinx
    RealPlayer
    Realtek High Definition Audio Driver
    RIFT
    Royal Envoy Collector's Edition
    Runaway: A Road Adventure
    Runaway: A Twist of Fate
    Runaway: The Dream of the Turtle
    ScanSoft OmniPage SE 4
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
    Security Update for Microsoft Windows (KB2564958)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB982381)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2618444)
    Security Update for Windows Internet Explorer 8 (KB2647516)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB936782)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB2544893-v2)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2570222)
    Security Update for Windows XP (KB2570947)
    Security Update for Windows XP (KB2584146)
    Security Update for Windows XP (KB2585542)
    Security Update for Windows XP (KB2592799)
    Security Update for Windows XP (KB2598479)
    Security Update for Windows XP (KB2603381)
    Security Update for Windows XP (KB2618451)
    Security Update for Windows XP (KB2619339)
    Security Update for Windows XP (KB2620712)
    Security Update for Windows XP (KB2621440)
    Security Update for Windows XP (KB2624667)
    Security Update for Windows XP (KB2631813)
    Security Update for Windows XP (KB2633171)
    Security Update for Windows XP (KB2639417)
    Security Update for Windows XP (KB2641653)
    Security Update for Windows XP (KB2646524)
    Security Update for Windows XP (KB2647518)
    Security Update for Windows XP (KB2661637)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956390)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982665)
    Shattered Horizon
    Silverfall
    Space Quest 1+2+3
    Star Trek Online
    Star Wars: The Old Republic
    StarChef Standard
    StarCraft
    Steam
    Stronghold
    System Requirements Lab
    Tales of Monkey Island - Lair of the Leviathan
    Tales of Monkey Island - Launch of the Screaming Narwhal
    Tales of Monkey Island - Rise of the Pirate God
    Tales of Monkey Island - The Siege of Spinner Cay
    Tales of Monkey Island - The Trial and Execution of Guybrush Threepwood
    TaxCut Alabama 2008
    TaxCut Premium + State + Efile 2008
    The Elder Scrolls III: Morrowind
    The Next BIG Thing
    The Right Track (R) Software
    The Sims™ 3
    The Sims™ 3 Ambitions
    The Sims™ 3 Create a World Tool - Beta
    The Sims™ 3 World Adventures
    The Witch and The Warrior
    TRAUMA
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB982632)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2641690)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    VC 9.0 Runtime
    Wallace and Gromits Grand Adventures - Fright of the Bumblebees
    Wallace and Gromits Grand Adventures - Muzzled!
    Wallace and Gromits Grand Adventures - The Bogey Man
    Wallace and Gromits Grand Adventures - The Last Resort
    Warcraft III
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Imaging Component
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Mobile® Device Handbook
    Windows XP Service Pack 3
    Works Suite OS Pack
    XMLinst
    Yahoo! Detect
    Yahoo! Software Update
    Yahoo! Toolbar
    ZoneAlarm Firewall
    ZoneAlarm Free
    ZoneAlarm Security
    ZoneAlarm Toolbar
    .
    ==== Event Viewer Messages From Past Week ========
    .
    8/1/2012 11:57:02 AM, error: Service Control Manager [7024] - The SQL Server (BWDATOOLSET) service terminated with service-specific error 1814 (0x716).
    8/1/2012 10:51:10 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 aswSnx aswSP aswTdi AvgLdx86 AvgMfx86 Fips intelppm
    8/1/2012 10:50:12 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    7/31/2012 10:07:54 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: IntelIde
    7/28/2012 5:45:09 PM, error: Print [6161] - The document statement[1].pdf owned by Chris failed to print on printer Canon MP970 series Printer. Data type: NT EMF 1.008. Size of the spool file in bytes: 1572864. Number of bytes printed: 465920. Total number of pages in the document: 2. Number of pages printed: 0. Client machine: \\VADER. Win32 error code returned by the print processor: 13 (0xd).
    .
    ==== End Of File ===========================
     
  6. Jay Pfoutz

    Jay Pfoutz, Malware Helper

    Hello, and welcome to TechSpot.


    Please see here for the board rules and other FAQ.

    Please feel free to introduce yourself, after you follow the steps below to get started.

    Information
    • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
    • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic where you were helped.
    • We try our best to reply quickly, but if for any reason we do not reply within two days, please reply to this topic with the word BUMP!
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until it is closed and your computer is declared clean.

    ComboFix

    Please download ComboFix by sUBs
    From BleepingComputer.com

    Please save the file to your Desktop, but rename it first to svchost.exe

    Important information about ComboFix

    Before the download:
    • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
    • It is important to rename ComboFix before the download.
    • Please do not rename ComboFix to other names, but only the one indicated.
    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
    Running ComboFix:
    • Double click on svchost.exe & follow the prompts.
    • It will attempt to install the Recovery Console.
    • When ComboFix finishes, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after the BIOS screen, just before the Windows logo appears. A list of options will appear; select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method as above, but download it again and this time rename ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known for blocking all "user" processes, except for its whitelist of important system processes such as iexplore.exe, explorer.exe, and winlogon.exe.
     
  7. WonkoTheSane

    WonkoTheSane TS Rookie Topic Starter

    Thanks for assisting me, DragonMasterJay.

    Ran Combofix as requested. Everything ran as you described, but I do not see a "Combo-Fix.txt" file in C:\.

    There is an icon labeled "ComboFix" that looks like the "My Computer" icon. Looking at the properties, it says it is a folder. Inside the folder are the exact same items as in "My Computer", only the folder is named "ComboFix". Inside that folder you can open "C:\", which has another folder "ComboFix" in it, which again has the same contents as "My Computer." You can keep following this recursive loop of folders seemingly forever, and have multiple "ComboFix" and "C:\" folders open.

    Is this normal?
     
  8. WonkoTheSane

    WonkoTheSane TS Rookie Topic Starter

    Disregard last post. Saw in another post a reference to getting stuck at "Combo-Fix will now reboot your machine" etc. I never got that. The machine just rebooted. Figuring the machine had crashed, I re-ran ComboFix. Everything worked right this time, and the "ComboFix" folder I mentioned before is gone.

    Here's the log.

    ComboFix 12-07-31.06 - Chris 08/03/2012 18:43:52.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3198.2630 [GMT -5:00]
    Running from: c:\documents and settings\Chris\Desktop\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: ZoneAlarm Free Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\TEMP
    c:\documents and settings\Chris\Application Data\Adobe\plugs
    c:\documents and settings\Chris\Application Data\Adobe\shed
    c:\documents and settings\Chris\Application Data\DefaultTab\DefaultTab
    c:\documents and settings\Chris\Application Data\DefaultTab\DefaultTab\addon.ico
    c:\documents and settings\Chris\Application Data\DefaultTab\DefaultTab\amazon_ie.ico
    c:\documents and settings\Chris\Application Data\DefaultTab\DefaultTab\bing.ico
    c:\documents and settings\Chris\Application Data\DefaultTab\DefaultTab\DefaultTabBHO.dll
    c:\documents and settings\Chris\Application Data\DefaultTab\DefaultTab\DefaultTabStart.exe
    c:\documents and settings\Chris\Application Data\DefaultTab\DefaultTab\DefaultTabWrap.dll
    c:\documents and settings\Chris\Application Data\DefaultTab\DefaultTab\DT.ico
    c:\documents and settings\Chris\Application Data\DefaultTab\DefaultTab\DTUpdate.exe
    c:\documents and settings\Chris\Application Data\DefaultTab\DefaultTab\facebook_ie.ico
    c:\documents and settings\Chris\Application Data\DefaultTab\DefaultTab\google.ico
    c:\documents and settings\Chris\Application Data\DefaultTab\DefaultTab\search_here_ie.ico
    c:\documents and settings\Chris\Application Data\DefaultTab\DefaultTab\searchhere.ico
    c:\documents and settings\Chris\Application Data\DefaultTab\DefaultTab\twitter_ie.ico
    c:\documents and settings\Chris\Application Data\DefaultTab\DefaultTab\uninstalldt.exe
    c:\documents and settings\Chris\Application Data\DefaultTab\DefaultTab\wikipedia_ie.ico
    c:\documents and settings\Chris\Application Data\DefaultTab\DefaultTab\yahoo.ico
    c:\documents and settings\Chris\Application Data\DefaultTab\DefaultTab\youtube_ie.ico
    c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\361jeeys.default\extensions\crossriderapp4639@crossrider.com
    c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\361jeeys.default\extensions\crossriderapp4639@crossrider.com\chrome.manifest
    c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\361jeeys.default\extensions\crossriderapp4639@crossrider.com\chrome\content\background.html
    c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\361jeeys.default\extensions\crossriderapp4639@crossrider.com\chrome\content\browser.xul
    c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\361jeeys.default\extensions\crossriderapp4639@crossrider.com\chrome\content\crossrider.js
    c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\361jeeys.default\extensions\crossriderapp4639@crossrider.com\chrome\content\crossriderapi.js
    c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\361jeeys.default\extensions\crossriderapp4639@crossrider.com\chrome\content\dialog.js
    c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\361jeeys.default\extensions\crossriderapp4639@crossrider.com\chrome\content\options.js
    c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\361jeeys.default\extensions\crossriderapp4639@crossrider.com\chrome\content\options.xul
    c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\361jeeys.default\extensions\crossriderapp4639@crossrider.com\chrome\content\search_dialog.xul
    c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\361jeeys.default\extensions\crossriderapp4639@crossrider.com\chrome\content\update.html
    c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\361jeeys.default\extensions\crossriderapp4639@crossrider.com\defaults\preferences\prefs.js
    c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\361jeeys.default\extensions\crossriderapp4639@crossrider.com\install.rdf
    c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\361jeeys.default\extensions\crossriderapp4639@crossrider.com\locale\en-US\translations.dtd
    c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\361jeeys.default\extensions\crossriderapp4639@crossrider.com\skin\button1.png
    c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\361jeeys.default\extensions\crossriderapp4639@crossrider.com\skin\button2.png
    c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\361jeeys.default\extensions\crossriderapp4639@crossrider.com\skin\button3.png
    c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\361jeeys.default\extensions\crossriderapp4639@crossrider.com\skin\button4.png
    c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\361jeeys.default\extensions\crossriderapp4639@crossrider.com\skin\button5.png
    c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\361jeeys.default\extensions\crossriderapp4639@crossrider.com\skin\crossrider_statusbar.png
    c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\361jeeys.default\extensions\crossriderapp4639@crossrider.com\skin\icon128.png
    c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\361jeeys.default\extensions\crossriderapp4639@crossrider.com\skin\icon16.png
    c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\361jeeys.default\extensions\crossriderapp4639@crossrider.com\skin\icon24.png
    c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\361jeeys.default\extensions\crossriderapp4639@crossrider.com\skin\icon48.png
    c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\361jeeys.default\extensions\crossriderapp4639@crossrider.com\skin\panelarrow-up.png
    c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\361jeeys.default\extensions\crossriderapp4639@crossrider.com\skin\popup.css
    c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\361jeeys.default\extensions\crossriderapp4639@crossrider.com\skin\popup.html
    c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\361jeeys.default\extensions\crossriderapp4639@crossrider.com\skin\popup_binding.xml
    c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\361jeeys.default\extensions\crossriderapp4639@crossrider.com\skin\skin.css
    c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\361jeeys.default\extensions\crossriderapp4639@crossrider.com\skin\update.css
    c:\documents and settings\Chris\Application Data\Qwiklinx\QwIKlinx.dll
    c:\documents and settings\Chris\My Documents\ShopToWin
    c:\documents and settings\Chris\Start Menu\178.lnk
    c:\documents and settings\Chris\WINDOWS
    c:\program files\SavingsApp
    c:\program files\SavingsApp\SavingsApp.ico
    c:\windows\system32\SET4A.tmp
    c:\windows\system32\SET4D.tmp
    c:\windows\system32\SET51.tmp
    c:\windows\system32\SET59.tmp
    c:\windows\system32\SET5B.tmp
    c:\windows\system32\SET9C.tmp
    c:\windows\system32\SET9E.tmp
    c:\windows\system32\SETA0.tmp
    c:\windows\system32\SETA1.tmp
    F:\install.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_SSHNAS
    -------\Legacy_DefaultTabUpdate
    -------\Legacy_DefaultTabUpdate
    -------\Service_DefaultTabUpdate
    -------\Service_DefaultTabUpdate
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-07-04 to 2012-08-04 )))))))))))))))))))))))))))))))
    .
    .
    2012-08-03 06:32 . 2012-08-03 06:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-08-03 06:32 . 2012-07-03 18:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-08-02 05:56 . 2012-08-02 05:56 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\visi_coupon
    2012-08-02 03:51 . 2012-08-02 03:51 -------- d-----w- c:\documents and settings\Administrator.VADER.000\Local Settings\Application Data\Mozilla
    2012-08-01 04:11 . 2012-07-03 16:21 353688 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2012-08-01 04:11 . 2012-07-03 16:21 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2012-08-01 04:11 . 2012-07-03 16:21 35928 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2012-08-01 04:11 . 2012-07-03 16:21 54232 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2012-08-01 04:11 . 2012-07-03 16:21 721000 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2012-08-01 04:11 . 2012-07-03 16:21 97608 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2012-08-01 04:11 . 2012-07-03 16:21 89624 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2012-08-01 04:11 . 2012-07-03 16:21 25256 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2012-08-01 04:10 . 2012-07-03 16:21 41224 ----a-w- c:\windows\avastSS.scr
    2012-08-01 04:10 . 2012-07-03 16:21 227648 ----a-w- c:\windows\system32\aswBoot.exe
    2012-08-01 04:10 . 2012-08-01 04:10 -------- d-----w- c:\program files\AVAST Software
    2012-08-01 04:10 . 2012-08-01 04:10 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
    2012-07-31 05:41 . 2012-08-03 23:57 -------- d-----w- c:\documents and settings\Chris\Application Data\Qwiklinx
    2012-07-31 05:41 . 2012-07-31 05:41 -------- d-----w- c:\program files\Qwiklinx
    2012-07-31 05:41 . 2012-07-31 05:41 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\SavingsApp
    2012-07-31 05:41 . 2012-07-31 05:41 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2012-07-31 05:41 . 2012-07-31 05:41 -------- d-----w- c:\program files\DefaultTab
    2012-07-31 05:41 . 2012-08-03 23:58 -------- d-----w- c:\documents and settings\Chris\Application Data\DefaultTab
    2012-07-31 05:40 . 2012-07-31 05:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
    2012-07-31 05:40 . 2012-07-31 05:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
    2012-07-12 04:46 . 2012-07-12 04:47 -------- d-----w- c:\program files\Gardenscapes - Mansion Makeover
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-11-21 04:04 . 2011-12-12 07:40 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files\Yahoo!\Companion\Installs\cpn0\yt.dll" [2012-03-21 1523512]
    .
    [HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
    [HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
    [HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
    [HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\tbZone.dll" [2010-12-01 2735200]
    .
    [HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2012-07-03 16:21 121528 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 61952]
    "IntelAudioStudio"="c:\program files\Intel Audio Studio\INTELAUDIOSTUDIO.exe" [2004-06-20 6828032]
    "SoundMan"="SOUNDMAN.EXE" [2004-06-17 69632]
    "AlcWzrd"="ALCWZRD.EXE" [2004-06-17 2550272]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
    "itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]
    "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
    "OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
    "CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-10-04 198160]
    "ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2011-11-03 738944]
    "ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2011-11-10 73360]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2012-02-10 15494464]
    "NvMediaCenter"="NvMCTray.dll" [2012-02-10 108352]
    "nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2012-02-10 1634112]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-07-03 4273976]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    2010-09-01 03:34 136176 ----atw- c:\documents and settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2012-02-10 03:04 15494464 ----a-w- c:\windows\system32\nvcpl.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    2012-02-10 04:10 1634112 ----a-w- c:\program files\NVIDIA Corporation\nView\nwiz.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-10-29 19:49 249064 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "c:\\Program Files\\Dragon Age Origins Character Creator\\bin_ship\\DAOCharacterCreator.exe"=
    "c:\\Program Files\\Dragon Age Origins Character Creator\\DAOriginsLauncher.exe"=
    "c:\\Program Files\\Steam\\Steam.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\dragon age origins\\bin_ship\\daupdatersvc.service.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\dragon age origins\\bin_ship\\DAOrigins.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\dragon age origins\\DAOriginsLauncher.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\dragon age origins\\docs\\EA Help\\Electronic_Arts_Technical_Support.htm"=
    "c:\\Program Files\\Steam\\steamapps\\common\\dragon age origins\\tools\\DragonAgeToolset.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\dragon age origins\\tools\\RPU.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\dragon age origins\\tools\\lightmapper\\eclipseRay.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\dragon age origins\\tools\\GffEditor.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\dragon age origins\\tools\\ErfEditor.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\shattered_horizon\\client_exe\\shattered_horizon.exe"=
    "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
    "57752:TCP"= 57752:TCP:pando Media Booster
    "57752:UDP"= 57752:UDP:pando Media Booster
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [7/31/2012 11:11 PM 721000]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [7/31/2012 11:11 PM 353688]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/31/2012 11:11 PM 21256]
    R2 DefaultTabSearch;DefaultTabSearch;c:\program files\DefaultTab\DefaultTabSearch.exe [5/18/2012 4:00 AM 563200]
    R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [11/3/2011 9:44 AM 27016]
    R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [11/3/2011 9:44 AM 497280]
    R2 MSSQL$BWDATOOLSET;SQL Server (BWDATOOLSET);c:\program files\DAODB\MSSQL.1\MSSQL\Binn\sqlservr.exe [12/10/2010 7:29 PM 29293408]
    R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2/27/2012 11:11 PM 2348352]
    R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [12/29/2011 9:18 PM 123712]
    S3 bfastfao;bfastfao;\??\c:\docume~1\Chris\LOCALS~1\Temp\bfastfao.sys --> c:\docume~1\Chris\LOCALS~1\Temp\bfastfao.sys [?]
    S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Steam\steamapps\common\dragon age origins\bin_ship\daupdatersvc.service.exe [7/16/2010 2:00 PM 25832]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-01-23 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
    .
    2012-08-04 c:\windows\Tasks\avast! Emergency Update.job
    - c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2012-08-01 16:21]
    .
    2012-08-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1202660629-583907252-682003330-1003Core.job
    - c:\documents and settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-01 03:34]
    .
    2012-08-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1202660629-583907252-682003330-1003UA.job
    - c:\documents and settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-01 03:34]
    .
    2012-08-03 c:\windows\Tasks\User_Feed_Synchronization-{859C40AD-15BA-44EC-919C-A902C727BC80}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-14 09:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    TCP: DhcpNameServer = 65.32.5.111 65.32.5.112
    DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.1.0/GarminAxControl.CAB
    .
    - - - - ORPHANS REMOVED - - - -
    .
    BHO-{7F6AFBF1-E065-4627-A2FD-810366367D01} - c:\documents and settings\Chris\Application Data\DefaultTab\DefaultTab\DefaultTabBHO.dll
    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    Toolbar-Locked - (no file)
    Toolbar-10 - (no file)
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    SafeBoot-09756421.sys
    AddRemove-DefaultTab - c:\documents and settings\Chris\Application Data\DefaultTab\DefaultTab\uninstalldt.exe
    AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-08-03 19:01
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-1202660629-583907252-682003330-1003\Software\SecuROM\License information*]
    "datasecu"=hex:41,f9,c5,28,d9,ab,98,11,93,c7,24,4c,9d,a6,2b,f7,1f,e3,a2,59,6e,
    d6,a1,42,c4,81,a2,85,1e,e9,a8,47,6f,87,00,54,8d,84,96,51,9e,7a,34,cf,60,4b,\
    "rkeysecu"=hex:4f,f9,4e,06,a7,95,c7,ec,3e,32,0a,1b,0c,f8,69,28
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(792)
    c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
    .
    - - - - - - - > 'lsass.exe'(852)
    c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
    .
    - - - - - - - > 'explorer.exe'(2332)
    c:\windows\system32\WININET.dll
    c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
    c:\program files\ScanSoft\OmniPageSE4\OpHookSE4.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\AVAST Software\Avast\AvastSvc.exe
    c:\windows\system32\nvsvc32.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\SOUNDMAN.EXE
    c:\windows\ALCWZRD.EXE
    c:\windows\system32\RunDLL32.exe
    .
    **************************************************************************
    .
    Completion time: 2012-08-03 19:08:29 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-08-04 00:08
    .
    Pre-Run: 79,540,932,608 bytes free
    Post-Run: 80,832,507,904 bytes free
    .
    - - End Of File - - 5F6040AD00D35C3DFE47BF00330523FB
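Reading a ComboFix log like the one above by hand is error-prone, and the entries that matter most (a driver registered out of the user's Temp folder, a Run value pointing into Application Data) are easy to miss among dozens of legitimate lines. The following Python script is an added example, not part of this thread and not ComboFix's own code: it parses the two line shapes ComboFix uses for Run-key values and for driver/service entries and flags what a helper looks at first: an image under a user-writable path (Documents and Settings, Application Data, Local Settings, Temp, including XP's 8.3 short forms such as `docume~1`), an unqualified filename that resolves through the search path, and an entry ComboFix could not stat (the `[?]` marker). The sample lines are constructed in that layout; the `Updater` entry is invented for illustration. The rules are a starting point for triage, not a verdict.

```python
"""Triage helper for ComboFix-style autostart listings.

Added example; not part of the original thread and not ComboFix code.
Parses the Run-key and driver/service line shapes ComboFix prints and
flags entries worth a second look.
"""
import re

# Constructed sample in the layout of the posted log; the "Updater" entry is invented.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-07-03 4273976]
"NvMediaCenter"="NvMCTray.dll" [2012-02-10 108352]
"Updater"="c:\documents and settings\Chris\Application Data\DefaultTab\DTUpdate.exe" [2012-05-18 40960]
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [7/31/2012 11:11 PM 721000]
R2 DefaultTabSearch;DefaultTabSearch;c:\program files\DefaultTab\DefaultTabSearch.exe [5/18/2012 4:00 AM 563200]
S3 bfastfao;bfastfao;\??\c:\docume~1\Chris\LOCALS~1\Temp\bfastfao.sys --> c:\docume~1\Chris\LOCALS~1\Temp\bfastfao.sys [?]
'''

# "name"="path" [date size]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)" \[(?P<meta>[^\]]*)\]$')
# R1 svc;display;path [date size]   (start type, service name, display name, image path)
SVC_RE = re.compile(r'^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+) \[(?P<meta>[^\]]*)\]$')

# 8.3 short names that appear in service image paths on XP.
SHORT_NAMES = {"docume~1": "documents and settings",
               "locals~1": "local settings",
               "applic~1": "application data"}

# Directory fragments an ordinary user can write to.
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\",
                 "\\application data\\", "\\local settings\\")


def normalize(path: str) -> str:
    """Lower-case, drop the NT \\??\\ prefix, keep the resolved side of '-->', expand 8.3 names."""
    p = path.strip()
    if " --> " in p:
        p = p.split(" --> ", 1)[1]
    if p.startswith("\\??\\"):
        p = p[4:]
    p = p.lower()
    for short, full in SHORT_NAMES.items():
        p = p.replace(short, full)
    return p


def reasons_for(path: str, meta: str) -> list:
    """Triage reasons for one entry; an empty list means nothing stood out."""
    p = normalize(path)
    out = []
    if "\\" not in p:
        out.append("unqualified filename, resolved via search path")
    if any(frag in p for frag in USER_WRITABLE):
        out.append("image lives in a user-writable location")
    if meta.strip() == "?":
        out.append("ComboFix could not stat the file (missing or hidden)")
    return out


def triage(log_text: str) -> list:
    """Parse Run-key and service lines; return flagged entries as dicts."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line) or SVC_RE.match(line)
        if not m:
            continue
        kind = m.group("start") if "start" in m.groupdict() else "run"
        why = reasons_for(m.group("path"), m.group("meta"))
        if why:
            findings.append({"kind": kind, "name": m.group("name"),
                             "path": normalize(m.group("path")), "reasons": why})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['kind']}] {f['name']}: {f['path']}")
        for r in f["reasons"]:
            print("    -", r)
```

Run it directly to print the findings for the sample; to triage a real log, read the saved ComboFix.txt and pass its contents to `triage()`. Only the Run-key and service lines are parsed here; the "Other Deletions" and "Files Created" sections use different layouts and would need their own patterns.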
     
  9. Jay Pfoutz

    Jay Pfoutz, Malware Helper

    ComboFix Script

    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Open notepad and copy/paste the text in the codebox below into it:
    • Save this as CFScript.txt, in the same location as ComboFix.exe

    • Referring to the picture above, drag CFScript into ComboFix.exe
    • When finished, it shall produce a log for you at C:\ComboFix.txt
    • Please post the contents of the log in your next reply.
     
  10. WonkoTheSane

    WonkoTheSane TS Rookie Topic Starter

    Thanks again for your assistance, DMJ.

    Here's the log file.

    ComboFix 12-08-04.02 - Chris 08/04/2012 13:05:29.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3198.2559 [GMT -5:00]
    Running from: c:\documents and settings\Chris\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Chris\Desktop\CFScript.txt.txt
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: ZoneAlarm Free Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\TEMP
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-07-04 to 2012-08-04 )))))))))))))))))))))))))))))))
    .
    .
    2012-08-03 06:32 . 2012-08-03 06:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-08-03 06:32 . 2012-07-03 18:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-08-02 05:56 . 2012-08-02 05:56 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\visi_coupon
    2012-08-02 03:51 . 2012-08-02 03:51 -------- d-----w- c:\documents and settings\Administrator.VADER.000\Local Settings\Application Data\Mozilla
    2012-08-01 04:11 . 2012-07-03 16:21 353688 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2012-08-01 04:11 . 2012-07-03 16:21 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2012-08-01 04:11 . 2012-07-03 16:21 35928 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2012-08-01 04:11 . 2012-07-03 16:21 54232 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2012-08-01 04:11 . 2012-07-03 16:21 721000 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2012-08-01 04:11 . 2012-07-03 16:21 97608 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2012-08-01 04:11 . 2012-07-03 16:21 89624 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2012-08-01 04:11 . 2012-07-03 16:21 25256 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2012-08-01 04:10 . 2012-07-03 16:21 41224 ----a-w- c:\windows\avastSS.scr
    2012-08-01 04:10 . 2012-07-03 16:21 227648 ----a-w- c:\windows\system32\aswBoot.exe
    2012-08-01 04:10 . 2012-08-01 04:10 -------- d-----w- c:\program files\AVAST Software
    2012-08-01 04:10 . 2012-08-01 04:10 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
    2012-07-31 05:41 . 2012-08-03 23:57 -------- d-----w- c:\documents and settings\Chris\Application Data\Qwiklinx
    2012-07-31 05:41 . 2012-07-31 05:41 -------- d-----w- c:\program files\Qwiklinx
    2012-07-31 05:41 . 2012-07-31 05:41 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\SavingsApp
    2012-07-31 05:41 . 2012-07-31 05:41 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2012-07-31 05:41 . 2012-07-31 05:41 -------- d-----w- c:\program files\DefaultTab
    2012-07-31 05:41 . 2012-08-03 23:58 -------- d-----w- c:\documents and settings\Chris\Application Data\DefaultTab
    2012-07-31 05:40 . 2012-07-31 05:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
    2012-07-31 05:40 . 2012-07-31 05:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
    2012-07-12 04:46 . 2012-07-12 04:47 -------- d-----w- c:\program files\Gardenscapes - Mansion Makeover
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-11-21 04:04 . 2011-12-12 07:40 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-08-04_00.02.20 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2004-08-04 12:00 . 2012-04-05 05:08 85442 c:\windows\system32\perfc009.dat
    + 2004-08-04 12:00 . 2012-08-04 00:05 85442 c:\windows\system32\perfc009.dat
    + 2004-08-04 12:00 . 2012-08-04 00:05 479492 c:\windows\system32\perfh009.dat
    - 2004-08-04 12:00 . 2012-04-05 05:08 479492 c:\windows\system32\perfh009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files\Yahoo!\Companion\Installs\cpn0\yt.dll" [2012-03-21 1523512]
    .
    [HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
    [HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
    [HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
    [HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\tbZone.dll" [2010-12-01 2735200]
    .
    [HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2012-07-03 16:21 121528 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 61952]
    "IntelAudioStudio"="c:\program files\Intel Audio Studio\INTELAUDIOSTUDIO.exe" [2004-06-20 6828032]
    "SoundMan"="SOUNDMAN.EXE" [2004-06-17 69632]
    "AlcWzrd"="ALCWZRD.EXE" [2004-06-17 2550272]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
    "itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]
    "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
    "OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
    "CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-10-04 198160]
    "ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2011-11-03 738944]
    "ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2011-11-10 73360]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2012-02-10 15494464]
    "NvMediaCenter"="NvMCTray.dll" [2012-02-10 108352]
    "nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2012-02-10 1634112]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-07-03 4273976]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    2010-09-01 03:34 136176 ----atw- c:\documents and settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2012-02-10 03:04 15494464 ----a-w- c:\windows\system32\nvcpl.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    2012-02-10 04:10 1634112 ----a-w- c:\program files\NVIDIA Corporation\nView\nwiz.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-10-29 19:49 249064 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "c:\\Program Files\\Dragon Age Origins Character Creator\\bin_ship\\DAOCharacterCreator.exe"=
    "c:\\Program Files\\Dragon Age Origins Character Creator\\DAOriginsLauncher.exe"=
    "c:\\Program Files\\Steam\\Steam.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\dragon age origins\\bin_ship\\daupdatersvc.service.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\dragon age origins\\bin_ship\\DAOrigins.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\dragon age origins\\DAOriginsLauncher.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\dragon age origins\\docs\\EA Help\\Electronic_Arts_Technical_Support.htm"=
    "c:\\Program Files\\Steam\\steamapps\\common\\dragon age origins\\tools\\DragonAgeToolset.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\dragon age origins\\tools\\RPU.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\dragon age origins\\tools\\lightmapper\\eclipseRay.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\dragon age origins\\tools\\GffEditor.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\dragon age origins\\tools\\ErfEditor.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\shattered_horizon\\client_exe\\shattered_horizon.exe"=
    "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
    "57752:TCP"= 57752:TCP:pando Media Booster
    "57752:UDP"= 57752:UDP:pando Media Booster
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [7/31/2012 11:11 PM 721000]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [7/31/2012 11:11 PM 353688]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/31/2012 11:11 PM 21256]
    R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [11/3/2011 9:44 AM 27016]
    R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [11/3/2011 9:44 AM 497280]
    R2 MSSQL$BWDATOOLSET;SQL Server (BWDATOOLSET);c:\program files\DAODB\MSSQL.1\MSSQL\Binn\sqlservr.exe [12/10/2010 7:29 PM 29293408]
    R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2/27/2012 11:11 PM 2348352]
    R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [12/29/2011 9:18 PM 123712]
    S2 DefaultTabSearch;DefaultTabSearch;c:\program files\DefaultTab\DefaultTabSearch.exe [5/18/2012 4:00 AM 563200]
    S3 bfastfao;bfastfao;\??\c:\docume~1\Chris\LOCALS~1\Temp\bfastfao.sys --> c:\docume~1\Chris\LOCALS~1\Temp\bfastfao.sys [?]
    S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Steam\steamapps\common\dragon age origins\bin_ship\daupdatersvc.service.exe [7/16/2010 2:00 PM 25832]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-01-23 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
    .
    2012-08-04 c:\windows\Tasks\avast! Emergency Update.job
    - c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2012-08-01 16:21]
    .
    2012-08-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1202660629-583907252-682003330-1003Core.job
    - c:\documents and settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-01 03:34]
    .
    2012-08-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1202660629-583907252-682003330-1003UA.job
    - c:\documents and settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-01 03:34]
    .
    2012-08-04 c:\windows\Tasks\User_Feed_Synchronization-{859C40AD-15BA-44EC-919C-A902C727BC80}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-14 09:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    TCP: DhcpNameServer = 65.32.5.111 65.32.5.112
    DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.1.0/GarminAxControl.CAB
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-08-04 13:19
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-1202660629-583907252-682003330-1003\Software\SecuROM\License information*]
    "datasecu"=hex:41,f9,c5,28,d9,ab,98,11,93,c7,24,4c,9d,a6,2b,f7,1f,e3,a2,59,6e,
    d6,a1,42,c4,81,a2,85,1e,e9,a8,47,6f,87,00,54,8d,84,96,51,9e,7a,34,cf,60,4b,\
    "rkeysecu"=hex:4f,f9,4e,06,a7,95,c7,ec,3e,32,0a,1b,0c,f8,69,28
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(796)
    c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
    .
    - - - - - - - > 'lsass.exe'(852)
    c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
    .
    - - - - - - - > 'explorer.exe'(368)
    c:\windows\system32\WININET.dll
    c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
    c:\program files\ScanSoft\OmniPageSE4\OpHookSE4.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2012-08-04 13:23:30
    ComboFix-quarantined-files.txt 2012-08-04 18:23
    ComboFix2.txt 2012-08-04 00:08
    .
    Pre-Run: 80,630,345,728 bytes free
    Post-Run: 80,617,029,632 bytes free
    .
    - - End Of File - - 27264AE4C637E1042EEB5515C5A69F55
     
  11. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    You're welcome! :)

    ESET Online Scan

    Please run a free online scan with the ESET Online Scanner
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install
    • Click Start
    • Make sure that the options Remove found threats and Scan unwanted applications are checked
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, you may close the window
    • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
    • Copy and paste that log as a reply to this topic
     
  12. WonkoTheSane

    WonkoTheSane TS Rookie Topic Starter

    At present, I can now get to the Control Panel (think ComboFix did that), and instead of starting and becoming non-responsive, IE now starts connecting, and then just crashes and disappears. Also, recently noticed I can't bring up Windows Media Player. I hadn't tried before starting this thread, so I don't know if it was a problem before or not (I'm guessing it was).

    Anyway, here's the log from ESET.

    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6583
    # api_version=3.0.2
    # EOSSerial=486ab9fd45456a47a5b481344d4dde12
    # end=finished
    # remove_checked=true
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2012-08-06 01:25:27
    # local_time=2012-08-05 08:25:27 (-0600, Central Daylight Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 15135614 15135614 0 0
    # compatibility_mode=1024 16777215 100 0 66455257 66455257 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # compatibility_mode=9217 16777214 75 4 83508 83508 0 0
    # scanned=319991
    # found=3
    # cleaned=3
    # scan_time=8175
    C:\System Volume Information\_restore{32826CE3-4CD9-4800-8682-FB219DC822EB}\RP812\A0257892.dll Win32/Toolbar.BHO.B application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\System Volume Information\_restore{32826CE3-4CD9-4800-8682-FB219DC822EB}\RP812\A0257895.dll Win32/Toolbar.BHO.B application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\System Volume Information\_restore{32826CE3-4CD9-4800-8682-FB219DC822EB}\RP812\A0257974.dll Win32/Toolbar.CrossRider application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
     
  13. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Hi! Your logs appear to be clean. If there are no more issues, then we shall clean up!

    Clean up System Restore

    Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."
    • Select Start > All Programs > Accessories > System tools > System Restore.
    • On the dialogue box that appears select Create a Restore Point
    • Click NEXT
    • Enter a name e.g. Clean
    • Click CREATE
    You now have a clean restore point, to get rid of the bad ones:
    • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
    • In the Drop down box that appears select your main drive e.g. C
    • Click OK
    • The system will do some calculation and then display a dialogue box with TABS
    • Select the More Options Tab.
    • At the bottom will be a system restore box with a CLEANUP button; click this
    • Accept the Warning and select OK again, the program will close and you are done

    Run OTC to remove our tools

    To remove all of the tools we used and the files and folders they created, please do the following:
    Please download OTC.exe by OldTimer:
    • Save it to your Desktop.
    • Double click OTC.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

    Purge old temporary files

    Download CCleaner Slim and save it to your Desktop - Alternate download link

    When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
    Follow the prompts to install the program.

    * Double-click the CCleaner shortcut on the desktop to start the program.
    * Click on the Options block on the left, then choose Cookies.
    * Under Cookies to Delete, highlight any cookies you would like to retain permanently
    * Click the right arrow > to move them to the Cookies to Keep window.
    * Go into Options > Advanced & uncheck Only delete files in Windows Temp folders older than 48 hours
    * Click Cleaner on the left then Run Cleaner on the right to run the program.
    * Important: Make sure that ALL browser windows are closed before selecting Run Cleaner

    Caution: Only use the Registry feature if you are very familiar with the registry.
    Always back up your registry before making any changes. Exit CCleaner after it has completed its process.

    Security Check

    Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    Tell me in your next reply, if you have completed these tasks:
    • Cleaned System Restore
    • Ran OTC
    • Ran TFC
    • Ran Security Check
    Also, let me know how your computer is running, and don't forget to post the contents of the Security Check log.
     
  14. WonkoTheSane

    WonkoTheSane TS Rookie Topic Starter

    Ok...finished those steps. I still can't get IE to run. The window still comes up saying "Connecting..." then after a second or two it just disappears. Windows Media Player also isn't running (window never comes up on that one).

    As for the double click problem, there is some progress there. As previously reported, I can now get to the control panel, and I can now double click to bring up some file types like folders, pictures and executables on the desktop. However, still can't bring up shortcuts on the desktop with double click (have to right-click and select open). Same with Start -> All Programs. When I left click on the program to start it, nothing happens. If I right click and select open, things run as expected.

    Also, thinking maybe the shortcuts were just broken, I tried to create a couple new shortcuts on the desktop. I tried to create a new shortcut for Firefox, but when I got to the end to "Finish" and create the shortcut, I got an error saying "Unable to create shortcut." I tried again, and got the message "A shortcut named firefox already exists in this folder. Do you want to replace it?" I chose "Yes" and got the "Unable to create shortcut" error again.

    Any ideas?

    Anyway, today and the next couple of days, I'm working 8 a.m. to 8 p.m. so will only be able to reply when I get home after that. So sorry that it will take me so long to reply.

    And, again, thank you very much for your time in assisting me with this problem, DMJ.

    Security Check log follows.

    Results of screen317's Security Check version 0.99.43
    Windows XP Service Pack 3 x86
    Internet Explorer 8
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Disabled!
    avast! Antivirus
    Antivirus up to date!
    `````````Anti-malware/Other Utilities Check:`````````
    Malwarebytes Anti-Malware version 1.62.0.1300
    CCleaner
    Java(TM) 6 Update 24
    Java version out of Date!
    Adobe Flash Player 10 Flash Player out of Date!
    Adobe Flash Player 10.0.22.87 Flash Player out of Date!
    Adobe Reader 9 Adobe Reader out of Date!
    Mozilla Firefox (8.0.1)
    ````````Process Check: objlist.exe by Laurent````````
    AVAST Software Avast AvastSvc.exe
    AVAST Software Avast avastUI.exe
    CheckPoint ZoneAlarm vsmon.exe
    CheckPoint ZoneAlarm zatray.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C:: 27% Defragment your hard drive soon!
    ````````````````````End of Log``````````````````````
     
  15. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Okay. Run this tool and tell me if they get fixed:

    • Download RogueKiller and save it on your desktop.
    • Quit all programs
    • Start RogueKiller.exe.
    • Wait until Prescan has finished ...
    • Click on Scan
    (screenshot: RogueKiller Scan button)

    • Wait for the end of the scan.
    • The report has been created on the desktop.
    • Click on the Delete button.
    (screenshot: RogueKiller Delete button)

    • The report has been created on the desktop.
    • Next click on the ShortcutsFix

      (screenshot: RogueKiller ShortcutsFix button)
    • The report has been created on the desktop.
    Please post:

    All RKreport.txt text files located on your desktop.

    =====================================================================

    Adobe Reader Update!

    Please download the newest version of Adobe Acrobat Reader from Adobe.com

    Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
    Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
    Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

    Once old versions are gone, please install the newest version.

    Java Update!

    Please download the newest version of Java from Java.com.

    Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
    Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
    Search in the list for all previous installed versions of Java. (J2SE Runtime Environment). Please uninstall/remove each of them.

    Once old versions are gone, please install the newest version.

    Read more about Java exploit problems

    Adobe Flash Player Update!

    Please download the newest version of Adobe Flash Player from Adobe.com

    Before installing: it is important to remove older versions of Flash Player since it does not do so automatically and old versions still leave you vulnerable.
    Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
    Search in the list for all previous installed versions of Adobe Flash Player. Uninstall/Remove each of them.

    Once old versions are gone, please install the newest version.
     
  16. WonkoTheSane

    WonkoTheSane TS Rookie Topic Starter

    Doesn't seem to be any change. I did not install the new versions of Java, Flash Player, or Adobe Reader because I was unable to uninstall the older versions of Java or Adobe Reader. When attempting to uninstall those programs I got a message saying "The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance."

    Flash Player did uninstall, but I didn't want to install anything else until I hear from you.

    Here are the 3 logs from RogueKiller, though.

    RKreport[1]

    RogueKiller V7.6.5 [08/03/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Blog: http://tigzyrk.blogspot.com

    Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
    Started in : Normal mode
    User: Chris [Admin rights]
    Mode: Scan -- Date: 08/07/2012 21:07:42

    ¤¤¤ Bad processes: 0 ¤¤¤

    ¤¤¤ Registry Entries: 1 ¤¤¤
    [HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver: [LOADED] ¤¤¤

    ¤¤¤ Infection : ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    127.0.0.1 localhost


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: ST3320620AS +++++
    --- User ---
    [MBR] 166c6c43363eb241ae46356fe01e0839
    [BSP] ea0f6f318ebcda404c59031ac74fcd50 : Windows XP MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 305242 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive1: WDC WD20EADS-00S2B0 +++++
    --- User ---
    [MBR] e9778f5d5d93730d7fd48041c4d6d0e5
    [BSP] 5253a7ed3889a1c35a8b1e7cd1b7115c : Windows XP MBR Code
    Partition table:
    0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 1907726 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    Finished : << RKreport[1].txt >>
    RKreport[1].txt


    RKreport[2]

    RogueKiller V7.6.5 [08/03/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Blog: http://tigzyrk.blogspot.com

    Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
    Started in : Normal mode
    User: Chris [Admin rights]
    Mode: Remove -- Date: 08/07/2012 21:09:02

    ¤¤¤ Bad processes: 0 ¤¤¤

    ¤¤¤ Registry Entries: 1 ¤¤¤
    [HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver: [LOADED] ¤¤¤

    ¤¤¤ Infection : ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    127.0.0.1 localhost


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: ST3320620AS +++++
    --- User ---
    [MBR] 166c6c43363eb241ae46356fe01e0839
    [BSP] ea0f6f318ebcda404c59031ac74fcd50 : Windows XP MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 305242 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive1: WDC WD20EADS-00S2B0 +++++
    --- User ---
    [MBR] e9778f5d5d93730d7fd48041c4d6d0e5
    [BSP] 5253a7ed3889a1c35a8b1e7cd1b7115c : Windows XP MBR Code
    Partition table:
    0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 1907726 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    Finished : << RKreport[2].txt >>
    RKreport[1].txt ; RKreport[2].txt



    RKreport[3]


    RogueKiller V7.6.5 [08/03/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Blog: http://tigzyrk.blogspot.com

    Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
    Started in : Normal mode
    User: Chris [Admin rights]
    Mode: Shortcuts HJfix -- Date: 08/07/2012 21:21:16

    ¤¤¤ Bad processes: 0 ¤¤¤

    ¤¤¤ Driver: [LOADED] ¤¤¤

    ¤¤¤ File attributes restored: ¤¤¤
    Desktop: Success 0 / Fail 0
    Quick launch: Success 0 / Fail 0
    Programs: Success 19 / Fail 0
    Start menu: Success 0 / Fail 0
    User folder: Success 84 / Fail 0
    My documents: Success 175 / Fail 0
    My favorites: Success 0 / Fail 0
    My pictures: Success 0 / Fail 0
    My music: Success 0 / Fail 0
    My videos: Success 0 / Fail 0
    Local drives: Success 968 / Fail 2
    Backup: [NOT FOUND]

    Drives:
    [A:] \Device\Floppy0 -- 0x2 --> Skipped
    [C:] \Device\HarddiskVolume1 -- 0x3 --> Restored
    [D:] \Device\CdRom0 -- 0x5 --> Skipped
    [F:] \Device\HarddiskVolume2 -- 0x3 --> Restored

    ¤¤¤ Infection : ¤¤¤

    Finished : << RKreport[3].txt >>
    RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt
     
  17. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Let's take a different look here...

    Go to Start > Run, type in CMD and hit OK.

    Type this in the Command Line and hit enter:

    secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose

    Should be a confirmation, and then reboot your system. Let me know if this worked.
     
  18. WonkoTheSane

    WonkoTheSane TS Rookie Topic Starter

    No joy. The problem persists. The following is the confirmation from the window after everything ran.

    "Task is completed. Some files in the configuration are not found on this system
    so security cannot be set/queried. It's ok to ignore.
    See log %windir%\security\logs\scesrv.log for detail info."

    Do you need or want a copy of the log?

    Thanks for your continued efforts, DMJ.
     
  19. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Update on the status of the misc. issues...?
     
  20. WonkoTheSane

    WonkoTheSane TS Rookie Topic Starter

    Nothing has changed since running the above Command Line.

    IE still tries to connect for a second or two, and the window disappears.

    Windows Media Player won't come up at all.

    On the Desktop, I can now double-click to open files and executables, but shortcuts still have to be right-clicked and opened.

    I can open the Control Panel now, but I still can't use Add/Remove Programs to uninstall Adobe Reader or Java. I still get the message about "Windows Installer Service could not be accessed." after confirming that I want to remove them.
     
  21. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    WMIC Failure

    You currently have what is called a WMIC failure, which happens when the Windows Management Instrumentation has been completely damaged.

    As a victim of this in the past, the only way to solve this problem is a reformat and reinstall of the operating system.

    Signs of WMIC failure:

    -Common Windows programs, such as Windows Search, Windows Help and Support, Windows System Information, etc. do not work properly.

    -Apparent lack of control over the computer, via the user.

    -Odd disruption in functionality of normal Windows programs. Resource disruption.

    -Some Windows Services give a "WMI Error" when trying to configure them.


    Your computer has presented at least two of these issues. It is recommended to proceed with the reformat and reinstall.

    You can easily back up data, and do the operation. It will save us time, and we will not be running around in circles.

    Let me know what you want to do.
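Before wiping a box on a diagnosis like the one above, a practitioner would want to confirm it. The following is an added example, not part of the thread and not code from ComboFix, RogueKiller, ESET or any other tool used in it: a read-only PowerShell diagnostic for the three symptoms still open at this point (shortcuts that only open via right-click > Open, the "Windows Installer Service could not be accessed" error, and the suspected WMI damage). It assumes Windows PowerShell 2.0 has been installed on the XP SP3 machine (XP does not ship it) and that the console runs as an administrator. The "expected" registry values it compares against (the lnkfile ProgID, the IsShortcut marker, the ShellLink handler CLSID living in shell32.dll) are my assumptions about a stock XP install; the thread itself states none of them.

```powershell
# Added example (not from the thread). Read-only checks for the open symptoms:
#   1. shortcuts open only via right-click > Open   -> the .lnk shell association
#   2. "Windows Installer Service could not be accessed" -> the msiserver service
#   3. suspected WMI damage                          -> winmgmt plus a live query
# Assumes PowerShell 2.0 on XP SP3, run as an administrator. The stock values
# below are assumed defaults for XP, not values taken from the thread.

$ShortcutHandlerClsid = '{00021401-0000-0000-C000-000000000046}'  # ShellLink COM object (shell32.dll), assumed

function Test-ShortcutAssociation {
    # Explorer resolves a double-click on x.lnk as HKCR\.lnk -> HKCR\lnkfile and
    # hands the file to the COM object named in lnkfile\CLSID. A missing
    # IsShortcut value, a re-pointed CLSID or a per-user override all give
    # "double-click does nothing, right-click > Open still works".
    $issues = @()

    $ext = Get-Item -LiteralPath 'Registry::HKEY_CLASSES_ROOT\.lnk' -ErrorAction SilentlyContinue
    $progId = if ($ext) { $ext.GetValue('') } else { $null }
    if ($progId -ne 'lnkfile') { $issues += "HKCR\.lnk default is '$progId', expected 'lnkfile'" }

    $lnk = Get-Item -LiteralPath 'Registry::HKEY_CLASSES_ROOT\lnkfile' -ErrorAction SilentlyContinue
    if (-not $lnk) {
        $issues += 'HKCR\lnkfile key is missing'
    } else {
        if ($lnk.GetValue('IsShortcut') -eq $null) { $issues += 'HKCR\lnkfile has no IsShortcut value' }
        $clsidKey = $lnk.OpenSubKey('CLSID')
        $clsid = if ($clsidKey) { $clsidKey.GetValue('') } else { $null }
        if ($clsid -ne $ShortcutHandlerClsid) { $issues += "HKCR\lnkfile\CLSID is '$clsid', expected $ShortcutHandlerClsid" }
    }

    # The handler itself: a hijacked InProcServer32 points somewhere other than shell32.dll.
    $server = Get-Item -LiteralPath "Registry::HKEY_CLASSES_ROOT\CLSID\$ShortcutHandlerClsid\InProcServer32" -ErrorAction SilentlyContinue
    $dll = if ($server) { [string]$server.GetValue('') } else { '' }
    if ($dll -notmatch 'shell32\.dll$') { $issues += "ShellLink InProcServer32 is '$dll', expected ...\shell32.dll" }

    # A per-user "Open With" choice shadows HKCR for this account only.
    $perUser = 'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.lnk'
    if (Test-Path -LiteralPath $perUser) { $issues += 'Per-user override key FileExts\.lnk exists; inspect its values' }

    return ,$issues   # leading comma keeps an empty or single-item array an array
}

function Test-WmiHealth {
    # Exercises WMI end to end: the winmgmt service, then a query every healthy
    # Windows box answers. A failure here supports the WMI diagnosis; a clean
    # result argues against it.
    $r = @{ ServiceState = 'not found'; QueryOk = $false; Error = $null }
    $svc = Get-Service -Name winmgmt -ErrorAction SilentlyContinue
    if ($svc) { $r.ServiceState = [string]$svc.Status }
    try {
        $os = Get-WmiObject -Class Win32_OperatingSystem -ErrorAction Stop
        $r.QueryOk = ($os -ne $null -and -not [string]::IsNullOrEmpty($os.Caption))
    } catch {
        $r.Error = $_.Exception.Message
    }
    return $r
}

function Test-WindowsInstaller {
    # The error the poster quotes is what msiexec reports when the msiserver
    # service is unregistered, disabled or cannot be started.
    $r = @{ Registered = $false; State = 'not found'; StartMode = 'unknown'; MsiDll = $false }
    $svc = Get-Service -Name msiserver -ErrorAction SilentlyContinue
    if ($svc) { $r.Registered = $true; $r.State = [string]$svc.Status }
    # Start type is read from the registry; Get-Service in v2 does not expose it.
    $key = Get-Item -LiteralPath 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSIServer' -ErrorAction SilentlyContinue
    if ($key) {
        $r.StartMode = switch ([int]$key.GetValue('Start')) { 2 { 'Automatic' } 3 { 'Manual' } 4 { 'Disabled' } default { 'other' } }
    }
    $r.MsiDll = Test-Path -LiteralPath (Join-Path $env:windir 'system32\msi.dll')
    return $r
}

# Report. Nothing below modifies the system.
$shortcutIssues = Test-ShortcutAssociation
Write-Output '--- .lnk association ---'
if (@($shortcutIssues).Count -eq 0) { Write-Output 'no deviation from the assumed stock XP values' }
foreach ($i in $shortcutIssues) { Write-Output "  ! $i" }
Write-Output '--- WMI ---'
Test-WmiHealth | Format-Table -AutoSize
Write-Output '--- Windows Installer ---'
Test-WindowsInstaller | Format-Table -AutoSize
```

The script only reports; it deliberately repairs nothing, since RogueKiller's ShortcutsFix has already been run once and the thread's conclusion is a rebuild. A Disabled or not-found msiserver explains the Add/Remove Programs error on its own, and a failed Win32_OperatingSystem query is the concrete evidence for the WMI diagnosis that the posts above infer from symptoms; if both come back healthy and the .lnk association is intact, the reformat decision deserves a second look before the disks come out of storage.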
     
  22. WonkoTheSane

    WonkoTheSane TS Rookie Topic Starter

    Ok. Those are the breaks, I guess.

    I can handle the reformat and reinstall, DMJ. Just have to get my disks out of storage.

    Thanks a lot for all your help and time spent with this issue.
     
  23. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    You're welcome. We checked things out in the best ways possible. When I began seeing issues with the same symptoms showing in the event log, it became clear the WMIC was failing.

    WMIC failure is one of the single most important reasons people have to reformat and reinstall their operating system. It has mostly to do with virus infections, because virus infections tend to infect the WMI console to try and tell the OS that the antivirus is out of date or that the existence of an antivirus is not there.

    Rogue antivirus software tend to do this the most, because they want the user's attention on the fake antivirus software rather than their real software. But, when things go awry, the virus infection may damage the WMIC inevitably leading to a catastrophic failure of the operating system.

    But, anyway, if you have any more questions, PM me. Otherwise, this topic is marked as solved. √
     
Topic Status:
Not open for further replies.
