Solved [Active] 2 Hijack viruses (at least) and slowdown/freeze problem - 8 steps


tullriles

Hi,
My first post since joining the forum last week.

- One virus won't let me near the website for windows update. This is occurring in both Explorer and Mozilla Firefox.
- Another virus is re-routing me to various websites, very often associated with google.com/webhp
- Some processes are causing my CPU to slow down to a snail's pace, and sometimes freeze.

Any help with the above would be appreciated... thanks in advance.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4329

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/20/2010 5:36:12 AM
mbam-log-2010-07-20 (05-36-12).txt

Scan type: Quick scan
Objects scanned: 140595
Time elapsed: 8 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-20 06:40:26
Windows 5.1.2600 Service Pack 3
Running: segn9us2.exe; Driver: C:\DOCUME~1\bob\LOCALS~1\Temp\awrdapod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF5408CD2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xF5408B8E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xF5409142]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xF540906C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xF5408764]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xF5408C68]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF54086A4]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xF5408708]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xF5408D88]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xF5409210]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xF5408D48]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xF5408EC8]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xF5415B9C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xF54159C0]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xF5415AFA]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntoskrnl.exe!ObInsertObject 8056503A 5 Bytes JMP F5412F6C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!NtCreateSection 805652B3 7 Bytes JMP F54159C4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!ZwCreateProcessEx 8057FE4C 7 Bytes JMP F5415BA0 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!ObMakeTemporaryObject 8059F8CA 5 Bytes JMP F54115B4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!ZwLoadDriver 805A3B73 7 Bytes JMP F5415AFE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
.text C:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xF7F00340, 0x121A5F, 0xF8000020]
.text C:\WINDOWS\System32\nv4_disp.dll section is writeable [0xBF012380, 0x25BA81, 0xF8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[1692] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[1692] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BD000A
.text C:\WINDOWS\Explorer.EXE[1692] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
.text C:\WINDOWS\System32\svchost.exe[3892] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0092000A
.text C:\WINDOWS\System32\svchost.exe[3892] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0093000A
.text C:\WINDOWS\System32\svchost.exe[3892] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0091000C
.text C:\WINDOWS\System32\svchost.exe[3892] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0088000A
.text C:\WINDOWS\System32\svchost.exe[3892] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 0097000A

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[996] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003B0002
IAT C:\WINDOWS\system32\services.exe[996] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003B0000

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \FileSystem\Fastfat \Fat EDE83D20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 2
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 7
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 7
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset002\Services\MRxDAV\EncryptedDirectories@
Reg HKLM\SYSTEM\CurrentControlSet\control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 2
Reg HKLM\SYSTEM\CurrentControlSet\control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\CurrentControlSet\control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 7
Reg HKLM\SYSTEM\CurrentControlSet\control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\CurrentControlSet\control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\CurrentControlSet\control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\CurrentControlSet\control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\CurrentControlSet\control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\CurrentControlSet\control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\CurrentControlSet\control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\CurrentControlSet\control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 7
Reg HKLM\SYSTEM\CurrentControlSet\control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\ControlSet004\control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 2
Reg HKLM\SYSTEM\ControlSet004\control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\ControlSet004\control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 7
Reg HKLM\SYSTEM\ControlSet004\control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\ControlSet004\control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\ControlSet004\control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\ControlSet004\control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\ControlSet004\control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\ControlSet004\control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\ControlSet004\control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\ControlSet004\control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 7
Reg HKLM\SYSTEM\ControlSet004\control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256

---- EOF - GMER 1.0.15 ----
 

Attachments

  • Attach.txt (13.5 KB)
  • DDS.txt (13.2 KB)
Good Morning! I'll help you out. While I check these logs, please go ahead and run the following:

Please download ComboFix from Here and save to your Desktop.

  1. Do NOT rename ComboFix unless instructed.
  2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Close any open browsers.
  4. Double-click combofix.exe & follow the prompts to run.
     NOTE: ComboFix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  5. If ComboFix asks you to install Recovery Console, please allow it.
  6. If ComboFix asks you to update the program, always allow.
     Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  7. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with ComboFix.
Re-enable your Antivirus software.
============================
Run the Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this in your post.
 
Thanks, Bobbye, for jumping in to help. (And a good morning to you also).
Here are the Combofix and Eset results:

ComboFix 10-07-19.04 - bob 07/20/2010 9:45.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.255.41 [GMT -4:00]
Running from: c:\documents and settings\bob\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\RdXIe.dll
c:\windows\Readme.txt
c:\windows\system32\download
c:\windows\system32\drivers\remove_spyware_button.gif
c:\windows\system32\keylog.txt
c:\windows\system32\lclcfg32.ini
c:\windows\system32\lfd32.ini
c:\windows\system32\mirc.ini
c:\windows\system32\sl.bin
c:\windows\system32\sounds
c:\windows\tempf.txt

Infected copy of c:\windows\system32\drivers\agp440.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-06-20 to 2010-07-20 )))))))))))))))))))))))))))))))
.

2010-07-16 13:07 . 2010-07-16 13:07 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-07-14 22:43 . 2010-07-14 22:43 -------- d-----w- c:\documents and settings\LocalService\Application Data\FileOpen
2010-07-14 19:29 . 2001-08-17 16:13 19528 -c--a-w- c:\windows\system32\dllcache\w840nd.sys
2010-07-14 19:28 . 2001-08-18 02:36 94293 -c--a-w- c:\windows\system32\dllcache\sxports.dll
2010-07-14 19:27 . 2001-08-18 02:36 386560 -c--a-w- c:\windows\system32\dllcache\sgiul50.dll
2010-07-14 19:26 . 2008-04-13 17:41 17664 -c--a-w- c:\windows\system32\dllcache\ppa3.sys
2010-07-14 19:25 . 2001-08-17 16:20 87040 -c--a-w- c:\windows\system32\dllcache\nm6wdm.sys
2010-07-14 19:24 . 2001-08-17 17:52 6528 -c--a-w- c:\windows\system32\dllcache\miniqic.sys
2010-07-14 19:23 . 2008-04-13 23:09 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2010-07-14 19:22 . 2001-08-18 02:36 91136 -c--a-w- c:\windows\system32\dllcache\icam4com.dll
2010-07-14 19:21 . 2001-08-18 02:36 92160 -c--a-w- c:\windows\system32\dllcache\fuusd.dll
2010-07-14 19:20 . 2001-08-17 16:11 69194 -c--a-w- c:\windows\system32\dllcache\el656cd5.sys
2010-07-14 19:19 . 2001-08-17 16:12 117760 -c--a-w- c:\windows\system32\dllcache\d100ib5.sys
2010-07-14 19:18 . 2001-08-17 16:13 21530 -c--a-w- c:\windows\system32\dllcache\ce2n5.sys
2010-07-14 19:17 . 2001-08-17 17:12 2944 -c--a-w- c:\windows\system32\dllcache\brfilt.sys
2010-07-14 19:17 . 2001-08-18 02:36 12800 -c--a-w- c:\windows\system32\dllcache\brevif.dll
2010-07-14 19:17 . 2001-08-18 02:36 9728 -c--a-w- c:\windows\system32\dllcache\brcoinst.dll
2010-07-14 19:17 . 2001-08-18 02:36 19456 -c--a-w- c:\windows\system32\dllcache\brbidiif.dll
2010-07-14 19:17 . 2001-08-18 02:36 102400 -c--a-w- c:\windows\system32\dllcache\binlsvc.dll
2010-07-14 18:20 . 2010-07-14 18:21 -------- d-----w- c:\program files\Glary Utilities
2010-07-14 17:53 . 2010-07-14 18:01 -------- d-----w- c:\documents and settings\bob\Application Data\GlarySoft
2010-07-14 17:53 . 2010-07-14 17:53 -------- d-----w- c:\program files\Glary Registry Repair
2010-07-14 14:31 . 2010-07-14 14:31 -------- d-----w- c:\documents and settings\bob\Application Data\Uniblue
2010-07-14 09:40 . 2010-07-14 09:40 -------- d-----w- c:\documents and settings\NetworkService\Application Data\FileOpen
2010-07-14 09:39 . 2010-07-14 09:44 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-12 18:33 . 2010-07-12 18:33 -------- d-----w- C:\symbols
2010-07-12 17:54 . 2001-08-17 16:49 49920 -c--a-w- c:\windows\system32\dllcache\atirtcap.sys
2010-07-12 17:33 . 2001-08-17 16:11 46112 -c--a-w- c:\windows\system32\dllcache\adptsf50.sys
2010-07-11 20:46 . 2010-07-11 20:51 -------- d-----w- c:\program files\Common Files\ParetoLogic
2010-07-10 22:08 . 2010-07-20 13:36 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-09 15:57 . 2010-07-09 15:57 -------- d-----w- c:\documents and settings\bob\Application Data\Malwarebytes
2010-07-09 15:56 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-09 15:56 . 2010-07-09 15:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-09 15:56 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-09 15:55 . 2010-07-20 09:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-09 14:35 . 2010-07-09 14:35 -------- d-----w- c:\documents and settings\bob\Local Settings\Application Data\Threat Expert
2010-07-06 00:44 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
2010-07-05 13:21 . 2010-07-09 16:03 -------- d-----w- c:\documents and settings\bob\Local Settings\Application Data\gnorigsky

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-19 18:23 . 2005-10-27 01:37 -------- d-----w- c:\program files\Lx_cats
2010-07-12 17:26 . 2010-07-14 22:43 158666 ----a-w- c:\windows\PCHealth\HelpCtr\Config\Cache\Personal_32_1033.dat
2010-07-11 20:58 . 2010-03-07 22:36 442144 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-07-11 20:51 . 2010-03-07 22:28 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2010-07-11 20:32 . 2010-03-07 22:36 41420 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-07-11 20:32 . 2010-03-07 22:36 218228 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-07-11 20:32 . 2010-03-07 22:36 16979232 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-07-09 16:49 . 2010-03-08 21:31 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-07-06 15:27 . 2009-10-01 14:59 -------- d-----w- c:\program files\CCleaner
2010-06-28 20:57 . 2010-03-22 10:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-06-28 20:37 . 2010-03-22 10:58 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-06-28 20:37 . 2010-03-22 10:58 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-06-28 20:33 . 2010-03-22 10:58 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-06-28 20:32 . 2010-03-22 10:58 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-06-28 20:32 . 2010-03-22 10:58 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-06-28 20:32 . 2010-03-22 10:58 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-06-28 20:32 . 2010-03-22 10:58 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-05-06 14:18 . 2010-05-06 14:18 14846 ----a-r- c:\documents and settings\bob\Application Data\Microsoft\Installer\{857CBF4A-192C-44B0-86A5-6281FCEFA1FE}\FileOpenNew.exe
2010-05-06 10:41 . 2002-09-03 17:12 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2002-09-03 17:11 1851264 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-06 5058560]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"LXCCCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\LXCCtime.dll" [2005-01-10 69632]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2003-10-06 49152]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ParetoLogic Anti-Virus PLUS

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 21:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2003-10-06 19:16 741376 ----a-w- c:\windows\SYSTEM32\nwiz.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 aswSP;aswSP;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [3/22/2010 6:58 AM 165456]
R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [3/22/2010 6:58 AM 17744]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/11/2007 7:49 AM 24652]
S2 gupdate1c9cfd9aeca5742;Google Update Service (gupdate1c9cfd9aeca5742);c:\program files\Google\Update\GoogleUpdate.exe [5/8/2009 8:36 AM 133104]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\SYSTEM32\DRIVERS\hitmanpro35.sys [3/9/2010 2:15 PM 15944]
.
Contents of the 'Scheduled Tasks' folder

2010-07-20 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2010-07-14 15:14]

2010-07-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-08 12:36]

2010-07-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-08 12:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
DPF: ActiveGS.cab - hxxp://www.virtualapple.com/activegs.cab
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\bob\Application Data\Mozilla\Firefox\Profiles\lwkjalq7.default\
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJPI150_11.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPOJI610.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
WebBrowser-{A167FA36-FF62-4DF8-8276-4C64416F0594} - (no file)
HKCU-Run-Microsoft Works Update Detection - c:\program files\Microsoft Works\WkDetect.exe
MSConfigStartUp-Microsoft Works Update Detection - c:\program files\Microsoft Works\WkDetect.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-20 09:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCCCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
Completion time: 2010-07-20 10:08:49
ComboFix-quarantined-files.txt 2010-07-20 14:08

Pre-Run: 36,332,167,168 bytes free
Post-Run: 36,347,924,480 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - A8B660F9D1372F5B149731900677A39E


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=061bd8e71874aa40bc18c1bec8475654
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=false
# utc_time=2010-07-20 03:11:38
# local_time=2010-07-20 11:11:38 (-0500, Eastern Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=768 16777215 100 0 9458471 9458471 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=85137
# found=3
# cleaned=0
# scan_time=3189
C:\Documents and Settings\bob\My Documents\Install_AIM_np.exe Win32/Adware.WBug.A application 86D151CC9AE8A37F5828A59B22B29D7E I
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP171\A0049156.sys Win32/Olmarik.ZC trojan EF2AC2CD39EB94BDE34E60BAA6AF970F I
C:\WINDOWS\wt\wtupdates\wtwebdriver\files\3.3.1.001\npwthost.dll probably a variant of Win32/Agent trojan 0633B8BB987CE9E4F11AD8C20B594F98 I
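A small triage helper over the log formats Bob posted above, written as an added example for this thread (it is not ComboFix's, ESET's or the forum's own code). The sample lines are constructed from the logs above; reading the `uInternet Settings,ProxyServer = http=127.0.0.1:5577` entry as a local-proxy hijack indicator is my interpretation, not something the thread states.

```python
"""Triage helper for ComboFix and ESET online-scanner logs (added example)."""
import re
from dataclasses import dataclass, field
from ipaddress import ip_address

# Constructed samples, copied in shape from the logs posted in this thread.
SAMPLE_COMBOFIX = """\
Infected copy of c:\\windows\\system32\\drivers\\agp440.sys was found and disinfected
------- Supplementary Scan -------
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>
"""
SAMPLE_ESET = """\
# found=3
# cleaned=0
C:\\Documents and Settings\\bob\\My Documents\\Install_AIM_np.exe Win32/Adware.WBug.A application 86D151CC9AE8A37F5828A59B22B29D7E I
C:\\System Volume Information\\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\\RP171\\A0049156.sys Win32/Olmarik.ZC trojan EF2AC2CD39EB94BDE34E60BAA6AF970F I
C:\\WINDOWS\\wt\\wtupdates\\wtwebdriver\\files\\3.3.1.001\\npwthost.dll probably a variant of Win32/Agent trojan 0633B8BB987CE9E4F11AD8C20B594F98 I
"""

# ComboFix: a system file it had to replace with a clean copy
INFECTED_RE = re.compile(r"^Infected copy of (?P<path>.+?) was found and disinfected$")
# ComboFix supplementary scan: the current user's WinINet (IE) proxy setting
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer = (?P<value>.+)$")
# ESET result line: <path> <detection name> <threat type> <MD5> <action flag>
ESET_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?) "
    r"(?P<detection>(?:probably a variant of )?\S+/\S+ [a-z]+) "
    r"(?P<md5>[0-9A-Fa-f]{32}) (?P<flag>\S+)$"
)

@dataclass
class EsetHit:
    path: str
    detection: str
    md5: str
    in_restore_point: bool   # found under System Volume Information\_restore

@dataclass
class ComboFixFindings:
    infected_system_files: list = field(default_factory=list)
    loopback_proxies: list = field(default_factory=list)   # (scheme, host, port)

def _is_loopback(host: str) -> bool:
    """True for 'localhost' or any loopback address (127.0.0.0/8, ::1)."""
    if host.lower() == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False

def parse_proxy_value(value: str) -> list:
    """Split a ProxyServer value: 'host:port' or 'http=host:port;https=host:port'."""
    entries = []
    for part in filter(None, (p.strip() for p in value.split(";"))):
        scheme, _, hostport = part.rpartition("=")   # scheme is '' for the bare form
        host, _, port = hostport.rpartition(":")
        if not host:                                  # no ':' present, so no port
            host, port = hostport, ""
        entries.append((scheme or "all", host, int(port) if port.isdigit() else None))
    return entries

def parse_combofix(text: str) -> ComboFixFindings:
    findings = ComboFixFindings()
    for line in text.splitlines():
        infected, proxy = INFECTED_RE.match(line), PROXY_RE.match(line)
        if infected:
            findings.infected_system_files.append(infected.group("path"))
        elif proxy:
            for scheme, host, port in parse_proxy_value(proxy.group("value")):
                if _is_loopback(host):
                    findings.loopback_proxies.append((scheme, host, port))
    return findings

def parse_eset(text: str) -> list:
    hits = []
    for line in text.splitlines():
        m = ESET_RE.match(line)
        if m:
            path = m.group("path")
            hits.append(EsetHit(path, m.group("detection"), m.group("md5").upper(),
                                "\\system volume information\\_restore" in path.lower()))
    return hits

def triage(combofix_text: str, eset_text: str) -> list:
    """One line per indicator a helper would want to look at first."""
    notes = []
    cf = parse_combofix(combofix_text)
    for path in cf.infected_system_files:
        notes.append(f"ComboFix replaced an infected system driver: {path}")
    for scheme, host, port in cf.loopback_proxies:
        notes.append(f"{scheme} browser traffic goes through a proxy on this machine "
                     f"({host}:{port}); find out what listens there before trusting the browser")
    for hit in parse_eset(eset_text):
        where = " (inside a System Restore point)" if hit.in_restore_point else ""
        notes.append(f"ESET: {hit.detection} at {hit.path}{where}, md5={hit.md5}")
    return notes
```

Call `triage(SAMPLE_COMBOFIX, SAMPLE_ESET)` to get the five notes for the thread's logs; the restore-point flag matters because a detection there is a stale copy, not a live infection.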
 
Bobbye -

I noticed that my access to windowsupdate seems to have been repaired. I didn't want to change anything on my system without your permission, so I haven't done any windows updates.

I still have the other problems I documented. Please let me know if I should allow windows updates in the meantime.

Thanks,
Bob
 
Bob, hold off on the Windows Updates:

Download Bootkit Remover and save to your Desktop
  1. You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
  2. After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right-click on remover.exe and click Run As Administrator).
  3. You will see a Black screen with some data on it.
  4. Right click on the screen and click Select All.
  5. Press CTRL+C to Copy
  6. Open a Notepad and press CTRL+V to Paste.
  7. Include the report in your next post.
Credits to Broni
=================================

Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes

    :Services

    :Reg

    :Files
    C:\Documents and Settings\bob\My Documents\Install_AIM_np.exe
    C:\WINDOWS\wt\wtupdates\wtwebdriver\files\3.3.1.001\npwthost.dll

    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

IF you still have Weatherbug on the system, please uninstall it and remove the program folder in Windows Explorer.
 
When you have finished with my Reply #5, continue with this: I am removing several redundant security entries. You were running multiple antivirus programs. I have also moved Hitman Pro. That program is a bundle of free programs available on the internet, most being used without the permission of the authors.

Custom CFScript

  1. Close any open browsers.
  2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the code below into it:
Code:
File::
c:\program files\Viewpoint\Common\ViewpointService.exe
c:\windows\SYSTEM32\DRIVERS\hitmanpro35.sys
c:\program files\common files\ParetoLogic

Folder::
c:\documents and settings\bob\Local Settings\Application Data\Threat Expert
c:\documents and settings\bob\Local Settings\Application Data\gnorigsky
c:\documents and settings\All Users\Application Data\ParetoLogic
c:\documents and settings\All Users\Application Data\TEMP
DDS::
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {A167FA36-FF62-4DF8-8276-4C64416F0594} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {9404901D-06DA-4B23-A0EE-3EA4F64EC9B3} - No File
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~2.EXE -Update -1103472 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; iebar; .NET CLR 1.0.3705; .NET CLR 2.0.50727; IEMB3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2; IEMB3)" -"http://pool.bz/P/Player/?@4AALW4BNyW3CNqW4DAVy2PGdq2qQtFBall_in_Hand_Behind_the_Center_Line_&ZZ@"
mPolicies-explorer: <NO NAME> = 
mPolicies-system: EnableLUA = 0 (0x0)

Registry::
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ParetoLogic Anti-Virus PLUS
RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

Driver::
Viewpoint Manager Service
hitmanpro35
Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
If you have any of the following on Startup, please uncheck them:
Easy CD & DVD Creator or
DirectCD or
Drag-to-Disc or
Easy CD Creator 5 Basic or
Roxio Easy Media Creator by Roxio (www.roxio.com) or
Sonic Solutions (www.sonic.com).
=============================================
Flash player is known for leaving behind old insecure files. It is better to clean out the entire entry, uninstall, then reinstall:

  [1]. Download the Flash Player Uninstaller and save it to your desktop.
       Choose the Flash Player Uninstaller for your browser: http://www.adobe.com/shockwave/download/alternates/
  [2]. Double-click the setup and run the uninstaller program.
  [3]. Reboot your computer to complete the uninstall.
  [4]. Download the latest version of Flash Player HERE and save it to the desktop.
  [5]. Double-click the setup and run it to install. Reboot when through.

Once the new version is installed, follow the directions to disable the auto-updater.

  [1]. Navigate to the Shockwave Welcome page: http://www.adobe.com/shockwave/welcome/
       Note: The context menu can be accessed from any Shockwave movie if the context menu has been enabled by the author, but this URL was provided to simplify the process.
  [2]. Windows: Right-click the Shockwave movie.
  [3]. From the drop-down menu choose "Properties".
  [4]. Uncheck the box next to "Automatic Update Service" to disable the auto-update feature.
       http://kb.adobe.com/selfservice/view...6683&sliceId=1
 
Bobbye, Thanks for the guidance and the clear directions.

I scoured my system looking for weatherbug, but couldn't find anything, so I didn't take any action.

I was also unaware that I was running multiple anti-virus software. The only one I was aware of was AVAST. Thanks for pointing that out.

Here are my latest results:

Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.1.0.0
OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`01f60800
Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

Size Device Name MBR Status
--------------------------------------------
55 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


Done;
Press any key to quit...


All processes killed
========== PROCESSES ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\Documents and Settings\bob\My Documents\Install_AIM_np.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\wt\wtupdates\wtwebdriver\files\3.3.1.001\npwthost.dll
C:\WINDOWS\wt\wtupdates\wtwebdriver\files\3.3.1.001\npwthost.dll moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: bob
->Temp folder emptied: 241352 bytes
->Temporary Internet Files folder emptied: 47376798 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 3154555 bytes
->Flash cache emptied: 3018 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 540806 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 2584 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 131206 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 777 bytes

User: Owner

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 664 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 49.00 mb


OTM by OldTimer - Version 3.1.15.0 log created on 07242010_145717

Files moved on Reboot...
File C:\Documents and Settings\bob\Local Settings\Temp\~DFC014.tmp not found!
File C:\Documents and Settings\bob\Local Settings\Temp\~DFC061.tmp not found!
File C:\Documents and Settings\bob\Local Settings\Temp\~DFC131.tmp not found!
File C:\Documents and Settings\bob\Local Settings\Temp\~DFC187.tmp not found!
File C:\Documents and Settings\bob\Local Settings\Temp\~DFC40A.tmp not found!
File C:\Documents and Settings\bob\Local Settings\Temp\~DFC44F.tmp not found!
C:\Documents and Settings\bob\Local Settings\Temporary Internet Files\Content.IE5\XDJW7NL3\sh21[1].html moved successfully.
C:\Documents and Settings\bob\Local Settings\Temporary Internet Files\Content.IE5\NTB79LL7\01[1].htm moved successfully.
C:\Documents and Settings\bob\Local Settings\Temporary Internet Files\Content.IE5\NTB79LL7\adsCAWP42IQ.htm moved successfully.
C:\Documents and Settings\bob\Local Settings\Temporary Internet Files\Content.IE5\NTB79LL7\topic150301[3].html moved successfully.
File C:\WINDOWS\temp\_avast5_\Webshlock.txt not found!

Registry entries deleted on Reboot...


ComboFix 10-07-23.04 - bob 07/24/2010 15:18:55.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.255.96 [GMT -4:00]
Running from: c:\documents and settings\bob\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\bob\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"c:\program files\common files\ParetoLogic"
"c:\program files\Viewpoint\Common\ViewpointService.exe"
"c:\windows\SYSTEM32\DRIVERS\hitmanpro35.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\ParetoLogic
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\bob\Local Settings\Application Data\gnorigsky
c:\documents and settings\bob\Local Settings\Application Data\Threat Expert
c:\program files\Viewpoint\Common\ViewpointService.exe
c:\windows\SYSTEM32\DRIVERS\hitmanpro35.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_HITMANPRO35
-------\Legacy_VIEWPOINT_MANAGER_SERVICE
-------\Service_hitmanpro35
-------\Service_Viewpoint Manager Service


((((((((((((((((((((((((( Files Created from 2010-06-24 to 2010-07-24 )))))))))))))))))))))))))))))))
.

2010-07-24 18:57 . 2010-07-24 18:57 -------- d-----w- C:\_OTM
2010-07-24 18:41 . 2010-07-24 18:41 -------- d-----w- c:\program files\7-Zip
2010-07-20 14:14 . 2010-07-20 14:14 -------- d-----w- c:\program files\ESET
2010-07-16 13:07 . 2010-07-16 13:07 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-07-14 22:43 . 2010-07-14 22:43 -------- d-----w- c:\documents and settings\LocalService\Application Data\FileOpen
2010-07-14 19:29 . 2001-08-17 16:13 19528 -c--a-w- c:\windows\system32\dllcache\w840nd.sys
2010-07-14 19:28 . 2001-08-18 02:36 94293 -c--a-w- c:\windows\system32\dllcache\sxports.dll
2010-07-14 19:27 . 2001-08-18 02:36 386560 -c--a-w- c:\windows\system32\dllcache\sgiul50.dll
2010-07-14 19:26 . 2008-04-13 17:41 17664 -c--a-w- c:\windows\system32\dllcache\ppa3.sys
2010-07-14 19:25 . 2001-08-17 16:20 87040 -c--a-w- c:\windows\system32\dllcache\nm6wdm.sys
2010-07-14 19:24 . 2001-08-17 17:52 6528 -c--a-w- c:\windows\system32\dllcache\miniqic.sys
2010-07-14 19:23 . 2008-04-13 23:09 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2010-07-14 19:22 . 2001-08-18 02:36 91136 -c--a-w- c:\windows\system32\dllcache\icam4com.dll
2010-07-14 19:21 . 2001-08-18 02:36 92160 -c--a-w- c:\windows\system32\dllcache\fuusd.dll
2010-07-14 19:20 . 2001-08-17 16:11 69194 -c--a-w- c:\windows\system32\dllcache\el656cd5.sys
2010-07-14 19:19 . 2001-08-17 16:12 117760 -c--a-w- c:\windows\system32\dllcache\d100ib5.sys
2010-07-14 19:18 . 2001-08-17 16:13 21530 -c--a-w- c:\windows\system32\dllcache\ce2n5.sys
2010-07-14 19:17 . 2001-08-17 17:12 2944 -c--a-w- c:\windows\system32\dllcache\brfilt.sys
2010-07-14 19:17 . 2001-08-18 02:36 12800 -c--a-w- c:\windows\system32\dllcache\brevif.dll
2010-07-14 19:17 . 2001-08-18 02:36 9728 -c--a-w- c:\windows\system32\dllcache\brcoinst.dll
2010-07-14 19:17 . 2001-08-18 02:36 19456 -c--a-w- c:\windows\system32\dllcache\brbidiif.dll
2010-07-14 19:17 . 2001-08-18 02:36 102400 -c--a-w- c:\windows\system32\dllcache\binlsvc.dll
2010-07-14 18:20 . 2010-07-14 18:21 -------- d-----w- c:\program files\Glary Utilities
2010-07-14 17:53 . 2010-07-14 18:01 -------- d-----w- c:\documents and settings\bob\Application Data\GlarySoft
2010-07-14 17:53 . 2010-07-14 17:53 -------- d-----w- c:\program files\Glary Registry Repair
2010-07-14 14:31 . 2010-07-14 14:31 -------- d-----w- c:\documents and settings\bob\Application Data\Uniblue
2010-07-14 09:40 . 2010-07-14 09:40 -------- d-----w- c:\documents and settings\NetworkService\Application Data\FileOpen
2010-07-14 09:39 . 2010-07-14 09:44 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-12 18:33 . 2010-07-12 18:33 -------- d-----w- C:\symbols
2010-07-12 17:54 . 2001-08-17 16:49 49920 -c--a-w- c:\windows\system32\dllcache\atirtcap.sys
2010-07-12 17:33 . 2001-08-17 16:11 46112 -c--a-w- c:\windows\system32\dllcache\adptsf50.sys
2010-07-11 20:46 . 2010-07-11 20:51 -------- d-----w- c:\program files\Common Files\ParetoLogic
2010-07-10 22:08 . 2010-07-20 13:36 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-09 15:57 . 2010-07-09 15:57 -------- d-----w- c:\documents and settings\bob\Application Data\Malwarebytes
2010-07-09 15:56 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-09 15:56 . 2010-07-09 15:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-09 15:56 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-09 15:55 . 2010-07-20 09:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-06 00:44 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-23 03:34 . 2005-10-27 01:37 -------- d-----w- c:\program files\Lx_cats
2010-07-12 17:26 . 2010-07-14 22:43 158666 ----a-w- c:\windows\PCHealth\HelpCtr\Config\Cache\Personal_32_1033.dat
2010-07-11 20:58 . 2010-03-07 22:36 442144 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-07-11 20:32 . 2010-03-07 22:36 41420 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-07-11 20:32 . 2010-03-07 22:36 218228 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-07-11 20:32 . 2010-03-07 22:36 16979232 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-07-06 15:27 . 2009-10-01 14:59 -------- d-----w- c:\program files\CCleaner
2010-06-28 20:57 . 2010-03-22 10:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-06-28 20:37 . 2010-03-22 10:58 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-06-28 20:37 . 2010-03-22 10:58 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-06-28 20:33 . 2010-03-22 10:58 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-06-28 20:32 . 2010-03-22 10:58 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-06-28 20:32 . 2010-03-22 10:58 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-06-28 20:32 . 2010-03-22 10:58 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-06-28 20:32 . 2010-03-22 10:58 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-05-06 10:41 . 2002-09-03 17:12 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2002-09-03 17:11 1851264 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-06 5058560]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"LXCCCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\LXCCtime.dll" [2005-01-10 69632]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2003-10-06 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 21:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2003-10-06 19:16 741376 ----a-w- c:\windows\SYSTEM32\nwiz.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 aswSP;aswSP;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [3/22/2010 6:58 AM 165456]
R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [3/22/2010 6:58 AM 17744]
S2 gupdate1c9cfd9aeca5742;Google Update Service (gupdate1c9cfd9aeca5742);c:\program files\Google\Update\GoogleUpdate.exe [5/8/2009 8:36 AM 133104]
.
Contents of the 'Scheduled Tasks' folder

2010-07-24 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2010-07-14 15:14]

2010-07-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-08 12:36]

2010-07-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-08 12:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
DPF: ActiveGS.cab - hxxp://www.virtualapple.com/activegs.cab
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\bob\Application Data\Mozilla\Firefox\Profiles\lwkjalq7.default\
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJPI150_11.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPOJI610.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-24 15:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCCCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3676)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\System32\CTsvcCDA.exe
c:\windows\System32\nvsvc32.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-07-24 15:47:03 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-24 19:46
ComboFix2.txt 2010-07-20 14:08

Pre-Run: 36,574,068,736 bytes free
Post-Run: 36,459,098,112 bytes free

- - End Of File - - C13D5EADC41EE3E48DC7633DEA591EB0
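The ComboFix output above lists the registry autoruns and the Internet Explorer settings (start page, proxy, search URL) that the cleaner reads back, together with toolbar CLSIDs whose backing file is gone. The following Python is an added example, not part of this thread and not code from ComboFix, OTM or any other tool used here. It parses a constructed log fragment in that format and flags the items a responder would want to look at again before writing the next CFScript: a ProxyServer pointing at loopback (a process listening on a local port can rewrite or redirect every browser request), EnableLUA = 0, toolbar or explorer-bar entries marked "No File", and Run values whose target lives under a profile Temp directory. The sample lines are constructed from the line formats visible on this page; the "Example" Run entry and its path are hypothetical.

```python
"""Triage a ComboFix-style log for settings worth a second look.

Added example for this thread; not a ComboFix/OTM feature. The SAMPLE_LOG
below is constructed from the line formats seen in the posted logs. The
"Example" Run value is hypothetical and only exercises the temp-path rule.
"""
import re

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
"Example"="c:\documents and settings\bob\Local Settings\Temp\example.exe" [2010-07-11 12288]

------- Supplementary Scan -------
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>
mPolicies-system: EnableLUA = 0 (0x0)
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
"""

# Line formats as they appear in ComboFix's "Reg Loading Points" and
# "Supplementary Scan" sections (u = per-user hive, m = machine hive).
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(.+)$")
LUA_RE = re.compile(r"^mPolicies-system:\s*EnableLUA\s*=\s*(\d+)")
NOFILE_RE = re.compile(r"^(TB|EB|BHO):\s*(\{[0-9A-Fa-f-]+\})\s*-\s*No File$")
RUN_RE = re.compile(r'^"([^"]+)"="([^"]+)"')
# A path component "\Local Settings\Temp\" or "\Temp\" anywhere in the target.
TEMP_RE = re.compile(r"\\(local settings\\temp|temp)\\", re.IGNORECASE)


def loopback_proxy(value):
    """True if any proxy in an IE ProxyServer value points at this host.

    Values look like "127.0.0.1:8080" or "http=127.0.0.1:5577;https=...".
    """
    for part in value.split(";"):
        hostport = part.split("=", 1)[-1].strip()
        host = hostport.rsplit(":", 1)[0].strip("[]")
        if host in ("localhost", "::1") or host.startswith("127."):
            return True
    return False


def triage(log_text):
    """Return (kind, name, value) tuples for every flagged line, in log order."""
    findings = []
    in_run_key = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_run_key = False          # a blank line ends a registry key block
            continue
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line.lower().endswith("\\currentversion\\run]")
            continue
        if in_run_key:
            m = RUN_RE.match(line)
            if m and TEMP_RE.search(m.group(2)):
                findings.append(("run_from_temp", m.group(1), m.group(2)))
            continue
        m = PROXY_RE.match(line)
        if m:
            if loopback_proxy(m.group(1)):
                findings.append(("loopback_proxy", "ProxyServer", m.group(1)))
            continue
        m = LUA_RE.match(line)
        if m and m.group(1) == "0":
            findings.append(("uac_disabled", "EnableLUA", "0"))
            continue
        m = NOFILE_RE.match(line)
        if m:
            findings.append(("orphan_clsid", m.group(1), m.group(2)))
    return findings


if __name__ == "__main__":
    for kind, name, value in triage(SAMPLE_LOG):
        print(f"{kind:15} {name}: {value}")
```

Everything this prints is a lead, not a verdict. A loopback proxy in particular can be legitimate (some antivirus web shields and ad filters insert themselves this way), so identify the process bound to that port before removing the setting; an orphaned toolbar CLSID is harmless clutter rather than active code, which is why the CFScript above lists them under DDS:: for tidy-up rather than as deletions of running components.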
 
Thank you for pasting all the logs. It allows me to search directly from my browser and saves considerable time. Looks good. Just a few entries to move:

CFScript

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad and copy/paste the text in the code below into it:
Code:
KillAll::
File::

Folder::
c:\program files\Common Files\ParetoLogic
c:\program files\Lx_cats

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LXCCCATS"=-
Driver::
Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
Choose v2.0.4

Download the HijackThis Installer HERE and save to the desktop:
  1. Double-click on HJTInstall.exe to run the program.
  2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
  3. Accept the license agreement by clicking the "I Accept" button.
  4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  5. Click "Save log" to save the log file and then the log will open in notepad.
  6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Are you noticing any improvements? What malware related problems remain?
 
Thanks again, Bobbye.
- As I reported Friday, I seem to be able to access the windows update website, but have not done any updates yet. I will wait until I get the "go ahead" from you on that.
- My other hijack problem has not recurred in the last few days, so hopefully that has been resolved also.
- I have noticed some improvement in my CPU processing time, but the boot process still seems slower than it should be, and when I run Google Earth (which is very data intensive), it seems to slow down the machine quite a bit.

One question....When I start internet explorer, is it normal to see 2 processes in the Program Manager called iexplore.exe? This seems a little strange to me, but maybe it's normal.

Thanks,
Bob

Here are my latest Combofix log and HIJACKTHIS log (2 posts...can't fit it into 1)

ComboFix 10-07-24.04 - bob 07/25/2010 22:11:54.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.255.101 [GMT -4:00]
Running from: c:\documents and settings\bob\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\bob\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common Files\ParetoLogic
c:\program files\Lx_cats
c:\program files\Lx_cats\23A018502001G7I.A00
c:\program files\Lx_cats\23A018502001G7I.A01
c:\program files\Lx_cats\23A018502001G7I.A02
c:\program files\Lx_cats\lxccCATS.INI
c:\program files\Lx_cats\lxccdefs.xml

.
((((((((((((((((((((((((( Files Created from 2010-06-26 to 2010-07-26 )))))))))))))))))))))))))))))))
.

2010-07-24 20:03 . 2010-07-24 20:07 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-07-24 18:57 . 2010-07-24 18:57 -------- d-----w- C:\_OTM
2010-07-24 18:41 . 2010-07-24 18:41 -------- d-----w- c:\program files\7-Zip
2010-07-20 14:14 . 2010-07-20 14:14 -------- d-----w- c:\program files\ESET
2010-07-16 13:07 . 2010-07-16 13:07 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-07-14 22:43 . 2010-07-14 22:43 -------- d-----w- c:\documents and settings\LocalService\Application Data\FileOpen
2010-07-14 19:29 . 2001-08-17 16:13 19528 -c--a-w- c:\windows\system32\dllcache\w840nd.sys
2010-07-14 19:28 . 2001-08-18 02:36 94293 -c--a-w- c:\windows\system32\dllcache\sxports.dll
2010-07-14 19:27 . 2001-08-18 02:36 386560 -c--a-w- c:\windows\system32\dllcache\sgiul50.dll
2010-07-14 19:26 . 2008-04-13 17:41 17664 -c--a-w- c:\windows\system32\dllcache\ppa3.sys
2010-07-14 19:25 . 2001-08-17 16:20 87040 -c--a-w- c:\windows\system32\dllcache\nm6wdm.sys
2010-07-14 19:24 . 2001-08-17 17:52 6528 -c--a-w- c:\windows\system32\dllcache\miniqic.sys
2010-07-14 19:23 . 2008-04-13 23:09 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2010-07-14 19:22 . 2001-08-18 02:36 91136 -c--a-w- c:\windows\system32\dllcache\icam4com.dll
2010-07-14 19:21 . 2001-08-18 02:36 92160 -c--a-w- c:\windows\system32\dllcache\fuusd.dll
2010-07-14 19:20 . 2001-08-17 16:11 69194 -c--a-w- c:\windows\system32\dllcache\el656cd5.sys
2010-07-14 19:19 . 2001-08-17 16:12 117760 -c--a-w- c:\windows\system32\dllcache\d100ib5.sys
2010-07-14 19:18 . 2001-08-17 16:13 21530 -c--a-w- c:\windows\system32\dllcache\ce2n5.sys
2010-07-14 19:17 . 2001-08-17 17:12 2944 -c--a-w- c:\windows\system32\dllcache\brfilt.sys
2010-07-14 19:17 . 2001-08-18 02:36 12800 -c--a-w- c:\windows\system32\dllcache\brevif.dll
2010-07-14 19:17 . 2001-08-18 02:36 9728 -c--a-w- c:\windows\system32\dllcache\brcoinst.dll
2010-07-14 19:17 . 2001-08-18 02:36 19456 -c--a-w- c:\windows\system32\dllcache\brbidiif.dll
2010-07-14 19:17 . 2001-08-18 02:36 102400 -c--a-w- c:\windows\system32\dllcache\binlsvc.dll
2010-07-14 18:20 . 2010-07-14 18:21 -------- d-----w- c:\program files\Glary Utilities
2010-07-14 17:53 . 2010-07-14 18:01 -------- d-----w- c:\documents and settings\bob\Application Data\GlarySoft
2010-07-14 17:53 . 2010-07-14 17:53 -------- d-----w- c:\program files\Glary Registry Repair
2010-07-14 14:31 . 2010-07-14 14:31 -------- d-----w- c:\documents and settings\bob\Application Data\Uniblue
2010-07-14 09:40 . 2010-07-14 09:40 -------- d-----w- c:\documents and settings\NetworkService\Application Data\FileOpen
2010-07-14 09:39 . 2010-07-14 09:44 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-12 18:33 . 2010-07-12 18:33 -------- d-----w- C:\symbols
2010-07-12 17:54 . 2001-08-17 16:49 49920 -c--a-w- c:\windows\system32\dllcache\atirtcap.sys
2010-07-12 17:33 . 2001-08-17 16:11 46112 -c--a-w- c:\windows\system32\dllcache\adptsf50.sys
2010-07-10 22:08 . 2010-07-20 13:36 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-09 15:57 . 2010-07-09 15:57 -------- d-----w- c:\documents and settings\bob\Application Data\Malwarebytes
2010-07-09 15:56 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-09 15:56 . 2010-07-09 15:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-09 15:56 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-09 15:55 . 2010-07-20 09:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-06 00:44 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-24 20:04 . 2004-04-10 20:19 -------- d-----w- c:\program files\Google
2010-07-12 17:26 . 2010-07-14 22:43 158666 ----a-w- c:\windows\PCHealth\HelpCtr\Config\Cache\Personal_32_1033.dat
2010-07-11 20:58 . 2010-03-07 22:36 442144 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-07-11 20:32 . 2010-03-07 22:36 41420 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-07-11 20:32 . 2010-03-07 22:36 218228 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-07-11 20:32 . 2010-03-07 22:36 16979232 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-07-06 15:27 . 2009-10-01 14:59 -------- d-----w- c:\program files\CCleaner
2010-06-28 20:57 . 2010-03-22 10:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-06-28 20:37 . 2010-03-22 10:58 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-06-28 20:37 . 2010-03-22 10:58 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-06-28 20:33 . 2010-03-22 10:58 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-06-28 20:32 . 2010-03-22 10:58 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-06-28 20:32 . 2010-03-22 10:58 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-06-28 20:32 . 2010-03-22 10:58 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-06-28 20:32 . 2010-03-22 10:58 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-05-06 10:41 . 2002-09-03 17:12 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2002-09-03 17:11 1851264 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-07-24 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-06 5058560]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2003-10-06 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 21:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2003-10-06 19:16 741376 ----a-w- c:\windows\SYSTEM32\nwiz.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 aswSP;aswSP;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [3/22/2010 6:58 AM 165456]
R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [3/22/2010 6:58 AM 17744]
S2 gupdate1c9cfd9aeca5742;Google Update Service (gupdate1c9cfd9aeca5742);c:\program files\Google\Update\GoogleUpdate.exe [5/8/2009 8:36 AM 133104]
.
Contents of the 'Scheduled Tasks' folder

2010-07-26 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2010-07-14 15:14]

2010-07-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-08 12:36]

2010-07-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-08 12:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
DPF: ActiveGS.cab - hxxp://www.virtualapple.com/activegs.cab
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\bob\Application Data\Mozilla\Firefox\Profiles\lwkjalq7.default\
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJPI150_11.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPOJI610.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-25 22:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3780)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\System32\CTsvcCDA.exe
c:\windows\System32\nvsvc32.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-07-25 22:39:32 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-26 02:39
ComboFix2.txt 2010-07-24 19:47
ComboFix3.txt 2010-07-20 14:08

Pre-Run: 36,241,571,840 bytes free
Post-Run: 36,279,250,944 bytes free

- - End Of File - - F2F834125FAF435441C6420210541815
 
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:51:20 PM, on 7/25/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5577
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'Default user')
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Help - {1116F0D1-1161-4B26-9F76-CAA8F0F1673E} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {2E430047-8E8D-44C9-84B0-F2E80365ACE4} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {C677BD4A-D567-40FC-8558-33A992D26222} - http://www.comcast.net (file missing) (HKCU)
O16 - DPF: ActiveGS.cab - http://www.virtualapple.com/activegs.cab
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt3_x.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct0_x.cab
O16 - DPF: Yahoo! Chinese Checkers - http://download.games.yahoo.com/games/clients/y/cct0_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt0_x.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/39.22/uploader2.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = teleran.com
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Update Service (gupdate1c9cfd9aeca5742) (gupdate1c9cfd9aeca5742) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcc_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcccoms.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 9504 bytes
 
When I start internet explorer, is it normal to see 2 processes in the Program Manager called iexplore.exe?
For IEv8, this is normal to have multiple iexplore.exe processes. Malware can also hide in them, but I had you check for that with the Bootkit Remover, which was clean.

Bob, I'm checking Combofix now, but I want you to go ahead and run HijackThis. I found your hijacker. If you have this first entry set intentionally, you need to have HJT remove it- it's a "dirty" site with a bad reputation:

Please reopen HijackThis to 'do system scan only'. Check each of the following if present:
NOTE: Optional removals are color coded. Read the descriptions at the end of the log before you check for removal.
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Help - {1116F0D1-1161-4B26-9F76-CAA8F0F1673E} - http://www.comcast.net/memberservices/ (file missing) (HKCU) - See Option 1
O9 - Extra button: Support - {2E430047-8E8D-44C9-84B0-F2E80365ACE4} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {C677BD4A-D567-40FC-8558-33A992D26222} - http://www.comcast.net (file missing) (HKCU)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = teleran.com - See Option 2


Option 1: If you are no longer using these Comcast services, you can remove these entries.
Option 2: There is an entry in the HJT log for Teleran.
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = teleran.com
This appears to be for "Application Usage Management: Managing Application Users to Improve Business Performance, Ensure Compliance and Reduce Costs." Is this a work computer? And "IT organizations get a comprehensive picture of their entire application ecosystem to quickly address performance, compliance and operational issues before they impact the business."

Close all Windows except HijackThis and click on "Fix Checked"
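The triage above (orphaned "(no file)"/"(file missing)" entries, a search URL pointing at an unknown site, an O17 search list) can be made repeatable. The following is an added example, not HijackThis code and not the helper's own procedure: a small Python parser over HJT-style log lines. The sample log is constructed from entries quoted in this thread; the allow-list of stock IE hosts and the localhost-proxy heuristic are this example's assumptions.

```python
"""Triage a HijackThis-style log: flag the entry classes a helper reviews first.

Added example for this thread, not part of HijackThis or of the original posts.
"""
import re
from urllib.parse import urlparse

# Assumption: hosts that Internet Explorer's default start/search pages use.
# Any other host in an R0/R1 URL entry is worth a second look.
DEFAULT_IE_HOSTS = {"go.microsoft.com", "www.google.com", "google.com"}

# Constructed sample, assembled from entry lines quoted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5577
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Help - {1116F0D1-1161-4B26-9F76-CAA8F0F1673E} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = teleran.com
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
"""

# HJT entries look like "R1 - <body>", "O2 - <body>", "F2 - <body>", "N1 - <body>".
ENTRY_RE = re.compile(r"^(?P<type>[RONF]\d+) - (?P<body>.*)$")


def parse_line(line):
    """Split one log line into (entry type, body); None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return m.group("type"), m.group("body")


def url_host(value):
    """Hostname of an IE URL value; bare values like 'www.google.com' get a scheme."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def triage_entry(entry_type, body):
    """Return a review reason for one entry, or None if nothing stands out."""
    # Orphaned entries: a CLSID or button registered for a file that is gone.
    if "(no file)" in body or "(file missing)" in body:
        return "orphaned: points at a file that no longer exists"
    if entry_type in ("R0", "R1"):
        key, _, value = body.partition(" = ")
        if key.endswith("ProxyServer"):
            # Assumption (heuristic): a proxy on the local host is unusual on a
            # home PC and deserves a look; it is not by itself proof of malware.
            if re.search(r"127\.0\.0\.1|localhost", value):
                return "proxy routed through the local host: %s" % value
            return None
        if value and url_host(value) not in DEFAULT_IE_HOSTS:
            return "start/search page points off the stock hosts: %s" % url_host(value)
    if entry_type == "O17":
        # DNS search list: any suffix here gets appended to unqualified names.
        return "DNS search list set: %s" % body.partition(" = ")[2]
    return None


def triage_log(text):
    """Return [(entry type, reason, original line)] for every flagged entry."""
    findings = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        entry_type, body = parsed
        reason = triage_entry(entry_type, body)
        if reason:
            findings.append((entry_type, reason, line.strip()))
    return findings


if __name__ == "__main__":
    for entry_type, reason, line in triage_log(SAMPLE_LOG):
        print("%-4s %s\n     %s" % (entry_type, reason, line))
```

Entries the script flags still need a human decision: the Comcast buttons here were unwanted but harmless, while the O17 suffix was a leftover from a former workplace.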
 
Will try again to see what's in these Registry keys:

Custom CFScript

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad and copy/paste the text in the code below into it:
Code:
RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
The Java is still outdated: check this site: Java Updates. Stay current, as most updates are for security. Uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities for the system.
 
Bobbye - Thank you again.

I ran the HiJackThis and it cleaned up all 7 items on the list. The Telaran.com item was from a company I had done work for earlier this year, and I no longer need connectivity to their system. I also decided the COMCAST entries were unimportant to my needs, so they're gone, too.

I ran Combofix with your new parameters, and am including the log.

I installed the latest Java, which the website said was going to use 10 MB when I installed, but actually used 90 MB.

ComboFix 10-07-24.06 - bob 07/26/2010 21:16:35.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.255.106 [GMT -4:00]
Running from: c:\documents and settings\bob\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\bob\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2010-06-27 to 2010-07-27 )))))))))))))))))))))))))))))))
.

2010-07-26 02:49 . 2010-07-26 02:49 -------- d-----w- c:\program files\Trend Micro
2010-07-24 20:03 . 2010-07-24 20:07 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-07-24 18:57 . 2010-07-24 18:57 -------- d-----w- C:\_OTM
2010-07-24 18:41 . 2010-07-24 18:41 -------- d-----w- c:\program files\7-Zip
2010-07-20 14:14 . 2010-07-20 14:14 -------- d-----w- c:\program files\ESET
2010-07-16 13:07 . 2010-07-16 13:07 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-07-14 22:43 . 2010-07-14 22:43 -------- d-----w- c:\documents and settings\LocalService\Application Data\FileOpen
2010-07-14 19:29 . 2001-08-17 16:13 19528 -c--a-w- c:\windows\system32\dllcache\w840nd.sys
2010-07-14 19:28 . 2001-08-18 02:36 94293 -c--a-w- c:\windows\system32\dllcache\sxports.dll
2010-07-14 19:27 . 2001-08-18 02:36 386560 -c--a-w- c:\windows\system32\dllcache\sgiul50.dll
2010-07-14 19:26 . 2008-04-13 17:41 17664 -c--a-w- c:\windows\system32\dllcache\ppa3.sys
2010-07-14 19:25 . 2001-08-17 16:20 87040 -c--a-w- c:\windows\system32\dllcache\nm6wdm.sys
2010-07-14 19:24 . 2001-08-17 17:52 6528 -c--a-w- c:\windows\system32\dllcache\miniqic.sys
2010-07-14 19:23 . 2008-04-13 23:09 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2010-07-14 19:22 . 2001-08-18 02:36 91136 -c--a-w- c:\windows\system32\dllcache\icam4com.dll
2010-07-14 19:21 . 2001-08-18 02:36 92160 -c--a-w- c:\windows\system32\dllcache\fuusd.dll
2010-07-14 19:20 . 2001-08-17 16:11 69194 -c--a-w- c:\windows\system32\dllcache\el656cd5.sys
2010-07-14 19:19 . 2001-08-17 16:12 117760 -c--a-w- c:\windows\system32\dllcache\d100ib5.sys
2010-07-14 19:18 . 2001-08-17 16:13 21530 -c--a-w- c:\windows\system32\dllcache\ce2n5.sys
2010-07-14 19:17 . 2001-08-17 17:12 2944 -c--a-w- c:\windows\system32\dllcache\brfilt.sys
2010-07-14 19:17 . 2001-08-18 02:36 12800 -c--a-w- c:\windows\system32\dllcache\brevif.dll
2010-07-14 19:17 . 2001-08-18 02:36 9728 -c--a-w- c:\windows\system32\dllcache\brcoinst.dll
2010-07-14 19:17 . 2001-08-18 02:36 19456 -c--a-w- c:\windows\system32\dllcache\brbidiif.dll
2010-07-14 19:17 . 2001-08-18 02:36 102400 -c--a-w- c:\windows\system32\dllcache\binlsvc.dll
2010-07-14 18:20 . 2010-07-14 18:21 -------- d-----w- c:\program files\Glary Utilities
2010-07-14 17:53 . 2010-07-14 18:01 -------- d-----w- c:\documents and settings\bob\Application Data\GlarySoft
2010-07-14 17:53 . 2010-07-14 17:53 -------- d-----w- c:\program files\Glary Registry Repair
2010-07-14 14:31 . 2010-07-14 14:31 -------- d-----w- c:\documents and settings\bob\Application Data\Uniblue
2010-07-14 09:40 . 2010-07-14 09:40 -------- d-----w- c:\documents and settings\NetworkService\Application Data\FileOpen
2010-07-14 09:39 . 2010-07-14 09:44 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-12 18:33 . 2010-07-12 18:33 -------- d-----w- C:\symbols
2010-07-12 17:54 . 2001-08-17 16:49 49920 -c--a-w- c:\windows\system32\dllcache\atirtcap.sys
2010-07-12 17:33 . 2001-08-17 16:11 46112 -c--a-w- c:\windows\system32\dllcache\adptsf50.sys
2010-07-10 22:08 . 2010-07-20 13:36 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-09 15:57 . 2010-07-09 15:57 -------- d-----w- c:\documents and settings\bob\Application Data\Malwarebytes
2010-07-09 15:56 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-09 15:56 . 2010-07-09 15:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-09 15:56 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-09 15:55 . 2010-07-20 09:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-06 00:44 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-26 02:49 . 2010-07-26 02:49 388096 ----a-r- c:\documents and settings\bob\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-24 20:04 . 2004-04-10 20:19 -------- d-----w- c:\program files\Google
2010-07-12 17:26 . 2010-07-14 22:43 158666 ----a-w- c:\windows\PCHealth\HelpCtr\Config\Cache\Personal_32_1033.dat
2010-07-11 20:58 . 2010-03-07 22:36 442144 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-07-11 20:32 . 2010-03-07 22:36 41420 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-07-11 20:32 . 2010-03-07 22:36 218228 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-07-11 20:32 . 2010-03-07 22:36 16979232 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-07-06 15:27 . 2009-10-01 14:59 -------- d-----w- c:\program files\CCleaner
2010-06-28 20:57 . 2010-03-22 10:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-06-28 20:37 . 2010-03-22 10:58 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-06-28 20:37 . 2010-03-22 10:58 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-06-28 20:33 . 2010-03-22 10:58 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-06-28 20:32 . 2010-03-22 10:58 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-06-28 20:32 . 2010-03-22 10:58 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-06-28 20:32 . 2010-03-22 10:58 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-06-28 20:32 . 2010-03-22 10:58 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-05-06 14:18 . 2010-05-06 14:18 14846 ----a-r- c:\documents and settings\bob\Application Data\Microsoft\Installer\{857CBF4A-192C-44B0-86A5-6281FCEFA1FE}\FileOpenNew.exe
2010-05-06 10:41 . 2002-09-03 17:12 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2002-09-03 17:11 1851264 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-07-24 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-06 5058560]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2003-10-06 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 21:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2003-10-06 19:16 741376 ----a-w- c:\windows\SYSTEM32\nwiz.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 aswSP;aswSP;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [3/22/2010 6:58 AM 165456]
R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [3/22/2010 6:58 AM 17744]
S2 gupdate1c9cfd9aeca5742;Google Update Service (gupdate1c9cfd9aeca5742);c:\program files\Google\Update\GoogleUpdate.exe [5/8/2009 8:36 AM 133104]
.
Contents of the 'Scheduled Tasks' folder

2010-07-26 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2010-07-14 15:14]

2010-07-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-08 12:36]

2010-07-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-08 12:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
DPF: ActiveGS.cab - hxxp://www.virtualapple.com/activegs.cab
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\bob\Application Data\Mozilla\Firefox\Profiles\lwkjalq7.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-26 21:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1560)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-07-26 21:37:56
ComboFix-quarantined-files.txt 2010-07-27 01:37
ComboFix2.txt 2010-07-26 02:39
ComboFix3.txt 2010-07-24 19:47
ComboFix4.txt 2010-07-20 14:08

Pre-Run: 36,126,875,648 bytes free
Post-Run: 36,163,354,624 bytes free

- - End Of File - - D4A466A838A66C583D6A408B5E0C0208
 
You weren't dumped and I don't appreciate you starting a thread accusing me of it. Your thread apparently passed on to the second page and/or I didn't get notification of the reply.

I will continue here after deleting the other thread.
 
One virus won't let me near the website for windows update. This is occurring in both Explorer and Mozilla Firefox.
- Another virus is re-routing me to various websites, very often associated with google.com/webhp
- Some processes are causing my CPU to slow down to a snail's pace, and sometimes freeze.
Has anything changed? Problem gone? Better?

1. Windows updates are a thorn in almost everyone's side. How do you know that 'a virus' is preventing accessing the site? Do you get a message? What?
2. The redirecting is from malware and that's what I am having you work on.
3. Prepare the system for shutdown by closing all programs or active Windows. Open the Task Manager and see what processes have high CPU use. Task Manager should then only have use showing in taskmgr, System Idle and System. These three should add up to 100%- if a process shows 1-2%CPU, ignore it- you're looking for high use.
======================================
Custom CFScript

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad and copy/paste the text in the code below into it:
Code:
File:
DirLook::
C:\symbols
RegLock::
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
The only drivers/Services running are 2 for Avast and 1 for Google update. Usually there are multiple others driver/Services listed.

You have the following entries: do you know what they are?
2010-07-14 09:40 : Folder> c:\documents and settings\NetworkService\Application Data\FileOpen
2010-05-06: Folder> c:\documents and settings\bob\Application Data\Microsoft\Installer\{857CBF4A-192C-44B0-86A5-6281FCEFA1FE}\FileOpenNew.exe
2010-07-14: Folder> c:\documents and settings\LocalService\Application Data\FileOpen
c:\program files\Glary Registry Repair
2010-07-14: Folder> c:\documents and settings\bob\Application Data\Uniblue


The last 2 entries show activity from a Registry cleaner. We do not recommend anyone using a Registry cleaner, but if they do, not during cleaning.

In the future, if you have a problem of some kind with a helper, you are asked to send a PM to the helper.
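As an added example (not from this thread, and not part of ComboFix or any tool used here), the following Python script parses the `Files Created` / `Find3M` line format that ComboFix logs use and applies the same triage the helper did by hand above: entries created under the LocalService/NetworkService profiles, registry-cleaner artefacts, and executables stored in the Windows Installer cache. The sample lines are copied from this thread's own logs; the rule names, regexes and function names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One ComboFix file entry looks like (constructed from this thread's log):
#   2010-07-14 22:43 . 2010-07-14 22:43 -------- d-----w- c:\...\LocalService\Application Data\FileOpen
# fields: created, ".", modified, size (or "--------" for a directory), 8-char attribute string, path
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>-{8}|\d+) "
    r"(?P<attrs>[-a-z]{8}) "
    r"(?P<path>.+)$"
)


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]   # None when ComboFix prints "--------" (a directory)
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")


def parse_combofix_entries(text: str) -> List[Entry]:
    """Return every line of `text` that matches the ComboFix file-entry format."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                       # section headers, dots, blank lines
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries


# Triage rules modelled on the questions the helper asked in this thread (my naming).
SERVICE_PROFILE_RE = re.compile(
    r"\\documents and settings\\(localservice|networkservice)\\application data\\",
    re.IGNORECASE,
)
REGISTRY_CLEANER_RE = re.compile(r"(glary registry repair|uniblue)", re.IGNORECASE)
INSTALLER_EXE_RE = re.compile(
    r"\\microsoft\\installer\\\{[0-9a-f-]+\}\\[^\\]+\.exe$", re.IGNORECASE
)


def triage(entries: List[Entry]) -> List[Tuple[str, List[str]]]:
    """Return (path, reasons) for each entry that trips at least one rule."""
    findings = []
    for e in entries:
        reasons = []
        if SERVICE_PROFILE_RE.search(e.path):
            # Service accounts do not browse or install software; user-style data
            # under their Application Data folders deserves a question.
            reasons.append("created under a service account profile (LocalService/NetworkService)")
        if REGISTRY_CLEANER_RE.search(e.path):
            reasons.append("registry cleaner artefact")
        if INSTALLER_EXE_RE.search(e.path):
            reasons.append("executable stored in the Windows Installer cache")
        if reasons:
            findings.append((e.path, reasons))
    return findings


# Constructed sample: a handful of lines copied from the ComboFix logs in this thread.
SAMPLE_LOG = r"""
2010-07-27 02:02 . 2010-07-27 02:02 -------- d-----w- c:\program files\Common Files\Java
2010-07-14 22:43 . 2010-07-14 22:43 -------- d-----w- c:\documents and settings\LocalService\Application Data\FileOpen
2010-07-14 17:53 . 2010-07-14 17:53 -------- d-----w- c:\program files\Glary Registry Repair
2010-07-14 14:31 . 2010-07-14 14:31 -------- d-----w- c:\documents and settings\bob\Application Data\Uniblue
2010-07-14 09:40 . 2010-07-14 09:40 -------- d-----w- c:\documents and settings\NetworkService\Application Data\FileOpen
2010-07-09 15:56 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-06 14:18 . 2010-05-06 14:18 14846 ----a-r- c:\documents and settings\bob\Application Data\Microsoft\Installer\{857CBF4A-192C-44B0-86A5-6281FCEFA1FE}\FileOpenNew.exe
"""

if __name__ == "__main__":
    for path, reasons in triage(parse_combofix_entries(SAMPLE_LOG)):
        print(path)
        for r in reasons:
            print("   -", r)
```

The benign Java and Malwarebytes entries pass through untouched; the five paths the helper questioned are the ones reported.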
 
In the future, if you have a problem of some kind with a helper, you are asked to send a PM to the helper.

I tried to PM you last Saturday, but the forum rules would not allow me to send a PM because I didn't have a post count greater than 30.

I created a thread in "introductions" last Saturday and responded to it 30 times so I could get a high enough count to PM you. Someone deleted it.

I told my family 11 days ago NOT to touch the computer because BOBBYE was helping me. Then I spent 8 of those days watching you help several other people multiple times a day, with absolutely no communication from you. I had no other way to get your attention than to start that other thread.

If I can't PM you, and you aren't responding to this thread after several days, what other course of action do you recommend?


Back to business: I'm pretty sure I don't need any of those Glary or UNIBLUE files from 7/14 that you asked about. I was trying to fix my system on my own at that time before I started working with you. I have no idea what that FileOpenNew.exe is from 5/6, so if we're getting rid of stuff, that should probably go, too.

As for my original problems, I have access to windows updates again, but per your instructions last Saturday I'm still waiting to do any updating.

My "redirect" virus also seems to have gone away.

When I look at Task Manager (with all programs and active windows closed), I see exactly what you described. The system idle and taskmgr are the only processes showing CPU percentage.

I'll post the Combofix results in my next post.
 
I would ask that you try to keep in mind that we are all volunteers, that you are getting free help and that occasionally, our own lives take precedence. And most importantly, I am human and therefore not perfect.

You can run this script also:
Custom CFScript

  • [1]. Close any open browsers.
  • [2]. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • [3]. Open Notepad and copy/paste the text in the code below into it:
Code:
File::

Folder::
c:\documents and settings\NetworkService\Application Data\FileOpen
c:\documents and settings\bob\Application Data\Microsoft\Installer\{857CBF4A-192C-44B0-86A5-6281FCEFA1FE}\FileOpenNew.exe
c:\documents and settings\LocalService\Application Data\FileOpen
c:\program files\Glary Registry Repair
c:\documents and settings\bob\Application Data\Uniblue
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveIt3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes	
    
    :Services
    
    :Reg
    
    :Files 
    C:\Documents and Settings\bob\My Documents\Install_AIM_np.exe 
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
 
I just finished the first Combofix when I got the new instructions. Here's the first log, and my next post will contain the most recent set.

ComboFix 10-07-31.01 - bob 07/31/2010 13:49:49.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.255.99 [GMT -4:00]
Running from: c:\documents and settings\bob\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\bob\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-31 )))))))))))))))))))))))))))))))
.

2010-07-27 02:02 . 2010-07-27 02:02 -------- d-----w- c:\program files\Common Files\Java
2010-07-27 02:01 . 2010-07-27 02:01 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-26 02:49 . 2010-07-26 02:49 -------- d-----w- c:\program files\Trend Micro
2010-07-24 20:03 . 2010-07-24 20:07 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-07-24 18:57 . 2010-07-24 18:57 -------- d-----w- C:\_OTM
2010-07-24 18:41 . 2010-07-24 18:41 -------- d-----w- c:\program files\7-Zip
2010-07-20 14:14 . 2010-07-20 14:14 -------- d-----w- c:\program files\ESET
2010-07-16 13:07 . 2010-07-16 13:07 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-07-14 22:43 . 2010-07-14 22:43 -------- d-----w- c:\documents and settings\LocalService\Application Data\FileOpen
2010-07-14 19:29 . 2001-08-17 16:13 19528 -c--a-w- c:\windows\system32\dllcache\w840nd.sys
2010-07-14 19:28 . 2001-08-18 02:36 94293 -c--a-w- c:\windows\system32\dllcache\sxports.dll
2010-07-14 19:27 . 2001-08-18 02:36 386560 -c--a-w- c:\windows\system32\dllcache\sgiul50.dll
2010-07-14 19:26 . 2008-04-13 17:41 17664 -c--a-w- c:\windows\system32\dllcache\ppa3.sys
2010-07-14 19:25 . 2001-08-17 16:20 87040 -c--a-w- c:\windows\system32\dllcache\nm6wdm.sys
2010-07-14 19:24 . 2001-08-17 17:52 6528 -c--a-w- c:\windows\system32\dllcache\miniqic.sys
2010-07-14 19:23 . 2008-04-13 23:09 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2010-07-14 19:22 . 2001-08-18 02:36 91136 -c--a-w- c:\windows\system32\dllcache\icam4com.dll
2010-07-14 19:21 . 2001-08-18 02:36 92160 -c--a-w- c:\windows\system32\dllcache\fuusd.dll
2010-07-14 19:20 . 2001-08-17 16:11 69194 -c--a-w- c:\windows\system32\dllcache\el656cd5.sys
2010-07-14 19:19 . 2001-08-17 16:12 117760 -c--a-w- c:\windows\system32\dllcache\d100ib5.sys
2010-07-14 19:18 . 2001-08-17 16:13 21530 -c--a-w- c:\windows\system32\dllcache\ce2n5.sys
2010-07-14 19:17 . 2001-08-17 17:12 2944 -c--a-w- c:\windows\system32\dllcache\brfilt.sys
2010-07-14 19:17 . 2001-08-18 02:36 12800 -c--a-w- c:\windows\system32\dllcache\brevif.dll
2010-07-14 19:17 . 2001-08-18 02:36 9728 -c--a-w- c:\windows\system32\dllcache\brcoinst.dll
2010-07-14 19:17 . 2001-08-18 02:36 19456 -c--a-w- c:\windows\system32\dllcache\brbidiif.dll
2010-07-14 19:17 . 2001-08-18 02:36 102400 -c--a-w- c:\windows\system32\dllcache\binlsvc.dll
2010-07-14 18:20 . 2010-07-14 18:21 -------- d-----w- c:\program files\Glary Utilities
2010-07-14 17:53 . 2010-07-14 18:01 -------- d-----w- c:\documents and settings\bob\Application Data\GlarySoft
2010-07-14 17:53 . 2010-07-14 17:53 -------- d-----w- c:\program files\Glary Registry Repair
2010-07-14 14:31 . 2010-07-14 14:31 -------- d-----w- c:\documents and settings\bob\Application Data\Uniblue
2010-07-14 09:40 . 2010-07-14 09:40 -------- d-----w- c:\documents and settings\NetworkService\Application Data\FileOpen
2010-07-14 09:39 . 2010-07-14 09:44 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-12 18:33 . 2010-07-12 18:33 -------- d-----w- C:\symbols
2010-07-12 17:54 . 2001-08-17 16:49 49920 -c--a-w- c:\windows\system32\dllcache\atirtcap.sys
2010-07-12 17:33 . 2001-08-17 16:11 46112 -c--a-w- c:\windows\system32\dllcache\adptsf50.sys
2010-07-10 22:08 . 2010-07-20 13:36 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-09 15:57 . 2010-07-09 15:57 -------- d-----w- c:\documents and settings\bob\Application Data\Malwarebytes
2010-07-09 15:56 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-09 15:56 . 2010-07-09 15:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-09 15:56 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-09 15:55 . 2010-07-20 09:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-06 00:44 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-27 02:02 . 2010-07-27 02:02 503808 ----a-w- c:\documents and settings\bob\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-71b16453-n\msvcp71.dll
2010-07-27 02:02 . 2010-07-27 02:02 61440 ----a-w- c:\documents and settings\bob\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-1e963998-n\decora-sse.dll
2010-07-27 02:02 . 2010-07-27 02:02 499712 ----a-w- c:\documents and settings\bob\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-71b16453-n\jmc.dll
2010-07-27 02:02 . 2010-07-27 02:02 348160 ----a-w- c:\documents and settings\bob\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-71b16453-n\msvcr71.dll
2010-07-27 02:02 . 2010-07-27 02:02 12800 ----a-w- c:\documents and settings\bob\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-1e963998-n\decora-d3d.dll
2010-07-27 02:00 . 2006-02-18 17:46 -------- d-----w- c:\program files\Java
2010-07-26 02:49 . 2010-07-26 02:49 388096 ----a-r- c:\documents and settings\bob\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-24 20:04 . 2004-04-10 20:19 -------- d-----w- c:\program files\Google
2010-07-12 17:26 . 2010-07-14 22:43 158666 ----a-w- c:\windows\PCHealth\HelpCtr\Config\Cache\Personal_32_1033.dat
2010-07-11 20:58 . 2010-03-07 22:36 442144 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-07-11 20:32 . 2010-03-07 22:36 41420 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-07-11 20:32 . 2010-03-07 22:36 218228 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-07-11 20:32 . 2010-03-07 22:36 16979232 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-07-06 15:27 . 2009-10-01 14:59 -------- d-----w- c:\program files\CCleaner
2010-06-28 20:57 . 2010-03-22 10:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-06-28 20:37 . 2010-03-22 10:58 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-06-28 20:37 . 2010-03-22 10:58 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-06-28 20:33 . 2010-03-22 10:58 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-06-28 20:32 . 2010-03-22 10:58 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-06-28 20:32 . 2010-03-22 10:58 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-06-28 20:32 . 2010-03-22 10:58 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-06-28 20:32 . 2010-03-22 10:58 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-05-06 14:18 . 2010-05-06 14:18 14846 ----a-r- c:\documents and settings\bob\Application Data\Microsoft\Installer\{857CBF4A-192C-44B0-86A5-6281FCEFA1FE}\FileOpenNew.exe
2010-05-06 10:41 . 2002-09-03 17:12 916480 ----a-w- c:\windows\system32\wininet.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of C:\symbols ----

2003-11-18 20:39 . 2003-11-18 20:39 410624 ----a-w- c:\symbols\dll\winhttp.pdb
2003-11-18 17:24 . 2003-11-18 17:24 115712 ----a-w- c:\symbols\dll\efsadu.pdb
2003-10-17 15:19 . 2003-10-17 15:19 1262592 ----a-w- c:\symbols\dll\crypt32.pdb
2003-10-14 09:10 . 2003-10-14 09:10 263168 ----a-w- c:\symbols\dll\wintrust.pdb
2003-10-14 09:10 . 2003-10-14 09:10 156672 ----a-w- c:\symbols\dll\cryptnet.pdb


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-07-24 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-06 5058560]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2003-10-06 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 21:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2003-10-06 19:16 741376 ----a-w- c:\windows\SYSTEM32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 15:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2010-07-24 20:04 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 aswSP;aswSP;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [3/22/2010 6:58 AM 165456]
R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [3/22/2010 6:58 AM 17744]
S2 gupdate1c9cfd9aeca5742;Google Update Service (gupdate1c9cfd9aeca5742);c:\program files\Google\Update\GoogleUpdate.exe [5/8/2009 8:36 AM 133104]
.
Contents of the 'Scheduled Tasks' folder

2010-07-31 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2010-07-14 15:14]

2010-07-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-08 12:36]

2010-07-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-08 12:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
DPF: ActiveGS.cab - hxxp://www.virtualapple.com/activegs.cab
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\bob\Application Data\Mozilla\Firefox\Profiles\lwkjalq7.default\
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-31 14:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2900)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-07-31 14:16:23
ComboFix-quarantined-files.txt 2010-07-31 18:16
ComboFix2.txt 2010-07-27 01:37
ComboFix3.txt 2010-07-26 02:39
ComboFix4.txt 2010-07-24 19:47
ComboFix5.txt 2010-07-31 17:46

Pre-Run: 36,276,846,592 bytes free
Post-Run: 36,335,407,104 bytes free

- - End Of File - - 787C276C756900FD7E5080B83D8F7F1D
 
I've run both Combofix and OTMoveit per your instructions. How do things look to you?


ComboFix 10-07-31.01 - bob 07/31/2010 14:29:51.6.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.255.104 [GMT -4:00]
Running from: c:\documents and settings\bob\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\bob\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\bob\Application Data\Uniblue
c:\documents and settings\bob\Application Data\Uniblue\RegistryBooster\backup\20100714.103849.zip
c:\documents and settings\bob\Application Data\Uniblue\RegistryBooster\error.log
c:\documents and settings\bob\Application Data\Uniblue\RegistryBooster\last_scan.dat
c:\documents and settings\bob\Application Data\Uniblue\RegistryBooster\settings.dat
c:\documents and settings\LocalService\Application Data\FileOpen
c:\documents and settings\LocalService\Application Data\FileOpen\Fowpmadi.txt
c:\documents and settings\NetworkService\Application Data\FileOpen
c:\documents and settings\NetworkService\Application Data\FileOpen\Fowpmadi.txt
c:\program files\Glary Registry Repair
c:\program files\Glary Registry Repair\data\registry.dat
c:\program files\Glary Registry Repair\data\xdata.dat
c:\program files\Glary Registry Repair\help.chm
c:\program files\Glary Registry Repair\languages\Chinese(Traditional).lng
c:\program files\Glary Registry Repair\languages\chinese.lng
c:\program files\Glary Registry Repair\languages\dutch.lng
c:\program files\Glary Registry Repair\languages\english.lng
c:\program files\Glary Registry Repair\languages\french.lng
c:\program files\Glary Registry Repair\languages\German.lng
c:\program files\Glary Registry Repair\languages\hungarian.lng
c:\program files\Glary Registry Repair\languages\italian.lng
c:\program files\Glary Registry Repair\languages\japanese.lng
c:\program files\Glary Registry Repair\languages\Korean.lng
c:\program files\Glary Registry Repair\languages\polish.lng
c:\program files\Glary Registry Repair\languages\ptbr.lng
c:\program files\Glary Registry Repair\languages\russian.lng
c:\program files\Glary Registry Repair\languages\spanish.lng
c:\program files\Glary Registry Repair\languages\turkish.lng
c:\program files\Glary Registry Repair\license.txt
c:\program files\Glary Registry Repair\lockdll.dll
c:\program files\Glary Registry Repair\regrepair.exe
c:\program files\Glary Registry Repair\settings.ini
c:\program files\Glary Registry Repair\unins000.dat
c:\program files\Glary Registry Repair\unins000.exe

.
((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-31 )))))))))))))))))))))))))))))))
.

2010-07-27 02:02 . 2010-07-27 02:02 -------- d-----w- c:\program files\Common Files\Java
2010-07-27 02:01 . 2010-07-27 02:01 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-26 02:49 . 2010-07-26 02:49 -------- d-----w- c:\program files\Trend Micro
2010-07-24 20:03 . 2010-07-24 20:07 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-07-24 18:57 . 2010-07-24 18:57 -------- d-----w- C:\_OTM
2010-07-24 18:41 . 2010-07-24 18:41 -------- d-----w- c:\program files\7-Zip
2010-07-20 14:14 . 2010-07-20 14:14 -------- d-----w- c:\program files\ESET
2010-07-16 13:07 . 2010-07-16 13:07 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-07-14 19:29 . 2001-08-17 16:13 19528 -c--a-w- c:\windows\system32\dllcache\w840nd.sys
2010-07-14 19:28 . 2001-08-18 02:36 94293 -c--a-w- c:\windows\system32\dllcache\sxports.dll
2010-07-14 19:27 . 2001-08-18 02:36 386560 -c--a-w- c:\windows\system32\dllcache\sgiul50.dll
2010-07-14 19:26 . 2008-04-13 17:41 17664 -c--a-w- c:\windows\system32\dllcache\ppa3.sys
2010-07-14 19:25 . 2001-08-17 16:20 87040 -c--a-w- c:\windows\system32\dllcache\nm6wdm.sys
2010-07-14 19:24 . 2001-08-17 17:52 6528 -c--a-w- c:\windows\system32\dllcache\miniqic.sys
2010-07-14 19:23 . 2008-04-13 23:09 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2010-07-14 19:22 . 2001-08-18 02:36 91136 -c--a-w- c:\windows\system32\dllcache\icam4com.dll
2010-07-14 19:21 . 2001-08-18 02:36 92160 -c--a-w- c:\windows\system32\dllcache\fuusd.dll
2010-07-14 19:20 . 2001-08-17 16:11 69194 -c--a-w- c:\windows\system32\dllcache\el656cd5.sys
2010-07-14 19:19 . 2001-08-17 16:12 117760 -c--a-w- c:\windows\system32\dllcache\d100ib5.sys
2010-07-14 19:18 . 2001-08-17 16:13 21530 -c--a-w- c:\windows\system32\dllcache\ce2n5.sys
2010-07-14 19:17 . 2001-08-17 17:12 2944 -c--a-w- c:\windows\system32\dllcache\brfilt.sys
2010-07-14 19:17 . 2001-08-18 02:36 12800 -c--a-w- c:\windows\system32\dllcache\brevif.dll
2010-07-14 19:17 . 2001-08-18 02:36 9728 -c--a-w- c:\windows\system32\dllcache\brcoinst.dll
2010-07-14 19:17 . 2001-08-18 02:36 19456 -c--a-w- c:\windows\system32\dllcache\brbidiif.dll
2010-07-14 19:17 . 2001-08-18 02:36 102400 -c--a-w- c:\windows\system32\dllcache\binlsvc.dll
2010-07-14 18:20 . 2010-07-14 18:21 -------- d-----w- c:\program files\Glary Utilities
2010-07-14 17:53 . 2010-07-14 18:01 -------- d-----w- c:\documents and settings\bob\Application Data\GlarySoft
2010-07-14 09:39 . 2010-07-14 09:44 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-12 18:33 . 2010-07-12 18:33 -------- d-----w- C:\symbols
2010-07-12 17:54 . 2001-08-17 16:49 49920 -c--a-w- c:\windows\system32\dllcache\atirtcap.sys
2010-07-12 17:33 . 2001-08-17 16:11 46112 -c--a-w- c:\windows\system32\dllcache\adptsf50.sys
2010-07-10 22:08 . 2010-07-20 13:36 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-09 15:57 . 2010-07-09 15:57 -------- d-----w- c:\documents and settings\bob\Application Data\Malwarebytes
2010-07-09 15:56 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-09 15:56 . 2010-07-09 15:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-09 15:56 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-09 15:55 . 2010-07-20 09:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-06 00:44 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-27 02:02 . 2010-07-27 02:02 503808 ----a-w- c:\documents and settings\bob\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-71b16453-n\msvcp71.dll
2010-07-27 02:02 . 2010-07-27 02:02 61440 ----a-w- c:\documents and settings\bob\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-1e963998-n\decora-sse.dll
2010-07-27 02:02 . 2010-07-27 02:02 499712 ----a-w- c:\documents and settings\bob\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-71b16453-n\jmc.dll
2010-07-27 02:02 . 2010-07-27 02:02 348160 ----a-w- c:\documents and settings\bob\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-71b16453-n\msvcr71.dll
2010-07-27 02:02 . 2010-07-27 02:02 12800 ----a-w- c:\documents and settings\bob\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-1e963998-n\decora-d3d.dll
2010-07-27 02:00 . 2006-02-18 17:46 -------- d-----w- c:\program files\Java
2010-07-26 02:49 . 2010-07-26 02:49 388096 ----a-r- c:\documents and settings\bob\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-24 20:04 . 2004-04-10 20:19 -------- d-----w- c:\program files\Google
2010-07-12 17:26 . 2010-07-14 22:43 158666 ----a-w- c:\windows\PCHealth\HelpCtr\Config\Cache\Personal_32_1033.dat
2010-07-11 20:58 . 2010-03-07 22:36 442144 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-07-11 20:32 . 2010-03-07 22:36 41420 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-07-11 20:32 . 2010-03-07 22:36 218228 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-07-11 20:32 . 2010-03-07 22:36 16979232 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-07-06 15:27 . 2009-10-01 14:59 -------- d-----w- c:\program files\CCleaner
2010-06-28 20:57 . 2010-03-22 10:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-06-28 20:37 . 2010-03-22 10:58 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-06-28 20:37 . 2010-03-22 10:58 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-06-28 20:33 . 2010-03-22 10:58 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-06-28 20:32 . 2010-03-22 10:58 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-06-28 20:32 . 2010-03-22 10:58 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-06-28 20:32 . 2010-03-22 10:58 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-06-28 20:32 . 2010-03-22 10:58 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-05-06 14:18 . 2010-05-06 14:18 14846 ----a-r- c:\documents and settings\bob\Application Data\Microsoft\Installer\{857CBF4A-192C-44B0-86A5-6281FCEFA1FE}\FileOpenNew.exe
2010-05-06 10:41 . 2002-09-03 17:12 916480 ----a-w- c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-07-24 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-06 5058560]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2003-10-06 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 21:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2003-10-06 19:16 741376 ----a-w- c:\windows\SYSTEM32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 15:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2010-07-24 20:04 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 aswSP;aswSP;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [3/22/2010 6:58 AM 165456]
R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [3/22/2010 6:58 AM 17744]
.
Contents of the 'Scheduled Tasks' folder

2010-07-31 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2010-07-14 15:14]

2010-07-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-08 12:36]

2010-07-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-08 12:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
DPF: ActiveGS.cab - hxxp://www.virtualapple.com/activegs.cab
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\bob\Application Data\Mozilla\Firefox\Profiles\lwkjalq7.default\
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Glary Registry Repair_is1 - c:\program files\Glary Registry Repair\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-31 14:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
Completion time: 2010-07-31 14:50:14
ComboFix-quarantined-files.txt 2010-07-31 18:50
ComboFix2.txt 2010-07-31 18:16
ComboFix3.txt 2010-07-27 01:37
ComboFix4.txt 2010-07-26 02:39
ComboFix5.txt 2010-07-31 18:28

Pre-Run: 36,344,590,336 bytes free
Post-Run: 36,327,788,544 bytes free

- - End Of File - - 56235F8D53C0331323B4584659E4A647

Here's the OTM log:

All processes killed
========== PROCESSES ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
File/Folder C:\Documents and Settings\bob\My Documents\Install_AIM_np.exe not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: bob
->Temp folder emptied: 99840 bytes
->Temporary Internet Files folder emptied: 6562154 bytes
->Java cache emptied: 2027 bytes
->FireFox cache emptied: 3856062 bytes
->Flash cache emptied: 2406 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32835 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32835 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Owner

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 10.00 mb


OTM by OldTimer - Version 3.1.15.0 log created on 07312010_145435

Files moved on Reboot...
File C:\Documents and Settings\bob\Local Settings\Temp\~DF2F83.tmp not found!
File C:\Documents and Settings\bob\Local Settings\Temp\~DF2F97.tmp not found!
File C:\Documents and Settings\bob\Local Settings\Temp\~DF31AB.tmp not found!
File C:\Documents and Settings\bob\Local Settings\Temp\~DF31BD.tmp not found!
File C:\Documents and Settings\bob\Local Settings\Temp\~DF32B1.tmp not found!
File C:\Documents and Settings\bob\Local Settings\Temp\~DF32F5.tmp not found!
C:\Documents and Settings\bob\Local Settings\Temporary Internet Files\Content.IE5\Z4A9G9TK\ads[3].htm moved successfully.
C:\Documents and Settings\bob\Local Settings\Temporary Internet Files\Content.IE5\G8P0HXX5\topic150301[1].html moved successfully.
C:\Documents and Settings\bob\Local Settings\Temporary Internet Files\Content.IE5\FA4I0PRK\ads[1].htm moved successfully.
C:\Documents and Settings\bob\Local Settings\Temporary Internet Files\Content.IE5\ECIN2VNA\sh21[1].html moved successfully.
File C:\WINDOWS\temp\_avast5_\Webshlock.txt not found!

Registry entries deleted on Reboot...
 
The system is clean. The redirects should have stopped. Check for Windows Updates.

To do:
1. Empty the Java cache: Control Panel> Java, Temporary internet files section> Settings> Delete. Close
2. One leftover file from the Glary repair: Search for FileOpenNew.exe> do a right click> Delete
3. To pick up some speed and keep CPU usage down, uncheck any entries for camera, scanner or printer, media player, Java and Adobe reader:

To remove entries from Startup using the msconfig utility:
  • Click on Start> Run> type in msconfig> enter>
  • Click on Selective Startup
  • Choose the Startup tab:
    This is where you UNCHECK the Startup items. This does not remove the item or uninstall anything> it just stops it from starting on boot. It can be rechecked at any time if wanted.
  • To expand the Command Column, (this shows what the process 'belongs' to) hold left mouse button down on the dividing line on frame above Location and move to the right to expand.
  • Click on Apply> OK when finished.

NOTE:
When you reboot the system the first time after making changes using the msconfig utility, a nag message comes up that can be ignored and closed after checking 'don't show this message again.'
Once you make changes to the Startup menu, you must remain in Selective Startup to retain those changes. If you go back to Normal Startup, everything you unchecked will be checked again and start on boot.

Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Empty the Recycle Bin

Let me know if you need any more help.
 
Thanks Bobbye.

I think I've been out of touch with Windows Update for quite a while, because I've spent the last couple of hours catching up with critical updates.

I followed all your cleanup instructions, and everything seems good.

I appreciate all you've done to help, and I wish I could have found a better way to resolve our communication issue.

Take care,
Bob
 
You're welcome. Here are tips to help stay clean.


Please follow these simple steps to keep your computer clean and secure:


Stay current on updates:
  • Visit the Microsoft Download Site frequently. You should get All updates marked Critical and the current SP updates: Windows XP> SP2, SP3.
  • Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
  • Check this site: Java Updates. Stay current, as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.

Make Internet Explorer safer. Follow the suggestions HERE. This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features.

Do regular Maintenance
  • Remove Temporary Internet Files regularly:
    ◦ ATF Cleaner by Atribune
    OR
    ◦ TFC
  • Disable and Enable System Restore:
    ◦ See System Restore Guide. This will help you understand what this is, why you need to clean and set restore points and what information is in them.

Have layered Security:
  • Antivirus Software (only one): Both of the following programs are free and known to be good:
    ◦ Avira Free
    ◦ Avast Home
  • Firewall (only one): Use a bi-directional firewall. Both of the following programs are free and known to be good:
    ◦ Comodo
    ◦ Zone Alarm
  • Antispyware: I recommend all of the following:
    ◦ SpywareBlaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
    ◦ IE/Spyad: This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    ◦ MVPS Hosts file: This replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
    ◦ Google Toolbar: Get the free Google Toolbar to help stop pop up windows.

Left by Bobbye, your friendly volunteer who takes time out of life to help others- free.
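As an added illustration of the HOSTS-file mechanism in the MVPS item above (example code, not part of this thread or of the MVPS project), the following Python parses a HOSTS file in that layout and reports which names it blackholes. It goes slightly beyond the post by also treating the unspecified address 0.0.0.0 as blocking, since hosts lists commonly use it in place of 127.0.0.1; the file content is constructed.

```python
"""Parse a HOSTS file and report which names it blackholes.

Added example for the forum thread above; the sample content is
constructed and is not the real MVPS list.
"""
import ipaddress
from typing import Dict, Optional


def _is_blackhole(addr: str) -> bool:
    """True for addresses that make a name unreachable: loopback
    (127.x.x.x, as the post describes) or the unspecified 0.0.0.0."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname (lower-cased) to the address the file gives it.
    Handles '#' comments (inline too), tabs, several names on one line and
    blank lines. The first entry for a name wins, as the resolver does."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line: an address with no hostname
        addr, names = parts[0], parts[1:]
        for name in names:
            mapping.setdefault(name.lower().rstrip("."), addr)
    return mapping


def blocked_by(mapping: Dict[str, str], hostname: str) -> Optional[str]:
    """Return the blackhole address a name is redirected to, or None when
    the file does not block it. Lookups are exact: an entry for
    'ads.example' does not cover 'www.ads.example'."""
    addr = mapping.get(hostname.lower().rstrip("."))
    return addr if addr is not None and _is_blackhole(addr) else None


SAMPLE_HOSTS = """\
# Constructed sample in the MVPS layout (not the real list)
127.0.0.1\tlocalhost
127.0.0.1 ad.tracker.example\t# well-known ad server
0.0.0.0   banners.example  www.banners.example
192.168.1.10 intranet.example   # a legitimate local mapping
  # indented comment line
"""

if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for host in ("ad.tracker.example", "WWW.BANNERS.EXAMPLE",
                 "intranet.example", "www.ad.tracker.example"):
        print(f"{host:28} -> {blocked_by(table, host)}")
```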
 