
Hi,

I used the instructions from Bleeping Computer to remove Zentom System Guard, but now I can't access the internet. At first I got an error message that the ICS/(something or other) was missing, but now it just says I'm offline. I'm having to use another machine for this. Since that one is not on the internet I've disabled the AV stuff and the firewall to reduce the chances of interference. Here is the DDS report. Any help will be greatly appreciated, Thanks.

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Owner at 16:32:42 on 2011-11-29

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1534.1223 [GMT -6:00]

.

AV: COMODO Antivirus *Disabled/Outdated* {043803A5-4F86-4ef7-AFC5-F6E02A79969B}

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

FW: COMODO Firewall *Disabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

svchost.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\wscntfy.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = about:blank

uSearch Page = c:\dealers\AAAASteveN.mdb

uWindow Title =

uInternet Connection Wizard,ShellNext = iexplore

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

uPolicies-explorer: NoSMMyDocs = 01000000

uPolicies-explorer: NoSMMyPictures = 01000000

uPolicies-explorer: NoRecentDocsNetHood = 01000000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab

Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll

AppInit_DLLs: c:\windows\system32\guard32.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\kybfn0ej.default\

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\program files\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

.

============= SERVICES / DRIVERS ===============

.

R1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [2011-10-7 18056]

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2011-10-7 492768]

R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2011-10-7 31704]

R2 {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC};Power Control [2010/08/19 16:06:55];c:\program files\cyberlink\powerdvd10\navfilter\000.fcl [2010-3-13 87536]

S1 MpKsl26e9fd02;MpKsl26e9fd02;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4eb15357-908e-4d73-8342-d614637712db}\mpksl26e9fd02.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4eb15357-908e-4d73-8342-d614637712db}\MpKsl26e9fd02.sys [?]

S1 MpKsl43c68d5d;MpKsl43c68d5d;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5b3bcd84-3e6d-4c3d-86c0-c0e854f1bcf1}\mpksl43c68d5d.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5b3bcd84-3e6d-4c3d-86c0-c0e854f1bcf1}\MpKsl43c68d5d.sys [?]

S1 MpKsl99fa371a;MpKsl99fa371a;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{0720d13b-a366-40e1-a227-9aee34f67a2a}\mpksl99fa371a.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{0720d13b-a366-40e1-a227-9aee34f67a2a}\MpKsl99fa371a.sys [?]

S1 MpKslc07ae0a5;MpKslc07ae0a5;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5b3bcd84-3e6d-4c3d-86c0-c0e854f1bcf1}\mpkslc07ae0a5.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5b3bcd84-3e6d-4c3d-86c0-c0e854f1bcf1}\MpKslc07ae0a5.sys [?]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-8-25 22712]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\wpffontcache_v0400.exe --> c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [?]

S4 CLPSLS;COMODO livePCsupport Service;c:\program files\comodo\comodo geekbuddy\CLPSLS.exe [2011-5-25 154424]

S4 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2011-10-7 1883328]

S4 MBAMService;MBAMService;c:\utilities\malwarebytes' anti-malware\mbamservice.exe [2010-8-25 366640]

.

=============== Created Last 30 ================

.

2011-11-27 19:12:22 3840 ----a-w- c:\windows\system32\drivers\BANTExt.sys

2011-11-27 19:12:22 -------- d-----w- c:\program files\Belarc

2011-11-06 10:37:26 -------- d-----w- c:\documents and settings\owner\local settings\application data\COMODO

2011-11-05 23:26:12 -------- d-----w- c:\documents and settings\owner\local settings\application data\Threat Expert

2011-11-05 21:56:59 -------- d--h--w- C:\VritualRoot

2011-11-05 16:41:38 257744 ----a-w- c:\windows\system32\drivers\sfi.dat

2011-11-05 16:38:16 -------- d-----w- c:\documents and settings\all users\application data\Comodo

2011-11-05 16:38:10 -------- d-----w- c:\program files\COMODO

2011-11-05 16:38:09 1700352 ----a-w- c:\windows\system32\gdiplus.dll

2011-11-05 16:38:09 1060864 ----a-w- c:\windows\system32\mfc71.dll

2011-11-05 16:36:39 -------- d-----w- c:\documents and settings\all users\application data\Comodo Downloader

2011-11-01 01:41:15 -------- d-----w- c:\program files\UPHClean

.

==================== Find3M ====================

.

2011-10-26 00:57:40 41680 ----a-w- c:\windows\system32\drivers\hcowlqdp.sys

2011-10-07 23:48:02 492768 ----a-w- c:\windows\system32\drivers\cmdGuard.sys

2011-10-07 23:48:02 31704 ----a-w- c:\windows\system32\drivers\cmdhlp.sys

2011-10-07 23:48:00 18056 ----a-w- c:\windows\system32\drivers\cmderd.sys

2011-10-07 23:47:12 33984 ----a-w- c:\windows\system32\cmdcsr.dll

2011-10-07 23:47:12 300200 ----a-w- c:\windows\system32\guard32.dll

2011-09-26 16:41:20 611328 ------w- c:\windows\system32\uiautomationcore.dll

2011-09-26 16:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-26 16:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll

2011-09-26 15:33:23 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys

.

============= FINISH: 16:33:21.43 ===============


  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the contents of C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.


Hi,

Thanks for the response. Sorry about the delay, but as I don't have internet access I'm having to do my downloads, updates and copying/pasting with the old laptop and with a flash drive. It's kinda slow.

Anyway, here's the MBAM report followed by the combofix report. When Combofix requested to load the recovery console I had to tell it "no" because I don't have access to the internet. Combofix ran twice and between runs it reported that it had found that "Rootkit.ZeroAccess" had inserted itself in the TCP/IP stack.

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 7622

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

12/3/2011 10:12:37 PM

mbam-log-2011-12-03 (22-12-37).txt

Scan type: Quick scan

Objects scanned: 161893

Time elapsed: 2 minute(s), 11 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

---------------------------------------------------------------------------------

ComboFix 11-12-03.01 - Owner 12/03/2011 22:29:23.1.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1534.1246 [GMT -6:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

AV: COMODO Antivirus *Disabled/Outdated* {043803A5-4F86-4ef7-AFC5-F6E02A79969B}

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

FW: COMODO Firewall *Disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

* Created a new restore point

.

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\All Users\Application Data\TEMP

c:\documents and settings\Owner\Application Data\Adobe\plugs

c:\documents and settings\Owner\Application Data\Adobe\shed

c:\documents and settings\Owner\Desktop\Security Center.lnk

c:\documents and settings\Owner\My Documents\Zipkey32.INI

c:\documents and settings\Owner\WINDOWS

c:\windows\$NtUninstallKB37185$

c:\windows\$NtUninstallKB37185$\1865675954

c:\windows\$NtUninstallKB37185$\598913779\@

c:\windows\$NtUninstallKB37185$\598913779\bckfg.tmp

c:\windows\$NtUninstallKB37185$\598913779\cfg.ini

c:\windows\$NtUninstallKB37185$\598913779\Desktop.ini

c:\windows\$NtUninstallKB37185$\598913779\keywords

c:\windows\$NtUninstallKB37185$\598913779\kwrd.dll

c:\windows\$NtUninstallKB37185$\598913779\L\legnalvn

c:\windows\$NtUninstallKB37185$\598913779\U\00000001.@

c:\windows\$NtUninstallKB37185$\598913779\U\00000002.@

c:\windows\$NtUninstallKB37185$\598913779\U\00000004.@

c:\windows\$NtUninstallKB37185$\598913779\U\80000000.@

c:\windows\$NtUninstallKB37185$\598913779\U\80000004.@

c:\windows\$NtUninstallKB37185$\598913779\U\80000032.@

c:\windows\EventSystem.log

c:\windows\system32\default_user_class.dat.LOG

.

.

((((((((((((((((((((((((( Files Created from 2011-11-04 to 2011-12-04 )))))))))))))))))))))))))))))))

.

.

2011-12-04 04:02 . 2011-12-04 04:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-12-04 04:02 . 2011-08-31 23:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-11-27 19:12 . 2011-11-27 19:12 -------- d-----w- c:\program files\Belarc

2011-11-27 19:12 . 2011-08-09 22:33 3840 ----a-w- c:\windows\system32\drivers\BANTExt.sys

2011-11-06 10:37 . 2011-11-06 10:37 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\COMODO

2011-11-05 23:26 . 2011-11-05 23:26 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Threat Expert

2011-11-05 21:56 . 2011-11-05 21:56 -------- d-----w- C:\VritualRoot

2011-11-05 16:42 . 2011-11-05 16:42 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2011-11-05 16:41 . 2011-11-29 21:29 257744 ----a-w- c:\windows\system32\drivers\sfi.dat

2011-11-05 16:38 . 2011-11-05 16:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo

2011-11-05 16:38 . 2011-11-05 16:38 -------- d-----w- c:\program files\COMODO

2011-11-05 16:38 . 2011-11-05 16:38 1700352 ----a-w- c:\windows\system32\gdiplus.dll

2011-11-05 16:38 . 2011-11-05 16:38 1060864 ----a-w- c:\windows\system32\mfc71.dll

2011-11-05 16:36 . 2011-11-05 16:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo Downloader

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-10-26 00:57 . 2011-10-26 00:57 41680 ----a-w- c:\windows\system32\drivers\hcowlqdp.sys

2011-10-07 23:48 . 2011-10-07 23:48 97760 ----a-w- c:\windows\system32\drivers\inspect.sys

2011-10-07 23:48 . 2011-10-07 23:48 492768 ----a-w- c:\windows\system32\drivers\cmdGuard.sys

2011-10-07 23:48 . 2011-10-07 23:48 31704 ----a-w- c:\windows\system32\drivers\cmdhlp.sys

2011-10-07 23:48 . 2011-10-07 23:48 18056 ----a-w- c:\windows\system32\drivers\cmderd.sys

2011-10-07 23:47 . 2011-10-07 23:47 33984 ----a-w- c:\windows\system32\cmdcsr.dll

2011-10-07 23:47 . 2011-10-07 23:47 300200 ----a-w- c:\windows\system32\guard32.dll

2011-09-26 16:41 . 2011-09-26 16:41 611328 ------w- c:\windows\system32\uiautomationcore.dll

2011-09-26 16:41 . 2004-08-04 02:00 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-26 16:41 . 2004-08-04 02:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll

2011-09-26 15:33 . 2011-09-26 15:33 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-09-09 09:12 . 2008-04-14 00:41 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-09-06 13:20 . 2010-03-20 06:22 1858944 ----a-w- c:\windows\system32\win32k.sys

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[-] 2010-08-09 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-29 7618560]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-29 86016]

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSMMyDocs"= 01000000

"NoSMMyPictures"= 01000000

"NoRecentDocsNetHood"= 01000000

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\system32\guard32.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]

@="Service"

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^cscbridgeobj.exe]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\cscbridgeobj.exe

backup=c:\windows\pss\cscbridgeobj.exeCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^winadslcenter.exe]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\winadslcenter.exe

backup=c:\windows\pss\winadslcenter.exeCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Zipkey check for hotkey.LNK]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Zipkey check for hotkey.LNK

backup=c:\windows\pss\Zipkey check for hotkey.LNKCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

c:\windows\system32\dumprep 0 -k [X]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ADUserMon]

2002-09-24 21:39 147456 ----a-w- c:\program files\Iomega\AutoDisk\ADUserMon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO]

2011-05-26 03:43 208184 ----a-w- c:\program files\COMODO\COMODO GeekBuddy\CLPSLA.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO Internet Security]

2011-10-20 17:58 2497352 ----a-w- c:\program files\COMODO\COMODO Internet Security\cfp.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CPA]

2011-05-26 03:43 182584 ----a-w- c:\program files\COMODO\COMODO GeekBuddy\VALA.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Deskup]

2002-07-16 15:55 32768 ----a-w- c:\program files\Iomega\DriveIcons\deskup.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]

2009-11-11 22:23 1468256 ----a-w- c:\program files\Microsoft IntelliPoint\ipoint.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iomega Drive Icons]

2002-08-13 19:30 86016 ----a-w- c:\program files\Iomega\DriveIcons\Imgicon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"Schedule"=2 (0x2)

"UPS"=3 (0x3)

"ERSvc"=2 (0x2)

"ProtectedStorage"=2 (0x2)

"MBAMService"=2 (0x2)

"FastUserSwitchingCompatibility"=3 (0x3)

"CLPSLS"=2 (0x2)

"cmdAgent"=2 (0x2)

"BITS"=2 (0x2)

"wuauserv"=2 (0x2)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office\\EXCEL.EXE"=

"c:\\WINDOWS\\system32\\mmc.exe"=

"c:\\Utilities\\WinRescue XP\\RescueXP.exe"=

.

R1 MpKsl26e9fd02;MpKsl26e9fd02;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4EB15357-908E-4D73-8342-D614637712DB}\MpKsl26e9fd02.sys [x]

R1 MpKsl43c68d5d;MpKsl43c68d5d;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5B3BCD84-3E6D-4C3D-86C0-C0E854F1BCF1}\MpKsl43c68d5d.sys [x]

R1 MpKsl99fa371a;MpKsl99fa371a;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0720D13B-A366-40E1-A227-9AEE34F67A2A}\MpKsl99fa371a.sys [x]

R1 MpKslc07ae0a5;MpKslc07ae0a5;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5B3BCD84-3E6D-4C3D-86C0-C0E854F1BCF1}\MpKslc07ae0a5.sys [x]

R2 {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC};Power Control [2010/08/19 16:06];c:\program files\CyberLink\PowerDVD10\NavFilter\000.fcl [2010-03-13 17:58 87536]

R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [x]

R4 CLPSLS;COMODO livePCsupport Service;c:\program files\COMODO\COMODO GeekBuddy\CLPSLS.exe [2011-05-26 154424]

S1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\DRIVERS\cmderd.sys [2011-10-07 18056]

S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2011-10-07 492768]

S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2011-10-07 31704]

.

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uInternet Connection Wizard,ShellNext = iexplore

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\kybfn0ej.default\

FF - prefs.js: network.proxy.type - 0

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

.

- - - - ORPHANS REMOVED - - - -

.

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

HKU-Default-Run-DWQueuedReporting - c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe

MSConfigStartUp-Malwarebytes' Anti-Malware - c:\utilities\Malwarebytes' Anti-Malware\mbamgui.exe

MSConfigStartUp-MSC - c:\program files\Microsoft Security Client\msseces.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-12-03 22:35

Windows 5.1.2600 Service Pack 3 NTFS

.

detected NTDLL code modification:

ZwClose

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Iomega Activity Disk2]

"ImagePath"="\"\""

.

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC}]

"ImagePath"="\??\c:\program files\CyberLink\PowerDVD10\NavFilter\000.fcl"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'lsass.exe'(476)

c:\windows\system32\guard32.dll

.

- - - - - - - > 'csrss.exe'(376)

c:\windows\system32\cmdcsr.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvsvc32.exe

c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2011-12-03 22:36:45 - machine was rebooted

ComboFix-quarantined-files.txt 2011-12-04 04:36

.

Pre-Run: 48,003,260,416 bytes free

Post-Run: 48,339,980,288 bytes free

.

- - End Of File - - E1BD641D4DC9FBE9DE9615AF1BDE7902

Let me know what to do next.

Thanks again, Mike

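The ComboFix log in the post above lists a directory named like a Windows hotfix uninstall folder (c:\windows\$NtUninstallKB37185$) that holds an "@" file, "U" and "L" subdirectories, cfg.ini, bckfg.tmp, keywords and kwrd.dll. That layout is the well-known on-disk footprint of the 2011-era ZeroAccess/Sirefef rootkit, which is consistent with ComboFix's "Rootkit.ZeroAccess" message. The script below is an added triage example, not code from the thread, from Malwarebytes or from ComboFix: it pulls the paths out of a ComboFix "Other Deletions" section and flags any $NtUninstallKB…$ directory that carries two or more of those markers, so a helper reading such a log does not have to eyeball it. The embedded sample log is constructed for the example: the KB37185 lines are copied from the post, while the KB123456 line is a fictitious benign hotfix folder used as a negative case.

```python
import re
from collections import defaultdict

# A genuine hotfix uninstall folder (c:\windows\$NtUninstallKB<number>$) holds a
# spuninst\ subfolder and backed-up system files.  ZeroAccess/Sirefef reused the
# naming scheme but filled the folder with its own files, listed here.
KB_DIR = re.compile(r"^(?P<root>.*\\\$NtUninstallKB\d+\$)(?:\\(?P<rest>.*))?$", re.IGNORECASE)
ZA_FILE_MARKERS = {"@", "cfg.ini", "bckfg.tmp", "keywords", "kwrd.dll"}
ZA_DIR_MARKERS = {"u", "l"}
PAYLOAD_FILE = re.compile(r"[0-9a-f]{8}\.@")   # e.g. U\00000001.@, U\80000032.@

# Constructed sample: KB37185 lines are from the posted log; KB123456 is a
# fictitious benign uninstall folder added as a negative case.
SAMPLE_LOG = r"""((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Owner\Desktop\Security Center.lnk
c:\windows\$NtUninstallKB37185$
c:\windows\$NtUninstallKB37185$\1865675954
c:\windows\$NtUninstallKB37185$\598913779\@
c:\windows\$NtUninstallKB37185$\598913779\cfg.ini
c:\windows\$NtUninstallKB37185$\598913779\kwrd.dll
c:\windows\$NtUninstallKB37185$\598913779\L\legnalvn
c:\windows\$NtUninstallKB37185$\598913779\U\00000001.@
c:\windows\$NtUninstallKB37185$\598913779\U\80000032.@
c:\windows\$NtUninstallKB123456$\spuninst\spuninst.exe
c:\windows\EventSystem.log
.
((((((((((((((((((((((((( Files Created from 2011-11-04 to 2011-12-04 )))))))))))))))))))))))))))))))
"""


def parse_deletions(log_text):
    """Return the paths listed under ComboFix's 'Other Deletions' header."""
    paths = []
    in_section = False
    for line in log_text.splitlines():
        line = line.strip()
        if "Other Deletions" in line:
            in_section = True
            continue
        if in_section and line.startswith("(((("):
            break                      # reached the next ComboFix section header
        if in_section and line and line != ".":
            paths.append(line)
    return paths


def score_kb_dirs(paths):
    """Map each $NtUninstallKB…$ root to the set of ZeroAccess markers seen under it."""
    markers = defaultdict(set)
    for path in paths:
        m = KB_DIR.match(path)
        if not m:
            continue
        root = m.group("root").lower()
        markers.setdefault(root, set())    # record the folder even if empty
        rest = m.group("rest")
        if not rest:
            continue
        parts = rest.split("\\")
        name = parts[-1].lower()
        if name in ZA_FILE_MARKERS:
            markers[root].add(name)
        if PAYLOAD_FILE.fullmatch(name):
            markers[root].add("*.@")
        # The U\ and L\ folders sit under a random numeric directory, so look
        # at every intermediate component rather than only the first one.
        for comp in parts[:-1]:
            if comp.lower() in ZA_DIR_MARKERS:
                markers[root].add(comp.upper() + "\\")
    return dict(markers)


def suspicious_kb_dirs(paths, min_markers=2):
    """Folders carrying at least min_markers ZeroAccess indicators, sorted markers per folder."""
    return {d: sorted(m) for d, m in score_kb_dirs(paths).items() if len(m) >= min_markers}


if __name__ == "__main__":
    for folder, found in suspicious_kb_dirs(parse_deletions(SAMPLE_LOG)).items():
        print(f"ZeroAccess-style uninstall folder: {folder}  markers: {', '.join(found)}")
```

Requiring two markers keeps a lone stray "@" or a genuine hotfix folder from being flagged; a folder that trips the check is worth quarantining in full, including the numeric subdirectory, rather than deleting individual files.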

  • Staff

Hi,

I notice that you are using more than one antivirus program (Comodo and Microsoft). This is very dangerous, as multiple AVs can interfere with one another and actually allow MORE viruses to get through. I strongly suggest you go to Start -> Control Panel -> Add or Remove Programs and uninstall all but one antivirus program.

Please download this file and save it as it is originally named, next to ComboFix.exe.


Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, it will ask you whether or not to continue with the malware scan. Select Yes, and post the resultant log.

-screen317


Hi, Per your instructions I uninstalled Comodo. Here is the new Combofix log. I cannot get the current copy of Combofix.exe because it appears that the Bleeping Computer website is down. Therefore Combofix reported that it would run in a reduced function state.

I followed your instructions, but it did not ask me to install the Recovery Console. It appears that it is already installed. Also, I ran DDS.exe afterwards and the Attach log shows that a file named "Ipsec" is missing or cannot be found. I don't know whether this will be of any assistance to you or not. Just reporting.

ComboFix 11-12-03.01 - Owner 12/12/2011 14:55:49.3.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1534.994 [GMT -6:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Owner\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

* Created a new restore point

.

- REDUCED FUNCTIONALITY MODE -

.

.

((((((((((((((((((((((((( Files Created from 2011-11-12 to 2011-12-12 )))))))))))))))))))))))))))))))

.

.

2011-12-04 04:02 . 2011-12-04 04:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-12-04 04:02 . 2011-08-31 23:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-11-27 19:12 . 2011-11-27 19:12 -------- d-----w- c:\program files\Belarc

2011-11-27 19:12 . 2011-08-09 22:33 3840 ----a-w- c:\windows\system32\drivers\BANTExt.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-11-05 16:38 . 2011-11-05 16:38 1700352 ----a-w- c:\windows\system32\gdiplus.dll

2011-11-05 16:38 . 2011-11-05 16:38 1060864 ----a-w- c:\windows\system32\mfc71.dll

2011-10-26 00:57 . 2011-10-26 00:57 41680 ----a-w- c:\windows\system32\drivers\hcowlqdp.sys

2011-09-26 16:41 . 2011-09-26 16:41 611328 ------w- c:\windows\system32\uiautomationcore.dll

2011-09-26 16:41 . 2004-08-04 02:00 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-26 16:41 . 2004-08-04 02:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll

2011-09-26 15:33 . 2011-09-26 15:33 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[-] 2010-08-09 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-29 7618560]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-29 86016]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSMMyDocs"= 01000000

"NoSMMyPictures"= 01000000

"NoRecentDocsNetHood"= 01000000

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^cscbridgeobj.exe]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\cscbridgeobj.exe

backup=c:\windows\pss\cscbridgeobj.exeCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^winadslcenter.exe]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\winadslcenter.exe

backup=c:\windows\pss\winadslcenter.exeCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Zipkey check for hotkey.LNK]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Zipkey check for hotkey.LNK

backup=c:\windows\pss\Zipkey check for hotkey.LNKCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

c:\windows\system32\dumprep 0 -k [X]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ADUserMon]

2002-09-24 21:39 147456 ----a-w- c:\program files\Iomega\AutoDisk\ADUserMon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Deskup]

2002-07-16 15:55 32768 ----a-w- c:\program files\Iomega\DriveIcons\deskup.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]

2009-11-11 22:23 1468256 ----a-w- c:\program files\Microsoft IntelliPoint\ipoint.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iomega Drive Icons]

2002-08-13 19:30 86016 ----a-w- c:\program files\Iomega\DriveIcons\Imgicon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"Schedule"=2 (0x2)

"UPS"=3 (0x3)

"ERSvc"=2 (0x2)

"ProtectedStorage"=2 (0x2)

"MBAMService"=2 (0x2)

"FastUserSwitchingCompatibility"=3 (0x3)

"CLPSLS"=2 (0x2)

"cmdAgent"=2 (0x2)

"BITS"=2 (0x2)

"wuauserv"=2 (0x2)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office\\EXCEL.EXE"=

"c:\\WINDOWS\\system32\\mmc.exe"=

"c:\\Utilities\\WinRescue XP\\RescueXP.exe"=

.

R2 {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC};Power Control [2010/08/19 16:06];c:\program files\CyberLink\PowerDVD10\NavFilter\000.fcl [3/13/2010 11:58 AM 87536]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/3/2011 10:02 PM 366152]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/3/2011 10:02 PM 22216]

S1 MpKsl26e9fd02;MpKsl26e9fd02;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4EB15357-908E-4D73-8342-D614637712DB}\MpKsl26e9fd02.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4EB15357-908E-4D73-8342-D614637712DB}\MpKsl26e9fd02.sys [?]

S1 MpKsl43c68d5d;MpKsl43c68d5d;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5B3BCD84-3E6D-4C3D-86C0-C0E854F1BCF1}\MpKsl43c68d5d.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5B3BCD84-3E6D-4C3D-86C0-C0E854F1BCF1}\MpKsl43c68d5d.sys [?]

S1 MpKsl99fa371a;MpKsl99fa371a;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0720D13B-A366-40E1-A227-9AEE34F67A2A}\MpKsl99fa371a.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0720D13B-A366-40E1-A227-9AEE34F67A2A}\MpKsl99fa371a.sys [?]

S1 MpKslc07ae0a5;MpKslc07ae0a5;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5B3BCD84-3E6D-4C3D-86C0-C0E854F1BCF1}\MpKslc07ae0a5.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5B3BCD84-3E6D-4C3D-86C0-C0E854F1BCF1}\MpKslc07ae0a5.sys [?]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe --> c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [?]

.

Contents of the 'Scheduled Tasks' folder

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uInternet Connection Wizard,ShellNext = iexplore

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\kybfn0ej.default\

FF - prefs.js: network.proxy.type - 0

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

.

- - - - ORPHANS REMOVED - - - -

.

HKLM-Run-CisPostUninstall - c:\docume~1\Owner\LOCALS~1\Temp\cis16.exe

MSConfigStartUp-COMODO - c:\program files\COMODO\COMODO GeekBuddy\CLPSLA.exe

MSConfigStartUp-COMODO Internet Security - c:\program files\COMODO\COMODO Internet Security\cfp.exe

MSConfigStartUp-CPA - c:\program files\COMODO\COMODO GeekBuddy\VALA.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-12-12 14:56

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Iomega Activity Disk2]

"ImagePath"="\"\""

.

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC}]

"ImagePath"="\??\c:\program files\CyberLink\PowerDVD10\NavFilter\000.fcl"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(160)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\msi.dll

c:\windows\system32\wpdshserviceobj.dll

c:\windows\system32\portabledevicetypes.dll

c:\windows\system32\portabledeviceapi.dll

c:\windows\system32\webcheck.dll

.

Completion time: 2011-12-12 14:58:12

ComboFix-quarantined-files.txt 2011-12-12 20:58

ComboFix2.txt 2011-12-05 19:01

ComboFix3.txt 2011-12-04 04:36

.

Pre-Run: 48,558,071,808 bytes free

Post-Run: 48,548,384,768 bytes free

.

- - End Of File - - 53C154765E2870ADEE996702A759D66E

Thanks again for your time.


Hi again, I was finally able to download a fresh copy of Combofix and ran it as you specified. As before, it appears that the Recovery Console is already installed, but this time it did not indicate it was running in a reduced-functionality mode. Thanks again for your time.

Here is the log:

ComboFix 11-12-12.02 - Owner 12/12/2011 16:03:16.4.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1534.1093 [GMT -6:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Owner\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

.

.

((((((((((((((((((((((((( Files Created from 2011-11-12 to 2011-12-12 )))))))))))))))))))))))))))))))

.

.

2011-12-04 04:02 . 2011-12-04 04:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-12-04 04:02 . 2011-08-31 23:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-11-27 19:12 . 2011-11-27 19:12 -------- d-----w- c:\program files\Belarc

2011-11-27 19:12 . 2011-08-09 22:33 3840 ----a-w- c:\windows\system32\drivers\BANTExt.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-11-05 16:38 . 2011-11-05 16:38 1700352 ----a-w- c:\windows\system32\gdiplus.dll

2011-11-05 16:38 . 2011-11-05 16:38 1060864 ----a-w- c:\windows\system32\mfc71.dll

2011-10-26 00:57 . 2011-10-26 00:57 41680 ----a-w- c:\windows\system32\drivers\hcowlqdp.sys

2011-09-26 16:41 . 2011-09-26 16:41 611328 ------w- c:\windows\system32\uiautomationcore.dll

2011-09-26 16:41 . 2004-08-04 02:00 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-26 16:41 . 2004-08-04 02:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll

2011-09-26 15:33 . 2011-09-26 15:33 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[-] 2010-08-09 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-29 7618560]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-29 86016]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSMMyDocs"= 01000000

"NoSMMyPictures"= 01000000

"NoRecentDocsNetHood"= 01000000

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^cscbridgeobj.exe]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\cscbridgeobj.exe

backup=c:\windows\pss\cscbridgeobj.exeCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^winadslcenter.exe]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\winadslcenter.exe

backup=c:\windows\pss\winadslcenter.exeCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Zipkey check for hotkey.LNK]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Zipkey check for hotkey.LNK

backup=c:\windows\pss\Zipkey check for hotkey.LNKCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

c:\windows\system32\dumprep 0 -k [X]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ADUserMon]

2002-09-24 21:39 147456 ----a-w- c:\program files\Iomega\AutoDisk\ADUserMon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Deskup]

2002-07-16 15:55 32768 ----a-w- c:\program files\Iomega\DriveIcons\deskup.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]

2009-11-11 22:23 1468256 ----a-w- c:\program files\Microsoft IntelliPoint\ipoint.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iomega Drive Icons]

2002-08-13 19:30 86016 ----a-w- c:\program files\Iomega\DriveIcons\Imgicon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"Schedule"=2 (0x2)

"UPS"=3 (0x3)

"ERSvc"=2 (0x2)

"ProtectedStorage"=2 (0x2)

"MBAMService"=2 (0x2)

"FastUserSwitchingCompatibility"=3 (0x3)

"CLPSLS"=2 (0x2)

"cmdAgent"=2 (0x2)

"BITS"=2 (0x2)

"wuauserv"=2 (0x2)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office\\EXCEL.EXE"=

"c:\\WINDOWS\\system32\\mmc.exe"=

"c:\\Utilities\\WinRescue XP\\RescueXP.exe"=

.

R2 {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC};Power Control [2010/08/19 16:06];c:\program files\CyberLink\PowerDVD10\NavFilter\000.fcl [3/13/2010 11:58 AM 87536]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/3/2011 10:02 PM 366152]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/3/2011 10:02 PM 22216]

S1 MpKsl26e9fd02;MpKsl26e9fd02;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4EB15357-908E-4D73-8342-D614637712DB}\MpKsl26e9fd02.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4EB15357-908E-4D73-8342-D614637712DB}\MpKsl26e9fd02.sys [?]

S1 MpKsl43c68d5d;MpKsl43c68d5d;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5B3BCD84-3E6D-4C3D-86C0-C0E854F1BCF1}\MpKsl43c68d5d.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5B3BCD84-3E6D-4C3D-86C0-C0E854F1BCF1}\MpKsl43c68d5d.sys [?]

S1 MpKsl99fa371a;MpKsl99fa371a;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0720D13B-A366-40E1-A227-9AEE34F67A2A}\MpKsl99fa371a.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0720D13B-A366-40E1-A227-9AEE34F67A2A}\MpKsl99fa371a.sys [?]

S1 MpKslc07ae0a5;MpKslc07ae0a5;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5B3BCD84-3E6D-4C3D-86C0-C0E854F1BCF1}\MpKslc07ae0a5.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5B3BCD84-3E6D-4C3D-86C0-C0E854F1BCF1}\MpKslc07ae0a5.sys [?]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe --> c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [?]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uInternet Connection Wizard,ShellNext = iexplore

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\kybfn0ej.default\

FF - prefs.js: network.proxy.type - 0

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-12-12 16:05

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Iomega Activity Disk2]

"ImagePath"="\"\""

.

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC}]

"ImagePath"="\??\c:\program files\CyberLink\PowerDVD10\NavFilter\000.fcl"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(2036)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\msi.dll

c:\windows\system32\wpdshserviceobj.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\portabledevicetypes.dll

c:\windows\system32\portabledeviceapi.dll

.

Completion time: 2011-12-12 16:07:21

ComboFix-quarantined-files.txt 2011-12-12 22:07

ComboFix2.txt 2011-12-12 20:58

ComboFix3.txt 2011-12-05 19:01

ComboFix4.txt 2011-12-04 04:36

.

Pre-Run: 48,548,167,680 bytes free

Post-Run: 48,538,583,040 bytes free

.

- - End Of File - - 44A137F374FB8DE51BDC3CD4516DB113


  • Staff

Hi,

I apologize for the delay.

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    sfcfiles.dll


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt


Hi, here's the results of SystemLook:

SystemLook 30.07.11 by jpshortstuff

Log created at 15:46 on 19/12/2011 by Owner

Administrator - Elevation successful

========== filefind ==========

Searching for "sfcfiles.dll"

C:\pebuilder313\BartPE\i386\system32\sfcfiles.dll --a---- 1614848 bytes [22:13 02/07/2011] [10:42 14/04/2008] 9DD07AF82244867CA36681EA2D29CE79

C:\WINDOWS\system32\sfcfiles.dll --a---- 1614848 bytes [12:37 09/08/2010] [12:37 09/08/2010] 362BC5AF8EAF712832C58CC13AE05750

-= EOF =-


  • Staff

Hi,

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.


Hi Chris,

I'm still unable to get online (to run the ESET routine). Also, I still can't get the Windows firewall to turn on (using the Security Center; is there another way?). However, I am able to get the Comodo firewall on. My MS Security Essentials has apparently been erased, deleted, whatever. Anyway, it's gone; that's why I installed Comodo. The only MSSEC files remaining are the setup .log files (6).

Attempting to start the Windows firewall causes Windows to report it "cannot start Windows Firewall/ICS service". However, the services.msc and msconfig (which I can now access) both show that the Firewall/ICS service is running.

When running Network Diagnostics (after failing to get online) the diagnostic log reports it "could not perform a simple loopback communication".

I did run your Security Check.

Mike

------------------------------------------------

Results of screen317's Security Check version 0.99.30

Windows XP Service Pack 3 x86

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Avira NTFS4DOS 1.9

COMODO Internet Security

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

A1Click Ultra PC Cleaner 1.01 (Registered Version)

RegVac Registry Cleaner 5.02 (Registered Version)

Java 6 Update 21

Java version out of date!

Mozilla Firefox (3.6.8) Firefox out of Date!

````````````````````````````````

Process Check:

objlist.exe by Laurent

Malwarebytes' Anti-Malware mbamservice.exe

Malwarebytes' Anti-Malware mbamgui.exe

Comodo Firewall cmdagent.exe

Comodo Firewall cfp.exe

``````````End of Log````````````


Hi,

Grab a fresh copy of ComboFix, run it, and post its log. It should restore your Internet now.

Hi Chris

Here's the combofix log. You were right, it has restored my internet connection!! I haven't tested everything yet, but it seems like it's working properly. Next, I'm going to try to get the Windows Firewall turned back on and re-install MS Security Essentials. I've already updated MBAM. Should I again try to run the ESET Online Scanner?

In your opinion, do you think it's safe to use this machine on the internet or do you think there's a possibility that it may still try to "call home" with private info?

I noticed that during the fix it reported that it had deleted \Desktop\Security Center.lnk. Was this the culprit? Could you give me a short explanation about how it did the fix? Was there a particular file it looked for? Did it rebuild the MBR? Or what? I sure would like to know. Thanks, Mike

-------------------------------------------------------------

ComboFix 11-12-28.03 - Owner 12/28/2011 13:02:53.6.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1534.1105 [GMT -6:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

AV: COMODO Antivirus *Disabled/Outdated* {043803A5-4F86-4ef7-AFC5-F6E02A79969B}

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

FW: COMODO Firewall *Disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Owner\Desktop\Security Center.lnk

.

.

((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-28 )))))))))))))))))))))))))))))))

.

.

2011-12-23 18:46 . 2011-12-23 18:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo

2011-12-23 18:46 . 2011-12-23 19:08 -------- d-----w- c:\program files\COMODO

2011-12-23 18:46 . 2011-12-23 18:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo Downloader

2011-12-20 23:15 . 2011-12-20 23:18 -------- d-----w- c:\windows\NV12601528.TMP

2011-12-20 23:14 . 2003-11-11 00:10 32768 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\Objectps.dll

2011-12-20 23:14 . 2003-11-11 00:14 729088 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iKernel.dll

2011-12-20 23:14 . 2003-11-11 00:13 69715 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\ctor.dll

2011-12-20 23:14 . 2003-11-11 00:12 266240 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iscript.dll

2011-12-20 23:14 . 2003-11-11 00:12 192512 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iuser.dll

2011-12-20 23:14 . 2003-11-11 00:11 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\DotNetInstaller.exe

2011-12-20 23:14 . 2011-12-20 23:14 188548 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iGdi.dll

2011-12-20 23:14 . 2011-12-20 23:14 311428 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\setup.dll

2011-12-20 22:44 . 2011-12-20 22:46 -------- d-----w- c:\windows\NV14041528.TMP

2011-12-20 21:48 . 2008-07-24 06:45 446464 ----a-w- c:\windows\system32\nvudisp.exe

2011-12-20 21:48 . 2008-07-24 06:45 446464 ----a-r- c:\windows\system32\nvuninst.exe

2011-12-20 21:40 . 2011-12-20 23:18 -------- d-----w- c:\windows\nview

2011-12-19 22:08 . 2011-12-19 22:08 -------- d-----w- C:\Lanfire

2011-12-12 23:47 . 2011-12-12 23:47 -------- d-----w- c:\program files\Support Tools

2011-12-12 22:32 . 2008-04-14 06:49 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys

2011-12-12 22:32 . 2008-04-14 06:49 75264 ----a-w- c:\windows\system32\dllcache\ipsec.sys

2011-12-04 04:02 . 2011-12-04 04:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-12-04 04:02 . 2011-08-31 23:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-11-05 16:38 . 2011-11-05 16:38 1700352 ----a-w- c:\windows\system32\gdiplus.dll

2011-11-05 16:38 . 2011-11-05 16:38 1060864 ----a-w- c:\windows\system32\mfc71.dll

2011-10-26 00:57 . 2011-10-26 00:57 41680 ----a-w- c:\windows\system32\drivers\hcowlqdp.sys

2011-10-08 00:48 . 2011-10-08 00:48 97760 ----a-w- c:\windows\system32\drivers\inspect.sys

2011-10-08 00:48 . 2011-10-08 00:48 492768 ----a-w- c:\windows\system32\drivers\cmdGuard.sys

2011-10-08 00:48 . 2011-10-08 00:48 31704 ----a-w- c:\windows\system32\drivers\cmdhlp.sys

2011-10-08 00:48 . 2011-10-08 00:48 18056 ----a-w- c:\windows\system32\drivers\cmderd.sys

2011-10-08 00:47 . 2011-10-08 00:47 33984 ----a-w- c:\windows\system32\cmdcsr.dll

2011-10-08 00:47 . 2011-10-08 00:47 300200 ----a-w- c:\windows\system32\guard32.dll

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[-] 2010-08-09 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

.

((((((((((((((((((((((((((((( SnapShot_2011-12-20_23.36.01 )))))))))))))))))))))))))))))))))))))))))

.

- 2011-11-05 16:42 . 2011-11-29 21:19 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2011-11-05 16:42 . 2011-12-23 18:54 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

- 2011-11-05 16:42 . 2011-11-29 21:19 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2011-11-05 16:42 . 2011-12-23 18:54 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2011-11-05 16:42 . 2011-11-05 16:42 22384 c:\windows\system32\config\systemprofile\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

+ 2011-11-05 16:42 . 2011-12-23 18:49 22384 c:\windows\system32\config\systemprofile\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

- 2011-11-05 16:42 . 2011-11-29 21:19 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat

+ 2011-11-05 16:42 . 2011-12-23 18:54 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat

+ 2011-12-23 18:49 . 2011-12-23 18:54 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2011-11-05 16:41 . 2011-12-28 19:07 275024 c:\windows\system32\drivers\sfi.dat

+ 2011-12-23 18:47 . 2011-12-23 18:47 8685568 c:\windows\Installer\159b34.msi

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-07-24 13529088]

"nwiz"="nwiz.exe" [2008-07-24 1630208]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-07-24 86016]

"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-10-20 2497352]

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSMMyDocs"= 01000000

"NoSMMyPictures"= 01000000

"NoRecentDocsNetHood"= 01000000

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\system32\guard32.dll

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^cscbridgeobj.exe]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\cscbridgeobj.exe

backup=c:\windows\pss\cscbridgeobj.exeCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^winadslcenter.exe]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\winadslcenter.exe

backup=c:\windows\pss\winadslcenter.exeCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Zipkey check for hotkey.LNK]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Zipkey check for hotkey.LNK

backup=c:\windows\pss\Zipkey check for hotkey.LNKCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

c:\windows\system32\dumprep 0 -k [X]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ADUserMon]

2002-09-24 21:39 147456 ----a-w- c:\program files\Iomega\AutoDisk\ADUserMon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Deskup]

2002-07-16 15:55 32768 ----a-w- c:\program files\Iomega\DriveIcons\deskup.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]

2009-11-11 22:23 1468256 ----a-w- c:\program files\Microsoft IntelliPoint\ipoint.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iomega Drive Icons]

2002-08-13 19:30 86016 ----a-w- c:\program files\Iomega\DriveIcons\Imgicon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"Schedule"=2 (0x2)

"UPS"=3 (0x3)

"ERSvc"=2 (0x2)

"ProtectedStorage"=2 (0x2)

"MBAMService"=2 (0x2)

"FastUserSwitchingCompatibility"=3 (0x3)

"CLPSLS"=2 (0x2)

"cmdAgent"=2 (0x2)

"BITS"=2 (0x2)

"wuauserv"=2 (0x2)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office\\EXCEL.EXE"=

"c:\\WINDOWS\\system32\\mmc.exe"=

"c:\\Utilities\\WinRescue XP\\RescueXP.exe"=

.

R1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [10/7/2011 6:48 PM 18056]

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [10/7/2011 6:48 PM 492768]

R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [10/7/2011 6:48 PM 31704]

R2 {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC};Power Control [2010/08/19 16:06];c:\program files\CyberLink\PowerDVD10\NavFilter\000.fcl [3/13/2010 11:58 AM 87536]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/3/2011 10:02 PM 366152]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/3/2011 10:02 PM 22216]

S1 MpKsl26e9fd02;MpKsl26e9fd02;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4EB15357-908E-4D73-8342-D614637712DB}\MpKsl26e9fd02.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4EB15357-908E-4D73-8342-D614637712DB}\MpKsl26e9fd02.sys [?]

S1 MpKsl43c68d5d;MpKsl43c68d5d;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5B3BCD84-3E6D-4C3D-86C0-C0E854F1BCF1}\MpKsl43c68d5d.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5B3BCD84-3E6D-4C3D-86C0-C0E854F1BCF1}\MpKsl43c68d5d.sys [?]

S1 MpKsl99fa371a;MpKsl99fa371a;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0720D13B-A366-40E1-A227-9AEE34F67A2A}\MpKsl99fa371a.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0720D13B-A366-40E1-A227-9AEE34F67A2A}\MpKsl99fa371a.sys [?]

S1 MpKslc07ae0a5;MpKslc07ae0a5;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5B3BCD84-3E6D-4C3D-86C0-C0E854F1BCF1}\MpKslc07ae0a5.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5B3BCD84-3E6D-4C3D-86C0-C0E854F1BCF1}\MpKslc07ae0a5.sys [?]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe --> c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [?]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uInternet Connection Wizard,ShellNext = iexplore

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\kybfn0ej.default\

FF - prefs.js: network.proxy.type - 0

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-12-28 13:08

Windows 5.1.2600 Service Pack 3 NTFS

.

detected NTDLL code modification:

ZwClose

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Iomega Activity Disk2]

"ImagePath"="\"\""

.

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC}]

"ImagePath"="\??\c:\program files\CyberLink\PowerDVD10\NavFilter\000.fcl"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'lsass.exe'(580)

c:\windows\system32\guard32.dll

.

- - - - - - - > 'explorer.exe'(3104)

c:\windows\system32\WININET.dll

c:\windows\system32\guard32.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\msi.dll

c:\windows\system32\wpdshserviceobj.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\portabledevicetypes.dll

c:\windows\system32\portabledeviceapi.dll

.

- - - - - - - > 'csrss.exe'(492)

c:\windows\system32\cmdcsr.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\COMODO\COMODO Internet Security\cmdagent.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\RUNDLL32.EXE

.

**************************************************************************

.

Completion time: 2011-12-28 13:12:34 - machine was rebooted

ComboFix-quarantined-files.txt 2011-12-28 19:12

ComboFix2.txt 2011-12-20 23:37

ComboFix3.txt 2011-12-12 22:07

ComboFix4.txt 2011-12-12 20:58

ComboFix5.txt 2011-12-28 19:01

.

Pre-Run: 47,746,662,400 bytes free

Post-Run: 48,013,885,440 bytes free

.

- - End Of File - - B7CE006380CBC5416C8E3BD319C2F171


  • Staff

Hi,

Yes try the ESET scan once more.

The inner workings of ComboFix are not available to the public, I'm afraid. The deleted file, albeit a shortcut, was a part of the mess you had. The important part is that your connection is restored and the infection has been neutralized.

You still have Comodo and Microsoft installed. Which one do you want to keep? If you are using Comodo as a firewall, then be sure to disable its antivirus component.

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the box below into Notepad:

FCOPY::
C:\pebuilder313\BartPE\i386\system32\sfcfiles.dll | C:\WINDOWS\system32\sfcfiles.dll

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScriptB-4.gif]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new DDS log.

-screen317
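The SystemLook :filefind output posted earlier and the ComboFix Sigcheck line that flagged c:\windows\system32\sfcfiles.dll as unsigned together contain everything the FCOPY:: script above is based on: two copies of the same file, identical size and version, different MD5. The following Python script is an added example for this thread, not part of SystemLook, ComboFix or either poster's instructions. It parses both log formats (the line shapes are inferred from the quoted lines only, an assumption, not a documented grammar for either tool) and flags a live system file that fails the signature check and matches the size of every other copy found on disk but shares a hash with none of them.

```python
import re
from collections import defaultdict

# Log excerpts copied from this thread. The rest of this file is an added example.
SYSTEMLOOK_LOG = r"""
========== filefind ==========

Searching for "sfcfiles.dll"

C:\pebuilder313\BartPE\i386\system32\sfcfiles.dll --a---- 1614848 bytes [22:13 02/07/2011] [10:42 14/04/2008] 9DD07AF82244867CA36681EA2D29CE79

C:\WINDOWS\system32\sfcfiles.dll --a---- 1614848 bytes [12:37 09/08/2010] [12:37 09/08/2010] 362BC5AF8EAF712832C58CC13AE05750

-= EOF =-
"""

COMBOFIX_SIGCHECK = r"""
------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

[-] 2010-08-09 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
"""

# Line shapes inferred from the excerpts above (assumption, not a published format).
SYSTEMLOOK_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-A-Za-z]{7})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<mtime>[^\]]+)\]\s+\[(?P<ctime>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[-+])\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s*\.\s*(?P<md5>[0-9A-Fa-f]{32})"
    r"\s*\.\s*(?P<size>\d+)\s*\.\s*\.\s*\[(?P<version>[^\]]*)\]\s*\.\s*\.\s*(?P<path>.+?)\s*$"
)


def parse_systemlook_filefind(text):
    """One dict per file hit in a SystemLook :filefind section."""
    hits = []
    for line in text.splitlines():
        m = SYSTEMLOOK_RE.match(line.strip())
        if m:
            hit = m.groupdict()
            hit["size"] = int(hit["size"])
            hit["md5"] = hit["md5"].upper()
            hits.append(hit)
    return hits


def parse_combofix_sigcheck(text):
    """One dict per ComboFix Sigcheck entry; '[-]' marks a failed signature check."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["md5"] = e["md5"].upper()
            e["unsigned"] = e["flag"] == "-"
            entries.append(e)
    return entries


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def cross_check(sigcheck_entries, filefind_hits):
    """For each Sigcheck entry, compare the live copy with every other copy of the
    same file name that :filefind located, by size and by hash (paths compared
    case-insensitively, since the two tools print them in different case)."""
    by_name = defaultdict(list)
    for h in filefind_hits:
        by_name[_basename(h["path"])].append(h)
    findings = []
    for e in sigcheck_entries:
        same_name = by_name.get(_basename(e["path"]), [])
        live = [h for h in same_name if h["path"].lower() == e["path"].lower()]
        others = [h for h in same_name if h["path"].lower() != e["path"].lower()]
        findings.append({
            "file": e["path"],
            "version": e["version"],
            "unsigned": e["unsigned"],
            "live_md5": e["md5"],
            "logs_agree": bool(live) and live[0]["md5"] == e["md5"],  # both tools hashed the same bytes
            "other_copies": [(h["path"], h["md5"]) for h in others],
            "size_matches_other_copies": bool(others) and all(h["size"] == e["size"] for h in others),
            "hash_matches_other_copy": any(h["md5"] == e["md5"] for h in others),
        })
    return findings


def suspicious(finding):
    """Unsigned, same size as every other copy, yet no other copy shares its hash:
    the shape of a byte-patched system file rather than a different build."""
    return (finding["unsigned"]
            and finding["size_matches_other_copies"]
            and not finding["hash_matches_other_copy"])


if __name__ == "__main__":
    for f in cross_check(parse_combofix_sigcheck(COMBOFIX_SIGCHECK),
                         parse_systemlook_filefind(SYSTEMLOOK_LOG)):
        verdict = "SUSPECT: same size, different hash" if suspicious(f) else "consistent"
        print(f"{f['file']} [{f['version']}] md5={f['live_md5']} -> {verdict}")
        for path, md5 in f["other_copies"]:
            print(f"    other copy: {path} md5={md5}")
```

Run against the quoted lines, the script reports the system32 copy as the suspect and the copy under C:\pebuilder313\BartPE as the only other one on disk, which is exactly the replacement the FCOPY:: line performs. The Sigcheck caveat still stands: an unsigned file is not necessarily malicious, and a hotfix can legitimately change a hash, so overwrite a system file only with a copy whose provenance you trust.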

Here's the eset scanner log. I'll send the others as quick as I get them.

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6583

# api_version=3.0.2

# EOSSerial=7e772b09119be04e9e1b45eb6d5dca8f

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2012-01-02 11:23:06

# local_time=2012-01-02 05:23:06 (-0600, Central Standard Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=1792 16777215 100 0 11675487 11675487 0 0

# compatibility_mode=3073 16777173 80 71 0 1032806 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=44268

# found=0

# cleaned=0

# scan_time=2879

------------------------------------------------


Hi Screen317,

Thanks for your patience. Below are the Combofix log and the DDS log.

Also, I noticed that both logs report that MS Security Essentials is still installed. However, that's not correct. I uninstalled it before running the reports (permanently). I don't know where it's hiding, a search in Explorer doesn't find it (any ideas??). I'm planning on using Comodo on this machine, so I don't need MSSec.

The NVidia programs (reported as recently installed) are because I used a different hard drive and installed Win 7 on it while I was waiting. The problem was that my old video card didn't have drivers for Win 7 so I had to replace the card with one that had drivers for both XP and Win 7, then I swapped this drive back in so you could continue cleaning it.

Also, when I ran Combofix it sat for about 20 minutes with no activity (HD I/O light), then wanted to update itself, so I allowed it to do that. When it finished, it rebooted the machine. I then ran it again and it ran all the way through.

When I ran DDS.scr (a fresh copy), it stopped after about 10-15 seconds, then cleared itself off the screen, and nothing happened for about 30 minutes (no HD I/O activity), so I started it again with the same results. I finally rebooted the machine and DDS.scr ran just fine.

By the way, it may just be this editor, but I'm having a difficult time typing this report. It's jerky and very slow, and each time I press a key the cursor turns into an hourglass. And when I type an exclamation mark, the screen scrolls down one line. Weird!

I hope this info is of some benefit. Let me know what to do next.

Thanks again, Mike

----------------------------------------------------------

ComboFix 12-01-02.02 - Owner 01/02/2012 17:58:38.7.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1534.905 [GMT -6:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

AV: COMODO Antivirus *Disabled/Updated* {043803A5-4F86-4ef7-AFC5-F6E02A79969B}

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

FW: COMODO Firewall *Disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Owner\Desktop\Security Center.lnk

.

.

--------------- FCopy ---------------

.

c:\pebuilder313\BartPE\i386\system32\sfcfiles.dll --> c:\windows\system32\sfcfiles.dll

.

((((((((((((((((((((((((( Files Created from 2011-12-03 to 2012-01-03 )))))))))))))))))))))))))))))))

.

.

2012-01-02 22:15 . 2012-01-02 22:15 -------- d-----w- c:\program files\ESET

2012-01-01 15:36 . 2012-01-01 15:36 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles

2012-01-01 15:12 . 2012-01-01 15:12 -------- d-----w- C:\VritualRoot

2011-12-30 18:52 . 2008-07-24 06:45 446464 ----a-w- c:\windows\system32\nvudisp.exe

2011-12-30 18:52 . 2008-07-24 06:45 446464 ----a-r- c:\windows\system32\nvuninst.exe

2011-12-30 06:34 . 2008-07-24 06:45 1703936 ----a-w- c:\windows\system32\nvwdmcpl.dll

2011-12-30 06:29 . 2011-12-30 18:52 -------- d-----w- c:\windows\nview

2011-12-30 05:44 . 2011-12-30 05:47 -------- d-----w- c:\windows\NV38842224.TMP

2011-12-30 04:20 . 2011-12-30 04:28 273344 ----a-w- c:\windows\system32\nvdrsdb1.bin

2011-12-30 04:20 . 2011-12-30 04:28 1 ----a-w- c:\windows\system32\nvdrssel.bin

2011-12-30 04:20 . 2011-12-30 04:28 273344 ----a-w- c:\windows\system32\nvdrsdb0.bin

2011-12-30 04:19 . 2011-12-30 04:28 -------- d-----w- c:\program files\NVIDIA Corporation

2011-12-30 03:25 . 2011-12-30 03:25 -------- d-----w- c:\windows\Temp548E5E15-390C-E344-0A26-337298CFC5FD-Signatures

2011-12-30 02:37 . 2011-12-30 02:37 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth

2011-12-30 01:45 . 2011-12-30 01:45 -------- d-----w- c:\documents and settings\Owner\Application Data\Auslogics

2011-12-30 01:44 . 2011-12-30 01:44 -------- d-----w- c:\program files\Auslogics

2011-12-23 18:46 . 2011-12-23 18:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo

2011-12-23 18:46 . 2011-12-23 19:08 -------- d-----w- c:\program files\COMODO

2011-12-23 18:46 . 2011-12-23 18:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo Downloader

2011-12-20 23:15 . 2011-12-20 23:18 -------- d-----w- c:\windows\NV12601528.TMP

2011-12-20 23:14 . 2003-11-11 00:10 32768 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\Objectps.dll

2011-12-20 23:14 . 2003-11-11 00:14 729088 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iKernel.dll

2011-12-20 23:14 . 2003-11-11 00:13 69715 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\ctor.dll

2011-12-20 23:14 . 2003-11-11 00:12 266240 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iscript.dll

2011-12-20 23:14 . 2003-11-11 00:12 192512 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iuser.dll

2011-12-20 23:14 . 2003-11-11 00:11 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\DotNetInstaller.exe

2011-12-20 23:14 . 2011-12-20 23:14 188548 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iGdi.dll

2011-12-20 23:14 . 2011-12-20 23:14 311428 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\setup.dll

2011-12-20 22:44 . 2011-12-20 22:46 -------- d-----w- c:\windows\NV14041528.TMP

2011-12-19 22:08 . 2011-12-19 22:08 -------- d-----w- C:\Lanfire

2011-12-12 23:47 . 2011-12-12 23:47 -------- d-----w- c:\program files\Support Tools

2011-12-12 22:32 . 2008-04-14 06:49 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys

2011-12-12 22:32 . 2008-04-14 06:49 75264 ----a-w- c:\windows\system32\dllcache\ipsec.sys

2011-12-04 04:02 . 2011-12-04 04:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-12-04 04:02 . 2011-08-31 23:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-01-01 23:49 . 2011-09-26 15:33 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-12-19 18:59 . 2011-10-08 00:48 97760 ----a-w- c:\windows\system32\drivers\inspect.sys

2011-12-19 18:59 . 2011-10-08 00:48 31704 ----a-w- c:\windows\system32\drivers\cmdhlp.sys

2011-12-19 18:59 . 2011-10-08 00:48 494816 ----a-w- c:\windows\system32\drivers\cmdGuard.sys

2011-12-19 18:59 . 2011-10-08 00:48 18056 ----a-w- c:\windows\system32\drivers\cmderd.sys

2011-12-19 18:58 . 2011-10-08 00:47 33984 ----a-w- c:\windows\system32\cmdcsr.dll

2011-12-19 18:58 . 2011-10-08 00:47 301224 ----a-w- c:\windows\system32\guard32.dll

2011-11-23 13:25 . 2010-03-20 06:22 1859584 ----a-w- c:\windows\system32\win32k.sys

2011-11-05 16:38 . 2011-11-05 16:38 1700352 ----a-w- c:\windows\system32\gdiplus.dll

2011-11-05 16:38 . 2011-11-05 16:38 1060864 ----a-w- c:\windows\system32\mfc71.dll

2011-11-04 19:20 . 2010-03-20 06:22 916992 ----a-w- c:\windows\system32\wininet.dll

2011-11-04 19:20 . 2008-04-14 00:42 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-11-04 19:20 . 2008-04-14 00:41 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-11-04 11:23 . 2010-03-20 06:21 385024 ----a-w- c:\windows\system32\html.iec

2011-11-01 16:07 . 2008-04-14 00:42 1288704 ----a-w- c:\windows\system32\ole32.dll

2011-10-28 05:31 . 2010-03-20 06:21 33280 ----a-w- c:\windows\system32\csrsrv.dll

2011-10-26 00:57 . 2011-10-26 00:57 41680 ----a-w- c:\windows\system32\drivers\hcowlqdp.sys

2011-10-25 13:37 . 2010-03-20 06:22 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe

2011-10-25 12:52 . 2009-12-08 18:43 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe

2011-10-18 11:13 . 2008-04-14 00:41 186880 ----a-w- c:\windows\system32\encdec.dll

2011-10-10 14:22 . 2010-08-19 20:50 692736 ----a-w- c:\windows\system32\inetcomm.dll

.

.

((((((((((((((((((((((((((((( SnapShot_2011-12-20_23.36.01 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-04-19 04:51 . 2011-04-19 04:51 51024 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_4ddc769f\vcomp90.dll

+ 2011-04-19 04:51 . 2011-04-19 04:51 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90rus.dll

+ 2011-04-19 04:51 . 2011-04-19 04:51 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90kor.dll

+ 2011-04-19 04:51 . 2011-04-19 04:51 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90jpn.dll

+ 2011-04-19 04:51 . 2011-04-19 04:51 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90ita.dll

+ 2011-04-19 04:51 . 2011-04-19 04:51 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90fra.dll

+ 2011-04-19 04:51 . 2011-04-19 04:51 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90esp.dll

+ 2011-04-19 04:51 . 2011-04-19 04:51 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90esn.dll

+ 2011-04-19 04:51 . 2011-04-19 04:51 53584 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90enu.dll

+ 2011-04-19 04:51 . 2011-04-19 04:51 63312 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90deu.dll

+ 2011-04-19 04:51 . 2011-04-19 04:51 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90cht.dll

+ 2011-04-19 04:51 . 2011-04-19 04:51 35664 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90chs.dll

+ 2011-04-19 04:51 . 2011-04-19 04:51 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_028bc148\mfcm90u.dll

+ 2011-04-19 04:51 . 2011-04-19 04:51 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_028bc148\mfcm90.dll

+ 2008-04-14 00:42 . 2011-11-08 13:46 46080 c:\windows\system32\tzchange.exe

- 2008-04-14 00:42 . 2011-07-08 13:49 46080 c:\windows\system32\tzchange.exe

+ 2011-12-30 18:51 . 2006-10-29 00:16 81920 c:\windows\system32\ReinstallBackups\0010\DriverFiles\nvwddi.dll

+ 2011-12-30 18:51 . 2006-10-29 00:16 86016 c:\windows\system32\ReinstallBackups\0010\DriverFiles\nvmctray.dll

+ 2011-12-30 18:51 . 2006-10-29 00:16 35840 c:\windows\system32\ReinstallBackups\0010\DriverFiles\nvcod.dll

+ 2011-12-30 06:31 . 2006-10-29 00:16 81920 c:\windows\system32\ReinstallBackups\0008\DriverFiles\nvwddi.dll

+ 2011-12-30 06:31 . 2006-10-29 00:16 86016 c:\windows\system32\ReinstallBackups\0008\DriverFiles\nvmctray.dll

+ 2011-12-30 06:31 . 2006-10-29 00:16 35840 c:\windows\system32\ReinstallBackups\0008\DriverFiles\nvcod.dll

+ 2011-12-30 05:44 . 2006-10-29 00:16 81920 c:\windows\system32\ReinstallBackups\0007\DriverFiles\nvwddi.dll

+ 2011-12-30 05:44 . 2006-10-29 00:16 86016 c:\windows\system32\ReinstallBackups\0007\DriverFiles\nvmctray.dll

+ 2011-12-30 05:44 . 2006-10-29 00:16 35840 c:\windows\system32\ReinstallBackups\0007\DriverFiles\nvcod.dll

- 2004-08-04 02:00 . 2011-11-06 09:18 50446 c:\windows\system32\perfc009.dat

+ 2004-08-04 02:00 . 2011-12-29 23:40 50446 c:\windows\system32\perfc009.dat

+ 2011-05-21 12:01 . 2011-05-21 12:01 61440 c:\windows\system32\OpenCL.dll

- 2008-04-14 00:42 . 2011-08-22 23:48 66560 c:\windows\system32\mshtmled.dll

+ 2008-04-14 00:42 . 2011-11-04 19:20 66560 c:\windows\system32\mshtmled.dll

+ 2009-03-08 09:31 . 2011-11-04 19:20 55296 c:\windows\system32\msfeedsbs.dll

- 2009-03-08 09:31 . 2011-08-22 23:48 55296 c:\windows\system32\msfeedsbs.dll

+ 2008-04-14 00:41 . 2011-11-04 19:20 25600 c:\windows\system32\jsproxy.dll

- 2008-04-14 00:41 . 2011-08-22 23:48 25600 c:\windows\system32\jsproxy.dll

- 2010-08-19 21:12 . 2011-08-22 23:48 12800 c:\windows\system32\dllcache\xpshims.dll

+ 2010-08-19 21:12 . 2011-11-04 19:20 12800 c:\windows\system32\dllcache\xpshims.dll

+ 2008-04-14 00:42 . 2011-11-04 19:20 66560 c:\windows\system32\dllcache\mshtmled.dll

- 2008-04-14 00:42 . 2011-08-22 23:48 66560 c:\windows\system32\dllcache\mshtmled.dll

+ 2010-08-19 21:12 . 2011-11-04 19:20 55296 c:\windows\system32\dllcache\msfeedsbs.dll

- 2010-08-19 21:12 . 2011-08-22 23:48 55296 c:\windows\system32\dllcache\msfeedsbs.dll

+ 2008-04-14 00:41 . 2011-11-04 19:20 43520 c:\windows\system32\dllcache\licmgr10.dll

- 2008-04-14 00:41 . 2011-08-22 23:48 43520 c:\windows\system32\dllcache\licmgr10.dll

+ 2008-04-14 00:41 . 2011-11-04 19:20 25600 c:\windows\system32\dllcache\jsproxy.dll

- 2008-04-14 00:41 . 2011-08-22 23:48 25600 c:\windows\system32\dllcache\jsproxy.dll

+ 2010-03-20 06:21 . 2011-10-28 05:31 33280 c:\windows\system32\dllcache\csrsrv.dll

- 2010-03-20 06:21 . 2011-04-26 11:07 33280 c:\windows\system32\dllcache\csrsrv.dll

+ 2011-11-05 16:42 . 2011-12-23 18:49 22384 c:\windows\system32\config\systemprofile\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

- 2011-11-05 16:42 . 2011-11-05 16:42 22384 c:\windows\system32\config\systemprofile\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

+ 2011-12-30 03:35 . 2011-08-22 23:48 12800 c:\windows\ie8updates\KB2618444-IE8\xpshims.dll

+ 2011-12-30 03:35 . 2011-08-22 23:48 66560 c:\windows\ie8updates\KB2618444-IE8\mshtmled.dll

+ 2011-12-30 03:35 . 2011-08-22 23:48 55296 c:\windows\ie8updates\KB2618444-IE8\msfeedsbs.dll

+ 2011-12-30 03:35 . 2011-08-22 23:48 43520 c:\windows\ie8updates\KB2618444-IE8\licmgr10.dll

+ 2011-12-30 03:35 . 2011-08-22 23:48 25600 c:\windows\ie8updates\KB2618444-IE8\jsproxy.dll

+ 2011-04-19 04:51 . 2011-04-19 04:51 653136 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_31a54e43\msvcr90.dll

+ 2011-04-19 04:51 . 2011-04-19 04:51 569680 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_31a54e43\msvcp90.dll

+ 2011-04-19 04:51 . 2011-04-19 04:51 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_31a54e43\msvcm90.dll

+ 2011-04-19 04:51 . 2011-04-19 04:51 159048 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_92453bb7\atl90.dll

+ 2008-04-14 00:42 . 2011-11-04 19:20 105984 c:\windows\system32\url.dll

- 2008-04-14 00:42 . 2011-08-22 23:48 105984 c:\windows\system32\url.dll

+ 2011-12-30 18:51 . 2006-10-29 00:16 155715 c:\windows\system32\ReinstallBackups\0010\DriverFiles\nvsvc32.exe

+ 2011-12-30 18:51 . 2006-10-29 00:16 286720 c:\windows\system32\ReinstallBackups\0010\DriverFiles\nvnt4cpl.dll

+ 2011-12-30 18:51 . 2006-10-29 00:16 888832 c:\windows\system32\ReinstallBackups\0010\DriverFiles\nvmobls.dll

+ 2011-12-30 18:51 . 2006-10-29 00:16 462848 c:\windows\system32\ReinstallBackups\0010\DriverFiles\nvmccssr.dll

+ 2011-12-30 18:51 . 2006-10-29 00:16 188416 c:\windows\system32\ReinstallBackups\0010\DriverFiles\nvmccss.dll

+ 2011-12-30 18:51 . 2006-10-29 00:16 229376 c:\windows\system32\ReinstallBackups\0010\DriverFiles\nvmccs.dll

+ 2011-12-30 18:51 . 2006-10-29 00:16 581632 c:\windows\system32\ReinstallBackups\0010\DriverFiles\nvhwvid.dll

+ 2011-12-30 18:51 . 2006-10-29 00:16 196608 c:\windows\system32\ReinstallBackups\0010\DriverFiles\nvapi.dll

+ 2011-12-30 06:31 . 2006-10-29 00:16 155715 c:\windows\system32\ReinstallBackups\0008\DriverFiles\nvsvc32.exe

+ 2011-12-30 06:31 . 2006-10-29 00:16 286720 c:\windows\system32\ReinstallBackups\0008\DriverFiles\nvnt4cpl.dll

+ 2011-12-30 06:31 . 2006-10-29 00:16 888832 c:\windows\system32\ReinstallBackups\0008\DriverFiles\nvmobls.dll

+ 2011-12-30 06:31 . 2006-10-29 00:16 462848 c:\windows\system32\ReinstallBackups\0008\DriverFiles\nvmccssr.dll

+ 2011-12-30 06:31 . 2006-10-29 00:16 188416 c:\windows\system32\ReinstallBackups\0008\DriverFiles\nvmccss.dll

+ 2011-12-30 06:31 . 2006-10-29 00:16 229376 c:\windows\system32\ReinstallBackups\0008\DriverFiles\nvmccs.dll

+ 2011-12-30 06:31 . 2006-10-29 00:16 581632 c:\windows\system32\ReinstallBackups\0008\DriverFiles\nvhwvid.dll

+ 2011-12-30 06:31 . 2006-10-29 00:16 196608 c:\windows\system32\ReinstallBackups\0008\DriverFiles\nvapi.dll

+ 2011-12-30 05:44 . 2006-10-29 00:16 155715 c:\windows\system32\ReinstallBackups\0007\DriverFiles\nvsvc32.exe

+ 2011-12-30 05:44 . 2006-10-29 00:16 286720 c:\windows\system32\ReinstallBackups\0007\DriverFiles\nvnt4cpl.dll

+ 2011-12-30 05:44 . 2006-10-29 00:16 888832 c:\windows\system32\ReinstallBackups\0007\DriverFiles\nvmobls.dll

+ 2011-12-30 05:44 . 2006-10-29 00:16 462848 c:\windows\system32\ReinstallBackups\0007\DriverFiles\nvmccssr.dll

+ 2011-12-30 05:44 . 2006-10-29 00:16 188416 c:\windows\system32\ReinstallBackups\0007\DriverFiles\nvmccss.dll

+ 2011-12-30 05:44 . 2006-10-29 00:16 229376 c:\windows\system32\ReinstallBackups\0007\DriverFiles\nvmccs.dll

+ 2011-12-30 05:44 . 2006-10-29 00:16 581632 c:\windows\system32\ReinstallBackups\0007\DriverFiles\nvhwvid.dll

+ 2011-12-30 05:44 . 2006-10-29 00:16 196608 c:\windows\system32\ReinstallBackups\0007\DriverFiles\nvapi.dll

+ 2004-08-04 02:00 . 2011-12-29 23:40 335876 c:\windows\system32\perfh009.dat

- 2004-08-04 02:00 . 2011-11-06 09:18 335876 c:\windows\system32\perfh009.dat

+ 2008-04-14 00:42 . 2011-11-04 19:20 206848 c:\windows\system32\occache.dll

- 2008-04-14 00:42 . 2011-08-22 23:48 206848 c:\windows\system32\occache.dll

+ 2011-05-21 12:01 . 2011-05-21 12:01 865896 c:\windows\system32\nvgenco322090.dll

+ 2011-05-21 12:01 . 2011-05-21 12:01 899688 c:\windows\system32\nvdispco3220150.dll

- 2008-04-14 00:42 . 2011-08-22 23:48 611840 c:\windows\system32\mstime.dll

+ 2008-04-14 00:42 . 2011-11-04 19:20 611840 c:\windows\system32\mstime.dll

+ 2009-03-08 09:32 . 2011-11-04 19:20 602112 c:\windows\system32\msfeeds.dll

- 2009-03-08 09:32 . 2011-08-22 23:48 602112 c:\windows\system32\msfeeds.dll

+ 2012-01-01 23:17 . 2012-01-01 23:49 247968 c:\windows\system32\Macromed\Flash\FlashUtil11e_ActiveX.exe

+ 2012-01-01 23:17 . 2012-01-01 23:49 335520 c:\windows\system32\Macromed\Flash\FlashUtil11e_ActiveX.dll

- 2008-04-14 00:41 . 2011-08-22 23:48 184320 c:\windows\system32\iepeers.dll

+ 2008-04-14 00:41 . 2011-11-04 19:20 184320 c:\windows\system32\iepeers.dll

- 2008-04-14 00:41 . 2011-08-22 23:48 387584 c:\windows\system32\iedkcs32.dll

+ 2008-04-14 00:41 . 2011-11-04 19:20 387584 c:\windows\system32\iedkcs32.dll

+ 2008-04-14 00:42 . 2011-11-04 11:24 174080 c:\windows\system32\ie4uinit.exe

- 2008-04-14 00:42 . 2011-08-22 11:56 174080 c:\windows\system32\ie4uinit.exe

+ 2010-08-19 15:42 . 2011-12-30 03:39 135664 c:\windows\system32\FNTCACHE.DAT

- 2010-08-19 15:42 . 2011-12-20 22:52 135664 c:\windows\system32\FNTCACHE.DAT

+ 2010-03-20 06:22 . 2011-11-04 19:20 916992 c:\windows\system32\dllcache\wininet.dll

+ 2008-04-14 00:42 . 2011-11-04 19:20 105984 c:\windows\system32\dllcache\url.dll

- 2008-04-14 00:42 . 2011-08-22 23:48 105984 c:\windows\system32\dllcache\url.dll

+ 2008-04-14 00:42 . 2011-11-04 19:20 206848 c:\windows\system32\dllcache\occache.dll

- 2008-04-14 00:42 . 2011-08-22 23:48 206848 c:\windows\system32\dllcache\occache.dll

- 2008-04-14 00:42 . 2011-08-22 23:48 611840 c:\windows\system32\dllcache\mstime.dll

+ 2008-04-14 00:42 . 2011-11-04 19:20 611840 c:\windows\system32\dllcache\mstime.dll

+ 2010-08-19 21:12 . 2011-11-04 19:20 602112 c:\windows\system32\dllcache\msfeeds.dll

- 2010-08-19 21:12 . 2011-08-22 23:48 602112 c:\windows\system32\dllcache\msfeeds.dll

- 2010-08-19 20:50 . 2011-05-02 15:31 692736 c:\windows\system32\dllcache\inetcomm.dll

+ 2010-08-19 20:50 . 2011-10-10 14:22 692736 c:\windows\system32\dllcache\inetcomm.dll

- 2010-08-19 21:12 . 2011-08-22 23:48 247808 c:\windows\system32\dllcache\ieproxy.dll

+ 2010-08-19 21:12 . 2011-11-04 19:20 247808 c:\windows\system32\dllcache\ieproxy.dll

- 2008-04-14 00:41 . 2011-08-22 23:48 184320 c:\windows\system32\dllcache\iepeers.dll

+ 2008-04-14 00:41 . 2011-11-04 19:20 184320 c:\windows\system32\dllcache\iepeers.dll

+ 2010-08-19 21:14 . 2011-11-04 19:20 743424 c:\windows\system32\dllcache\iedvtool.dll

- 2010-08-19 21:14 . 2011-08-22 23:48 743424 c:\windows\system32\dllcache\iedvtool.dll

+ 2008-04-14 00:41 . 2011-11-04 19:20 387584 c:\windows\system32\dllcache\iedkcs32.dll

- 2008-04-14 00:41 . 2011-08-22 23:48 387584 c:\windows\system32\dllcache\iedkcs32.dll

+ 2008-04-14 00:42 . 2011-11-04 11:24 174080 c:\windows\system32\dllcache\ie4uinit.exe

- 2008-04-14 00:42 . 2011-08-22 11:56 174080 c:\windows\system32\dllcache\ie4uinit.exe

+ 2008-04-14 00:41 . 2011-10-18 11:13 186880 c:\windows\system32\dllcache\encdec.dll

- 2008-04-14 00:41 . 2011-02-09 13:53 186880 c:\windows\system32\dllcache\encdec.dll

- 2008-04-14 00:41 . 2011-09-09 09:12 599040 c:\windows\system32\dllcache\crypt32.dll

+ 2008-04-14 00:41 . 2011-09-28 07:06 599040 c:\windows\system32\dllcache\crypt32.dll

+ 2008-04-14 00:41 . 2011-09-28 07:06 599040 c:\windows\system32\crypt32.dll

- 2008-04-14 00:41 . 2011-09-09 09:12 599040 c:\windows\system32\crypt32.dll

+ 2011-12-30 03:23 . 2011-12-30 03:23 223744 c:\windows\Installer\a53db7.msi

+ 2011-12-30 03:43 . 2011-12-30 03:43 301056 c:\windows\Installer\3f1f7.msi

+ 2011-12-30 03:35 . 2011-08-22 23:48 916480 c:\windows\ie8updates\KB2618444-IE8\wininet.dll

+ 2011-12-30 03:35 . 2011-08-22 23:48 105984 c:\windows\ie8updates\KB2618444-IE8\url.dll

+ 2011-12-30 03:35 . 2010-07-05 13:16 382840 c:\windows\ie8updates\KB2618444-IE8\spuninst\updspapi.dll

+ 2011-12-30 03:35 . 2010-07-05 13:15 231288 c:\windows\ie8updates\KB2618444-IE8\spuninst\spuninst.exe

+ 2011-12-30 03:35 . 2011-08-22 23:48 206848 c:\windows\ie8updates\KB2618444-IE8\occache.dll

+ 2011-12-30 03:35 . 2011-08-22 23:48 611840 c:\windows\ie8updates\KB2618444-IE8\mstime.dll

+ 2011-12-30 03:35 . 2011-08-22 23:48 602112 c:\windows\ie8updates\KB2618444-IE8\msfeeds.dll

+ 2011-12-30 03:35 . 2011-08-22 23:48 247808 c:\windows\ie8updates\KB2618444-IE8\ieproxy.dll

+ 2011-12-30 03:35 . 2011-08-22 23:48 184320 c:\windows\ie8updates\KB2618444-IE8\iepeers.dll

+ 2011-12-30 03:35 . 2011-08-22 23:48 743424 c:\windows\ie8updates\KB2618444-IE8\iedvtool.dll

+ 2011-12-30 03:35 . 2011-08-22 23:48 387584 c:\windows\ie8updates\KB2618444-IE8\iedkcs32.dll

+ 2011-12-30 03:35 . 2011-08-22 11:56 174080 c:\windows\ie8updates\KB2618444-IE8\ie4uinit.exe

+ 2011-04-19 04:51 . 2011-04-19 04:51 3781960 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_028bc148\mfc90u.dll

+ 2011-04-19 04:51 . 2011-04-19 04:51 3766600 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_028bc148\mfc90.dll

+ 2011-12-30 03:25 . 2011-11-21 08:47 6823496 c:\windows\Temp548E5E15-390C-E344-0A26-337298CFC5FD-Signatures\mpengine.dll

+ 2010-03-20 06:22 . 2011-11-04 19:20 1212416 c:\windows\system32\urlmon.dll

- 2010-03-20 06:22 . 2011-08-22 23:48 1212416 c:\windows\system32\urlmon.dll

+ 2011-12-30 18:51 . 2006-10-29 00:16 1740800 c:\windows\system32\ReinstallBackups\0010\DriverFiles\nvwssr.dll

+ 2011-12-30 18:51 . 2006-10-29 00:16 1257472 c:\windows\system32\ReinstallBackups\0010\DriverFiles\nvwss.dll

+ 2011-12-30 18:51 . 2006-10-29 00:16 2977792 c:\windows\system32\ReinstallBackups\0010\DriverFiles\nvvitvsr.dll

+ 2011-12-30 18:51 . 2006-10-29 00:16 2924544 c:\windows\system32\ReinstallBackups\0010\DriverFiles\nvvitvs.dll

+ 2011-12-30 18:51 . 2006-10-29 00:16 5632000 c:\windows\system32\ReinstallBackups\0010\DriverFiles\nvoglnt.dll

+ 2011-12-30 18:51 . 2006-10-29 00:16 2859008 c:\windows\system32\ReinstallBackups\0010\DriverFiles\nvmoblsr.dll

+ 2011-12-30 18:51 . 2006-10-29 00:16 2916352 c:\windows\system32\ReinstallBackups\0010\DriverFiles\nvgamesr.dll

+ 2011-12-30 18:51 . 2006-10-29 00:16 3100672 c:\windows\system32\ReinstallBackups\0010\DriverFiles\nvgames.dll

+ 2011-12-30 18:51 . 2006-10-29 00:16 5246976 c:\windows\system32\ReinstallBackups\0010\DriverFiles\nvdispsr.dll

+ 2011-12-30 18:51 . 2006-10-29 00:16 5652480 c:\windows\system32\ReinstallBackups\0010\DriverFiles\nvdisps.dll

+ 2011-12-30 18:51 . 2006-10-29 00:16 7618560 c:\windows\system32\ReinstallBackups\0010\DriverFiles\nvcpl.dll

+ 2011-12-30 18:51 . 2006-10-29 00:16 3925920 c:\windows\system32\ReinstallBackups\0010\DriverFiles\nv4_mini.sys

+ 2011-12-30 18:51 . 2006-10-29 00:16 4529408 c:\windows\system32\ReinstallBackups\0010\DriverFiles\nv4_disp.dll

+ 2011-12-30 06:31 . 2006-10-29 00:16 1740800 c:\windows\system32\ReinstallBackups\0008\DriverFiles\nvwssr.dll

+ 2011-12-30 06:31 . 2006-10-29 00:16 1257472 c:\windows\system32\ReinstallBackups\0008\DriverFiles\nvwss.dll

+ 2011-12-30 06:31 . 2006-10-29 00:16 2977792 c:\windows\system32\ReinstallBackups\0008\DriverFiles\nvvitvsr.dll

+ 2011-12-30 06:31 . 2006-10-29 00:16 2924544 c:\windows\system32\ReinstallBackups\0008\DriverFiles\nvvitvs.dll

+ 2011-12-30 06:31 . 2006-10-29 00:16 5632000 c:\windows\system32\ReinstallBackups\0008\DriverFiles\nvoglnt.dll

+ 2011-12-30 06:31 . 2006-10-29 00:16 2859008 c:\windows\system32\ReinstallBackups\0008\DriverFiles\nvmoblsr.dll

+ 2011-12-30 06:31 . 2006-10-29 00:16 2916352 c:\windows\system32\ReinstallBackups\0008\DriverFiles\nvgamesr.dll

+ 2011-12-30 06:31 . 2006-10-29 00:16 3100672 c:\windows\system32\ReinstallBackups\0008\DriverFiles\nvgames.dll

+ 2011-12-30 06:31 . 2006-10-29 00:16 5246976 c:\windows\system32\ReinstallBackups\0008\DriverFiles\nvdispsr.dll

+ 2011-12-30 06:31 . 2006-10-29 00:16 5652480 c:\windows\system32\ReinstallBackups\0008\DriverFiles\nvdisps.dll

+ 2011-12-30 06:31 . 2006-10-29 00:16 7618560 c:\windows\system32\ReinstallBackups\0008\DriverFiles\nvcpl.dll

+ 2011-12-30 06:31 . 2006-10-29 00:16 3925920 c:\windows\system32\ReinstallBackups\0008\DriverFiles\nv4_mini.sys

+ 2011-12-30 06:31 . 2006-10-29 00:16 4529408 c:\windows\system32\ReinstallBackups\0008\DriverFiles\nv4_disp.dll

+ 2011-12-30 05:44 . 2006-10-29 00:16 1740800 c:\windows\system32\ReinstallBackups\0007\DriverFiles\nvwssr.dll

+ 2011-12-30 05:44 . 2006-10-29 00:16 1257472 c:\windows\system32\ReinstallBackups\0007\DriverFiles\nvwss.dll

+ 2011-12-30 05:44 . 2006-10-29 00:16 2977792 c:\windows\system32\ReinstallBackups\0007\DriverFiles\nvvitvsr.dll

+ 2011-12-30 05:44 . 2006-10-29 00:16 2924544 c:\windows\system32\ReinstallBackups\0007\DriverFiles\nvvitvs.dll

+ 2011-12-30 05:44 . 2006-10-29 00:16 5632000 c:\windows\system32\ReinstallBackups\0007\DriverFiles\nvoglnt.dll

+ 2011-12-30 05:44 . 2006-10-29 00:16 2859008 c:\windows\system32\ReinstallBackups\0007\DriverFiles\nvmoblsr.dll

+ 2011-12-30 05:44 . 2006-10-29 00:16 2916352 c:\windows\system32\ReinstallBackups\0007\DriverFiles\nvgamesr.dll

+ 2011-12-30 05:44 . 2006-10-29 00:16 3100672 c:\windows\system32\ReinstallBackups\0007\DriverFiles\nvgames.dll

+ 2011-12-30 05:44 . 2006-10-29 00:16 5246976 c:\windows\system32\ReinstallBackups\0007\DriverFiles\nvdispsr.dll

+ 2011-12-30 05:44 . 2006-10-29 00:16 5652480 c:\windows\system32\ReinstallBackups\0007\DriverFiles\nvdisps.dll

+ 2011-12-30 05:44 . 2006-10-29 00:16 7618560 c:\windows\system32\ReinstallBackups\0007\DriverFiles\nvcpl.dll

+ 2011-12-30 05:44 . 2006-10-29 00:16 3925920 c:\windows\system32\ReinstallBackups\0007\DriverFiles\nv4_mini.sys

+ 2011-12-30 05:44 . 2006-10-29 00:16 4529408 c:\windows\system32\ReinstallBackups\0007\DriverFiles\nv4_disp.dll

+ 2011-05-21 12:01 . 2011-05-21 12:01 2808936 c:\windows\system32\nvcuvid.dll

+ 2011-05-21 12:01 . 2011-05-21 12:01 2082408 c:\windows\system32\nvcuvenc.dll

+ 2010-03-20 06:21 . 2011-11-04 19:20 5978112 c:\windows\system32\mshtml.dll

- 2009-03-08 09:32 . 2011-08-22 23:48 2000384 c:\windows\system32\iertutil.dll

+ 2009-03-08 09:32 . 2011-11-04 19:20 2000384 c:\windows\system32\iertutil.dll

+ 2011-11-05 16:41 . 2012-01-02 23:52 1474832 c:\windows\system32\drivers\sfi.dat

+ 2010-03-20 06:22 . 2011-11-23 13:25 1859584 c:\windows\system32\dllcache\win32k.sys

+ 2010-03-20 06:22 . 2011-11-04 19:20 1212416 c:\windows\system32\dllcache\urlmon.dll

- 2010-03-20 06:22 . 2011-08-22 23:48 1212416 c:\windows\system32\dllcache\urlmon.dll

+ 2008-04-14 00:42 . 2011-11-01 16:07 1288704 c:\windows\system32\dllcache\ole32.dll

+ 2006-10-29 00:16 . 2006-10-29 00:16 4529408 c:\windows\system32\dllcache\nv4_disp.dll

- 2010-02-17 14:10 . 2010-12-09 13:38 2192768 c:\windows\system32\dllcache\ntoskrnl.exe

+ 2010-02-17 14:10 . 2011-10-25 13:33 2192768 c:\windows\system32\dllcache\ntoskrnl.exe

- 2010-08-19 21:17 . 2010-12-09 13:07 2027008 c:\windows\system32\dllcache\ntkrpamp.exe

+ 2010-08-19 21:17 . 2011-10-25 12:52 2027008 c:\windows\system32\dllcache\ntkrpamp.exe

+ 2010-08-19 21:17 . 2011-10-25 12:52 2069376 c:\windows\system32\dllcache\ntkrnlpa.exe

- 2010-08-19 21:17 . 2010-12-09 13:07 2069376 c:\windows\system32\dllcache\ntkrnlpa.exe

- 2010-08-19 21:17 . 2010-12-09 13:42 2148864 c:\windows\system32\dllcache\ntkrnlmp.exe

+ 2010-08-19 21:17 . 2011-10-25 13:37 2148864 c:\windows\system32\dllcache\ntkrnlmp.exe

+ 2010-03-20 06:21 . 2011-11-04 19:20 5978112 c:\windows\system32\dllcache\mshtml.dll

+ 2010-08-19 21:12 . 2011-11-04 19:20 2000384 c:\windows\system32\dllcache\iertutil.dll

- 2010-08-19 21:12 . 2011-08-22 23:48 2000384 c:\windows\system32\dllcache\iertutil.dll

+ 2011-12-23 18:47 . 2011-12-23 18:47 8685568 c:\windows\Installer\159b34.msi

+ 2011-12-30 03:35 . 2011-08-22 23:48 1212416 c:\windows\ie8updates\KB2618444-IE8\urlmon.dll

+ 2011-12-30 03:35 . 2011-10-03 08:35 5971456 c:\windows\ie8updates\KB2618444-IE8\mshtml.dll

+ 2011-12-30 03:35 . 2011-08-22 23:48 2000384 c:\windows\ie8updates\KB2618444-IE8\iertutil.dll

+ 2010-02-17 14:10 . 2011-10-25 13:33 2192768 c:\windows\Driver Cache\i386\ntoskrnl.exe

- 2010-02-17 14:10 . 2010-12-09 13:38 2192768 c:\windows\Driver Cache\i386\ntoskrnl.exe

+ 2010-08-19 21:17 . 2011-10-25 12:52 2027008 c:\windows\Driver Cache\i386\ntkrpamp.exe

- 2010-08-19 21:17 . 2010-12-09 13:07 2027008 c:\windows\Driver Cache\i386\ntkrpamp.exe

+ 2010-08-19 21:17 . 2011-10-25 12:52 2069376 c:\windows\Driver Cache\i386\ntkrnlpa.exe

- 2010-08-19 21:17 . 2010-12-09 13:07 2069376 c:\windows\Driver Cache\i386\ntkrnlpa.exe

- 2010-08-19 21:17 . 2010-12-09 13:42 2148864 c:\windows\Driver Cache\i386\ntkrnlmp.exe

+ 2010-08-19 21:17 . 2011-10-25 13:37 2148864 c:\windows\Driver Cache\i386\ntkrnlmp.exe

+ 2011-05-21 12:01 . 2011-05-21 12:01 13004800 c:\windows\system32\nvcompiler.dll

+ 2010-08-19 21:14 . 2011-12-07 17:44 52988224 c:\windows\system32\MRT.exe

- 2009-03-08 09:39 . 2011-08-23 22:48 11081728 c:\windows\system32\ieframe.dll

+ 2009-03-08 09:39 . 2011-11-04 19:20 11081728 c:\windows\system32\ieframe.dll

- 2010-08-19 21:12 . 2011-08-23 22:48 11081728 c:\windows\system32\dllcache\ieframe.dll

+ 2010-08-19 21:12 . 2011-11-04 19:20 11081728 c:\windows\system32\dllcache\ieframe.dll

+ 2011-12-30 03:35 . 2011-08-23 22:48 11081728 c:\windows\ie8updates\KB2618444-IE8\ieframe.dll

.

-- Snapshot reset to current date --

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]

"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-12-21 6676808]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-07-24 13529088]

"nwiz"="nwiz.exe" [2008-07-24 1630208]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-07-24 86016]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSMMyDocs"= 01000000

"NoSMMyPictures"= 01000000

"NoRecentDocsNetHood"= 01000000

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\system32\guard32.dll

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^cscbridgeobj.exe]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\cscbridgeobj.exe

backup=c:\windows\pss\cscbridgeobj.exeCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^winadslcenter.exe]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\winadslcenter.exe

backup=c:\windows\pss\winadslcenter.exeCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Zipkey check for hotkey.LNK]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Zipkey check for hotkey.LNK

backup=c:\windows\pss\Zipkey check for hotkey.LNKCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

c:\windows\system32\dumprep 0 -k [X]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]

2009-11-11 22:23 1468256 ----a-w- c:\program files\Microsoft IntelliPoint\ipoint.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"Schedule"=2 (0x2)

"UPS"=3 (0x3)

"ERSvc"=2 (0x2)

"ProtectedStorage"=2 (0x2)

"MBAMService"=2 (0x2)

"FastUserSwitchingCompatibility"=3 (0x3)

"CLPSLS"=2 (0x2)

"cmdAgent"=2 (0x2)

"BITS"=2 (0x2)

"wuauserv"=2 (0x2)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office\\EXCEL.EXE"=

"c:\\WINDOWS\\system32\\mmc.exe"=

"c:\\Utilities\\WinRescue XP\\RescueXP.exe"=

.

R1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [10/7/2011 6:48 PM 18056]

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [10/7/2011 6:48 PM 494816]

R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [10/7/2011 6:48 PM 31704]

R2 {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC};Power Control [2010/08/19 16:06];c:\program files\CyberLink\PowerDVD10\NavFilter\000.fcl [3/13/2010 11:58 AM 87536]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/3/2011 10:02 PM 366152]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/3/2011 10:02 PM 22216]

S1 MpKsl26e9fd02;MpKsl26e9fd02;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4EB15357-908E-4D73-8342-D614637712DB}\MpKsl26e9fd02.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4EB15357-908E-4D73-8342-D614637712DB}\MpKsl26e9fd02.sys [?]

S1 MpKsl43c68d5d;MpKsl43c68d5d;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5B3BCD84-3E6D-4C3D-86C0-C0E854F1BCF1}\MpKsl43c68d5d.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5B3BCD84-3E6D-4C3D-86C0-C0E854F1BCF1}\MpKsl43c68d5d.sys [?]

S1 MpKsl99fa371a;MpKsl99fa371a;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0720D13B-A366-40E1-A227-9AEE34F67A2A}\MpKsl99fa371a.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0720D13B-A366-40E1-A227-9AEE34F67A2A}\MpKsl99fa371a.sys [?]

S1 MpKslc07ae0a5;MpKslc07ae0a5;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5B3BCD84-3E6D-4C3D-86C0-C0E854F1BCF1}\MpKslc07ae0a5.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5B3BCD84-3E6D-4C3D-86C0-C0E854F1BCF1}\MpKslc07ae0a5.sys [?]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe --> c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [?]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uInternet Connection Wizard,ShellNext = iexplore

TCP: DhcpNameServer = 192.168.1.254

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\kybfn0ej.default\

FF - prefs.js: network.proxy.type - 0

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

.

- - - - ORPHANS REMOVED - - - -

.

MSConfigStartUp-ADUserMon - c:\program files\Iomega\AutoDisk\ADUserMon.exe

MSConfigStartUp-Deskup - c:\program files\Iomega\DriveIcons\deskup.exe

MSConfigStartUp-Iomega Drive Icons - c:\program files\Iomega\DriveIcons\ImgIcon.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-01-02 18:02

Windows 5.1.2600 Service Pack 3 NTFS

.

detected NTDLL code modification:

ZwClose

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Iomega Activity Disk2]

"ImagePath"="\"\""

.

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC}]

"ImagePath"="\??\c:\program files\CyberLink\PowerDVD10\NavFilter\000.fcl"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(524)

c:\windows\system32\guard32.dll

.

- - - - - - - > 'lsass.exe'(584)

c:\windows\system32\guard32.dll

.

- - - - - - - > 'csrss.exe'(492)

c:\windows\system32\cmdcsr.dll

.

Completion time: 2012-01-02 18:04:13

ComboFix-quarantined-files.txt 2012-01-03 00:04

ComboFix2.txt 2011-12-28 19:12

ComboFix3.txt 2011-12-20 23:37

ComboFix4.txt 2011-12-12 22:07

ComboFix5.txt 2012-01-02 23:57

.

Pre-Run: 46,973,419,520 bytes free

Post-Run: 47,211,601,920 bytes free

.

- - End Of File - - 611E53CD6FAC6BD9686CE6F773FEAEC3

-----------------------------------------------------------

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Owner at 18:44:03 on 2012-01-02

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1534.1115 [GMT -6:00]

.

AV: COMODO Antivirus *Disabled/Updated* {043803A5-4F86-4ef7-AFC5-F6E02A79969B}

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

FW: COMODO Firewall *Disabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wuauclt.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = about:blank

uInternet Connection Wizard,ShellNext = iexplore

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

uPolicies-explorer: NoSMMyDocs = 01000000

uPolicies-explorer: NoSMMyPictures = 01000000

uPolicies-explorer: NoRecentDocsNetHood = 01000000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab

Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll

AppInit_DLLs: c:\windows\system32\guard32.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\kybfn0ej.default\

FF - prefs.js: network.proxy.type - 0

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

.

============= SERVICES / DRIVERS ===============

.

R1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [2011-10-7 18056]

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2011-10-7 494816]

R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2011-10-7 31704]

R2 {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC};Power Control [2010/08/19 16:06:55];c:\program files\cyberlink\powerdvd10\navfilter\000.fcl [2010-3-13 87536]

R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2011-10-7 1960584]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-12-3 366152]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-3 22216]

S1 MpKsl26e9fd02;MpKsl26e9fd02;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4eb15357-908e-4d73-8342-d614637712db}\mpksl26e9fd02.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4eb15357-908e-4d73-8342-d614637712db}\MpKsl26e9fd02.sys [?]

S1 MpKsl43c68d5d;MpKsl43c68d5d;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5b3bcd84-3e6d-4c3d-86c0-c0e854f1bcf1}\mpksl43c68d5d.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5b3bcd84-3e6d-4c3d-86c0-c0e854f1bcf1}\MpKsl43c68d5d.sys [?]

S1 MpKsl99fa371a;MpKsl99fa371a;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{0720d13b-a366-40e1-a227-9aee34f67a2a}\mpksl99fa371a.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{0720d13b-a366-40e1-a227-9aee34f67a2a}\MpKsl99fa371a.sys [?]

S1 MpKslc07ae0a5;MpKslc07ae0a5;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5b3bcd84-3e6d-4c3d-86c0-c0e854f1bcf1}\mpkslc07ae0a5.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5b3bcd84-3e6d-4c3d-86c0-c0e854f1bcf1}\MpKslc07ae0a5.sys [?]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\wpffontcache_v0400.exe --> c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [?]

.

=============== Created Last 30 ================

.

2012-01-01 15:12:49 -------- d-----w- C:\VritualRoot

2011-12-30 18:52:40 446464 ----a-w- c:\windows\system32\nvudisp.exe

2011-12-30 18:52:40 446464 ----a-r- c:\windows\system32\nvuninst.exe

2011-12-30 06:34:18 1703936 ----a-w- c:\windows\system32\nvwdmcpl.dll

2011-12-30 06:29:11 -------- d-----w- c:\windows\nview

2011-12-30 05:44:57 -------- d-----w- c:\windows\NV38842224.TMP

2011-12-30 04:20:15 273344 ----a-w- c:\windows\system32\nvdrsdb1.bin

2011-12-30 04:20:15 273344 ----a-w- c:\windows\system32\nvdrsdb0.bin

2011-12-30 04:20:15 1 ----a-w- c:\windows\system32\nvdrssel.bin

2011-12-30 04:19:54 -------- d-----w- c:\program files\NVIDIA Corporation

2011-12-30 03:25:35 -------- d-----w- c:\windows\Temp548E5E15-390C-E344-0A26-337298CFC5FD-Signatures

2011-12-30 01:45:04 -------- d-----w- c:\documents and settings\owner\application data\Auslogics

2011-12-30 01:44:54 -------- d-----w- c:\program files\Auslogics

2011-12-23 18:46:52 -------- d-----w- c:\documents and settings\all users\application data\Comodo

2011-12-23 18:46:48 -------- d-----w- c:\program files\COMODO

2011-12-23 18:46:03 -------- d-----w- c:\documents and settings\all users\application data\Comodo Downloader

2011-12-20 23:15:39 -------- d-----w- c:\windows\NV12601528.TMP

2011-12-20 23:14:45 32768 ----a-w- c:\program files\common files\installshield\professional\runtime\Objectps.dll

2011-12-20 23:14:44 729088 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iKernel.dll

2011-12-20 23:14:44 69715 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\ctor.dll

2011-12-20 23:14:44 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\DotNetInstaller.exe

2011-12-20 23:14:44 266240 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iscript.dll

2011-12-20 23:14:44 192512 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iuser.dll

2011-12-20 23:14:39 188548 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iGdi.dll

2011-12-20 23:14:38 311428 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\setup.dll

2011-12-20 22:44:00 -------- d-----w- c:\windows\NV14041528.TMP

2011-12-19 22:08:14 -------- d-----w- C:\Lanfire

2011-12-12 23:47:20 -------- d-----w- c:\program files\Support Tools

2011-12-12 22:32:24 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys

2011-12-12 22:32:24 75264 ----a-w- c:\windows\system32\dllcache\ipsec.sys

2011-12-12 20:55:10 98816 ----a-w- c:\windows\sed.exe

2011-12-12 20:55:10 518144 ----a-w- c:\windows\SWREG.exe

2011-12-12 20:55:10 256000 ----a-w- c:\windows\PEV.exe

2011-12-12 20:55:10 208896 ----a-w- c:\windows\MBR.exe

2011-12-05 18:39:08 -------- d-sha-r- C:\cmdcons

2011-12-05 18:39:02 -------- d-----w- c:\windows\setup.pss

2011-12-04 04:02:31 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-12-04 04:02:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.

==================== Find3M ====================

.

2012-01-01 23:49:59 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-12-19 18:59:21 31704 ----a-w- c:\windows\system32\drivers\cmdhlp.sys

2011-12-19 18:59:20 494816 ----a-w- c:\windows\system32\drivers\cmdGuard.sys

2011-12-19 18:59:19 18056 ----a-w- c:\windows\system32\drivers\cmderd.sys

2011-12-19 18:58:56 33984 ----a-w- c:\windows\system32\cmdcsr.dll

2011-12-19 18:58:55 301224 ----a-w- c:\windows\system32\guard32.dll

2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys

2011-11-05 16:38:09 1700352 ----a-w- c:\windows\system32\gdiplus.dll

2011-11-05 16:38:09 1060864 ----a-w- c:\windows\system32\mfc71.dll

2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll

2011-11-04 19:20:51 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-11-04 19:20:51 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-11-04 11:23:59 385024 ----a-w- c:\windows\system32\html.iec

2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll

2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll

2011-10-26 00:57:40 41680 ----a-w- c:\windows\system32\drivers\hcowlqdp.sys

2011-10-25 13:37:08 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe

2011-10-25 12:52:02 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe

2011-10-18 11:13:22 186880 ----a-w- c:\windows\system32\encdec.dll

2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll

.

============= FINISH: 18:44:48.06 ===============


  • Staff

Hi,

Remove Microsoft Security Essentials manually by running the Fix It tool in this Microsoft article:

http://support.microsoft.com/kb/2435760

Reboot after.

I see you installed Registry cleaners at some point. They do little, if any, good, and can often cause damage. I highly recommend uninstalling these:

A1Click Ultra PC Cleaner 1.01 (Registered Version)

RegVac Registry Cleaner 5.02 (Registered Version)

Run TFC by OldTimer to clear temporary files:

  • Please download TFC from here and save it to your desktop.
  • Close any open programs and Internet browsers.
  • Double click TFC.exe to run it and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
  • Please be patient as clearing out temp files may take a while.
  • Once it completes you may be prompted to restart your computer, please do so.
  • Once it's finished you may delete TFC.exe from your Desktop or save it for later use for the cleaning of temporary files.

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall.

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following programs (if present):

ESET Online Scanner v3

Java™ 6 Update 21

Restart your computer.

Get the latest version of Java

Also update Firefox; ensure that you are using version 9.

Let me know what issues remain.

Hi Chris,

Per your instructions I used the Fixit tool to remove Security Essentials then rebooted. I uninstalled A1 Click and Regvac.

I downloaded TFC and ran it. It displayed its screen and then stopped. I waited about an hour, then used Task Mgr to check it. It then displayed "TFC (Not Responding)" in the title bar. Tried it several more times with the same results, even downloaded it several more times. Since the computer locked up each time I tried, I had to turn off the computer each time before rebooting.

Uninstalled Comodo (because I couldn't control it) and reinstalled Security Essentials.

Followed your uninstall instructions for Combofix, it looked like it was going to run again, but it finally uninstalled.

Security check is gone.

Uninstalled Java 6 and reinstalled it from the Java website.

My main concern at this time is the fact that TFC locks up the computer.

What should I do now? Mike


  • Staff

Try this instead:

Please download ATF Cleaner by Atribune from here, and save it to your Desktop.

Double click ATF-Cleaner.exe to run the program.

Check the boxes to the left of:

Windows Temp

Current User Temp

All Users Temp

Temporary Internet Files

Java Cache

The rest are optional - if you want to remove the whole lot, check Select All.

Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.

Reboot. See if TFC locks up now.


  • 1 month later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
