Solved: A familiar virus is drastically slowing down my computer


bnttwnbnt

Hello,

I have been checking out this site and am impressed by the assistance and expertise offered by the many people on this forum on their own time.

I am having a problem with my computer and I believe it's a problem that other people have had (and that has been solved) on this forum.

My computer is running painfully slow. I experience:

1) random clicking noises (like the kind IE has when switching from one website to another).
2) Unwanted visual pop-up advertisements whereby the browser used is IE (my default browser is Firefox)
3) Unwanted audible advertisements
4) overall slow performance.

Per the topic https://www.techspot.com/community/topics/updated-4-step-viruses-spyware-malware-removal-preliminary-instructions.58138/, I am providing all the information so that I can be assisted. I appreciate anyone's expertise on how I can get my computer back on track.

A note before I start posting my log files:
1) I ran GMER in safe mode because I kept getting the BSOD during the scan (I did not try unchecking the "devices" square in normal mode, however). Hoping the input from the GMER.log I provided is sufficient.
2) I attached "attach.txt" instead of cut and pasting it per DSS' instructions. Hoping this is acceptable.
=================================================================
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4793

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/11/2010 11:49:12 AM
mbam-log-2010-10-11 (11-49-12).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 296504
Time elapsed: 3 hour(s), 54 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 2
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 23

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\wfedo2.dll (Trojan.Hiloti) -> Delete on reboot.
c:\WINDOWS\system32\6to4v32.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{fe4c2c37-edc8-4c00-b864-3c38cf3ba834} (Adware.Adshot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smise (Trojan.Hiloti) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{45e901a6-2fc6-b049-8035-5a0ec242ac0e} (Trojan.ZbotR.Gen) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\wfedo2.dll (Trojan.Hiloti) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\Update\seupd.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin Bento\Application Data\hotfix.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin Bento\Local Settings\Temp\lgnwct.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin Bento\Local Settings\Temp\ppwkvch.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin Bento\Local Settings\Temp\tcpqpoo.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin Bento\Local Settings\Temp\xmuqper.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin Bento\Local Settings\Temporary Internet Files\Content.IE5\HPD7WAD5\lpkez[1].htm (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin Bento\Local Settings\Temporary Internet Files\Content.IE5\I5WSYUA1\qdlsn[1].htm (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin Bento\Local Settings\Temporary Internet Files\Content.IE5\JJEZ3R5C\lpkezhfmu[1].htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin Bento\Local Settings\Temporary Internet Files\Content.IE5\JJEZ3R5C\lpkezhfmu[2].htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin Bento\Local Settings\Temporary Internet Files\Content.IE5\L10DK9U7\lpkezhfmu[1].htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin Bento\Local Settings\Temporary Internet Files\Content.IE5\LPRDZLO4\lpkez[1].htm (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin Bento\Local Settings\Temporary Internet Files\Content.IE5\UNLK14FW\qdlsn[1].htm (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0001110.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0001111.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\AD.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\AF.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\B1.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\6to4v32.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Documents\Server\admin.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin Bento\Application Data\Meulmo\luxu.exe (Trojan.ZbotR.Gen) -> Quarantined and deleted successfully.
=================================================================
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-10-11 18:44:19
Windows 5.1.2600 Service Pack 3
Running: ip7qbh0k.exe; Driver: C:\DOCUME~1\KEVINB~1\LOCALS~1\Temp\kxloapog.sys


---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[1068] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 00B485CB

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \FileSystem\Fastfat \Fat F7936D20
=================================================================

DDS (Ver_10-10-10.03) - NTFSx86
Run by Kevin Bento at 22:40:29.94 on Mon 10/11/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.97 [GMT -4:00]

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe 4
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
svchost.exe 4
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
D:\Adobe Photoshop Elements 8\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
D:\Acrobat 9.0\Acrobat\Acrotray.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
D:\SuperAntiSpyWare\SUPERAntiSpyware.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Common Files\Corel\Standby\Standby.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Kevin Bento\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6061004
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\smart web printing\hpswp_printenhancer.dll
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: CitiUSBrowserHelper Class: {387edf53-1cf2-4523-bc2f-13462651be8c} - c:\windows\system32\BhoCitUS.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
uRun: [SUPERAntiSpyware] d:\superantispyware\SUPERAntiSpyware.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [StxTrayMenu] "c:\program files\seagate\systemtray\StxMenuMgr.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Acrobat Speed Launcher] "d:\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [<NO NAME>]
mRun: [Acrobat Assistant 8.0] "d:\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [Standby] "c:\program files\common files\corel\standby\Standby.exe" -START
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [svchost] c:\program files\internet explorer\svchost.exe
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10e.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {4C730913-3961-439b-83D5-F4E445520422} - c:\program files\citi virtual account numbers\CitiVAN.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - d:\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: acaptuser32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - d:\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kevinb~1\applic~1\mozilla\firefox\profiles\n40440e1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2611275&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/a/
FF - prefs.js: keyword.URL - hxxp://search.start-search.net/?sid=10101065100&s=
FF - plugin: c:\documents and settings\kevin bento\application data\mozilla\firefox\profiles\n40440e1.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: d:\acrobat 9.0\acrobat\browser\nppdf32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.start-search.net/?sid=10101065100&s=
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2008-12-25 165584]
R1 SASDIFSV;SASDIFSV;d:\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;d:\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-7-18 532224]
R2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;d:\adobe photoshop elements 8\elements organizer 8.0\PhotoshopElementsFileAgent.exe [2009-10-9 169312]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-12-25 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-5 40384]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-11-13 92008]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-6-16 24652]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-5 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-5 40384]

=============== Created Last 30 ================

2010-10-11 18:12:41 -------- d-----w- C:\Microsoft
2010-10-11 08:45:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-11 08:45:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-11 07:41:22 -------- d-----w- c:\docume~1\kevinb~1\applic~1\SUPERAntiSpyware.com
2010-10-11 07:41:22 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-10-11 02:13:10 2256 ----a-w- c:\docume~1\kevinb~1\applic~1\sdfsfs.bat
2010-10-11 02:13:00 147 ----a-w- c:\docume~1\kevinb~1\applic~1\dsfsds.bat
2010-10-11 02:12:32 -------- d-----w- c:\docume~1\alluse~1\applic~1\Update

==================== Find3M ====================

2010-09-07 15:12:17 38848 ----a-w- c:\windows\avastSS.scr
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll

============= FINISH: 22:46:24.48 ===============
=================================================================

Attachments

  • Attach.txt (19.8 KB)
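The Malwarebytes log above is easier to triage when the "Delete on reboot" items (files that were still loaded or locked at scan time, so not yet removed) are separated from items already quarantined, and when the per-section totals at the top are cross-checked against the lines actually listed. The following is an added example, not code from the thread or from Malwarebytes; it parses the 1.x text log format shown in the post, groups detections by the family name MBAM prints in parentheses, and flags any section whose claimed count disagrees with its listed entries. The sample log embedded in it is a constructed, trimmed copy of the one posted above.

```python
"""Triage helper for Malwarebytes' Anti-Malware 1.x text logs (added example)."""
import re
from collections import Counter

# Constructed sample: a trimmed copy of the log format posted in this thread.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Memory Modules Infected: 2
Registry Keys Infected: 0
Files Infected: 3

Memory Modules Infected:
C:\WINDOWS\wfedo2.dll (Trojan.Hiloti) -> Delete on reboot.
c:\WINDOWS\system32\6to4v32.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\wfedo2.dll (Trojan.Hiloti) -> Delete on reboot.
C:\WINDOWS\Temp\B1.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin Bento\Application Data\Meulmo\luxu.exe (Trojan.ZbotR.Gen) -> Quarantined and deleted successfully.
"""

# "Files Infected: 23" style summary lines near the top of the log.
SUMMARY_RE = re.compile(r"^(?P<section>.+?) Infected:\s*(?P<count>\d+)\s*$")
# "Files Infected:" section headers (no count) that precede the detail lines.
HEADER_RE = re.compile(r"^(?P<section>.+?) Infected:\s*$")
# "<path> (<family>) -> <action>." detail lines; the path is matched greedily
# so the last parenthesised token is taken as the family name.
DETECTION_RE = re.compile(r"^(?P<path>.+) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?\s*$")


def parse_mbam_log(text):
    """Return {'summary': {section: claimed_count}, 'detections': [dict, ...]}."""
    summary = {}
    detections = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m["section"]] = int(m["count"])
            continue
        m = HEADER_RE.match(line)
        if m:
            section = m["section"]
            continue
        m = DETECTION_RE.match(line)
        if m and section is not None:
            detections.append({
                "section": section,
                "path": m["path"],
                "family": m["family"],
                "action": m["action"],
            })
    return {"summary": summary, "detections": detections}


def family_counts(parsed):
    """How many detections each malware family accounts for."""
    return Counter(d["family"] for d in parsed["detections"])


def pending_reboot(parsed):
    """(section, path) pairs MBAM could not remove immediately; verify after reboot."""
    return [(d["section"], d["path"]) for d in parsed["detections"]
            if d["action"].lower().startswith("delete on reboot")]


def summary_mismatches(parsed):
    """Sections whose claimed count differs from the entries actually listed."""
    actual = Counter(d["section"] for d in parsed["detections"])
    return {section: (claimed, actual.get(section, 0))
            for section, claimed in parsed["summary"].items()
            if claimed != actual.get(section, 0)}


if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_LOG)
    print("Detections by family:", dict(family_counts(parsed)))
    print("Still pending at reboot:", pending_reboot(parsed))
    print("Summary mismatches:", summary_mismatches(parsed))
```

Anything returned by `pending_reboot` is worth re-scanning for after the restart, since a pending deletion of a loaded DLL can fail silently if a rootkit component restores it first; a non-empty `summary_mismatches` result usually means the log was truncated or edited when it was pasted.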
Welcome aboard


Download MBRCheck to your desktop

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
Enter N to exit.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.

=====================================================================================

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure you re-enable your security programs when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
MBRCheckxxxx.txt

Hi Broni,

Thanks for your quick response!

Below is the MBRCheck log you requested. Due to character limitations, I will submit the Combofix log in another post on this same thread. Looking forward to your further recommendation and expertise!

===================================================================
MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 151):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xF8A26000 \WINDOWS\system32\KDCOM.DLL
0xF8936000 \WINDOWS\system32\BOOTVID.dll
0xF83F7000 ACPI.sys
0xF8A28000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF83E6000 pci.sys
0xF8526000 isapnp.sys
0xF893A000 compbatt.sys
0xF893E000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF8AEE000 pciide.sys
0xF87A6000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF8536000 MountMgr.sys
0xF83C7000 ftdisk.sys
0xF83A1000 dmio.sys
0xF87AE000 PartMgr.sys
0xF8546000 VolSnap.sys
0xF8389000 atapi.sys
0xF8556000 disk.sys
0xF8566000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF8369000 fltmgr.sys
0xF8357000 sr.sys
0xF8341000 drvmcdb.sys
0xF8576000 PxHelp20.sys
0xF832A000 KSecDD.sys
0xF829D000 Ntfs.sys
0xF8270000 NDIS.sys
0xF8586000 sbp2port.sys
0xF8596000 ohci1394.sys
0xF85A6000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF8256000 Mup.sys
0xF8616000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF822E000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xF6D51000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xF6D3D000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF6D15000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF6CAD000 \SystemRoot\system32\DRIVERS\bcmwl5.sys
0xF8896000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF6C89000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF889E000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF8626000 \SystemRoot\system32\DRIVERS\bcm4sbxp.sys
0xF6C75000 \SystemRoot\system32\DRIVERS\sdbus.sys
0xF88A6000 \SystemRoot\system32\DRIVERS\rimmptsk.sys
0xF8636000 \SystemRoot\system32\DRIVERS\rimsptsk.sys
0xF6C29000 \SystemRoot\system32\DRIVERS\rixdptsk.sys
0xF8646000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF6BFA000 \SystemRoot\system32\DRIVERS\SynTP.sys
0xF8A70000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF88AE000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF88B6000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF8656000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF8A72000 \SystemRoot\system32\drivers\sscdbhk5.sys
0xF8666000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF8676000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF6BD7000 \SystemRoot\system32\DRIVERS\ks.sys
0xF821E000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xF8C49000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF86F6000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF8216000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF6BC0000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF8686000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF8696000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF88BE000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF6BAF000 \SystemRoot\system32\DRIVERS\psched.sys
0xF86A6000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF88C6000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF88CE000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF6B7F000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF86B6000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF8A74000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF6B21000 \SystemRoot\system32\DRIVERS\update.sys
0xF6F01000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF88D6000 \SystemRoot\system32\DRIVERS\omci.sys
0xF86C6000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF299F000 \SystemRoot\system32\drivers\sthda.sys
0xF297B000 \SystemRoot\system32\drivers\portcls.sys
0xF8706000 \SystemRoot\system32\drivers\drmk.sys
0xF2949000 \SystemRoot\system32\DRIVERS\HSFHWAZL.sys
0xF284C000 \SystemRoot\system32\DRIVERS\HSF_DPV.sys
0xF279C000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xF88DE000 \SystemRoot\System32\Drivers\Modem.SYS
0xF8716000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF8A06000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xF8A82000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF8BAB000 \SystemRoot\System32\Drivers\Null.SYS
0xF8A84000 \SystemRoot\System32\Drivers\Beep.SYS
0xF88EE000 \SystemRoot\system32\drivers\ssrtln.sys
0xF88F6000 \SystemRoot\System32\drivers\vga.sys
0xF8A86000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF8A88000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF88FE000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF8906000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF8A0A000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xF1B29000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xF1AD0000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xF8726000 \SystemRoot\System32\Drivers\aswTdi.SYS
0xF1AAA000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF1A82000 \SystemRoot\system32\DRIVERS\netbt.sys
0xF1A01000 \SystemRoot\System32\vsdatant.sys
0xF19DF000 \SystemRoot\System32\drivers\afd.sys
0xF8736000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF8756000 \SystemRoot\System32\Drivers\SCDEmu.SYS
0xF1652000 \??\D:\SuperAntiSpyWare\SASKUTIL.SYS
0xF1B64000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF75C3000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF87DE000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF75B3000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF87E6000 \??\D:\SuperAntiSpyWare\SASDIFSV.SYS
0xF1627000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xF15B7000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF75A3000 \SystemRoot\System32\Drivers\Fips.SYS
0xF1590000 \SystemRoot\System32\Drivers\aswSP.SYS
0xF19DB000 \SystemRoot\System32\Drivers\ASPI32.SYS
0xF19D7000 \SystemRoot\SYSTEM32\DRIVERS\APPDRV.SYS
0xF19C7000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xF8806000 \SystemRoot\System32\Drivers\Aavmker4.SYS
0xF7563000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF1690000 \SystemRoot\System32\drivers\Dxapi.sys
0xF8826000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF8B8F000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF055000 \SystemRoot\System32\ati2cqag.dll
0xBF09A000 \SystemRoot\System32\atikvmag.dll
0xBF0DC000 \SystemRoot\System32\ati3duag.dll
0xBF37D000 \SystemRoot\System32\ativvaxx.dll
0xF1544000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
0xF7593000 \SystemRoot\system32\drivers\drvnddm.sys
0xF8C79000 \SystemRoot\system32\dla\tfsndres.sys
0xB822B000 \SystemRoot\system32\dla\tfsnifs.sys
0xB82A9000 \SystemRoot\system32\dla\tfsnopio.sys
0xF8A44000 \SystemRoot\system32\dla\tfsnpool.sys
0xF0F66000 \SystemRoot\system32\dla\tfsnboio.sys
0xF8776000 \SystemRoot\system32\dla\tfsncofs.sys
0xF8B22000 \SystemRoot\system32\dla\tfsndrct.sys
0xB8212000 \SystemRoot\system32\dla\tfsnudf.sys
0xB81F9000 \SystemRoot\system32\dla\tfsnudfa.sys
0xB8251000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xB7DFA000 \SystemRoot\System32\Drivers\aswMon2.SYS
0xB7C55000 \SystemRoot\system32\drivers\wdmaud.sys
0xB8011000 \SystemRoot\system32\drivers\sysaudio.sys
0xB7B12000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xB7A81000 \SystemRoot\System32\Drivers\HTTP.sys
0xB7912000 \SystemRoot\system32\DRIVERS\srv.sys
0xB7CA2000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xB78A2000 \SystemRoot\system32\DRIVERS\secdrv.sys
0xF87F6000 \SystemRoot\System32\Drivers\aswRdr.SYS
0xB625A000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 55):
0 System Idle Process
4 System
900 C:\WINDOWS\system32\smss.exe
948 csrss.exe
976 C:\WINDOWS\system32\winlogon.exe
1040 C:\WINDOWS\system32\services.exe
1052 C:\WINDOWS\system32\lsass.exe
1196 C:\WINDOWS\system32\svchost.exe
1272 C:\WINDOWS\system32\ati2evxx.exe
1308 C:\WINDOWS\system32\svchost.exe
1424 svchost.exe
1444 C:\WINDOWS\system32\svchost.exe
1596 C:\WINDOWS\system32\svchost.exe
1724 svchost.exe
1864 svchost.exe
1964 C:\WINDOWS\system32\ZoneLabs\vsmon.exe
724 C:\WINDOWS\system32\ati2evxx.exe
816 C:\WINDOWS\explorer.exe
620 C:\WINDOWS\system32\WLTRYSVC.EXE
636 C:\WINDOWS\system32\BCMWLTRY.EXE
684 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
580 C:\WINDOWS\system32\spoolsv.exe
1540 svchost.exe
1340 D:\Adobe Photoshop Elements 8\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe
1664 C:\Program Files\Bonjour\mDNSResponder.exe
1944 C:\WINDOWS\system32\svchost.exe
2232 C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
3076 C:\Program Files\Java\jre6\bin\jqs.exe
3208 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
3344 C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
3508 C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
3700 svchost.exe
3748 C:\WINDOWS\system32\svchost.exe
3836 C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
3872 C:\Program Files\Viewpoint\Common\ViewpointService.exe
4000 mcrdsvc.exe
772 wmiprvse.exe
2160 alg.exe
2908 C:\WINDOWS\ehome\ehtray.exe
2924 C:\WINDOWS\stsystra.exe
2928 C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
2988 C:\WINDOWS\system32\dla\tfswctrl.exe
3008 C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
2488 C:\Program Files\Java\jre6\bin\jusched.exe
3304 D:\Acrobat 9.0\Acrobat\acrotray.exe
3784 C:\PROGRA~1\ALWILS~1\Avast5\AvastUI.exe
3800 C:\Program Files\Common Files\Corel\Standby\Standby.exe
1516 C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
2800 C:\WINDOWS\system32\ctfmon.exe
304 C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
3316 D:\SuperAntiSpyWare\SUPERAntiSpyware.exe
3972 C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
2900 C:\WINDOWS\system32\wbem\wmiapsrv.exe
652 C:\Program Files\Mozilla Firefox\firefox.exe
1488 C:\Documents and Settings\Kevin Bento\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`02f10c00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000013`cdd44a00 (NTFS)

PhysicalDrive0 Model Number: SAMSUNGHM120JI, Rev: YF100-15

Size Device Name MBR Status
--------------------------------------------
110 GB \\.\PhysicalDrive0 Known-bad MBR code detected (Whistler / Black Internet)!
SHA1: C80AFA2E51BB6A5C1C73F2412E41E574CB37CACE


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

=================================================================
 
ComboFix.txt

Hi again Broni. Below are the cut-and-pasted results from ComboFix.txt.

Thanks again for your help. Looking forward to the next steps!

=================================================================
ComboFix 10-10-11.02 - Kevin Bento 10/12/2010 1:13.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.214 [GMT -4:00]
Running from: c:\documents and settings\Kevin Bento\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Microsoft
c:\program files\Internet Explorer\svchost.exe
c:\program files\Mozilla Firefox\searchplugins\google_search.xml
c:\windows\desktop
c:\windows\system32\AutoRun.inf
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

Infected copy of c:\windows\system32\drivers\intelppm.sys was found and disinfected
Restored copy from - Kitty had a snack :p
Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe

.
\\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
.
\\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2010-09-12 to 2010-10-12 )))))))))))))))))))))))))))))))
.

2010-10-11 21:40 . 2010-10-11 21:40 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-10-11 08:45 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-11 08:45 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-11 07:41 . 2010-10-11 07:41 -------- d-----w- c:\documents and settings\Kevin Bento\Application Data\SUPERAntiSpyware.com
2010-10-11 07:41 . 2010-10-11 07:41 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-10-11 02:13 . 2010-10-11 07:05 2256 ----a-w- c:\documents and settings\Kevin Bento\Application Data\sdfsfs.bat
2010-10-11 02:13 . 2010-10-11 07:05 147 ----a-w- c:\documents and settings\Kevin Bento\Application Data\dsfsds.bat
2010-10-11 02:12 . 2010-10-11 15:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-10-09 23:59 . 2010-10-09 23:59 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-10-09 23:32 . 2010-10-09 23:32 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-10-09 23:29 . 2010-10-09 23:29 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-10-09 22:11 . 2010-10-09 22:11 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-11-13 247144]
"SUPERAntiSpyware"="d:\superantispyware\SUPERAntiSpyware.exe" [2010-09-28 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"StxTrayMenu"="c:\program files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-18 190008]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Adobe Acrobat Speed Launcher"="d:\acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="d:\acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]
"Standby"="c:\program files\Common Files\Corel\Standby\Standby.exe" [2009-12-17 105632]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10e.exe" [2010-01-27 256280]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
urkyip.exe [2010-10-10 139264]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
irag.exe [2010-10-10 139264]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\superantispyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- d:\superantispyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\acaptuser32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"d:\\Adobe Photoshop Elements 8\\Elements Organizer 8.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/25/2008 3:48 PM 165584]
R1 SASDIFSV;SASDIFSV;d:\superantispyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;d:\superantispyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;d:\adobe photoshop elements 8\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [10/9/2009 6:45 AM 169312]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/25/2008 3:48 PM 17744]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [11/13/2009 7:31 AM 92008]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/16/2009 12:03 AM 24652]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2009-12-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
FF - ProfilePath - c:\documents and settings\Kevin Bento\Application Data\Mozilla\Firefox\Profiles\n40440e1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2611275&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/a/
FF - prefs.js: keyword.URL - hxxp://search.start-search.net/?sid=10101065100&s=
FF - plugin: c:\documents and settings\Kevin Bento\Application Data\Mozilla\Firefox\Profiles\n40440e1.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: d:\acrobat 9.0\Acrobat\browser\nppdf32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.start-search.net/?sid=10101065100&s=
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Basement Ideas - f:\basement ideas\uninstall.exe


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ca,eb,09,24,e9,f8,d7,45,bb,a1,3a,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ca,eb,09,24,e9,f8,d7,45,bb,a1,3a,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(976)
d:\superantispyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(656)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
.
**************************************************************************
.
Completion time: 2010-10-12 01:48:18 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-12 05:48

Pre-Run: 3,178,823,680 bytes free
Post-Run: 3,122,503,680 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 268298CBA743346586EB62997F5FB953
=================================================================
 
It looks like Combofix took care of a really nasty bootkit :)

======================================================================

Unless you installed Viewpoint Manager knowledgeably...
Go Start>Control Panel>Add\Remove (Programs and Features in Vista), and...
Uninstall any of the following programs associated with Viewpoint:
* Viewpoint Manager
* Viewpoint Media Player
* Viewpoint Toolbar
This program does not do anything bad such as deliver ads or spy on you, but it is considered foistware ("drive-by-install") as it is installed without your consent through programs like AOL, AIM, Compuserve, etc.

========================================================================

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\documents and settings\Administrator\Start Menu\Programs\Startup\urkyip.exe
c:\documents and settings\Default User\Start Menu\Programs\Startup\irag.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=-


3. Save the above as CFScript.txt

4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
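The CFScript above is written by hand from two findings in the ComboFix log: the two executables dropped into Startup folders and the Security Center value that hides the disabled firewall. The following is an added example (my own code, not ComboFix's or anything posted in this thread) that performs that same triage over an excerpt of the log lines posted above and drafts the matching File:: / Registry:: directives. The sample lines are excerpted from this thread's ComboFix output; the heuristics (flag executables launched from a Startup folder, flag a DisableMonitoring value set to 1 under Security Center\Monitoring, and report batch files created under Application Data for review rather than deletion) are this example's own assumptions about what deserves a second look, not rules from ComboFix.

```python
import re

# Excerpt of the "Reg Loading Points" and "Files Created" sections posted above
# (constructed from the thread's log for this example).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-11-13 247144]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
urkyip.exe [2010-10-10 139264]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
irag.exe [2010-10-10 139264]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

2010-10-11 02:13 . 2010-10-11 07:05 2256 ----a-w- c:\documents and settings\Kevin Bento\Application Data\sdfsfs.bat
2010-10-11 08:45 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
"""

# A Startup folder header: "c:\...\Startup\" on its own line, item on the next.
STARTUP_DIR = re.compile(r"^([a-z]:\\.*\\Startup)\\$", re.I)
STARTUP_ITEM = re.compile(r"^(\S+\.exe)\s+\[\d{4}-\d{2}-\d{2} \d+\]$", re.I)
# A REGEDIT4-style value line: "Name"=data
REG_VALUE = re.compile(r'^"([^"]+)"=(.+)$')
# A "Files Created" line whose path ends in .bat
CREATED_BAT = re.compile(r"^\d{4}-\d{2}-\d{2} .*?\s([a-z]:\\.*\.bat)$", re.I)


def triage(log_text):
    """Walk the log once and collect the items worth acting on (heuristics are
    this example's assumptions; ComboFix itself does not classify entries)."""
    findings = {"startup_files": [], "registry_values": [], "batch_files": []}
    pending_dir = None   # Startup folder whose item is on the following line
    current_key = None   # registry key that subsequent value lines belong to
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            pending_dir = None
            continue
        m = STARTUP_DIR.match(line)
        if m:
            pending_dir = m.group(1)
            current_key = None
            continue
        if pending_dir:
            m = STARTUP_ITEM.match(line)
            if m:
                findings["startup_files"].append(pending_dir + "\\" + m.group(1))
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = REG_VALUE.match(line)
        if m and current_key and "security center\\monitoring" in current_key.lower():
            name, value = m.groups()
            # DisableMonitoring=1 stops Security Center reporting that the firewall is off
            if name == "DisableMonitoring" and value.lower() == "dword:00000001":
                findings["registry_values"].append((current_key, name))
            continue
        m = CREATED_BAT.match(line)
        if m and "\\application data\\" in m.group(1).lower():
            findings["batch_files"].append(m.group(1))
    return findings


def build_cfscript(findings):
    """Render File:: and Registry:: directives in the same shape as the script
    posted above. Batch files are deliberately left out: they are reported for
    review, not deleted automatically."""
    lines = []
    if findings["startup_files"]:
        lines.append("File::")
        lines.extend(findings["startup_files"])
        lines.append("")
    if findings["registry_values"]:
        lines.append("Registry::")
        for key, name in findings["registry_values"]:
            lines.append("[%s]" % key)
            lines.append('"%s"=-' % name)   # "=-" deletes the value
            lines.append("")
    return "\n".join(lines).rstrip("\n") + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    print(build_cfscript(found))
    for path in found["batch_files"]:
        print("review before deleting:", path)
```

Run stand-alone it prints a CFScript with the two Startup executables under File:: and the DisableMonitoring removal under Registry::, and lists sdfsfs.bat separately for review; the generated text is meant to be read and checked against the full log before anything is dragged onto ComboFix.exe.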
 
Hi Broni!

Thanks for the advice on the ViewPoint Software. I had Viewpoint Media Player which was used rarely. As such, I deleted it.

After running ComboFix again by dragging and dropping the notepad file with the copied and pasted script, here is the log that resulted after this scan:

===================================================================
ComboFix 10-10-11.02 - Kevin Bento 10/13/2010 0:10.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.182 [GMT -4:00]
Running from: c:\documents and settings\Kevin Bento\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Kevin Bento\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

FILE ::
"c:\documents and settings\Administrator\Start Menu\Programs\Startup\urkyip.exe"
"c:\documents and settings\Default User\Start Menu\Programs\Startup\irag.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Start Menu\Programs\Startup\urkyip.exe
c:\documents and settings\Default User\Start Menu\Programs\Startup\irag.exe

.
\\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2010-09-13 to 2010-10-13 )))))))))))))))))))))))))))))))
.

2010-10-11 21:40 . 2010-10-11 21:40 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-10-11 08:45 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-11 08:45 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-11 07:41 . 2010-10-11 07:41 -------- d-----w- c:\documents and settings\Kevin Bento\Application Data\SUPERAntiSpyware.com
2010-10-11 07:41 . 2010-10-11 07:41 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-10-11 02:13 . 2010-10-11 07:05 2256 ----a-w- c:\documents and settings\Kevin Bento\Application Data\sdfsfs.bat
2010-10-11 02:13 . 2010-10-11 07:05 147 ----a-w- c:\documents and settings\Kevin Bento\Application Data\dsfsds.bat
2010-10-11 02:12 . 2010-10-11 15:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-10-09 23:59 . 2010-10-09 23:59 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-10-09 23:32 . 2010-10-09 23:32 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-10-09 23:29 . 2010-10-09 23:29 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-10-09 22:11 . 2010-10-09 22:11 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-11-13 247144]
"SUPERAntiSpyware"="d:\superantispyware\SUPERAntiSpyware.exe" [2010-09-28 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"StxTrayMenu"="c:\program files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-18 190008]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Adobe Acrobat Speed Launcher"="d:\acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="d:\acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]
"Standby"="c:\program files\Common Files\Corel\Standby\Standby.exe" [2009-12-17 105632]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10e.exe" [2010-01-27 256280]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\superantispyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- d:\superantispyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\acaptuser32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"d:\\Adobe Photoshop Elements 8\\Elements Organizer 8.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/25/2008 3:48 PM 165584]
R1 SASDIFSV;SASDIFSV;d:\superantispyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;d:\superantispyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;d:\adobe photoshop elements 8\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [10/9/2009 6:45 AM 169312]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/25/2008 3:48 PM 17744]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [11/13/2009 7:31 AM 92008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2009-12-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
FF - ProfilePath - c:\documents and settings\Kevin Bento\Application Data\Mozilla\Firefox\Profiles\n40440e1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2611275&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/a/
FF - prefs.js: keyword.URL - hxxp://search.start-search.net/?sid=10101065100&s=
FF - plugin: c:\documents and settings\Kevin Bento\Application Data\Mozilla\Firefox\Profiles\n40440e1.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: d:\acrobat 9.0\Acrobat\browser\nppdf32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.start-search.net/?sid=10101065100&s=
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ca,eb,09,24,e9,f8,d7,45,bb,a1,3a,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ca,eb,09,24,e9,f8,d7,45,bb,a1,3a,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(984)
d:\superantispyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
Completion time: 2010-10-13 00:44:29
ComboFix-quarantined-files.txt 2010-10-13 04:43
ComboFix2.txt 2010-10-12 05:48

Pre-Run: 3,010,867,200 bytes free
Post-Run: 2,954,547,200 bytes free

- - End Of File - - 8DCD295B5B030631E0759EBF2690CCF2
 
Hi Broni,

As you requested, here is the latest MBRCheck log:

===================================================================
MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 155):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xF8A26000 \WINDOWS\system32\KDCOM.DLL
0xF8936000 \WINDOWS\system32\BOOTVID.dll
0xF83F7000 ACPI.sys
0xF8A28000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF83E6000 pci.sys
0xF8526000 isapnp.sys
0xF893A000 compbatt.sys
0xF893E000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF8AEE000 pciide.sys
0xF87A6000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF8536000 MountMgr.sys
0xF83C7000 ftdisk.sys
0xF83A1000 dmio.sys
0xF87AE000 PartMgr.sys
0xF8546000 VolSnap.sys
0xF8389000 atapi.sys
0xF8556000 disk.sys
0xF8566000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF8369000 fltmgr.sys
0xF8357000 sr.sys
0xF8341000 drvmcdb.sys
0xF8576000 PxHelp20.sys
0xF832A000 KSecDD.sys
0xF829D000 Ntfs.sys
0xF8270000 NDIS.sys
0xF8586000 sbp2port.sys
0xF8596000 ohci1394.sys
0xF85A6000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF8256000 Mup.sys
0xF8646000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF8A16000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xF72FA000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xF72E6000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF72BE000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF7256000 \SystemRoot\system32\DRIVERS\bcmwl5.sys
0xF886E000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF7232000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF8876000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF8656000 \SystemRoot\system32\DRIVERS\bcm4sbxp.sys
0xF721E000 \SystemRoot\system32\DRIVERS\sdbus.sys
0xF887E000 \SystemRoot\system32\DRIVERS\rimmptsk.sys
0xF8666000 \SystemRoot\system32\DRIVERS\rimsptsk.sys
0xF71D2000 \SystemRoot\system32\DRIVERS\rixdptsk.sys
0xF8676000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF71A3000 \SystemRoot\system32\DRIVERS\SynTP.sys
0xF8A4C000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF8886000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF888E000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF8686000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF8A4E000 \SystemRoot\system32\drivers\sscdbhk5.sys
0xF8696000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF86A6000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF7180000 \SystemRoot\system32\DRIVERS\ks.sys
0xF822E000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xF8B40000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF86B6000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF8226000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF7169000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF86C6000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF86D6000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF889E000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF7158000 \SystemRoot\system32\DRIVERS\psched.sys
0xF86E6000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF88A6000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF88AE000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF7088000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF86F6000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF8A54000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF702A000 \SystemRoot\system32\DRIVERS\update.sys
0xF74AE000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF88B6000 \SystemRoot\system32\DRIVERS\omci.sys
0xF8706000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF2EA8000 \SystemRoot\system32\drivers\sthda.sys
0xF2E84000 \SystemRoot\system32\drivers\portcls.sys
0xF8736000 \SystemRoot\system32\drivers\drmk.sys
0xF2E52000 \SystemRoot\system32\DRIVERS\HSFHWAZL.sys
0xF2D55000 \SystemRoot\system32\DRIVERS\HSF_DPV.sys
0xF2CA5000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xF88C6000 \SystemRoot\System32\Drivers\Modem.SYS
0xF8746000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF8A02000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xF8A68000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF8C26000 \SystemRoot\System32\Drivers\Null.SYS
0xF8A6A000 \SystemRoot\System32\Drivers\Beep.SYS
0xF88D6000 \SystemRoot\system32\drivers\ssrtln.sys
0xF88DE000 \SystemRoot\System32\drivers\vga.sys
0xF8A6C000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF8A6E000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF88E6000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF88EE000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF8A06000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xF2C22000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xF2BC9000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xF8756000 \SystemRoot\System32\Drivers\aswTdi.SYS
0xF2BA3000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF2B7B000 \SystemRoot\system32\DRIVERS\netbt.sys
0xF2AFA000 \SystemRoot\System32\vsdatant.sys
0xF2AD8000 \SystemRoot\System32\drivers\afd.sys
0xF8766000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF8786000 \SystemRoot\System32\Drivers\SCDEmu.SYS
0xF0E9C000 \??\D:\SuperAntiSpyWare\SASKUTIL.SYS
0xF2AB4000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF85E6000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF8916000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF85F6000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF891E000 \??\D:\SuperAntiSpyWare\SASDIFSV.SYS
0xF0E71000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xF0E01000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF8606000 \SystemRoot\System32\Drivers\Fips.SYS
0xF2AA4000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xF0DDA000 \SystemRoot\System32\Drivers\aswSP.SYS
0xF2AA0000 \SystemRoot\System32\Drivers\ASPI32.SYS
0xF2A9C000 \SystemRoot\SYSTEM32\DRIVERS\APPDRV.SYS
0xF892E000 \SystemRoot\System32\Drivers\Aavmker4.SYS
0xF8626000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xF0D9A000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF8AD2000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF2C45000 \SystemRoot\System32\drivers\Dxapi.sys
0xF87BE000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF8BCD000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF055000 \SystemRoot\System32\ati2cqag.dll
0xBF09A000 \SystemRoot\System32\atikvmag.dll
0xBF0DC000 \SystemRoot\System32\ati3duag.dll
0xBF37D000 \SystemRoot\System32\ativvaxx.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xF2C3D000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
0xF0EFE000 \SystemRoot\system32\drivers\drvnddm.sys
0xF8C22000 \SystemRoot\system32\dla\tfsndres.sys
0xEEC44000 \SystemRoot\system32\dla\tfsnifs.sys
0xEECCE000 \SystemRoot\system32\dla\tfsnopio.sys
0xF8A5A000 \SystemRoot\system32\dla\tfsnpool.sys
0xF87F6000 \SystemRoot\system32\dla\tfsnboio.sys
0xF0EEE000 \SystemRoot\system32\dla\tfsncofs.sys
0xF8BF5000 \SystemRoot\system32\dla\tfsndrct.sys
0xEEC2B000 \SystemRoot\system32\dla\tfsnudf.sys
0xEEC12000 \SystemRoot\system32\dla\tfsnudfa.sys
0xEEC72000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xEE7C3000 \SystemRoot\System32\Drivers\aswMon2.SYS
0xEE5F6000 \SystemRoot\system32\drivers\wdmaud.sys
0xEE81A000 \SystemRoot\system32\drivers\sysaudio.sys
0xEE57B000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xEE44A000 \SystemRoot\System32\Drivers\HTTP.sys
0xEE303000 \SystemRoot\system32\DRIVERS\srv.sys
0xEE497000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xEE6B3000 \SystemRoot\system32\DRIVERS\secdrv.sys
0xF87FE000 \SystemRoot\System32\Drivers\aswRdr.SYS
0xF8AB2000 \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
0xF8866000 \??\C:\DOCUME~1\KEVINB~1\LOCALS~1\Temp\catchme.sys
0xF884E000 \??\C:\DOCUME~1\KEVINB~1\LOCALS~1\Temp\mbr.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 49):
0 System Idle Process
4 System
892 C:\WINDOWS\system32\smss.exe
948 csrss.exe
984 C:\WINDOWS\system32\winlogon.exe
1028 C:\WINDOWS\system32\services.exe
1040 C:\WINDOWS\system32\lsass.exe
1236 C:\WINDOWS\system32\ati2evxx.exe
1252 C:\WINDOWS\system32\svchost.exe
1336 svchost.exe
1480 C:\WINDOWS\system32\svchost.exe
1632 svchost.exe
1708 svchost.exe
1760 C:\WINDOWS\system32\ZoneLabs\vsmon.exe
288 C:\WINDOWS\system32\ati2evxx.exe
1276 C:\WINDOWS\system32\BCMWLTRY.EXE
1416 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
2028 C:\WINDOWS\system32\spoolsv.exe
1172 svchost.exe
1112 D:\Adobe Photoshop Elements 8\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe
1560 C:\Program Files\Bonjour\mDNSResponder.exe
1592 C:\WINDOWS\system32\svchost.exe
1908 C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
2200 C:\Program Files\Java\jre6\bin\jqs.exe
2216 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
2268 C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
2372 C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
2616 svchost.exe
2652 C:\WINDOWS\system32\svchost.exe
2744 C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
2812 mcrdsvc.exe
3740 wmiprvse.exe
3840 alg.exe
2336 C:\WINDOWS\ehome\ehtray.exe
2388 C:\WINDOWS\stsystra.exe
2456 C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
2528 C:\WINDOWS\system32\dla\tfswctrl.exe
2700 C:\Program Files\Java\jre6\bin\jusched.exe
2452 D:\Acrobat 9.0\Acrobat\acrotray.exe
2824 C:\PROGRA~1\ALWILS~1\Avast5\AvastUI.exe
3200 C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
3352 C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
1840 C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
3908 C:\WINDOWS\system32\notepad.exe
3844 C:\WINDOWS\explorer.exe
268 C:\Program Files\Mozilla Firefox\firefox.exe
1672 C:\Program Files\Mozilla Firefox\plugin-container.exe
2960 C:\Program Files\Common Files\Corel\Standby\Standby.exe
724 C:\Documents and Settings\Kevin Bento\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`02f10c00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000013`cdd44a00 (NTFS)

PhysicalDrive0 Model Number: SAMSUNGHM120JI, Rev: YF100-15

Size Device Name MBR Status
--------------------------------------------
110 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!
 
Looks good :)

How is the computer doing at the moment?

My bedtime is coming, so I'll leave you with some homework :)

Download OTL to your Desktop.

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in:


netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%PROGRAMFILES%\PC-Doctor\Downloads\*.*
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%systemroot%\ADDINS\*.*
%systemroot%\assembly\*.bak2
%systemroot%\Config\*.*
%systemroot%\REPAIR\*.bak2
%systemroot%\SECURITY\Database\*.sdb /x
%systemroot%\SYSTEM\*.bak2
%systemroot%\Web\*.bak2
%systemroot%\Driver Cache\*.*
%PROGRAMFILES%\Mozilla Firefox\0*.exe
%ProgramFiles%\Microsoft Common\*.*
%ProgramFiles%\TinyProxy.
%USERPROFILE%\Favorites\*.url /x
%systemroot%\system32\*.bk
%systemroot%\*.te
%systemroot%\system32\system32\*.*
%ALLUSERSPROFILE%\*.dat /x
%systemroot%\system32\drivers\*.rmv
dir /b "%systemroot%\system32\*.exe" | find /i " " /c
dir /b "%systemroot%\*.exe" | find /i " " /c
%PROGRAMFILES%\Microsoft\*.*
%systemroot%\System32\Wbem\proquota.exe
%PROGRAMFILES%\Mozilla Firefox\*.dat
%USERPROFILE%\Cookies\*.txt /x
%SystemRoot%\system32\fonts\*.*
%systemroot%\system32\winlog\*.*
%systemroot%\system32\Language\*.*
%systemroot%\system32\Settings\*.*
%systemroot%\system32\*.quo
%SYSTEMROOT%\AppPatch\*.exe
%SYSTEMROOT%\inf\*.exe
%SYSTEMROOT%\Installer\*.exe
%systemroot%\system32\config\*.bak2
%systemroot%\system32\Computers\*.*
%SystemRoot%\system32\Sound\*.*
%SystemRoot%\system32\SpecialImg\*.*
%SystemRoot%\system32\code\*.*
%SystemRoot%\system32\draft\*.*
%SystemRoot%\system32\MSSSys\*.*
%ProgramFiles%\Javascript\*.*
%systemroot%\pchealth\helpctr\System\*.exe /s
%systemroot%\Web\*.exe
%systemroot%\system32\msn\*.*
%systemroot%\system32\*.tro
%AppData%\Microsoft\Installer\msupdates\*.*
%ProgramFiles%\Messenger\*.*
%systemroot%\system32\systhem32\*.*
%systemroot%\system\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
/md5stop


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
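The MBRCheck output earlier in the thread (the "Windows XP MBR code detected" line with a SHA1) works by reading the first sector of the disk, checking that it is a valid Master Boot Record and hashing the boot code so it can be compared against known loaders. The script below is an added example written for this page; it is not MBRCheck's code and nothing from the thread. It parses a 512-byte sector, verifies the 0x55AA boot signature, decodes the partition table and hashes the boot-code region. It assumes that the first 440 bytes (the code before the disk signature and partition table) is the region worth hashing; whether MBRCheck hashes exactly that region is an assumption, so the hash it prints is not expected to match the SHA1 in the posted log. The sample sector is constructed inline: its partition start LBAs are derived from the byte offsets in the posted MBRCheck output, so the decoded C: size reproduces the 79.17 GB figure that appears later in the thread, while the D: size and the disk signature are made up.

```python
"""MBR sanity check in the style of MBRCheck.

Added example for this thread, not MBRCheck's code.  Reads a raw 512-byte
boot sector (from a saved dump file, or the constructed sample below),
verifies the 0x55AA boot signature, decodes the partition table and hashes
the boot-code region so it can be compared against a list of known loaders.
"""
import hashlib
import struct
import sys

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440            # bytes 0..439: boot code (assumed hash region)
DISK_SIG_OFF = 440             # 4-byte NT disk signature
PART_TABLE_OFF = 446           # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511
ENTRY_FMT = "<B3xB3xII"        # status, (CHS start), type, (CHS end), LBA start, sector count


def boot_code_sha1(sector: bytes) -> str:
    """SHA1 of the boot-code region, upper-case hex like MBRCheck prints."""
    return hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper()


def partition_byte_offset(lba: int) -> int:
    """Byte offset of a partition, matching the 'at offset 0x...' lines in the log."""
    return lba * SECTOR_SIZE


def parse_mbr(sector: bytes) -> dict:
    """Validate the sector and decode its partition table.

    Raises ValueError when the sector is not 512 bytes or lacks the 0x55AA
    signature, which would mean the dump is not an MBR at all.
    """
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % SECTOR_SIZE)
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(
            ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:          # empty slot
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": count,
            "size_gib": round(count * SECTOR_SIZE / 2 ** 30, 2),
        })
    return {
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "boot_code_sha1": boot_code_sha1(sector),
        "partitions": partitions,
    }


def identify_mbr(sector: bytes, known_good: dict) -> str:
    """Label the loader if its boot-code hash is in known_good, else flag it for review."""
    return known_good.get(boot_code_sha1(sector), "Unknown MBR code")


def build_sample_mbr() -> bytes:
    """Constructed sample sector (not a real Windows MBR).

    The partition start LBAs are the byte offsets from the posted MBRCheck log
    (0x02f10c00 for C:, 0x13cdd44a00 for D:) divided by 512; the D: size and
    the disk signature are made up.
    """
    boot_code = b"\xfa\x33\xc0\x8e\xd0".ljust(BOOT_CODE_LEN, b"\x00")  # cli; xor ax,ax; mov ss,ax stub
    disk_sig = struct.pack("<I", 0xDEADBEEF)                            # constructed value
    c_start = 0x02F10C00 // SECTOR_SIZE          # 96390
    d_start = 0x13CDD44A00 // SECTOR_SIZE        # 166128165
    entries = struct.pack(ENTRY_FMT, 0x80, 0x07, c_start, d_start - c_start)   # C:, active NTFS
    entries += struct.pack(ENTRY_FMT, 0x00, 0x07, d_start, 68_000_000)         # D:, NTFS (made-up size)
    entries += b"\x00" * 32                                                    # two empty slots
    return boot_code + disk_sig + b"\x00\x00" + entries + BOOT_SIGNATURE


if __name__ == "__main__":
    # Usage: python mbr_check.py [dump.bin]   (a 512-byte raw sector dump)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            sector = fh.read(SECTOR_SIZE)
    else:
        sector = build_sample_mbr()
    info = parse_mbr(sector)
    # Populate with hashes of loaders you have verified yourself; left empty here.
    print("SHA1:", info["boot_code_sha1"], "->", identify_mbr(sector, {}))
    for p in info["partitions"]:
        print("partition %d: type 0x%02X at offset 0x%x, %.2f GiB, bootable=%s"
              % (p["index"], p["type"], partition_byte_offset(p["lba_start"]),
                 p["size_gib"], p["bootable"]))
```

Run without arguments it checks the constructed sector; given a path it checks a saved 512-byte dump. A hash that is not in your own list of verified loaders is reported as "Unknown MBR code", which is the cue to compare it against a known-good sector from the same Windows version rather than to assume infection.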
 
Broni,

My computer is already running 1000 times smoother so far. Thanks! :)

OTL.txt and Extras.txt are too large and exceed the character limit for replies. Hope you don't mind if I attach them instead.

Looking forward to your further expertise!
 

Attachments

  • OTL.Txt (113.3 KB)
  • Extras.Txt (48 KB)
I'm glad to hear very good news :)

Your computer would greatly benefit from installing another 512MB of RAM.

You're running dangerously low on C drive free space:
Drive C: | 79.17 Gb Total Space | 2.75 Gb Free Space | 3.47% Space Free
Your computer may not boot anymore one morning.
It's high time to start moving some stuff out.

=======================================================================

Update your Java version here: http://www.java.com/en/download/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

Now, we need to remove the old Java version and its remnants...

Download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.

=========================================================================

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Reg Error: Key error.)
    [2010/03/14 17:32:27 | 000,000,088 | RHS- | C] () -- C:\Documents and Settings\All Users\Application Data\AED75B494C.sys
    [2006/10/14 00:08:45 | 000,000,088 | RHS- | C] () -- C:\WINDOWS\System32\406232B632.sys
    [2010/10/12 23:57:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
    [2010/10/12 23:57:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kevin Bento\Application Data\Viewpoint
    @Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4B7BEAFF
    
    
    :Services
    
    :Reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring" =-
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.

=====================================================================

Last scans....

1. Download Security Check from HERE, and save it to your Desktop.
  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


2. Download Temp File Cleaner (TFC)
  • Double click on TFC.exe to run the program.
  • Click on Start button to begin cleaning process.
  • TFC will close all running programs, and it may ask you to restart computer.


3. Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • IMPORTANT! UN-check Remove found threats
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push List of found threats
  • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • NOTE: If ESET doesn't find any threats, it won't produce a log.
 
Broni,

Thanks for the computer advice. I am going to free up more space on my hard drive, as I have an external drive that I can use. My iTunes and Music Library is taking up a lot of space. I have to see what I can do.

I will also research the best places to purchase and the prices on 512 MB RAM.

I installed Java as you asked.

I also ran OTL as you asked. I have attached the log. It is the first attachment.

Attached also is the Security Check log. It is the second attachment

I ran TFC with success and rebooted my computer.

I then ran ESET. I didn't quite follow the instructions after the scan was done. It seemed to produce a log even though I didn't push "list of threats found" and "export to text file". I have attached the aforementioned log as attachment 3.

If any of the above scans need to be redone, please let me know. I will be glad to scan in again for the sake of fixing my computer and your expert advice!

Thanks as always and looking forward to next steps later on tonight (I have access to this computer again tonight around 11 pm ET).
 

Attachments

  • 10142010_004249.log (9.3 KB)
  • checkup.txt (842 bytes)
  • log.txt (2.1 KB)
All files found by ESET will be removed in our next and last step...

Your computer is clean

1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

Code:
:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post resulting log.

2. Now, we'll remove all the tools we used during our cleaning process.

Clean up with OTL:

  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure Windows Updates are current.

4. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run Malwarebytes "Quick scan" once in a while to ensure the safety of your computer.

7. Run Temporary File Cleaner (TFC) weekly.

8. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. Run defrag at your convenience.

11. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

12. Please let me know how your computer is doing.
 
Hi Broni,

Looks like we are coming close to the end!

I took your advice and downloaded all the programs you recommended. I allowed PSI to update all my programs.

I wanted to run the ESET Virus scanner again and follow your directions this time (I had to rush through the ESET steps the last time). ESET found one threat still however. I attached the log of the scan as attachment 1.

I then ran a quick scan of Malware Bytes. It found no threats. I posted the log of the scan as attachment 2.

I would like to know why there was something found for ESET but not for Malware Bytes. Could it be that ESET picked a random file on my computer and called it a threat even though it was not? I know some anti-virus/malware programs do this to encourage a user to upgrade to the registered version.

I am also wondering why you don't recommend that a program like ESET remove the threats it finds, rather you'd want someone to remove via OTL. Should I follow this procedure every time ESET or Malware Bytes finds a threat?

You don't seem to recommend ESET to use on a regular basis in your last post. Should I get rid of it?

For attachment 3, I provided the log for the OTL Custom Scan Fix as you requested in your last reply.

Please review all the attached along with the questions to provide your expertise.

Finally, as mentioned, my computer runs great now. Start up is a bit slow, but I'd hope that once I free up more C:\ space, I'll do better. One thing I notice on startup is a small window that opens up and closes very quickly to the point where I can't even read what it says (if it says anything at all). I'm wondering if you have any idea?

I would like to once again say THANK YOU for providing your expertise and time to help me. My life is on my computer. And you saved my computer. So does that mean you saved my life? Pretty much! ;) This will not go overlooked. I promise you.

Looking forward to hearing from you further.
 

Attachments

  • ESET 2nd Log.txt (135 bytes)
  • mbam-log-2010-10-15 (23-34-32).txt (897 bytes)
  • 10142010_232425.log (4.4 KB)
You're welcome and I'm glad to see you and your computer happy.

I would like to know why there was something found for ESET but not for Malware Bytes.
There is a reason why we run different scans.
No single tool is perfect. Something missed by one will be found by another tool.
Keygens will trigger many programs, even if the file is perfectly clean. A keygen's structure may simply match some malicious file patterns.
Whenever in doubt, there are a couple of places where you can upload a suspicious file for a security check:
http://www.virustotal.com/
http://virusscan.jotti.org/en-gb

I am also wondering why you don't recommend that a program like ESET remove the threats it finds, rather you'd want someone to remove via OTL.
Scanners make mistakes (false positives) and since this is not my computer, but yours, I want to make sure no important file is about to be removed. Just feeling responsible for your computer :)
You can keep Eset and run it, if you wish to.
Just....if any doubt about some finding...we're around here to help :)

Good luck and stay safe :)
 