TechSpot

Trojan.injector....

By DCMedia
Mar 16, 2011
  1. Got this last night on both PCs along with another trojan.
    Reformatted the one PC, but this PC I'm on now I cannot reformat because I have no recovery disc.

    The one trojan was removed, but on a second scan with SUPERAntiSpyware the original Trojan.injector was still present.

    Ran SAS again and the trojan finally wasn't showing up.

    Ran MAB and it's not showing up, and it's not showing up on Avira either.

    I just want to make sure this is cleaned off of my system, so I did the 8 steps. Here are the logs, but I am also going to scan once more with Avira, MAB and SAS.


    Thanks for any help.


    MAB---------------------------------------------
    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6068

    Windows 6.0.6000
    Internet Explorer 7.0.6000.17037

    3/16/2011 10:59:23 AM
    mbam-log-2011-03-16 (10-59-23).txt

    Scan type: Full scan (C:\|D:\|E:\|)
    Objects scanned: 313919
    Time elapsed: 1 hour(s), 42 minute(s), 53 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)



    GMER---------------------------------------

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2011-03-16 13:48:02
    Windows 6.0.6000 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST316081 rev.3.AD
    Running: e3kimqtj.exe; Driver: C:\Users\User\AppData\Local\Temp\pxtdapob.sys


    ---- System - GMER 1.0.15 ----

    Code 8B07CBFC ZwTraceEvent
    Code 8B07CBFB NtTraceEvent
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)
    Device \FileSystem\fastfat \Fat aswSP.SYS (avast! self protection module/AVAST Software)

    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \Driver\tdx \Device\Ip cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
    AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\tdx \Device\RawIp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)

    ---- EOF - GMER 1.0.15 ----



    DDS---------------

    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by User at 13:52:14.38 on Wed 03/16/2011
    Internet Explorer: 7.0.6000.17037 BrowserJavaVersion: 1.6.0_21
    Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.1013.332 [GMT -4:00]
    .
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Program Files\Sandboxie\SbieSvc.exe
    C:\Windows\system32\Dwm.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Windows\system32\taskeng.exe
    C:\Users\User\AppData\Local\Google\Update\GoogleUpdate.exe
    C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
    C:\Windows\System32\svchost.exe -k Akamai
    C:\Program Files\AskBarDis\bar\bin\AskService.exe
    C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Windows\system32\wuauclt.exe
    C:\Windows\system32\taskmgr.exe
    C:\Program Files\McAfee Security Scan\2.0.181\McUICnt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Users\User\Documents\New Folder (2)\dds.scr
    C:\Windows\System32\osk.exe
    .
    ============== Pseudo HJT Report ===============
    .
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
    BHO: KeyScramblerBHO Class: {2b9f5787-88a5-4945-90e7-c4b18563bc5e} - c:\program files\keyscrambler\KeyScramblerIE.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: ZoneAlarm Spy Blocker Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
    uRun: [Corel Photo Downloader] "c:\program files\common files\corel\corel photodownloader\Corel Photo Downloader.exe" -startup
    uRun: [AIM] c:\program files\aim\aim.exe -cnetwait.odl
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [Google Update] "c:\users\user\appdata\local\google\update\GoogleUpdate.exe" /c
    mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [Standby] "c:\program files\common files\corel\standby\Standby.exe" -START
    mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
    mRun: [Corel File Shell Monitor] c:\program files\corel\corel paintshop photo pro\x3\pspclassic\CorelIOMonitor.exe
    mRun: [NeroRebootSetup] "c:\users\user\appdata\local\temp\nro.tmp\SetupX.exe" SC -Reboot PIINSTALLTYPE="0"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
    mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
    mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
    mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
    IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\progra~1\aim\aim.exe
    IE: {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - {B745F984-EF2E-40D6-A9AC-D8CED7230E61} - c:\program files\keyscrambler\KeyScramblerIE.dll
    DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
    Notify: igfxcui - igfxdev.dll
    AppInit_DLLs: c:\windows\system32\guard32.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\user\appdata\roaming\mozilla\firefox\profiles\zw72x8co.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
    FF - prefs.js: browser.search.selectedEngine - Yahoo
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
    FF - component: c:\users\user\appdata\roaming\mozilla\firefox\profiles\zw72x8co.default\extensions\keyscrambler@qfx.software.corporation\components\KeyScramblerIE.dll
    FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\nphssb.dll
    FF - plugin: c:\program files\nos\bin\np_gp.dll
    FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint(145).dll
    FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
    FF - plugin: c:\users\user\appdata\local\google\update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\users\user\appdata\roaming\mozilla\firefox\profiles\zw72x8co.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    ============= SERVICES / DRIVERS ===============
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-3-14 371544]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-9-2 301528]
    R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2010-3-23 224240]
    R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-3-3 30112]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
    R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2006-11-2 22016]
    R2 ASKService;ASKService;c:\program files\askbardis\bar\bin\AskService.exe [2006-11-15 464264]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-9-2 19544]
    R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-9-2 53592]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2011-3-14 42184]
    R2 Viewpoint Service;Viewpoint Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-7-22 30152]
    R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2009-7-25 114952]
    R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]
    R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2011-1-12 125672]
    R3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2006-11-2 987648]
    R3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2006-11-2 251904]
    S2 gupdate1ca08a1186aedbc;Google Update Service (gupdate1ca08a1186aedbc);c:\program files\google\update\GoogleUpdate.exe [2009-7-19 133104]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
    S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2006-11-2 22016]
    S3 SwitchBoard;SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
    .
    =============== Created Last 30 ================
    .
    2011-03-16 01:19:06 5016 ----a-w- c:\windows\system32\PerfStringBackup.TMP
    2011-03-15 02:08:17 371544 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    .
    ==================== Find3M ====================
    .
    2011-02-23 14:04:21 40648 ----a-w- c:\windows\avastSS.scr
    2011-01-05 04:40:32 36864 ----a-w- C:\nphssb.dll
    2011-01-05 04:39:59 184320 ----a-w- c:\windows\system32\OESICore.dll
    2011-01-05 04:39:58 45056 ----a-w- c:\windows\system32\HSSICore.dll
    2011-01-05 04:39:58 40960 ----a-w- c:\windows\system32\HS_live.ocx
    2011-01-05 04:38:39 98136 ----a-w- c:\windows\gzip.exe
    .
    ============= FINISH: 13:53:01.16 ===============



    -DDS ATTACH------------------------------------------

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_11-03-05.01)
    .
    Microsoft® Windows Vista™ Home Basic
    Boot Device: \Device\HarddiskVolume3
    Install Date: 11/15/2006 12:04:33 PM
    System Uptime: 3/15/2011 9:10:56 PM (16 hours ago)
    .
    Motherboard: Dell Inc. | | 0WG864
    Processor: Intel(R) Pentium(R) D CPU 3.00GHz | Microprocessor | 2992/800mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 139 GiB total, 70.027 GiB free.
    D: is FIXED (NTFS) - 10 GiB total, 7.019 GiB free.
    E: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft 6to4 Adapter
    Device ID: ROOT\*6TO4MP\0000
    Manufacturer: Microsoft
    Name: 6TO4 Adapter
    PNP Device ID: ROOT\*6TO4MP\0000
    Service: tunnel
    .
    ==== System Restore Points ===================
    .
    .
    ==== Installed Programs ======================
    .
    545 Studios Skinstaller (remove only)
    AAC Decoder
    AC3Filter (remove only)
    Acrobat.com
    Adobe AIR
    Adobe Community Help
    Adobe Download Manager
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Media Player
    Adobe Photoshop CS5
    Adobe Reader 9.3
    Adobe Shockwave Player 11.5
    Advertising Center
    AIMutation (remove only)
    Akamai NetSession Interface
    AOL Instant Messenger
    Apple Application Support
    Apple Software Update
    Ashampoo Burning Studio 6 FREE
    Astroburn Lite
    Audacity 1.3.9 (Unicode)
    AutoUpdate
    avast! Free Antivirus
    Backyard Skateboarding
    CCleaner (remove only)
    COMODO Internet Security
    Contents
    Corel PaintShop Photo Pro X3
    DeviceIO
    DivX Codec
    DivX Converter
    DivX Player
    DivX Plus DirectShow Filters
    DivX Version Checker
    DivX Web Player
    DolbyFiles
    GIMP 2.6.7
    Google Chrome
    Google SketchUp 7
    Google Update Helper
    H.264 Decoder
    Homestead SiteBuilder
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    ICA
    ImagXpress
    ImgBurn
    Intel(R) Graphics Media Accelerator Driver
    IPM_PSP_Pro
    Java Auto Updater
    Java(TM) 6 Update 21
    KeyScrambler
    Malwarebytes' Anti-Malware
    McAfee Security Scan Plus
    Menu Templates - Starter Kit
    Microsoft .NET Framework 3.5 SP1
    Microsoft Silverlight
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual J# 2.0 Redistributable Package
    Microsoft_VC80_ATL_x86
    Microsoft_VC80_CRT_x86
    Microsoft_VC80_MFC_x86
    Microsoft_VC80_MFCLOC_x86
    Microsoft_VC90_ATL_x86
    Microsoft_VC90_CRT_x86
    Microsoft_VC90_MFC_x86
    MKV Splitter
    Movie Templates - Starter Kit
    Mozilla Firefox (3.6.13)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Nero 9 Trial
    Nero BurnRights
    Nero ControlCenter
    Nero CoverDesigner
    Nero Disc Copy Gadget
    Nero DiscSpeed
    Nero DriveSpeed
    Nero InfoTool
    Nero Installer
    Nero Live
    Nero PhotoSnap
    Nero Recode
    Nero Rescue Agent
    Nero ShowTime
    Nero StartSmart
    Nero Vision
    Nero WaveEditor
    NeroBurningROM
    NeroExpress
    NeroLiveGadget
    neroxml
    Paint.NET v3.36
    PDF Settings CS5
    PhoTags Express
    PSPPContent
    PSPPRO_DCRAW
    PureHD
    QuickTime
    Recuva
    Sandboxie 3.52
    SANYO USB Modem SY03 Driver
    Security Update for Windows Media Encoder (KB954156)
    Setup
    Share
    SoundTrax
    SUPERAntiSpyware Free Edition
    System Requirements Lab
    Uninstall Dual Mode Camera
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    VC 9.0 Runtime
    VC80CRTRedist - 8.0.50727.762
    Viewpoint Manager (Remove Only)
    Viewpoint Media Player
    VIO
    VLC media player 0.9.9
    Winamp
    Windows Media Encoder 9 Series
    Windows Media Player Firefox Plugin
    WinRAR archiver
    ZoneAlarm Spy Blocker Toolbar
    .
    ==== End Of File ===========================
     
  2. Bobbye


    Welcome to TechSpot! I'll help with the system.

    First, you are loading processes for 3 antivirus programs:
    Avast
    Comodo (Internet Security)
    McAfee

    I also noted a ZoneAlarm Toolbar.
    Please remove two of them. Reboot the computer when done.
    ========================================
    Instead of the rescans you suggested, please do these:

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Click on "Copy to Clipboard" (you won't see the 'clipboard')
    10. Click anywhere in the post where you want the logs to go, then do Ctrl V. The log will be sent from the clipboard and pasted in the post.
    11. Re-enable your Antivirus software.
      NOTE: If you forget to copy to the clipboard you can find the log here:
      C:\Program Files\EsetOnlineScanner\log.txt. Please include this in your post.
    ===========================================
    Download Combofix to your desktop from HERE or HERE
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
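The helper's first finding above (three resident antivirus products running side by side) was read straight off the DDS "Running Processes" list. The following script is an added example, not part of this thread and not a tool any of the products mentioned ship: it parses that section of a DDS-style log and reports which security vendors have processes resident, flagging more than one real-time engine as a conflict. The sample log excerpt is constructed for the example in the shape of the log posted above, and the vendor table (path fragments and the resident/on-demand classification) is an assumption of this example that you would extend for other products.

```python
from collections import defaultdict

# Constructed excerpt in the shape of a DDS "Running Processes" section.
# The paths mirror the kind of entries seen in the thread; the list itself
# is built for this example.
SAMPLE_DDS = """\
============== Running Processes ===============
.
C:\\Windows\\system32\\wininit.exe
C:\\Program Files\\COMODO\\COMODO Internet Security\\cmdagent.exe
C:\\Program Files\\Alwil Software\\Avast5\\AvastSvc.exe
C:\\Program Files\\COMODO\\COMODO Internet Security\\cfp.exe
C:\\Program Files\\Alwil Software\\Avast5\\AvastUI.exe
C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe
C:\\Program Files\\McAfee Security Scan\\2.0.181\\SSScheduler.exe
C:\\Program Files\\McAfee Security Scan\\2.0.181\\McUICnt.exe
C:\\Program Files\\Mozilla Firefox\\firefox.exe
.
============== Pseudo HJT Report ===============
"""

# Lower-cased path fragments that identify a security product, mapped to a
# label and whether the product is treated as a resident (real-time) engine.
# This table is an assumption of the example; it follows the helper's count
# of Avast, Comodo and McAfee as the three antivirus products.
SECURITY_VENDORS = {
    "alwil software\\avast": ("Avast", True),
    "comodo internet security": ("COMODO Internet Security", True),
    "mcafee": ("McAfee", True),
    "superantispyware": ("SUPERAntiSpyware", False),
    "malwarebytes": ("Malwarebytes", False),
}


def running_processes(dds_text):
    """Return the process paths listed under the DDS 'Running Processes' header."""
    paths, inside = [], False
    for line in dds_text.splitlines():
        s = line.strip()
        if s.startswith("=") and "Running Processes" in s:
            inside = True
            continue
        if inside:
            if s.startswith("="):      # the next section header ends the list
                break
            if s and s != ".":         # DDS pads sections with lone dots
                paths.append(s)
    return paths


def security_products(process_paths):
    """Map vendor label -> list of resident process paths that matched it."""
    found = defaultdict(list)
    for path in process_paths:
        low = path.lower()
        for fragment, (label, _resident) in SECURITY_VENDORS.items():
            if fragment in low:
                found[label].append(path)
                break
    return dict(found)


def resident_av_vendors(process_paths):
    """Sorted labels of real-time AV vendors seen; more than one is a conflict."""
    products = security_products(process_paths)
    resident = {label for label, is_resident in SECURITY_VENDORS.values() if is_resident}
    return sorted(label for label in products if label in resident)


if __name__ == "__main__":
    procs = running_processes(SAMPLE_DDS)
    for label, paths in security_products(procs).items():
        print(f"{label}: {len(paths)} process(es)")
    vendors = resident_av_vendors(procs)
    if len(vendors) > 1:
        print("Conflict: multiple resident AV engines loaded:", ", ".join(vendors))
```

Run it against the "Running Processes" block of a real DDS log and the conflict line names every resident vendor found, which is the check the helper did by eye; on-demand scanners such as SUPERAntiSpyware are reported but do not count toward the conflict.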
     
  3. DCMedia


    Thank you sir



    online scan-
    C:\Program Files\AIM\Sysfiles\WxBug.EXE Win32/Adware.WBug.A application



    combofix-

    ComboFix 11-03-16.06 - User 03/17/2011 18:41:33.1.2 - x86
    Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.1013.317 [GMT -4:00]
    Running from: c:\users\User\Downloads\ComboFix.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-17 to 2011-03-17 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-17 22:38 . 2011-03-17 22:38 -------- d-----w- C:\32788R22FWJFW
    2011-03-16 19:30 . 2011-03-16 19:30 -------- d-----w- c:\program files\ESET
    2011-03-16 01:19 . 2011-03-17 17:59 5016 ----a-w- c:\windows\system32\PerfStringBackup.TMP
    2011-03-15 02:08 . 2011-02-23 13:56 371544 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-23 14:04 . 2010-09-02 16:29 40648 ----a-w- c:\windows\avastSS.scr
    2011-02-23 14:04 . 2010-09-02 16:29 190016 ----a-w- c:\windows\system32\aswBoot.exe
    2011-02-23 13:56 . 2010-09-02 16:30 301528 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-02-23 13:55 . 2010-09-02 16:30 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-02-23 13:55 . 2010-09-02 16:30 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-02-23 13:55 . 2010-09-02 16:30 53592 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2011-02-23 13:54 . 2010-09-02 16:30 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-01-05 04:40 . 2011-01-05 04:51 36864 ----a-w- C:\nphssb.dll
    2011-01-05 04:39 . 2011-01-05 04:51 184320 ----a-w- c:\windows\system32\OESICore.dll
    2011-01-05 04:39 . 2011-01-05 04:51 45056 ----a-w- c:\windows\system32\HSSICore.dll
    2011-01-05 04:39 . 2011-01-05 04:51 40960 ----a-w- c:\windows\system32\HS_live.ocx
    2011-01-05 04:38 . 2011-01-05 04:39 98136 ----a-w- c:\windows\gzip.exe
    2010-12-20 22:09 . 2009-05-31 07:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-20 22:08 . 2009-05-31 07:04 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-05-13 21:55 . 2009-05-13 21:55 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
    2009-05-13 21:55 . 2009-05-13 21:55 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
    2008-10-16 23:22 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-10-16 333192]
    .
    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-02-23 14:04 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Corel Photo Downloader"="c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2009-12-30 523408]
    "AIM"="c:\program files\AIM\aim.exe" [2004-06-07 61440]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1830128]
    "WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 2159104]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-05-29 1232896]
    "Google Update"="c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-03-23 136176]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-09-07 2039240]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
    "Standby"="c:\program files\Common Files\Corel\Standby\Standby.exe" [2010-01-07 105632]
    "WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2006-12-12 81920]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-12-12 106496]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-12-12 98304]
    "AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
    "SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
    "AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
    "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2011-02-23 3451496]
    "Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\System32\guard32.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    R2 gupdate1ca08a1186aedbc;Google Update Service (gupdate1ca08a1186aedbc);c:\program files\Google\Update\GoogleUpdate.exe [2009-07-19 133104]
    R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
    R3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe [2006-11-02 22016]
    R3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
    S1 aswSnx;aswSnx; [x]
    S1 aswSP;aswSP; [x]
    S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2010-09-07 224240]
    S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2010-09-07 30112]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
    S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2006-11-02 22016]
    S2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [2008-10-16 464264]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-02-23 53592]
    S2 Viewpoint Service;Viewpoint Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-04-04 30152]
    S3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2010-02-11 114952]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
    S3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2006-11-02 987648]
    S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS [2006-11-02 251904]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    getPlusHelper REG_MULTI_SZ getPlusHelper
    Akamai REG_MULTI_SZ Akamai
    nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2010-04-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore(1882).job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-07-19 18:44]
    .
    2010-04-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA(1883).job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-07-19 18:44]
    .
    2011-03-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-717310467-2134114534-2975817673-1000Core.job
    - c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-18 03:00]
    .
    2011-03-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-717310467-2134114534-2975817673-1000UA.job
    - c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-18 03:00]
    .
    .
    ------- Supplementary Scan -------
    .
    FF - ProfilePath - c:\users\User\AppData\Roaming\Mozilla\Firefox\Profiles\zw72x8co.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
    FF - prefs.js: browser.search.selectedEngine - Yahoo
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
    FF - user.js: yahoo.homepage.dontask - true
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKLM-Run-Corel File Shell Monitor - c:\program files\Corel\Corel PaintShop Photo Pro\X3\PSPClassic\CorelIOMonitor.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-17 18:52
    Windows 6.0.6000 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    .
    C:\## aswSnx private storage
    .
    scan completed successfully
    hidden files: 1
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(712)
    c:\windows\system32\guard32.dll
    .
    - - - - - - - > 'lsass.exe'(660)
    c:\windows\system32\guard32.dll
    .
    Completion time: 2011-03-17 18:56:37
    ComboFix-quarantined-files.txt 2011-03-17 22:56
    .
    Pre-Run: 72,668,479,488 bytes free
    Post-Run: 75,140,534,272 bytes free
    .
    - - End Of File - - 1AB2B517EAA14522BC80F0C024FA7C21
     
  4. DCMedia

    DCMedia TS Rookie Topic Starter

    Did I do that last scan correct?

    Combofix opened as a blue screen and started scanning.

    When done I accidentally closed the combofix.txt out, and when I went to click on it on my start menu to pull it up again it kept saying the file was in queue for deletion or something of that sort, as well as all the other programs on the start menu... Firefox, mspaint, etc.

    I restarted the PC and now everything is working fine.

    Had to manually get that scan log by going to run>c:\combofix.txt
     
  5. DCMedia

    DCMedia TS Rookie Topic Starter

    Should I post a new thread and redo the 8 steps?
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    No- why would you want to do that? I'm helping a lot of members and just hadn't gotten back to you yet.

    You are still running processes for Avast, McAfee and Comodo. Please uninstall all but 1 program. Reboot when finished.
    =====================================
    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files  
      C:\Program Files\AIM\Sysfiles\WxBug.EXE
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ==============================================
    Please uninstall the Weather program you have.
    ===========================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
    Code:
    File::
    c:\program files\Viewpoint\Common\ViewpointService.exe 
    c:\program files\AskBarDis\bar\bin\AskService.exe
    Registry::
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{3041d03e-fd4b-44e0-b742-2d9b88305f98}"=-
    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
    Driver::
    Viewpoint Service;Viewpoint Service
    ASKService;ASKService
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it into your next reply.
    ====================
    Please go to Add/Remove programs and uninstall anything with Ask and Viewpoint in the name. Then use Windows Explorer to find the program folder for each and do a right click> Delete on it.
    ========================
    Please run this Security Check:

    Download Security Check by screen317 from HERE or HERE .
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
     
  7. DCMedia

    DCMedia TS Rookie Topic Starter

    Sorry bout that man.

    Just did everything you said. I deleted all but Avast, but I thought I was able to run Comodo firewall with avast?

    Anyways, here are the logs:


    All processes killed
    ========== FILES ==========
    File/Folder C:\Program Files\AIM\Sysfiles\WxBug.EXE not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: User
    ->Temp folder emptied: 1904623 bytes
    ->Temporary Internet Files folder emptied: 803360 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 20835567 bytes
    ->Google Chrome cache emptied: 400500472 bytes
    ->Flash cache emptied: 1646 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 5016 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 25682 bytes
    %systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
    %systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 404.00 mb


    OTM by OldTimer - Version 3.1.17.2 log created on 03202011_004632

    Files moved on Reboot...
    File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

    Registry entries deleted on Reboot...



    -----------------------------

    ComboFix 11-03-16.06 - User 03/20/2011 1:08.2.2 - x86
    Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.1013.257 [GMT -4:00]
    Running from: c:\users\User\Downloads\ComboFix.exe
    Command switches used :: c:\users\User\Downloads\CFScript.txt
    .
    FILE ::
    "c:\program files\AskBarDis\bar\bin\AskService.exe"
    "c:\program files\Viewpoint\Common\ViewpointService.exe"
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-20 to 2011-03-20 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-20 05:17 . 2011-03-20 05:17 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-03-20 04:56 . 2011-03-20 04:56 5016 ----a-w- c:\windows\system32\PerfStringBackup.TMP
    2011-03-20 04:33 . 2011-03-20 04:33 -------- d-----w- C:\_OTM
    2011-03-17 22:56 . 2011-03-20 05:18 -------- d-----w- c:\users\User\AppData\Local\temp
    2011-03-16 19:30 . 2011-03-16 19:30 -------- d-----w- c:\program files\ESET
    2011-03-15 02:08 . 2011-02-23 13:56 371544 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-03-19 03:43 . 2010-02-16 20:19 2516 --sha-w- c:\programdata\KGyGaAvL.sys
    2011-03-19 03:43 . 2010-02-16 20:19 88 --sh--r- c:\programdata\813C01CEED.sys
    2011-02-23 14:04 . 2010-09-02 16:29 40648 ----a-w- c:\windows\avastSS.scr
    2011-02-23 14:04 . 2010-09-02 16:29 190016 ----a-w- c:\windows\system32\aswBoot.exe
    2011-02-23 13:56 . 2010-09-02 16:30 301528 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-02-23 13:55 . 2010-09-02 16:30 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-02-23 13:55 . 2010-09-02 16:30 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-02-23 13:55 . 2010-09-02 16:30 53592 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2011-02-23 13:54 . 2010-09-02 16:30 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-01-05 04:40 . 2011-01-05 04:51 36864 ----a-w- C:\nphssb.dll
    2011-01-05 04:39 . 2011-01-05 04:51 184320 ----a-w- c:\windows\system32\OESICore.dll
    2011-01-05 04:39 . 2011-01-05 04:51 45056 ----a-w- c:\windows\system32\HSSICore.dll
    2011-01-05 04:39 . 2011-01-05 04:51 40960 ----a-w- c:\windows\system32\HS_live.ocx
    2011-01-05 04:38 . 2011-01-05 04:39 98136 ----a-w- c:\windows\gzip.exe
    2010-12-20 22:09 . 2009-05-31 07:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-20 22:08 . 2009-05-31 07:04 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-05-13 21:55 . 2009-05-13 21:55 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
    2009-05-13 21:55 . 2009-05-13 21:55 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-02-23 14:04 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Corel Photo Downloader"="c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2009-12-30 523408]
    "AIM"="c:\program files\AIM\aim.exe" [2004-06-07 61440]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1830128]
    "WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 2159104]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-05-29 1232896]
    "Google Update"="c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-03-23 136176]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
    "Standby"="c:\program files\Common Files\Corel\Standby\Standby.exe" [2010-01-07 105632]
    "WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2006-12-12 81920]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-12-12 106496]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-12-12 98304]
    "AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
    "SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
    "AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
    "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2011-02-23 3451496]
    "Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    R2 gupdate1ca08a1186aedbc;Google Update Service (gupdate1ca08a1186aedbc);c:\program files\Google\Update\GoogleUpdate.exe [2009-07-19 133104]
    R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [x]
    R3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe [2006-11-02 22016]
    R3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
    S1 aswSnx;aswSnx; [x]
    S1 aswSP;aswSP; [x]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
    S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2006-11-02 22016]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-02-23 53592]
    S3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2010-02-11 114952]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
    S3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2006-11-02 987648]
    S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS [2006-11-02 251904]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    getPlusHelper REG_MULTI_SZ getPlusHelper
    Akamai REG_MULTI_SZ Akamai
    nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2010-04-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore(1882).job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-07-19 18:44]
    .
    2010-04-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA(1883).job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-07-19 18:44]
    .
    2011-03-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-717310467-2134114534-2975817673-1000Core.job
    - c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-18 03:00]
    .
    2011-03-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-717310467-2134114534-2975817673-1000UA.job
    - c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-18 03:00]
    .
    .
    ------- Supplementary Scan -------
    .
    FF - ProfilePath - c:\users\User\AppData\Roaming\Mozilla\Firefox\Profiles\zw72x8co.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
    FF - prefs.js: browser.search.selectedEngine - Yahoo
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
    FF - user.js: yahoo.homepage.dontask - true
    .
    - - - - ORPHANS REMOVED - - - -
    .
    BHO-{201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\AskBarDis\bar\bin\askBar.dll
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-20 01:17
    Windows 6.0.6000 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    .
    C:\## aswSnx private storage
    .
    scan completed successfully
    hidden files: 1
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2011-03-20 01:21:27
    ComboFix-quarantined-files.txt 2011-03-20 05:21
    ComboFix2.txt 2011-03-17 22:56
    .
    Pre-Run: 77,021,835,264 bytes free
    Post-Run: 77,002,362,880 bytes free
    .
    - - End Of File - - 227B98CED71C565369FE8F5C0BC445D9


    ------------------------


    Results of screen317's Security Check version 0.99.9
    Windows Vista (UAC is enabled)
    Out of date service pack!!
    Internet Explorer 7 Out of date!
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    avast! Free Antivirus
    ESET Online Scanner v3
    WMI entry may not exist for antivirus; attempting automatic update.
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    CCleaner (remove only)
    Java(TM) 6 Update 21
    Out of date Java installed!
    Adobe Flash Player 10.1.102.64
    Adobe Reader 9.3
    Out of date Adobe Reader installed!
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    User AppData Local Google\Chrome\Application\AvastSvc.exe -?-
    Alwil Software Avast5 AvastUI.exe
    ``````````End of Log````````````
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Just a note from OTM: Total Files Cleaned = 404.00 mb. That is a lot of files and may indicate you're not doing regular maintenance on the machine.

    You can. But it appeared that you were running the Comodo Security Suite which also contains an AV program. Just get it down to Firewall only.
    But if you run the Comodo firewall, you should disable the Windows Firewall ("Windows Firewall Enabled!" in the log).
    ====================================
    Outdated programs are vulnerabilities to the system. Please update to current versions, then uninstall old versions (Java v6u21) (Adobe Reader v9.3) in Add/Remove Programs:
    Java(TM) 6 Update 21> current is v6u24: Check this site- Java Updates
    Adobe Reader > current is v10(X)> Check this site- Adobe Reader
    Vista Service Pack> current is SP2> Check Here Microsoft Download Site
    =====================================
    There is a file I can't identify:
    Please go to VirSCAN.org FREE on-line scan service:
    If busy, you can use one of the following: ( you only need one)
    VirusTotal
    Jotti

    • [1]. Copy and paste the following file path into the Suspicious files to scan box on the top of the page.

      Code:
      c:\programdata\813C01CEED.sys
      
      [2]. At the upload site, click once inside the window next to Browse.
      [3]. Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
      [4]. Click on the Upload button.
      This will perform a scan across multiple different virus scanning engines.
      Your file will possibly be entered into a queue which normally takes less than a minute to clear.
      Important: Wait for all of the scanning engines to complete.
      [5]. Once the Scan is completed scroll down and click on the Copy to Clipboard button. This will copy the link of the report into the Clipboard.
      [6]. Paste the contents of the Clipboard in your next reply.
    =========================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
    Code:
    File::
    c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe
    DDS::
    c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
    TB: ZoneAlarm Spy Blocker Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
    Registry::
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{3041d03e-fd4b-44e0-b742-2d9b88305f98}"=- 
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
    Driver::
    McComponentHostService
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it into your next reply.
    ====================
    If the file you sent off comes back clean you'll be finished. So final word comes after that.
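When the next ComboFix.txt comes back, the check is whether the entries named in the CFScript (the McAfee service, the Ask toolbar entries) are gone and nothing new has appeared in their place. As an added example, not ComboFix's own code and not posted anywhere in this thread, the Python script below parses the "Reg Loading Points" section of two ComboFix logs and reports the Run entries and services that were added, removed or changed; the two sample logs are short excerpts constructed in the format of the logs above.

```python
import re

# Added example (not ComboFix's code, not from the thread): diff the "Reg Loading
# Points" section of two ComboFix logs to see which Run entries and services a
# CFScript run added, removed or changed. Sample logs are constructed excerpts.

BANNER_RE = re.compile(r"^\(\(\(+.*\)\)\)+$")  # (((((( Section name ))))))
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")  # [HKEY_LOCAL_MACHINE\...\Run]
# "Name"="path" [date size]; values without a [date size] tag are not tracked
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*"(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
# R3 Name;Display name;path [date size]; ComboFix prints [x] when it has no date/size
SVC_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
                    r"(?P<path>[^\[]*?)\s*\[(?P<meta>[^\]]*)\]$")


def parse_loading_points(log: str) -> dict:
    """Return {("run", reg_key, name): (path, meta), ("service", name): (state, path, meta)}
    for the Reg Loading Points section only; every other section is skipped."""
    entries, in_section, key = {}, False, None
    for raw in log.splitlines():
        line = raw.strip()  # a forum paste indents every line
        if BANNER_RE.match(line):
            in_section = "Reg Loading Points" in line
            continue
        if not in_section:
            continue
        if line.startswith("Contents of the 'Scheduled Tasks' folder"):
            break  # the section ends here
        if m := KEY_RE.match(line):
            key = m.group("key")
        elif (m := RUN_RE.match(line)) and key is not None:
            entries[("run", key, m.group("name"))] = (m.group("path"), m.group("meta"))
        elif m := SVC_RE.match(line):
            entries[("service", m.group("name"))] = (m.group("state"), m.group("path"), m.group("meta"))
    return entries


def diff_loading_points(before: str, after: str) -> dict:
    """Entries that appeared, disappeared or changed path/date/size between two logs."""
    old, new = parse_loading_points(before), parse_loading_points(after)
    return {
        "added": sorted(k for k in new if k not in old),
        "removed": sorted(k for k in old if k not in new),
        "changed": sorted((k, old[k], new[k]) for k in old if k in new and old[k] != new[k]),
    }


# Constructed excerpt in the shape of the 03/20 log above (before the CFScript).
BEFORE_LOG = r"""
(((((((((((( Find3M Report ))))))))))))
2011-03-19 03:43 . 2010-02-16 20:19 88 --sh--r- c:\programdata\813C01CEED.sys
(((((((((((( Reg Loading Points ))))))))))))
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [x]
S1 aswSnx;aswSnx; [x]
.
Contents of the 'Scheduled Tasks' folder
2010-04-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore(1882).job
"""

# Constructed excerpt in the shape of the follow-up log (after the CFScript).
AFTER_LOG = r"""
(((((((((((( Reg Loading Points ))))))))))))
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
.
S1 aswSnx;aswSnx; [x]
.
Contents of the 'Scheduled Tasks' folder
"""

if __name__ == "__main__":
    result = diff_loading_points(BEFORE_LOG, AFTER_LOG)
    for k in result["removed"]:
        print("removed:", k)
    for k in result["added"]:
        print("added:", k)
    for k, old, new in result["changed"]:
        print("changed:", k[-1], old, "->", new)
```

Run the file directly to print the diff for the embedded samples; pass the contents of two saved ComboFix.txt files to diff_loading_points to compare real runs.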
     
  9. DCMedia

    DCMedia TS Rookie Topic Starter

    Alright cool.
    Updated everything and deleted old versions, except for SP2. It kept saying it was unable to install the updates; gonna mess with it more tonight.

    Here are the logs though.




    VirSCAN.org Scanned Report :
    Scanned time : 2011/03/22 12:59:41 (EDT)
    Scanner results: Scanners did not find malware!
    File Name : 813C01CEED.sys
    File Size : 88 byte
    File Type : X11 SNF font data, LSB first
    MD5 : cd64ab16a650d7c7e7708f5e11074806
    SHA1 : 96f3f7844e8ec94d49717a74b502086680e726c5
    Online report : http://virscan.org/report/ba355159e0a6e0a7f6a5f3dfd0197dfc.html

    Scanner Engine Ver Sig Ver Sig Date Time Scan result
    a-squared 5.1.0.2 20110322060919 2011-03-22 0.09 -
    AhnLab V3 2011.03.23.00 2011.03.23 2011-03-23 0.08 -
    AntiVir 8.2.4.188 7.11.5.27 2011-03-22 0.28 -
    Antiy 2.0.18 20110205.7694535 2011-02-05 0.12 -
    Arcavir 2010 201103222345 2011-03-22 0.03 -
    Authentium 5.1.1 201103220040 2011-03-22 2.55 -
    AVAST! 4.7.4 110322-0 2011-03-22 0.00 -
    AVG 8.5.850 271.1.1/3516 2011-03-19 0.24 -
    BitDefender 7.90123.6945317 7.36725 2011-03-23 6.38 -
    ClamAV 0.96.5 12875 2011-03-22 0.02 -
    Comodo 4.0 8064 2011-03-22 0.08 -
    CP Secure 1.3.0.5 2011.03.22 2011-03-22 0.01 -
    Dr.Web 5.0.2.3300 2011.03.22 2011-03-22 11.03 -
    F-Prot 4.4.4.56 20110322 2011-03-22 1.43 -
    F-Secure 7.02.73807 2011.03.22.01 2011-03-22 12.22 -
    Fortinet 4.2.254 13.25 2011-03-21 0.08 -
    GData 21.2102/21.763 20110322 2011-03-22 0.09 -
    ViRobot 20110322 2011.03.22 2011-03-22 0.08 -
    Ikarus T3.1.32.20.0 2011.03.22.77993 2011-03-22 4.75 -
    JiangMin 13.0.900 2011.03.22 2011-03-22 0.08 -
    Kaspersky 5.5.10 2011.03.22 2011-03-22 0.03 -
    KingSoft 2009.2.5.15 2011.3.22.18 2011-03-22 0.08 -
    McAfee 5400.1158 6292 2011-03-21 8.02 -
    Microsoft 1.6603 2011.03.22 2011-03-22 0.08 -
    NOD32 3.0.21 5972 2011-03-21 0.01 -
    Norman 6.07.03 6.07.00 2011-03-20 16.02 -
    Panda 9.05.01 2011.03.21 2011-03-21 0.08 -
    Trend Micro 9.200-1012 7.918.09 2011-03-22 0.02 -
    Quick Heal 11.00 2011.03.22 2011-03-22 0.08 -
    Rising 20.0 23.50.01.06 2011-03-22 0.08 -
    Sophos 3.16.1 4.62 2011-03-22 3.08 -
    Sunbelt 3.9.2483.2 8780 2011-03-22 0.08 -
    Symantec 1.3.0.24 20110321.002 2011-03-21 0.29 -
    nProtect 20110322.01 3270065 2011-03-22 0.09 -
    The Hacker 6.7.0.1 v00154 2011-03-21 0.08 -
    VBA32 3.12.14.3 20110321.1214 2011-03-21 3.60 -
    VirusBuster 5.2.0.28 13.6.263.0/4823494 2011-03-22 0.00 -




    ------------------------------------------------------------------------


    ComboFix 11-03-16.06 - User 03/22/2011 17:01:39.4.2 - x86
    Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.1013.398 [GMT -4:00]
    Running from: c:\users\User\Downloads\ComboFix.exe
    Command switches used :: c:\users\User\Downloads\CFScript.txt
    .
    FILE ::
    "c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Service_McComponentHostService
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-22 to 2011-03-22 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-22 21:11 . 2011-03-22 21:11 -------- d-----w- c:\users\User\AppData\Local\temp
    2011-03-22 21:11 . 2011-03-22 21:11 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-03-22 18:35 . 2011-03-22 18:35 -------- d-----w- c:\program files\Common Files\Java
    2011-03-20 04:56 . 2011-03-22 20:08 5016 ----a-w- c:\windows\system32\PerfStringBackup.TMP
    2011-03-20 04:33 . 2011-03-20 04:33 -------- d-----w- C:\_OTM
    2011-03-16 19:30 . 2011-03-16 19:30 -------- d-----w- c:\program files\ESET
    2011-03-15 02:08 . 2011-02-23 13:56 371544 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-03-19 03:43 . 2010-02-16 20:19 2516 --sha-w- c:\programdata\KGyGaAvL.sys
    2011-03-19 03:43 . 2010-02-16 20:19 88 --sh--r- c:\programdata\813C01CEED.sys
    2011-02-23 14:04 . 2010-09-02 16:29 40648 ----a-w- c:\windows\avastSS.scr
    2011-02-23 14:04 . 2010-09-02 16:29 190016 ----a-w- c:\windows\system32\aswBoot.exe
    2011-02-23 13:56 . 2010-09-02 16:30 301528 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-02-23 13:55 . 2010-09-02 16:30 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-02-23 13:55 . 2010-09-02 16:30 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-02-23 13:55 . 2010-09-02 16:30 53592 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2011-02-23 13:54 . 2010-09-02 16:30 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-02-03 01:40 . 2010-08-18 16:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-01-05 04:40 . 2011-01-05 04:51 36864 ----a-w- C:\nphssb.dll
    2011-01-05 04:39 . 2011-01-05 04:51 184320 ----a-w- c:\windows\system32\OESICore.dll
    2011-01-05 04:39 . 2011-01-05 04:51 45056 ----a-w- c:\windows\system32\HSSICore.dll
    2011-01-05 04:39 . 2011-01-05 04:51 40960 ----a-w- c:\windows\system32\HS_live.ocx
    2011-01-05 04:38 . 2011-01-05 04:39 98136 ----a-w- c:\windows\gzip.exe
    2009-05-13 21:55 . 2009-05-13 21:55 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
    2009-05-13 21:55 . 2009-05-13 21:55 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-02-23 14:04 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Corel Photo Downloader"="c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2009-12-30 523408]
    "AIM"="c:\program files\AIM\aim.exe" [2004-06-07 61440]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1830128]
    "WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 2159104]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-05-29 1232896]
    "Google Update"="c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-03-23 136176]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
    "Standby"="c:\program files\Common Files\Corel\Standby\Standby.exe" [2010-01-07 105632]
    "WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2006-12-12 81920]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-12-12 106496]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-12-12 98304]
    "AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
    "SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
    "AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
    "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2011-02-23 3451496]
    "Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    R2 gupdate1ca08a1186aedbc;Google Update Service (gupdate1ca08a1186aedbc);c:\program files\Google\Update\GoogleUpdate.exe [2009-07-19 133104]
    R3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe [2006-11-02 22016]
    R3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
    S1 aswSnx;aswSnx; [x]
    S1 aswSP;aswSP; [x]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
    S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2006-11-02 22016]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-02-23 53592]
    S3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2010-02-11 114952]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
    S3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2006-11-02 987648]
    S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS [2006-11-02 251904]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    getPlusHelper REG_MULTI_SZ getPlusHelper
    Akamai REG_MULTI_SZ Akamai
    nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2010-04-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore(1882).job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-07-19 18:44]
    .
    2010-04-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA(1883).job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-07-19 18:44]
    .
    2011-03-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-717310467-2134114534-2975817673-1000Core.job
    - c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-18 03:00]
    .
    2011-03-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-717310467-2134114534-2975817673-1000UA.job
    - c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-18 03:00]
    .
    .
    ------- Supplementary Scan -------
    .
    FF - ProfilePath - c:\users\User\AppData\Roaming\Mozilla\Firefox\Profiles\zw72x8co.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
    FF - prefs.js: browser.search.selectedEngine - Yahoo
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com
    FF - Ext: KeyScrambler: keyscrambler@qfx.software.corporation - %profile%\extensions\keyscrambler@qfx.software.corporation
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Autofill Forms: autofillForms@blueimp.net - %profile%\extensions\autofillForms@blueimp.net
    FF - Ext: SkipScreen: SkipScreen@SkipScreen - %profile%\extensions\SkipScreen@SkipScreen
    FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
    FF - Ext: SEO For Firefox: seo4firefox@seobook.com - %profile%\extensions\seo4firefox@seobook.com
    FF - Ext: ChaCha Guide App Toolbar: chachaguidebar@chacha.com - %profile%\extensions\chachaguidebar@chacha.com
    FF - Ext: Ant Video Downloader: anttoolbar@ant.com - %profile%\extensions\anttoolbar@ant.com
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - user.js: yahoo.homepage.dontask - true
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-22 17:11
    Windows 6.0.6000 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    .
    C:\## aswSnx private storage
    .
    scan completed successfully
    hidden files: 1
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2011-03-22 17:14:31
    ComboFix-quarantined-files.txt 2011-03-22 21:14
    ComboFix2.txt 2011-03-20 05:21
    ComboFix3.txt 2011-03-17 22:56
    .
    Pre-Run: 92,475,088,896 bytes free
    Post-Run: 92,453,396,480 bytes free
    .
    Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
    - - End Of File - - DFE82BBC94D0D11F8B863585C171AD83
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Looking good! Any sign of the previous problem? If not:

    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
      • Choose Disc Cleanup
      • Click "OK" to select the partition or drive you want.
      • Click the "More Options" Tab.
      • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

    Empty the Recycle Bin
    ==================================
    Make sure you do the updates. You need to open Firefox extensions and remove these outdated versions:
    Java v6u13
    Java v6u21
    Java v6u24>>>> Although this is the current version, you do not need to add an extension to update Java in Firefox. This can actually cause a problem with Firefox running. The update you get for the system .

    Remember- any outdated Java or Adobe Reader are security vulnerabilities.
    ==========================================
    Tips for added security and safer browsing:


    1. Antispyware: I recommend all of the following:
      • Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
      • Download ZonedOut and save to your desktop. This manages the Zones in Internet Explorer. It adds over 4000 websites and domains to the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
      • Replace the Host Files
        MVPS Hosts files This replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
      • Google Toolbar Get the free google toolbar to help stop pop up windows.
      • The Site Advisor Web of Trust (WOT) add-on is a . Traffic-light rating symbols show which rate the site for Trustworthiness, Vendor Reliability, Privacy, Child Safety.
      Your online email account – Google Mail, Yahoo! Mail and Hotmail is also protected.
    2. Reset Cookies to prevent Tracking Cookies:
      • For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
      • For Firefox: Tools> Options> Privacy> Cookies> check ‘accept Cookies from Sites’> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
      I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
      AdBlock Plus
      Easy List
    3. Do regular Maintenance
      Remove Temporary Internet Files regularly:
      • ATF Cleaner by Atribune
      OR
      • TFC
      Disable and Enable System Restore:
      • See System Restore Guide This will help you understand what this is, why you need to clean and set restore points and what information is in them.
    4. Practice Safe Email Handling
      • Don't open email from anyone you don't know.
      • Don't open Attachments in the email. Save to your desktop and scan for viruses using a right click
      • Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
    Let me know if you have any more questions.
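The advice above (check the Run-key autostarts and services in the ComboFix listing, and remove the outdated Java Console extensions that Firefox still carries) can be applied mechanically to a log in this format. The following Python helper is an added example written for this thread; it is not part of ComboFix, not the helper's tooling, and not the poster's log. It works on a constructed sample in the same layout as the listing quoted above, parses the `"Name"="path" [date size]` Run entries, the `S1 name;display;path [info]` service lines (`[x]` marks an entry whose file ComboFix could not find; svchost-hosted entries are flagged so the reader checks the svchost group that names them) and the `FF - Ext:` lines, and reports every Java Console extension older than the newest one present. It assumes, as the thread does, that the update field of a `{CAFEEFAC-0016-0000-00XX-ABCDEFFEDCBA}` id is the decimal Java 6 update number.

```python
"""Triage the autostart, service and Firefox-extension lines of a ComboFix-style
listing and flag what a helper would look at first.  Added example for this
thread; not ComboFix code and not the poster's real log."""
import re

# Constructed sample in the same layout as the listing above (a handful of
# representative lines only, not the poster's actual output).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2011-02-23 3451496]
.
S1 aswSnx;aswSnx; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-02-23 53592]
R3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe [2006-11-02 22016]
.
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
"""

# "Name"="path" [YYYY-MM-DD size]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)" \[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$')
# S1 name;display name;path [date size]   or   S1 name;display name; [x]
SVC_RE = re.compile(r'^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>[^\[]*?)\s*\[(?P<info>[^\]]*)\]$')
# FF - Ext: Name: id - path
EXT_RE = re.compile(r'^FF - Ext: (?P<name>.+?): (?P<ext_id>\S+) - (?P<path>.+)$')
# Java Console ids: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} = Java 6 Update 24
# (update digits read as decimal, the same reading the thread uses; assumption).
JAVA_RE = re.compile(r'^\{CAFEEFAC-00(?P<major>\d\d)-0000-(?P<update>\d{4})-ABCDEFFEDCBA\}$', re.I)


def _lines(text):
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def parse_autoruns(text):
    """Run-key entries as dicts with name, path, date and integer size."""
    out = []
    for ln in _lines(text):
        m = RUN_RE.match(ln)
        if m:
            d = m.groupdict()
            d["size"] = int(d["size"])
            out.append(d)
    return out


def parse_services(text):
    """Service/driver lines.  missing_file: ComboFix printed [x] (no file found).
    svchost_hosted: the real code lives in a DLL named by the svchost group."""
    out = []
    for ln in _lines(text):
        m = SVC_RE.match(ln)
        if m:
            d = m.groupdict()
            d["missing_file"] = d["info"] == "x"
            d["svchost_hosted"] = d["path"].lower().endswith("svchost.exe")
            out.append(d)
    return out


def parse_firefox_exts(text):
    """FF - Ext: lines as dicts with name, ext_id and path."""
    out = []
    for ln in _lines(text):
        m = EXT_RE.match(ln)
        if m:
            out.append(m.groupdict())
    return out


def java_version(ext_id):
    """(major, update) for a Java Console id, e.g. (6, 24); None otherwise."""
    m = JAVA_RE.match(ext_id)
    if not m:
        return None
    return int(m.group("major")[1]), int(m.group("update"))


def outdated_java_consoles(exts):
    """Ids of every Java Console extension except the newest one present."""
    versions = [(java_version(e["ext_id"]), e["ext_id"]) for e in exts
                if e["name"] == "Java Console" and java_version(e["ext_id"])]
    if not versions:
        return []
    newest = max(v for v, _ in versions)
    return [eid for v, eid in versions if v < newest]


def triage(text):
    """Summary a helper would read first: autoruns, dubious services, stale Java."""
    svcs = parse_services(text)
    return {
        "autoruns": [a["name"] for a in parse_autoruns(text)],
        "services_without_file": [s["name"] for s in svcs if s["missing_file"]],
        "svchost_hosted": [s["name"] for s in svcs if s["svchost_hosted"]],
        "outdated_java_consoles": outdated_java_consoles(parse_firefox_exts(text)),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a saved ComboFix log by reading the file into `triage()` instead of `SAMPLE_LOG`. The `[x]` entries it lists are not automatically malicious (the avast drivers in the log above show that way because ComboFix cannot read avast's protected files), and svchost-hosted services are only as trustworthy as the DLL the matching svchost group points at; the output is a checklist, not a verdict.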
     
  11. DCMedia

    DCMedia TS Rookie Topic Starter

    No signs of problems, everything seems to be running faster now too. Thanks bro, preciate it. :cool:
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're welcome! Stay safe!
     
Topic Status:
Not open for further replies.
