Solved Chrome and IE search page links redirect

You're welcome. I don't know what turned System Restore off. Possibly it was not turned on? But when it gets turned off, it drops all the old restore points.

Some instructions in malware cleaning tell users to turn off SR. We don't do that. Sometimes a system will get so corrupted that the only way back in is System Restore.
 
That brings up another concern that we went back-and-forth on. I can assure you that system restore was enabled, and you even posted the listed restore points here:

https://www.techspot.com/vb/post1011061-16.html

This begs the question, what turned it off? I can promise you that I didn't. Either one of your recommended tools did, or some other process did so. This leads me to believe that something might still be amiss. I have created a new restore point per your recommendation, and I have confirmed it is still there at this very moment. My computer appears to be operating properly, but this system restore issue gives me pause. If you're confident all is well, I offer my deepest gratitude and appreciate all your efforts!!!!
 
I cannot tell you why the System Restore was turned off. The computer has not been in my hands. I can tell you that when SR is turned off, the existing restore points are dropped.
The following are the restore points on the system in the first log:
RP1: 2/24/2011 9:43:15 PM - System Checkpoint
RP2: 2/25/2011 7:01:25 AM - Installed HiJackThis
RP3: 2/26/2011 8:34:02 AM - Restore Operation
RP4: 2/26/2011 8:48:57 AM - Restore Operation
Note please that 2 restores were done, using 2 restore points. So they are no longer available. The only other 2 showing are 1 set by the system and the other upon the HJT install. So you really didn't have many in the first place.
==========================================
I have also pointed out your use of 2 file sharing programs> uTorrent and LimeWire and documentation on why you should uninstall them and what the potential dangers are. There are also 2 globally open ports for uTorrent. 'Global' means that any account that signs on has use of them. Although I wrote a script to remove them, they remain open.
"8181:TCP"= 8181:TCP:utorrent webui
"8181:UDP"= 8181:UDP:utorrent webui

=========================================
You did a lot of scans on your own- including a prior run of Combofix. I am not responsible for any actions the scan or you took on the results. You did the following which was a wrong thing to do because the infected or corrupt file remained in the system. I later replaced it correctly.
A prior run of Combofix (before posting on the site) indicated issues with explorer.exe and winlogon.exe. I obtained copies from my wife's computer and placed them in the same folders with the .ex_ extension.
===========================================
If you are uncomfortable, run DeFogger and one more Combofix scan. Although it is possible that something new can show up, based on what I see in the logs and your descriptions, I have no reason to think the system is still infected.
==========================================
 
The only remaining mystery is why my system restore was off. I am 99.9% confident that it was on before the infection, but when I looked to restore once I noticed the infection, system restore was on, but no restore points were listed. Listed restore points you have seen were created AFTER the first sign of infection. The drive is configured to permit 44GB of use by system restore.

As you may recall, from my initial post, "logs supplied are POST restore," so I would expect that my prior efforts were "erased," and you were just dealing with the log "snapshot" moving forward. While it wasn't in your hands, I can assure you that no human being turned off system restore, and from your prior posts, I interpreted your position that malware can't disable system restore. If malware can't disable it, and I haven't turned it off, then I'm just looking for a reason.

Combofix seems to attempt to create its own restore points, so again, I would expect to see evidence unless the /uninstall process removed them.

The system restore point you directed me to make is still present and two additional system checkpoints have been automatically created. There have been several reboots since the user initiated system restore point.

I realize it's not your job to educate me, and I'm really not trying to be a pain. I hate an unsolved mystery, and I hope you don't take any of this as a challenge to your expertise. With the exception of the deactivated system restore, it appears that all issues have been resolved and my PC is performing as expected. I am VERY grateful!

Concerning Limewire, it is not used, and it hasn't been for quite some time (years?). I will uninstall it.

Concerning uTorrent, I understand the risks, and access to the web interface is protected by a reasonably strong password.

I will run Combofix one last time and post the log. If you say it's clean, I'll be on my way singing your praises to all within earshot!
 
LOL... oh how important grammar and punctuation can be... I should have used a hyphen, i.e., "user-initiated" as I meant to differentiate it separately from the automatic restore points.

To be very clear, this is my personal PC, and with the very rare exception of my wife (because a kid is on hers) and my mother's (because she doesn't have her own printer) occasional usage, it's all mine, and I'm quite protective of it!

Though I can clearly screw it up on my own... :-(

Since my last post, I have uninstalled Limewire. According to add/remove programs, its last use was in 8/2008.

Combofix ran normally and successfully restarted the computer on its own. All of today's activities have been accomplished successfully via remote desktop (where you can see that from the logs - just realized that)... :)

Two last questions:
1) Does Combofix change the "hide extensions for known filetypes" option? After Combofix ran and rebooted, my extensions were gone. I have changed the setting, and they are back.
2) Is this a good time to implement MVPS Host file?

Thanks again!

Log attached:

=============================================================

ComboFix 11-03-07.02 - Steve 03/07/2011 13:34:03.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1458 [GMT -7:00]
Running from: h:\documents and settings\Deb\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
h:\windows\system32\LogFiles
h:\windows\system32\LogFiles\HTTPERR\httperr1.log
.
.
((((((((((((((((((((((((( Files Created from 2011-02-07 to 2011-03-07 )))))))))))))))))))))))))))))))
.
.
2099-07-09 05:22 . 2099-07-09 05:22 -------- d-----w- h:\program files\Common Files\Insight Software Solutions
2099-07-09 05:22 . 2008-07-10 03:29 -------- d-----w- h:\program files\Macro Express3
2020-11-03 13:37 . 2010-11-03 13:43 -------- d-----w- h:\program files\SlySoft
2011-03-01 03:39 . 2011-03-01 03:39 -------- d-----w- h:\program files\Common Files\Java
2011-03-01 03:39 . 2011-03-01 03:39 73728 ----a-w- h:\windows\system32\javacpl.cpl
2011-03-01 03:39 . 2011-03-01 03:39 472808 ----a-w- h:\windows\system32\deployJava1.dll
2011-03-01 03:39 . 2011-03-01 03:39 -------- d-----w- h:\program files\Java
2011-02-27 19:19 . 2011-02-27 19:19 33019 ----a-w- h:\windows\system32\CoreAAC-uninstall.exe
2011-02-27 19:18 . 2009-08-12 04:18 497664 ----a-w- h:\windows\system32\ac3filter.acm
2011-02-27 18:32 . 2011-02-27 20:28 -------- d-----w- H:\Temple
2011-02-27 18:29 . 2011-02-27 18:42 -------- d-----w- h:\program files\Avi2Dvd
2011-02-26 19:30 . 2011-02-26 19:30 -------- d-----w- h:\program files\ESET
2011-02-26 16:14 . 2011-02-23 14:56 371544 ----a-w- h:\windows\system32\drivers\aswSnx.sys
2011-02-26 15:52 . 2011-02-26 15:52 -------- d-----w- h:\windows\system32\wbem\Repository
2011-02-25 07:53 . 2011-02-25 07:53 -------- d-----w- h:\documents and settings\LocalService.NT AUTHORITY\IETldCache
2011-02-25 04:37 . 2011-02-25 04:37 -------- d-----w- h:\documents and settings\Deb\Application Data\Malwarebytes
2011-02-25 04:26 . 2010-12-21 01:09 38224 ----a-w- h:\windows\system32\drivers\mbamswissarmy.sys
2011-02-25 04:26 . 2011-02-25 04:26 -------- d-----w- h:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2011-02-25 04:26 . 2011-02-26 16:12 -------- d-----w- h:\program files\Malwarebytes' Anti-Malware
2011-02-25 04:26 . 2010-12-21 01:08 20952 ----a-w- h:\windows\system32\drivers\mbam.sys
2011-02-19 13:01 . 2011-02-19 13:01 -------- d-----w- h:\program files\Microsoft.NET
2011-02-18 07:02 . 2011-02-18 07:02 -------- d-----w- H:\AutoCad
2011-02-10 01:10 . 2011-02-10 01:10 1716297 ----a-w- h:\windows\system32\InetClnt.dll
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-23 15:04 . 2010-08-02 15:01 40648 ----a-w- h:\windows\avastSS.scr
2011-02-23 15:04 . 2010-08-02 15:01 190016 ----a-w- h:\windows\system32\aswBoot.exe
2011-02-23 14:56 . 2010-08-02 15:02 301528 ----a-w- h:\windows\system32\drivers\aswSP.sys
2011-02-23 14:55 . 2010-08-02 15:02 49240 ----a-w- h:\windows\system32\drivers\aswTdi.sys
2011-02-23 14:55 . 2010-08-02 15:02 102232 ----a-w- h:\windows\system32\drivers\aswmon2.sys
2011-02-23 14:55 . 2010-08-02 15:02 96344 ----a-w- h:\windows\system32\drivers\aswmon.sys
2011-02-23 14:55 . 2010-08-02 15:02 25432 ----a-w- h:\windows\system32\drivers\aswRdr.sys
2011-02-23 14:54 . 2010-08-02 15:02 30680 ----a-w- h:\windows\system32\drivers\aavmker4.sys
2011-02-23 14:54 . 2010-08-02 15:02 19544 ----a-w- h:\windows\system32\drivers\aswFsBlk.sys
2011-02-10 01:10 . 2011-02-10 01:10 12 ----a-w- h:\windows\Fonts\wfonts.key
2011-01-21 14:44 . 2008-03-29 04:35 439296 ----a-w- h:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2008-03-28 09:10 290048 ----a-w- h:\windows\system32\atmfd.dll
2011-01-05 03:34 . 2009-03-16 21:33 5656576 ----a-w- h:\windows\system32\drivers\ati2mtag.sys
2011-01-05 03:13 . 2009-03-16 19:35 57344 ----a-w- h:\windows\system32\aticalrt.dll
2011-01-05 03:12 . 2009-03-16 19:34 53248 ----a-w- h:\windows\system32\aticalcl.dll
2011-01-05 03:11 . 2009-03-16 19:33 4489216 ----a-w- h:\windows\system32\aticaldd.dll
2011-01-05 03:11 . 2009-03-16 20:04 17084416 ----a-w- h:\windows\system32\atioglxx.dll
2011-01-05 03:00 . 2009-03-16 20:27 462848 ----a-w- h:\windows\system32\ATIDEMGX.dll
2011-01-05 02:59 . 2009-03-16 20:26 302080 ----a-w- h:\windows\system32\ati2dvag.dll
2011-01-05 02:53 . 2009-03-16 20:17 311296 ----a-w- h:\windows\system32\atiiiexx.dll
2011-01-05 02:53 . 2009-03-16 20:06 4021984 ----a-w- h:\windows\system32\ati3duag.dll
2011-01-05 02:46 . 2011-01-27 04:52 1112576 ----a-w- h:\windows\system32\ativvamv.dll
2011-01-05 02:39 . 2009-03-16 20:17 212992 ----a-w- h:\windows\system32\atipdlxx.dll
2011-01-05 02:39 . 2009-03-16 20:16 155648 ----a-w- h:\windows\system32\Oemdspif.dll
2011-01-05 02:39 . 2009-03-16 20:16 26112 ----a-w- h:\windows\system32\Ati2mdxx.exe
2011-01-05 02:39 . 2009-03-16 20:16 43520 ----a-w- h:\windows\system32\ati2edxx.dll
2011-01-05 02:39 . 2009-03-16 20:16 188416 ----a-w- h:\windows\system32\ati2evxx.dll
2011-01-05 02:37 . 2009-03-16 20:15 638976 ----a-w- h:\windows\system32\ati2evxx.exe
2011-01-05 02:36 . 2009-03-16 19:53 2670464 ----a-w- h:\windows\system32\ativvaxx.dll
2011-01-05 02:36 . 2009-03-16 20:13 53248 ----a-w- h:\windows\system32\ATIDDC.DLL
2011-01-05 02:35 . 2010-04-10 04:02 143360 ----a-w- h:\windows\system32\atiapfxx.exe
2011-01-05 02:31 . 2009-03-16 19:36 651264 ----a-w- h:\windows\system32\atikvmag.dll
2011-01-05 02:29 . 2009-03-16 19:35 196608 ----a-w- h:\windows\system32\atiadlxx.dll
2011-01-05 02:28 . 2009-03-16 19:34 17408 ----a-w- h:\windows\system32\atitvo32.dll
2011-01-05 02:28 . 2009-03-16 19:35 471040 ----a-w- h:\windows\system32\atiok3x2.dll
2011-01-05 02:22 . 2009-03-16 19:28 851968 ----a-w- h:\windows\system32\ati2cqag.dll
2011-01-05 02:20 . 2009-03-16 19:40 64512 ----a-w- h:\windows\system32\atimpc32.dll
2011-01-05 02:20 . 2009-03-16 19:40 64512 ----a-w- h:\windows\system32\amdpcom32.dll
2011-01-05 02:19 . 2009-03-16 19:34 53248 ----a-w- h:\windows\system32\drivers\ati2erec.dll
2010-12-31 13:10 . 2008-03-28 09:11 1854976 ----a-w- h:\windows\system32\win32k.sys
2010-12-22 12:34 . 2008-03-29 04:36 301568 ----a-w- h:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2008-03-29 04:35 916480 ----a-w- h:\windows\system32\wininet.dll
2010-12-20 23:59 . 2008-03-29 04:36 1469440 ------w- h:\windows\system32\inetcpl.cpl
2010-12-20 23:59 . 2008-03-29 04:36 43520 ----a-w- h:\windows\system32\licmgr10.dll
2010-12-20 17:26 . 2008-03-28 09:10 730112 ----a-w- h:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2008-03-29 05:44 385024 ----a-w- h:\windows\system32\html.iec
2010-12-09 15:15 . 2008-03-28 09:10 718336 ----a-w- h:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2008-03-28 09:10 33280 ----a-w- h:\windows\system32\csrsrv.dll
2010-12-09 13:42 . 2008-03-28 09:10 2148864 ----a-w- h:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2001-08-17 13:48 2027008 ----a-w- h:\windows\system32\ntkrnlpa.exe
.
.
------- Sigcheck -------
.
[-] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . h:\windows\explorer.exe
[-] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . h:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-02-23 15:04 122512 ----a-w- h:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerBlock"="h:\program files\PeerBlock\peerblock.exe" [2010-11-07 1867888]
"SUPERAntiSpyware"="h:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-02-25 2423752]
"Google Update"="h:\documents and settings\Deb\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-12-09 135664]
"EVEMon"="i:\program files\EVEMon\EVEMon.exe" [2011-02-12 1724928]
"Skype"="h:\program files\Skype\Phone\Skype.exe" [2010-12-03 14944136]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VIARaidUtl"="h:\program files\VIA\RAID\raid_tool.exe" [2009-02-19 4918936]
"AMD_Display"="h:\program files\AMD\AMD Power Monitor\AMD_PwrMon.exe" [2008-05-05 1449984]
"StartCCC"="h:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-01-05 98304]
"avast"="h:\program files\Alwil Software\Avast5\avastUI.exe" [2011-02-23 3451496]
"SunJavaUpdateSched"="h:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
h:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Timex Data Link USB Launcher.lnk - h:\program files\Timex\Data Link USB\DataLinkLauncher.exe [2010-11-19 40960]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "e:\program files\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "h:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- h:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\H:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=h:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=h:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2009-06-10 10:57 136472 ----a-w- h:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2009-06-10 11:02 904840 ----a-w- i:\program files\Acronis\TrueImageHome\TimounterMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 08:04 39792 ----a-w- h:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 10:43 69632 -c----r- h:\windows\Alcmtr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AmazonGSDownloaderTray]
2009-04-06 23:35 247296 ----a-w- h:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amd_dc_opt]
2008-07-22 20:53 77824 ----a-w- h:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AMD_Display]
2008-05-05 16:37 1449984 ----a-w- h:\program files\AMD\AMD Power Monitor\AMD_PwrMon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast5]
2011-02-23 15:04 3451496 ----a-w- h:\progra~1\ALWILS~1\Avast5\AvastUI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:42 15360 ----a-w- h:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
2005-12-10 14:57 133016 ----a-w- h:\program files\DAEMON Tools\daemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EVEMon]
2011-02-12 20:26 1724928 ----a-w- i:\program files\EVEMon\EVEMon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Fomine WinPopup]
2002-09-17 04:39 292352 ----a-w- h:\program files\Fomine WinPopup\WinPopup.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-12-09 03:45 135664 ------w- h:\documents and settings\Deb\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
2003-09-01 18:52 376912 -c--a-w- h:\program files\Microsoft ActiveSync\wcescomm.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
2001-08-10 17:23 94208 ----a-w- h:\program files\Common Files\Logitech\QCDriver\LVComS.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2001-07-09 19:50 155648 ----a-w- h:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PeerBlock]
2010-11-07 05:24 1867888 ----a-w- h:\program files\PeerBlock\peerblock.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-09-01 22:57 282624 ----a-w- h:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2007-02-26 07:03 16125440 ------w- h:\windows\RTHDCPL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SightSpeed]
2008-11-03 19:02 4789048 ----a-w- h:\program files\SightSpeed\SightSpeed.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2006-05-16 10:04 2879488 ------r- h:\windows\SkyTel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2011-01-05 04:36 98304 ----a-w- h:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TMRUBottedTray]
2008-11-06 18:33 288088 ----a-w- h:\program files\Trend Micro\RUBotted\TMRUBottedTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2009-06-10 10:55 1326080 ----a-w- i:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2010-01-13 22:44 37888 ----a-w- h:\program files\Winamp\winampa.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LVPrcSrv"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\Program Files\\AboutTime\\AboutTime.exe"=
"e:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"i:\\eve\\bin\\ExeFile.exe"=
"h:\\Program Files\\DAP\\DAP.exe"=
"h:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=
"h:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"=
"h:\\Program Files\\uTorrent\\uTorrent.exe"=
"h:\\Program Files\\UGS\\NX 6.0\\UGII\\ugraf.exe"=
"h:\\Program Files\\CCP\\EVE\\bin\\ExeFile.exe"=
"h:\\Program Files\\Motorola\\RSD Lite\\SDL.exe"=
"h:\\Program Files\\Skype\\Phone\\Skype.exe"=
"h:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"h:\\Program Files\\SightSpeed\\SightSpeed.exe"=
"h:\\WINDOWS\\system32\\dpvsetup.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"8181:TCP"= 8181:TCP:utorrent webui
"8181:UDP"= 8181:UDP:utorrent webui
.
R0 sptd;sptd;h:\windows\system32\drivers\sptd.sys [5/2/2008 8:16 PM 643072]
R1 aswSnx;aswSnx;h:\windows\system32\drivers\aswSnx.sys [2/26/2011 9:14 AM 371544]
R1 aswSP;aswSP;h:\windows\system32\drivers\aswSP.sys [8/2/2010 8:02 AM 301528]
R1 SASDIFSV;SASDIFSV;h:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;h:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]
R2 aswFsBlk;aswFsBlk;h:\windows\system32\drivers\aswFsBlk.sys [8/2/2010 8:02 AM 19544]
R2 MotoConnect Service;MotoConnect Service;h:\program files\Motorola\MotoConnectService\MotoConnectService.exe [6/27/2010 6:26 PM 91392]
R2 UGS License Server (ugslmd);UGS License Server (ugslmd);h:\program files\UGS\UGSLicensing\lmgrd.exe [4/22/2008 9:37 AM 1372160]
R3 AmdTools;AMD Special Tools Driver;h:\windows\system32\drivers\AmdTools.sys [5/20/2009 10:15 PM 34304]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;h:\windows\system32\drivers\atl01_xp.sys [5/20/2009 7:19 PM 38656]
R3 TMPassthruMP;TMPassthruMP;h:\windows\system32\drivers\TMPassthru.sys [2/24/2010 6:47 AM 206608]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;h:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);h:\program files\Google\Update\GoogleUpdate.exe [2/16/2010 6:13 AM 135664]
S2 VRAID Log Service;VRAID Log Service;h:\program files\VIA\RAID\vialogsv.exe [5/20/2009 8:38 PM 52888]
S3 Amazon Download Agent;Amazon Download Agent;h:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [4/12/2009 10:48 PM 319488]
S3 androidusb;ADB Interface Driver;h:\windows\system32\drivers\motoandroid.sys [6/27/2010 6:27 PM 25856]
S3 epmntdrv;epmntdrv;h:\windows\system32\epmntdrv.sys [8/15/2010 3:18 PM 13192]
S3 EuGdiDrv;EuGdiDrv;h:\windows\system32\EuGdiDrv.sys [8/15/2010 3:18 PM 8456]
S3 GETND5BV;VIA Networking Velocity-Family Giga-bit Ethernet Adapter Driver;h:\windows\system32\drivers\getnd5bv.sys [12/28/2007 12:57 AM 46080]
S3 MotDev;Motorola Inc. USB Device;h:\windows\system32\drivers\motodrv.sys [6/27/2010 6:27 PM 42752]
S3 SUSTUCAU;Susteen USB Cable USB Driver;h:\windows\system32\drivers\sustucau.sys [4/4/2007 9:56 PM 21376]
S3 TMPassthru;Trend Micro Passthru Ndis Service;h:\windows\system32\drivers\TMPassthru.sys [2/24/2010 6:47 AM 206608]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;h:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S4 RUBotted;Trend Micro RUBotted Service;h:\program files\Trend Micro\RUBotted\TMRUBotted.exe [2/24/2010 6:47 AM 582992]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-07 h:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- h:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 13:13]
.
2011-03-07 h:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- h:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 13:13]
.
2011-03-07 h:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-725345543-839522115-1003Core.job
- h:\documents and settings\Deb\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-09 03:45]
.
2011-03-07 h:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-725345543-839522115-1003UA.job
- h:\documents and settings\Deb\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-09 03:45]
.
2011-03-04 h:\windows\Tasks\{9C117111-5543-41EF-B8BA-B9878B7EE374}_STEVE_Steve.job
- h:\windows\system32\mobsync.exe [2008-03-28 12:42]
.
2011-03-04 h:\windows\Tasks\{B330E9BD-9502-4D89-B3A9-3BB957C35074}_STEVE_Steve.job
- h:\windows\system32\mobsync.exe [2008-03-28 12:42]
.
2011-03-07 h:\windows\Tasks\{BF62BF1F-BB0E-44D1-97CB-094298049FEB}_STEVE_Steve.job
- h:\windows\system32\mobsync.exe [2008-03-28 12:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
Trusted Zone: intuit.com\ttlc
TCP: {9E94E966-7FDB-457F-B092-7509BD1FA11A} = 68.105.28.11,68.105.29.11
Name-Space Handler: FTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - h:\progra~1\DAP\dapie.dll
Name-Space Handler: HTTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - h:\progra~1\DAP\dapie.dll
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-ATI Launchpad - h:\program files\ATI Multimedia\main\launchpd.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-07 13:49
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@h:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="h:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1460)
h:\program files\SUPERAntiSpyware\SASWINLO.DLL
h:\windows\system32\WININET.dll
h:\windows\system32\Ati2evxx.dll
h:\windows\system32\atiadlxx.dll
h:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
.
- - - - - - - > 'winlogon.exe'(3008)
h:\program files\SUPERAntiSpyware\SASWINLO.DLL
h:\windows\system32\WININET.dll
h:\windows\system32\Ati2evxx.dll
h:\windows\system32\atiadlxx.dll
h:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
.
Completion time: 2011-03-07 13:52:46
ComboFix-quarantined-files.txt 2011-03-07 20:52
.
Pre-Run: 202,861,846,528 bytes free
Post-Run: 202,855,030,784 bytes free
.
- - End Of File - - DFC9DDF9E9FECBF1D40496707A0554C8
 
Let's not continue the round of "I absolutely know without a doubt that no one has changed a setting" regarding System Restore. With 2 other users, you cannot attest to that.

Go ahead and install the Host files.

It would appear that you are having intermittent system problems. I recommend you run chkdsk with both functions checked> fix and scan- reboot and let it run.

As long as you allow the Globally Open ports and engage in file sharing, I am not responsible for changes on the system. It appears that you are not removing programs that are no longer used- to wit> LimeWire hadn't been used since 2008.
=======================================
Only someone who has remote access and can literally see some of the settings you are questioning me about, as well as note the system in toto, can even attempt to give answers.
==============================================
I think I have brought this to your attention a couple of times:
Date????
2099-07-09 05:22 . 2099-07-09 05:22 -------- d-----w- h:\program files\Common Files\Insight Software Solutions
2099-07-09 05:22 . 2008-07-10 03:29 -------- d-----w- h:\program files\Macro Express3
2020-11-03 13:37 . 2010-11-03 13:43 -------- d-----w- h:\program files\SlySoft

This indicates some kind of time and date problem. If that is not correct, many parts of the system will malfunction.
Consider removing "e:\\Program Files\\AboutTime\\AboutTime.exe"
A very accurate Internet time server/client. It is a free time setting software which downloads the correct time and sets the time periodically
You can set this yourself and perhaps it will be more accurate.
=================================
Update the Adobe Reader please: Visit this Adobe Reader. Uninstall any earlier updates as they are vulnerabilities.
===================================
I would be cautious about this:
Fomine WinPopup is an instant-messaging tool for all versions of Windows.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Fomine WinPopup]
2002-09-17 04:39 292352 ----a-w- h:\program files\Fomine WinPopup\WinPopup.exe
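As an added example (not from this thread, nor part of ComboFix), a small Python checker for the two items the reply above questions in a ComboFix log: "Files Created" entries stamped later than the scan's own completion time, like the 2099 and 2020 dates, and the GloballyOpenPorts list. The log excerpt it runs on is a constructed sample in the same format, and the regex and function names are my own.

```python
import re
from datetime import datetime

# Constructed excerpt in ComboFix's report format, modelled on the log in
# this thread (not the full log); the 2099/2020 entries and the
# GloballyOpenPorts list are the items questioned in the thread.
SAMPLE_LOG = r"""
ComboFix 11-03-07.02 - Steve 03/07/2011 13:34:03.5.2 - x86
.
((((((((((((( Files Created from 2011-02-07 to 2011-03-07 )))))))))))))
.
2099-07-09 05:22 . 2099-07-09 05:22 -------- d-----w- h:\program files\Common Files\Insight Software Solutions
2099-07-09 05:22 . 2008-07-10 03:29 -------- d-----w- h:\program files\Macro Express3
2020-11-03 13:37 . 2010-11-03 13:43 -------- d-----w- h:\program files\SlySoft
2011-03-01 03:39 . 2011-03-01 03:39 73728 ----a-w- h:\windows\system32\javacpl.cpl
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"8181:TCP"= 8181:TCP:utorrent webui
"8181:UDP"= 8181:UDP:utorrent webui
.
Completion time: 2011-03-07 13:52:46
"""

# File entry: "<created> . <modified> <size or --------> <attrs> <path>"
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(\S+) (\S+) (.+)$"
)
# Firewall entry: '"<port>:<proto>"= <port>:<proto>:<description>'
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')
COMPLETION_RE = re.compile(r"^Completion time: (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
STAMP = "%Y-%m-%d %H:%M"


def parse_combofix(text):
    """Return (completion_time, file_entries, open_ports) from a ComboFix log."""
    completion, entries, ports = None, [], []
    in_ports = False
    for line in text.splitlines():
        line = line.rstrip()
        if line == ".":            # ComboFix's spacer line ends a registry block
            in_ports = False
            continue
        m = COMPLETION_RE.match(line)
        if m:
            completion = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            continue
        if line.startswith("[") and line.endswith("]"):   # registry key header
            in_ports = "GloballyOpenPorts" in line
            continue
        if in_ports:
            m = PORT_RE.match(line)
            if m:
                ports.append((int(m.group(1)), m.group(2), m.group(3).strip()))
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({
                "created": datetime.strptime(m.group(1), STAMP),
                "modified": datetime.strptime(m.group(2), STAMP),
                "size": None if m.group(3).startswith("-") else int(m.group(3)),
                "attrs": m.group(4),
                "path": m.group(5),
            })
    return completion, entries, ports


def future_dated(entries, completion):
    """Entries stamped later than the scan itself: a clock problem or deliberate tampering."""
    return [e for e in entries
            if e["created"] > completion or e["modified"] > completion]


def analyze(text):
    """Summarise the two things worth a second look in such a log."""
    completion, entries, ports = parse_combofix(text)
    future = future_dated(entries, completion)
    findings = [f"timestamp after scan ({e['created']:%Y-%m-%d}): {e['path']}"
                for e in future]
    findings += [f"globally open port {port}/{proto}: {desc}"
                 for port, proto, desc in ports]
    return {
        "completion": completion,
        "future_dated": [e["path"] for e in future],
        "open_ports": ports,
        "findings": findings,
    }


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG)["findings"]:
        print(finding)
```

Run against the sample it lists the three future-dated program folders and the three open ports; an entry dated in 2099 cannot be explained by the scan date, so it is worth asking the user about, as the reply above does.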
 
I should just shut my mouth about this as your attitude is pretty clear. I can guarantee you that no one has physically touched my system within the last two weeks. Period. So I KNOW without a doubt, NO human being sitting at my desk turned off system restore. Maybe someone has compromised my remote access, maybe someone has found a way in through uTorrent webui (even though it's behind the router firewall with no port forwarding - only ports 22 and 3389 are open for the obvious reasons). My file sharing activities are very restricted - AVI files of broadcast TV shows from a limited access site. It seems to me far more likely that one of the pieces of malware or one of the cleaning tools is the culprit. I'm just trying to learn - not be a pain.

Feel free to ignore everything above this comment.

I will install the host files.

I run chkdsk /r about once a month. I will do so again.

Only someone who has remote access and can literally see some of the settings you are questioning me about, as well as note the system in toto, can even attempt to give answers.

I have no idea what you're getting at, but it sounds snarky.

Those date issues were me trying to fool evaluation software with a trial period and then forgetting to clean it up. I no longer use them and will uninstall them. I have used AboutTime for many years. I only run it periodically if I need an immediate update. I have WinXP set to autosync with time.windows.com.

I have used Fomine Winpopup for about 7 years. I would expect that any vulnerabilities would be tied to flaws in the windows messenger service, and I only run it manually when I need it (maybe 0.01% of the time).

I will update the Adobe Reader.

Three last questions (2 new, 1 unanswered)
1) Does Combofix change the "hide extensions for known filetypes" option?
2) Is the Combofix log clean?
3) What intermittent system problems? System restore?

Thanks again!
 
Remote Assistance: allows an expert to connect to a novice's computer and correct any problems directly. It includes the main scenarios used to initiate Remote Assistance sessions.
Only someone who has remote access and can literally see some of the settings you are questioning me about, as well as note the system in toto, can even attempt to give answers.
I have no idea what you're getting at, but it sounds snarky.
There is nothing "snarky" about it> it's what is done when you get paid remote computer help online.

Remote Desktop: Access the files on your work computer from home or on the road with remote desktop in Windows XP Professional.
All of today's activities have been accomplished successfully via remote desktop (where you can see that from the logs - just realized that)... :)
=============================================
1) Does Combofix change the "hide extensions for known filetypes" option?
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
2) Is the Combofix log clean?
Yes. Concern is still these dates. But that does not mean malware:
2099-07-09 05:22 . 2099-07-09 05:22 -------- d-----w- h:\program files\Common Files\Insight Software Solutions
2099-07-09 05:22 . 2008-07-10 03:29 -------- d-----w- h:\program files\Macro Express3
2020-11-03 13:37 . 2010-11-03 13:43 -------- d-----w- h:\program files\SlySoft
3) What intermittent system problems? System restore?
Non-specific.
=============================================
Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
    • Choose Disc Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Empty the Recycle Bin
 