TechSpot

PC running slowly, I keep seeing iexplorer.exe twice I followed 5 steps

By joe5446
Apr 13, 2012
  1. Malwarebytes Anti-Malware 1.61.0.1400
    www.malwarebytes.org

    Database version: v2012.04.13.01

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Joe :: KNOFF [administrator]

    4/12/2012 9:51:23 PM
    mbam-log-2012-04-12 (21-51-23).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 212398
    Time elapsed: 12 minute(s), 51 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 21
    HKCR\CLSID\{A4730EBE-43A6-443e-9776-36915D323AD3} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{00A6FAF1-072E-44CF-8957-5838F569A31D} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EAB-A523-4961-B6BB-170DE4475CCA} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF6-072E-44CF-8957-5838F569A31D} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59C7FC09-1C83-4648-B3E6-003D2BBC7481} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68AF847F-6E91-45dd-9B68-D6A12C30E5D7} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170B96C-28D4-4626-8358-27E6CAEEF907} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D1A71FA0-FF48-48dd-9B6D-7A13A3E42127} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DDB1968E-EAD6-40fd-8DAE-FF14757F60C7} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F138D901-86F0-4383-99B6-9CDD406036DA} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\MyWebSearch (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\FocusInteractive (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Fun Web Products (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\MyWebSearch (PUP.MyWebSearch) -> Quarantined and deleted successfully.

    Registry Values Detected: 3
    HKCU\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks|{00A6FAF6-072E-44CF-8957-5838F569A31D} (PUP.MyWebSearch) -> Data: -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{00A6FAF6-072E-44cf-8957-5838F569A31D} (PUP.MyWebSearch) -> Data: -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search| (Adware.Hotbar) -> Data: http://edits.mywebsearch.com/toolba...i=1579M&a=Vz7j8uVB7v93L8ikUpm3fg&n=2011111219 -> Quarantined and deleted successfully.

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 11
    C:\Program Files\FunWebProducts (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\Installr (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\Installr\1.bin (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\Installr\1.bin\chrome (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\ScreenSaver (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\ScreenSaver\Images (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\Shared (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\History (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Settings (PUP.MyWebSearch) -> Quarantined and deleted successfully.

    Files Detected: 2
    C:\Program Files\MyWebSearch\bar\History\search3 (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat (PUP.MyWebSearch) -> Quarantined and deleted successfully.

    (end)
     
  2. joe5446

    joe5446 TS Rookie Topic Starter

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-04-13 00:07:20
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD1600JS-75NCB3 rev.10.02E04
    Running: z0yzouq5.exe; Driver: C:\DOCUME~1\Joe\LOCALS~1\Temp\kxtdqpob.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF6F4D360, 0x2456AE, 0xE8000020]

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Fastfat \Fat B77BDD20

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----
     
  3. joe5446

    joe5446 TS Rookie Topic Starter

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702
    Run by Joe at 0:15:19 on 2012-04-13
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.182 [GMT -4:00]
    .
    AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    svchost.exe
    C:\WINDOWS\system32\dlcfcoms.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\WINDOWS\system32\dllhost.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uWindow Title = Internet Explorer, optimized for Bing and MSN
    uDefault_Page_URL = hxxp://www.msn.com
    uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    TB: {575BDDF5-790A-4D01-A37D-2863DEC1C085} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    mRun: [ehTray] c:\windows\ehome\ehtray.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /install
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [SigmatelSysTrayApp] stsystra.exe
    mRun: [DLCFCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCFtime.dll,_RunDLLEntry@16
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
    dRunOnce: [RunNarrator] Narrator.exe
    IE: &Search
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165648]
    R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2011-12-5 92592]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-3-30 253600]
    .
    =============== Created Last 30 ================
    .
    2012-04-13 04:07:43 6582328 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8bd4e5d2-89a8-492f-8b59-6c504f46e8b8}\mpengine.dll
    2012-04-13 01:49:57 -------- d-----w- c:\documents and settings\joe\application data\Malwarebytes
    2012-04-13 01:49:44 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2012-04-13 01:49:41 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-04-13 01:49:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-04-04 05:53:56 182160 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
    2012-03-30 13:14:35 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-03-18 17:35:37 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2012-03-18 17:35:35 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2012-03-18 17:35:33 -------- d-----w- c:\program files\Real Alternative
    2012-03-18 17:34:49 108032 ----a-w- c:\windows\system32\ff_vfw.dll
    2012-03-18 17:34:43 -------- d-----w- c:\program files\ffdshow
    2012-03-18 17:34:11 -------- d-----w- c:\program files\Free Media Player
    .
    ==================== Find3M ====================
    .
    2012-03-30 13:14:35 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-03-01 11:01:32 916992 ----a-w- c:\windows\system32\wininet.dll
    2012-03-01 11:01:32 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2012-03-01 11:01:32 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2012-02-29 14:10:16 177664 ----a-w- c:\windows\system32\wintrust.dll
    2012-02-29 14:10:16 148480 ----a-w- c:\windows\system32\imagehlp.dll
    2012-02-29 12:17:40 385024 ----a-w- c:\windows\system32\html.iec
    2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
    2012-01-31 12:44:05 237072 ------w- c:\windows\system32\MpSigStub.exe
    .
    ============= FINISH: 0:15:49.96 ===============
     
  4. joe5446

    joe5446 TS Rookie Topic Starter

    sorry instuctions said not to post this log
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Good Morning! The fact that you had MyWebSearch all over the system could be what's slowing you down.

    Note: It is common to have more than one iexplore.exe when using IE8.

    You have been using FunWebProducts site and their partner sites to get screensavers, cursor, wallpaper, Smileys and other 'cute' things to put on the system.

    Please do the following first:
    Uninstall the My Web Search option from Add/Remove Programs

    1) Click on Start, Settings, Control Panel
    2) Double click on Add/Remove Programs
    3) Find "My Web Search" in the list of installed programs and click on Change/Remove to uninstall it. You may also want to uninstall any of the following items associated with FunWebProducts.

    • [*] My Web Search (Smiley Central or FWP product as applicable)
      [*] My Way Speedbar (Smiley Central or other FWP as applicable)
      [*] My Way Speedbar (AOL and Yahoo Messengers) (beta users only)
      [*] My Way Speedbar (Outlook, Outlook Express, and IncrediMail)
      [*] Search Assistant - My Way
      [*]FunWebProducts.

    4) Reboot your Computer.
    5) Right click on Start> Choose Explore.
    6) My Computer> Local Drive (C)> double-click on the Program Files folder
    7) ]Right-click and delete the folders for:

    * FunWebProducts
    * MyWebSearch

    8) If you have FunWebProducts saved as a Bookmark or Favorite, delete it

    Stay away from: Other FunWebProducts
    ============================================
    WE need to see what else has made it's way into the system:

    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Before you run the Combofix scan, please disable any security software you have running.

    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe [​IMG]& follow the prompts.
    • If prompted for Recovery Console, please allow.
    • Once installed, you should see a blue screen prompt that says:
      • The Recovery Console was successfully installed.[/b]
      • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.[/b]
      • Note: No query will be made if the Recovery Console is already on the system.
    • .Close/disable all anti virus and anti malware programs
      (If you need help with this, please see HERE)
    • .Close any open browsers.
    • .Click on Yes, to continue scanning for malware
    • .If Combofix asks you to update the program, allow
    • When the scan completes , a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply..
    Re-enable your Antivirus software.
    Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2:If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
    Note 3:CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    =======================================
    To run the Eset Online Virus Scan:
    If you use Internet Explorer:
    1. Open the ESETOnlineScan
    2. Skip to #4 to "Continue with the directions"

      If you are using a browser other than Internet Explorer
    3. Open Eset Smart Installer
      [o] Click on the esetsmartinstaller_enu.exelink and save to the desktop.
      [o] Double click on the desktop icon to run.
      [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
    4. Continue with the directions.
    5. Check 'Yes I accept terms of use.'
    6. Click Start button
    7. Accept any security warnings from your browser.
      [​IMG]
    8. Uncheck 'Remove found threats'
    9. Check 'Scan archives/
    10. Leave remaining settings as is.
    11. Press the Start button.
    12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    13. When the scan completes, press List of found threats
    14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    15. Push the Back button, then Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    =======================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • File sharing programs should be uninstalled or disabled during the cleaning process..
    • Observe these:
      [o] Don't follow directions given to someone else
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    Threads are closed after 5 days if there is no reply.

    Please leave the logs for Combofix and Eset in your next reply.
     
  6. joe5446

    joe5446 TS Rookie Topic Starter

    tried following ur step, but...

    I could not find any sign of "My Web Search" or simular programs in the Add/Remove Programs should I just try the program files folder instead??

    Thanks.
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    It's confusing because the name of the log is Attach.txt and it clearly says not to post it. However, the added directions were:
    To add to the confusion, it also tells you that you don't have to zip it. Sorry- we can't change it in the program because it is put there by the program author> so go ahead and paste it in!
    ========================================
    You can look and see if any of the MyWebSearch or FunWebSites program folder are still on the system> then do right click> Delete. Malwarebytes has removed the rest.
    ==========================================
    Please go ahead with the Combofix and Eset scans. Include those logs and the Attach.txt logs in your next reply.
     
  8. joe5446

    joe5446 TS Rookie Topic Starter

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 8/30/2010 3:14:45 PM
    System Uptime: 4/12/2012 9:34:12 PM (3 hours ago)
    .
    Motherboard: Dell Inc | | 0UW457
    Processor: AMD Athlon(tm) 64 Processor 3200+ | Socket M2 | 2004/1000mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 144 GiB total, 133.704 GiB free.
    D: is Removable
    E: is Removable
    F: is Removable
    G: is Removable
    H: is CDROM (UDF)
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: SM Bus Controller
    Device ID: PCI\VEN_10DE&DEV_0264&SUBSYS_01ED1028&REV_A3\3&2411E6FE&0&51
    Manufacturer:
    Name: SM Bus Controller
    PNP Device ID: PCI\VEN_10DE&DEV_0264&SUBSYS_01ED1028&REV_A3\3&2411E6FE&0&51
    Service:
    .
    ==== System Restore Points ===================
    .
    No restore point in system.
    .
    ==== Installed Programs ======================
    .
    Adobe AIR
    Adobe Flash Player 11 ActiveX
    Adobe Reader X (10.1.3)
    Athlon 64 Processor Driver
    Broadcom 440x 10/100 Integrated Controller
    Broadcom Management Programs
    Conexant D850 56K V.9x DFVc Modem
    Dell Resource CD
    ffdshow v1.1.3489 [2010-06-28]
    FlipShare
    Free Media Player 0.1
    High Definition Audio Driver Package - KB835221
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB2570791)
    Hotfix for Windows XP (KB2633952)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB981793)
    Malwarebytes Anti-Malware version 1.61.0.1400
    Microsoft .NET Framework 1.0 Hotfix (KB2572066)
    Microsoft .NET Framework 1.0 Hotfix (KB2656378)
    Microsoft .NET Framework 1.0 Hotfix (KB953295)
    Microsoft .NET Framework 1.0 Hotfix (KB979904)
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2656353)
    Microsoft .NET Framework 1.1 Security Update (KB2656370)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft Antimalware
    Microsoft Application Error Reporting
    Microsoft Security Client
    Microsoft Security Essentials
    Microsoft Silverlight
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    NVIDIA Drivers
    Real Alternative 2.0.2 Lite
    Security Update for Microsoft Windows (KB2564958)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2530548)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2559049)
    Security Update for Windows Internet Explorer 8 (KB2586448)
    Security Update for Windows Internet Explorer 8 (KB2618444)
    Security Update for Windows Internet Explorer 8 (KB2647516)
    Security Update for Windows Internet Explorer 8 (KB2675157)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2503665)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB2536276)
    Security Update for Windows XP (KB2544893-v2)
    Security Update for Windows XP (KB2544893)
    Security Update for Windows XP (KB2555917)
    Security Update for Windows XP (KB2562937)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2567053)
    Security Update for Windows XP (KB2567680)
    Security Update for Windows XP (KB2570222)
    Security Update for Windows XP (KB2570947)
    Security Update for Windows XP (KB2584146)
    Security Update for Windows XP (KB2585542)
    Security Update for Windows XP (KB2592799)
    Security Update for Windows XP (KB2598479)
    Security Update for Windows XP (KB2603381)
    Security Update for Windows XP (KB2618451)
    Security Update for Windows XP (KB2620712)
    Security Update for Windows XP (KB2621440)
    Security Update for Windows XP (KB2624667)
    Security Update for Windows XP (KB2631813)
    Security Update for Windows XP (KB2633171)
    Security Update for Windows XP (KB2639417)
    Security Update for Windows XP (KB2641653)
    Security Update for Windows XP (KB2646524)
    Security Update for Windows XP (KB2647518)
    Security Update for Windows XP (KB2653956)
    Security Update for Windows XP (KB2660465)
    Security Update for Windows XP (KB2661637)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    SigmaTel Audio
    Sonic Encoders
    TomTom HOME 2.8.3.2458
    TomTom HOME Visual Studio Merge Modules
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB2607712)
    Update for Windows XP (KB2616676)
    Update for Windows XP (KB2641690)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    WebFldrs XP
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 8
    Windows Live ID Sign-in Assistant
    Windows XP Media Center Edition 2005 KB973768
    Windows XP Service Pack 3
    .
    ==== Event Viewer Messages From Past Week ========
    .
    4/9/2012 11:16:30 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: 1.123.1397.0 Previous Signature Version: 1.123.1329.0 Update Source: Signature Update Folder Update Stage: Install Source Path: Signature Type: AntiVirus Update Type: Delta User: NT AUTHORITY\SYSTEM Current Engine Version: 1.1.8202.0 Previous Engine Version: 1.1.8202.0 Error code: 0x80508001 Error description: A problem is preventing the program from starting. Install any available updates, and then try to start the program again. For information on installing updates, see Help and Support.
    4/9/2012 11:16:30 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: 1.123.1397.0 Previous Signature Version: 1.123.1329.0 Update Source: Signature Update Folder Update Stage: Install Source Path: Signature Type: AntiSpyware Update Type: Delta User: NT AUTHORITY\SYSTEM Current Engine Version: 1.1.8202.0 Previous Engine Version: 1.1.8202.0 Error code: 0x80508001 Error description: A problem is preventing the program from starting. Install any available updates, and then try to start the program again. For information on installing updates, see Help and Support.
    4/9/2012 11:15:37 PM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Definition Update for Microsoft Security Essentials - KB2310138 (Definition 1.123.1397.0).
    4/9/2012 11:14:54 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Microsoft Antimalware Service service, but this action failed with the following error: An instance of the service is already running.
    4/9/2012 11:14:39 PM, error: Service Control Manager [7031] - The Microsoft Antimalware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.
    4/8/2012 7:49:39 PM, error: Service Control Manager [7031] - The Windows Live ID Sign-in Assistant service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.
    4/8/2012 7:49:27 PM, error: Service Control Manager [7034] - The dlcf_device service terminated unexpectedly. It has done this 1 time(s).
    4/8/2012 7:49:16 PM, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
    4/8/2012 7:48:56 PM, error: Service Control Manager [7031] - The Windows Live ID Sign-in Assistant service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.
    4/8/2012 2:45:23 PM, error: Service Control Manager [7034] - The TomTomHOMEService service terminated unexpectedly. It has done this 1 time(s).
    4/8/2012 10:59:07 AM, error: Service Control Manager [7034] - The Media Center Receiver Service service terminated unexpectedly. It has done this 1 time(s).
    4/8/2012 10:59:04 AM, error: Service Control Manager [7034] - The Media Center Scheduler Service service terminated unexpectedly. It has done this 1 time(s).
    4/8/2012 10:58:59 AM, error: Service Control Manager [7034] - The FlipShare Service service terminated unexpectedly. It has done this 1 time(s).
    4/8/2012 10:05:05 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the dlcf_device service to connect.
    4/8/2012 10:05:05 PM, error: Service Control Manager [7000] - The dlcf_device service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    4/11/2012 4:14:59 PM, error: Print [6161] - The document https://www.lowes.com/webapp/wcs/stores/servlet/OrderOKView?sto owned by Esther failed to print on printer Dell Color Printer 725. Data type: LEMF. Size of the spool file in bytes: 1191045. Number of bytes printed: 1191045. Total number of pages in the document: 1. Number of pages printed: 0. Client machine: \\KNOFF. Win32 error code returned by the print processor: 0 (0x0).
    .
    ==== End Of File ===========================
     
  9. joe5446

    joe5446 TS Rookie Topic Starter

    ComboFix 12-04-14.02 - Joe 04/16/2012 20:42:16.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.223 [GMT -4:00]
    Running from: c:\documents and settings\Joe\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\SPL321.tmp
    c:\documents and settings\All Users\SPL3A.tmp
    c:\documents and settings\All Users\SPL3E5.tmp
    c:\documents and settings\All Users\SPL51.tmp
    c:\documents and settings\Joe\Application Data\alot
    c:\documents and settings\Joe\Application Data\PriceGong
    c:\documents and settings\Joe\Application Data\PriceGong\Data\1.txt
    c:\documents and settings\Joe\Application Data\PriceGong\Data\10.txt
    c:\documents and settings\Joe\Application Data\PriceGong\Data\2229.txt
    c:\documents and settings\Joe\Application Data\PriceGong\Data\2620.txt
    c:\documents and settings\Joe\Application Data\PriceGong\Data\450.txt
    c:\documents and settings\Joe\Application Data\PriceGong\Data\6110.txt
    c:\documents and settings\Joe\Application Data\PriceGong\Data\7535.txt
    c:\documents and settings\Joe\Application Data\PriceGong\Data\94.txt
    c:\documents and settings\Joe\Application Data\PriceGong\Data\947.txt
    c:\documents and settings\Joe\Application Data\PriceGong\Data\9551.txt
    c:\documents and settings\Joe\Application Data\PriceGong\Data\a.txt
    c:\documents and settings\Joe\Application Data\PriceGong\Data\b.txt
    c:\documents and settings\Joe\Application Data\PriceGong\Data\c.txt
    c:\documents and settings\Joe\Application Data\PriceGong\Data\d.txt
    c:\documents and settings\Joe\Application Data\PriceGong\Data\e.txt
    c:\documents and settings\Joe\Application Data\PriceGong\Data\f.txt
    c:\documents and settings\Joe\Application Data\PriceGong\Data\g.txt
    c:\documents and settings\Joe\Application Data\PriceGong\Data\h.txt
    c:\documents and settings\Joe\Application Data\PriceGong\Data\i.txt
    c:\documents and settings\Joe\Application Data\PriceGong\Data\j.txt
    c:\documents and settings\Joe\Application Data\PriceGong\Data\k.txt
    c:\documents and settings\Joe\Application Data\PriceGong\Data\l.txt
    c:\documents and settings\Joe\Application Data\PriceGong\Data\m.txt
    c:\documents and settings\Joe\Application Data\PriceGong\Data\mru.xml
    c:\documents and settings\Joe\Application Data\PriceGong\Data\n.txt
    c:\documents and settings\Joe\Application Data\PriceGong\Data\o.txt
    c:\documents and settings\Joe\Application Data\PriceGong\Data\p.txt
    c:\documents and settings\Joe\Application Data\PriceGong\Data\q.txt
    c:\documents and settings\Joe\Application Data\PriceGong\Data\r.txt
    c:\documents and settings\Joe\Application Data\PriceGong\Data\s.txt
    c:\documents and settings\Joe\Application Data\PriceGong\Data\t.txt
    c:\documents and settings\Joe\Application Data\PriceGong\Data\u.txt
    c:\documents and settings\Joe\Application Data\PriceGong\Data\v.txt
    c:\documents and settings\Joe\Application Data\PriceGong\Data\w.txt
    c:\documents and settings\Joe\Application Data\PriceGong\Data\wlu.txt
    c:\documents and settings\Joe\Application Data\PriceGong\Data\x.txt
    c:\documents and settings\Joe\Application Data\PriceGong\Data\y.txt
    c:\documents and settings\Joe\Application Data\PriceGong\Data\z.txt
    c:\windows\EventSystem.log
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-03-17 to 2012-04-17 )))))))))))))))))))))))))))))))
    .
    .
    2012-04-17 00:02 . 2012-03-14 02:15 6582328 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D67E74DC-506B-4A31-918E-F80F02FD47C8}\mpengine.dll
    2012-04-13 01:49 . 2012-04-13 01:49 -------- d-----w- c:\documents and settings\Joe\Application Data\Malwarebytes
    2012-04-13 01:49 . 2012-04-13 01:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2012-04-13 01:49 . 2012-04-04 19:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-04-13 01:49 . 2012-04-13 01:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-04-10 03:32 . 2012-04-10 03:32 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
    2012-04-04 05:53 . 2012-04-04 05:53 182160 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
    2012-03-30 13:14 . 2012-04-14 13:44 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-03-18 17:35 . 2003-03-19 03:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2012-03-18 17:35 . 2004-01-11 22:00 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2012-03-18 17:35 . 2012-03-18 17:35 -------- d-----w- c:\program files\Real Alternative
    2012-03-18 17:34 . 2010-05-12 20:09 108032 ----a-w- c:\windows\system32\ff_vfw.dll
    2012-03-18 17:34 . 2012-03-18 17:34 -------- d-----w- c:\program files\ffdshow
    2012-03-18 17:34 . 2012-03-18 17:36 -------- d-----w- c:\program files\Free Media Player
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-04-14 13:44 . 2011-06-07 21:41 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-03-14 02:15 . 2012-02-09 14:04 6582328 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-03-01 11:01 . 2006-03-04 03:33 916992 ----a-w- c:\windows\system32\wininet.dll
    2012-03-01 11:01 . 2004-08-10 11:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2012-03-01 11:01 . 2004-08-10 11:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2012-02-29 14:10 . 2004-08-10 11:00 177664 ----a-w- c:\windows\system32\wintrust.dll
    2012-02-29 14:10 . 2004-08-10 11:00 148480 ----a-w- c:\windows\system32\imagehlp.dll
    2012-02-29 12:17 . 2004-08-10 11:00 385024 ----a-w- c:\windows\system32\html.iec
    2012-02-03 09:22 . 2004-08-10 11:00 1860096 ----a-w- c:\windows\system32\win32k.sys
    2012-01-31 12:44 . 2010-08-30 20:18 237072 ------w- c:\windows\system32\MpSigStub.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-23 7630848]
    "nwiz"="nwiz.exe" [2006-08-23 1617920]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-23 86016]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-07-27 282624]
    "DLCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll" [2006-10-20 73728]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2008-04-14 53760]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\dlcfcoms.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    .
    R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [12/5/2011 8:34 AM 92592]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [3/30/2012 9:14 AM 253088]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-04-17 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 13:44]
    .
    2012-04-16 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 19:39]
    .
    2012-04-17 c:\windows\Tasks\User_Feed_Synchronization-{0D5ECB2E-8E38-45F5-B816-A378ABD13CEE}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
    .
    2012-04-16 c:\windows\Tasks\User_Feed_Synchronization-{14B79CB0-37D1-498C-9F01-779046CC1129}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
    TCP: DhcpNameServer = 192.168.1.1 71.250.0.12
    .
    - - - - ORPHANS REMOVED - - - -
    .
    WebBrowser-{575BDDF5-790A-4D01-A37D-2863DEC1C085} - (no file)
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-04-16 20:48
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    DLCFCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    Completion time: 2012-04-16 20:50:56
    ComboFix-quarantined-files.txt 2012-04-17 00:50
    .
    Pre-Run: 143,442,608,128 bytes free
    Post-Run: 143,663,697,920 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
    .
    - - End Of File - - 0302A2DAD08A17266F16AD64604A825F
     
  10. joe5446

    joe5446 TS Rookie Topic Starter

    C:\Documents and Settings\Esther\Local Settings\Temp\71DB0F3E-BAB0-7891-B661-2E984EC2B901\MyBabylonTB.exe Win32/Toolbar.Babylon application
    C:\Documents and Settings\Esther\Local Settings\Temp\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbar4ie.exe Win32/Toolbar.Babylon application
    C:\Documents and Settings\Esther\My Documents\IWON.exe Win32/AdInstaller application
     
  11. joe5446

    joe5446 TS Rookie Topic Starter

    I would like to thank you guys/girls for all of your help. I have already recommended this site to other people. Now, Im gonna check out the rest of the topics on this forum and maybe I can become more confident in my computer skills. Thanks again.

    Joe
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Joe, the site was upgraded and I'm finding some threads didn't send feedback for replies made. Yous was one of them. I'll pick up from where we were. If you have resolved problems, please let me know.

    For the Eset entries:
    Please download OTMovit by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :
      :Files 
      C:\Documents and Settings\Esther\Local Settings\Temp\71DB0F3E-BAB0-7891-B661-2E984EC2B901\MyBabylonTB.exe 
      C:\Documents and Settings\Esther\Local Settings\Temp\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbar4ie.exe 
      C:\Documents and Settings\Esther\My Documents\IWON.exe 
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ==============================================
    Combofix looks good. With so many entries for Price Gong gone and MWS gone, have you pickled up any 'speed'? I can give you few tips for maintenance if you'd like.
     
  13. joe5446

    joe5446 TS Rookie Topic Starter

    All processes killed
    Error: Unable to interpret <:> in the current context!
    ========== FILES ==========
    C:\Documents and Settings\Esther\Local Settings\Temp\71DB0F3E-BAB0-7891-B661-2E984EC2B901\MyBabylonTB.exe moved successfully.
    C:\Documents and Settings\Esther\Local Settings\Temp\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbar4ie.exe moved successfully.
    C:\Documents and Settings\Esther\My Documents\IWON.exe moved successfully.
    File/Folder [purity] not found.
    File/Folder [emptytemp] not found.
    File/Folder [start explorer] not found.
    File/Folder [Reboot] not found.

    OTM by OldTimer - Version 3.1.19.0 log created on 04282012_124335
     
  14. joe5446

    joe5446 TS Rookie Topic Starter

    The computer is running much faster, but I can always use tips on maintenance. Thanks again!!
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're welcome. I'll finish up and give you some tips. But first, please post the entire OTM log.
     
  16. joe5446

    joe5446 TS Rookie Topic Starter

    I think that was it. It took me awhile to find it. But I'll look again.
     
  17. joe5446

    joe5446 TS Rookie Topic Starter

    yeah, that was everything
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    A note: You can use the Edit function when you just have a small amount of text to add instead of creating another post. You can clean up the tools now:

    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
      [​IMG]
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    -----
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
    ------------------------------------------
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disc Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

    Empty the Recycle Bin
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...