
Is my system clean? And some questions.



  • Root Admin

Well, you may want to run this first then, just to make sure.

You may have corrupted files on your disk. Please try running the following.

First close ALL Applications as this routine will automatically restart your computer.

Click on START - RUN and copy / paste the following entry into the box and click OK

CMD /C ECHO Y|CHKDSK C: /F & SHUTDOWN /R /T 30

This will automatically check the Disk and file structure for errors and correct them if it can.


Here is the CHKDSK log:

Checking file system on C:

The type of the file system is NTFS.

Cleaning up minor inconsistencies on the drive.

Cleaning up 3224 unused index entries from index $SII of file 0x9.

Cleaning up 3224 unused index entries from index $SDH of file 0x9.

Cleaning up 3224 unused security descriptors.

CHKDSK is verifying Usn Journal...

Usn Journal verification completed.

312536542 KB total disk space.

72349420 KB in 242259 files.

127016 KB in 13567 indexes.

0 KB in bad sectors.

474558 KB in use by the system.

65536 KB occupied by the log file.

239585548 KB available on disk.

4096 bytes in each allocation unit.

78134135 total allocation units on disk.

59896387 allocation units available on disk.

Internal Info:

60 29 04 00 5d e7 03 00 ce e5 05 00 00 00 00 00 `)..]...........

e8 ce 02 00 02 00 00 00 1a 10 00 00 00 00 00 00 ................

2e 2c 45 10 00 00 00 00 ce 6a 2a 64 01 00 00 00 .,E......j*d....

2c 62 69 5d 00 00 00 00 00 00 00 00 00 00 00 00 ,bi]............

00 00 00 00 00 00 00 00 28 80 6c d5 01 00 00 00 ........(.l.....

b0 ff b1 8e 00 00 00 00 90 38 07 00 53 b2 03 00 .........8..S...

00 00 00 00 00 b0 db 3f 11 00 00 00 ff 34 00 00 .......?.....4..

Windows has finished checking your disk.

Please wait while your computer restarts.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

-----------------------

Is it ok to run Dial-a-fix now?


I just re-read the Dial-a-fix instructions on the steps to go through before running it. I've done almost everything on the list.

I didn't run the memory test (because I didn't know which version to download, and you said you didn't think it was necessary anyway).

I didn't flash the BIOS (and definitely won't, unless you advise otherwise).

BUT -- I haven't run Windows Update and installed all service packs and patches. Specifically, I have not installed SP3. (I am going through these steps to make sure my system is clean before trying to install it.) So is it okay to run Dial-a-fix even though I haven't installed SP3? (Other than that, I believe my system is up-to-date with regard to all critical updates.)


  • Root Admin

Yes. In my opinion, that is part of what Dial-a-fix is for: to repair the system so that you can get online and do updates normally, or to fix other issues with IE that prevent some things from working correctly. As I said before, most of those articles are written sort of as an I TOLD YOU SO, just in case something were to go wrong.

Will it go wrong? I doubt it.

Can it go wrong? Yes it can, but you could push the power button and have it not work too. Sometimes things happen and you don't have much control over it.

I know you're probably wanting assurance from me that everything will be okay. I'm sorry, but I cannot assure you 100% that it will be okay, but I can tell you that I've run it on many systems with no ill effect, and I know of many others that have run it with no ill effect, and it has repaired many things and done the job it was designed to do.

Beyond backing up your data there really isn't much else I'd do except run it.


I know you can't give guarantees... Ok, I am off to run Dial-a-fix.

A question about installing the Windows Recovery Console. Am I understanding correctly that you want me to install the console manually before running ComboFix? The instructions at http://www.bleepingcomputer.com/combofix/h...manual_recovery say that if you have a Windows CD, you can use the instructions on http://www.bleepingcomputer.com/tutorials/tutorial117.html to install the Console. The Windows CD I have is the "Reinstallation CD - Microsoft Windows XP Pro including SP1" from Dell. I assume that is sufficient?

Otherwise, I can follow the other instructions given at http://www.bleepingcomputer.com/combofix/h...manual_recovery for users without a Windows CD.

Thanks!


  • Root Admin

Hi there. Well, maybe the instructions haven't been updated for a while, or I have not read them for CF for a while. I used it just last week and left it connected to the Internet, and I allowed it to download and install the Recovery Console for me all on its own. I did not have a CD or download anything manually on my own.

I would give that a try and see if it works for you or not.

As for Dial-a-fix, others may choose other options, but I choose to let it do everything. There really should not be any harm unless one of your core Microsoft files has been infected, in which case it could potentially re-enable an infection, but that would be rare.

Basically it is just automating what you could do yourself at the command line in a DOS console if you knew all the files and commands to run.

It un-registers certain MS files (which removes entries from the Registry), then it re-registers those files (which re-links the COM automation and puts back certain entries in the Registry). Then it renames a couple of folders and recreates new folders, etc.

The end result is that in "most" cases it repairs features and functions of Windows that either poor installers have caused or hardware shutdowns have corrupted, etc. It is not a 100% fix-all, but it does correct a lot of things that are just hard to track down and fix on their own, so it uses sort of a blanket approach to resetting everything.

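As an added illustration of the routine the Root Admin just described, here is a small batch file of the same shape: unregister a set of system DLLs, re-register them, then move the catroot2 folder aside so the Cryptographic Services service rebuilds it. This is example code written for this page, not Dial-a-fix's own script and not something posted in the thread. The DLL list is an assumed short subset of what the real tool handles, the dllcache comparison is an added safety check, and the whole thing assumes Windows XP Pro run from an administrator command prompt.

```batch
@echo off
setlocal
REM -----------------------------------------------------------------
REM Added example, not Dial-a-fix itself and not code from this thread:
REM a minimal batch version of the "unregister, then re-register, then
REM rename and rebuild a folder" routine described above, for XP.
REM The DLL list below is an assumption, a short common subset; the real
REM tool touches many more files. Run from an Administrator command
REM prompt with other programs closed.
REM -----------------------------------------------------------------

set SYS=%SystemRoot%\system32
set DLLS=wuapi.dll wuaueng.dll wucltui.dll wups.dll wuweb.dll softpub.dll wintrust.dll initpki.dll mssip32.dll jscript.dll vbscript.dll msxml3.dll urlmon.dll

for %%D in (%DLLS%) do (
    if exist "%SYS%\%%D" (
        REM Caveat from the post above: regsvr32 runs the DLL's own
        REM DllRegisterServer code with your privileges, so a replaced or
        REM infected DLL would simply be re-enabled. A cheap sanity check
        REM on XP is to compare against the protected copy in dllcache.
        if exist "%SYS%\dllcache\%%D" (
            fc /b "%SYS%\%%D" "%SYS%\dllcache\%%D" >nul
            if errorlevel 1 (
                echo %%D differs from the dllcache copy - NOT re-registering, check it first
            ) else (
                call :rereg "%SYS%\%%D"
            )
        ) else (
            call :rereg "%SYS%\%%D"
        )
    ) else (
        echo %%D not present, skipped
    )
)

REM Catalog database reset: stop Cryptographic Services, move catroot2
REM aside, and let the service rebuild it on restart. A freshly dated
REM CatRoot2 folder, like the one in the ComboFix log above, is what
REM this step leaves behind.
net stop cryptsvc
if exist "%SYS%\catroot2.old" rd /s /q "%SYS%\catroot2.old"
ren "%SYS%\catroot2" catroot2.old
net start cryptsvc
endlocal
goto :eof

:rereg
REM /s = silent, /u = unregister. Unregister first so stale CLSID and
REM typelib entries are removed before the fresh registration writes
REM them back.
regsvr32 /s /u %1
regsvr32 /s %1
echo re-registered %~nx1
goto :eof
```

Run it with other programs closed, after the same backup the post recommends. The dllcache comparison is the practical form of the caveat above: regsvr32 calls code inside the DLL it registers, so re-registering a replaced system file would execute the replacement with administrator rights. When a file differs from its protected copy, look at it (or run sfc /scannow) before re-registering it.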

Hi -- I ran Dial-a-fix (without untoward incident, as you predicted). Can't really tell if anything is different... but I'm sure there are probably some improvements. Was about to run CF, but someone here needs the computer (we only have one), so I will run it later today.

(By the way, regarding CF, I had misunderstood your earlier instructions to mean that I should install the recovery console FIRST, meaning before running CF. Hence, my Q's about the Windows CD. I will run CF and let it handle the installation of the recovery console.)


Hi -- Well, before I got to running CF (and I will download a fresh copy when I'm ready to run it), I realized that I can no longer send and receive mail with Outlook Express using my Verizon DSL email acct. I just spent about 40 min on the phone with Verizon, deleting and re-installing the account and all the parameters, but it didn't help. And Verizon assures me that there is no problem with their mail servers. So I think Dial-a-fix screwed up something in Outlook Express, but I have no idea what or how to fix it.

I can use the program (compose mail, read mail, move between folders, etc), but I cannot send or receive.

Any ideas?


Ok, it's a FW problem. When I turn off the Avast mail scanner, I can send/receive. I installed an Avast program update earlier today. So then I got a FW msg about the mail scanner. I thought I allowed it, but maybe I hit the wrong button, because there's an entry in the security log that says user denied change. So I have to figure out how to allow it.


Ok -- I've run ComboFix.

It was a bit unnerving at times. The CF instructions I had printed didn't mention the reboot after the scan. So at first, I was scared to touch the machine to log back into the admin user acct where CF was running. I waited 10 min, then logged in. CF started to run, then paused and alerted me that my AV was running. Well, all my background programs opened! So I closed all. But I had a real dilemma, because the Sygate FW interface wasn't showing. This is a problem I have with Sygate, and is one of the reasons I plan to switch to Comodo. Sygate doesn't always load promptly -- but I think sometimes it is just the user interface that isn't showing, and the program is running in the background anyway. (It doesn't show in Task Manager, even with the interface showing, so I don't know how to check this.) Anyway, I was unsure about clicking OK to the AV alert and letting ComboFix run even though the FW might be running or loading. But I was scared to load Sygate and exit it, since CF was saying "don't run any programs". I finally decided to resume CF and hope for the best, and things worked out fine.

After CF finished running, I restarted my background anti-malware. WinPatrol alerted me that my default search page for IE had changed from Google to some Microsoft search page. I decided to allow it, and will change it back later. Then WinPatrol alerted me of a change in my HOSTS file, which I also allowed.

I am posting the CF log below.

Later, I will run RootRepeal and HJT scan. Need a bit of a break now...

****************************************************************************************

**************************** COMBOFIX LOG **********************************************

ComboFix 09-02-07.01 - (ADMIN_USER) 2009-02-08 13:34:54.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2559.2101 [GMT -5:00]

Running from: c:\documents and settings\(ADMIN_USER)\Desktop\ComboFix.exe

AV: avast! antivirus 4.8.1335 [VPS 090208-0] *On-access scanning disabled* (Updated)

AV: Norton AntiVirus 2005 *On-access scanning disabled* (Outdated)

FW: Norton Internet Worm Protection *enabled*

FW: Sygate Personal Firewall *disabled*

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\open.ico

c:\windows\Web\default.htt

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_IPRIP

-------\Service_Iprip

((((((((((((((((((((((((( Files Created from 2009-01-08 to 2009-02-08 )))))))))))))))))))))))))))))))

.

2009-02-07 09:33 . 2009-02-08 13:34 <DIR> d-------- c:\windows\system32\CatRoot2

2009-02-06 00:19 . 2009-02-06 00:19 <DIR> d-------- c:\program files\HD Tune

2009-01-31 00:02 . 2009-01-31 00:02 250 --a------ c:\windows\gmer.ini

2009-01-30 22:58 . 2009-01-30 22:58 0 --a------ c:\windows\system32\REN13.tmp

2009-01-30 22:58 . 2009-01-30 22:58 0 --a------ c:\windows\system32\REN12.tmp

2009-01-18 19:07 . 2009-01-18 19:07 410,984 --a------ c:\windows\system32\deploytk.dll

2009-01-18 18:32 . 2009-01-18 18:32 <DIR> d-------- c:\program files\Common Files\Adobe AIR

2009-01-16 21:07 . 2009-01-16 21:07 <DIR> d-------- c:\documents and settings\(USER_B)\Application Data\Apple Computer

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-30 06:06 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-01-30 06:04 --------- d-----w c:\program files\Common Files\Adaptec Shared

2009-01-30 04:37 --------- d-----w c:\program files\a-squared Anti-Dialer

2009-01-29 04:19 --------- d-----w c:\documents and settings\(USER_N)\Application Data\Apple Computer

2009-01-24 04:03 --------- d-----w c:\documents and settings\(USER_D)\Application Data\XnView

2009-01-18 23:46 118,784 ----a-w c:\windows\SeaMonkeyUninstall.exe

2009-01-18 23:45 118,784 ----a-w c:\windows\GREUninstall.exe

2009-01-18 18:57 --------- d-----w c:\documents and settings\(USER_D)\Application Data\Apple Computer

2009-01-17 21:12 --------- d-----w c:\program files\a-squared Free

2009-01-17 21:08 --------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-01-17 21:06 --------- d-----w c:\program files\SpywareBlaster

2009-01-17 21:06 --------- d-----w c:\documents and settings\All Users\Application Data\TEMP

2009-01-14 21:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-14 21:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-01-02 04:27 --------- d-----w c:\program files\Panda Security

2009-01-02 00:21 --------- d-----w c:\program files\iTunes

2009-01-02 00:21 --------- d-----w c:\program files\iPod

2009-01-02 00:21 --------- d-----w c:\program files\Bonjour

2009-01-02 00:21 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer

2009-01-02 00:21 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

2009-01-02 00:20 --------- d-----w c:\program files\Common Files\Apple

2009-01-01 23:10 --------- d-----w c:\documents and settings\All Users\Application Data\CCleaner

2009-01-01 20:47 --------- d-----w c:\program files\SUPERAntiSpyware

2008-12-27 18:37 --------- d-----w c:\program files\IObit

2008-12-14 03:19 --------- d-----w c:\documents and settings\(ADMIN_USER)\Application Data\SanDisk

2008-12-13 21:46 --------- d-----w c:\documents and settings\(ADMIN_USER)\Application Data\Amazon

2008-12-13 21:38 --------- d-----w c:\documents and settings\(USER_D)\Application Data\Amazon

2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys

2008-10-03 23:49 84,216 -c----w c:\documents and settings\(USER_N)\Application Data\GDIPFONTCACHEV1.DAT

2008-04-11 00:22 84,216 -c----w c:\documents and settings\(USER_D)\Application Data\GDIPFONTCACHEV1.DAT

2008-03-21 16:37 84,216 -c----w c:\documents and settings\(USER_B)\Application Data\GDIPFONTCACHEV1.DAT

2004-11-30 23:18 336,896 -c----w c:\documents and settings\(USER_D)\remote.exe

2004-04-10 17:43 266 ---h--w c:\program files\desktop.ini

2004-04-10 17:43 11,079 -c-h--w c:\program files\folder.htt

2001-05-24 17:59 162,304 ------w c:\program files\UNWISE.EXE

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"Sygate Agent Firewall"="c:\program files\Sygate\SPF\Smc.exe" [2004-10-15 2577632]

"Windows Defender User Interface"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]

"StrokeIt"="c:\program files\Strokeit\strokeit.exe" [2005-02-17 21504]

"SansaDispatch"="c:\documents and settings\(ADMIN_USER)\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2008-12-13 79872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]

"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2006-07-20 230976]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"a-squared Anti-Dialer"="c:\program files\a-squared Anti-Dialer\a2adguard.exe" [2008-06-11 1497744]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-06-15 366400]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2006-10-04 c:\windows\system32\narrator.exe]

c:\documents and settings\(ADMIN_USER)\Start Menu\Programs\Startup\

ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

Secunia PSI.lnk - c:\program files\Secunia\PSI\psi.exe [2008-11-24 728408]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

hueyPROTray.lnk - c:\program files\Pantone\hueyPRO\hueyPROTray.exe [2008-09-12 1081344]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-01-01 15:47 356352 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\system32\wmfhotfix.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.ctmp3"= c:\windows\System32\ctmp3.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-01-01 28544]

R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2008-05-20 15328]

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-04-23 114768]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-11-17 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-11-17 55024]

R2 a2AntiDialer;a-squared Anti-Dialer Service;c:\program files\a-squared Anti-Dialer\a2service.exe [2007-06-20 421496]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-04-23 20560]

R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [2008-08-06 216032]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]

S3 avgntdw;avgntdw;\??\c:\program files\AVPersonal\AVGNTDW.SYS --> c:\program files\AVPersonal\AVGNTDW.SYS [?]

S3 METROP;Hewlett-Packard ScanJet 5300C/5370C;c:\windows\system32\drivers\hp53pw2k.sys [2003-09-14 131712]

S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2008-11-18 7808]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-11-17 7408]

--- Other Services/Drivers In Memory ---

*Deregistered* - IPVNMon

*Deregistered* - mchInjDrv

*Deregistered* - uphcleanhlp

.

Contents of the 'Scheduled Tasks' folder

2008-10-24 c:\windows\Tasks\BACKUP.job

- c:\windows\system32\ntbackup.exe [2004-08-04 02:56]

2009-02-08 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Settings,ProxyOverride = localhost;*.local

uSearchURL,(Default) = hxxp://www.google.com

IE: &Google Search

IE: &Translate English Word

IE: Backward Links

IE: Cached Snapshot of Page

IE: Similar Pages

IE: Translate Page into English

Trusted Zone: adobe.com\www

Trusted Zone: akamai.net\a248.e

Trusted Zone: bitdefender.com

Trusted Zone: eset.com

Trusted Zone: eset.com\www

Trusted Zone: f-secure.com

Trusted Zone: f-secure.com\support

Trusted Zone: html-kit.com\www

Trusted Zone: lavasoft.com

Trusted Zone: lavasoft.de\www

Trusted Zone: lavasoftusa.com\www

Trusted Zone: live.com\onecare

Trusted Zone: microsoft.com\*.update

Trusted Zone: microsoft.com\office

Trusted Zone: microsoft.com\update

Trusted Zone: microsoft.com\windowsupdate

Trusted Zone: microsoft.com\www

Trusted Zone: netflame.cc\ssl-hints

Trusted Zone: pandasecurity.com\www

Trusted Zone: secunia.com

Trusted Zone: secunia.com\psi

Trusted Zone: symantec.com\security

Trusted Zone: verizon.net\onlinehelp

Trusted Zone: windowsupdate.com

Trusted Zone: windowsupdate.com\download

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: ppctlcab - hxxp://www.pestscan.com/scanner/ppctlcab.cab

DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37540.cab

FF - ProfilePath - c:\documents and settings\(ADMIN_USER)\Application Data\Mozilla\Firefox\Profiles\ebtxti7b.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPUploader.dll

.

.

------- File Associations -------

.

txtfile="c:\program files\JGsoft\EditPadLite\EditPadLite.exe" "%1"

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-08 14:04:06

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]

"ImagePath"=""

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]

"Licence0"="04F0D21-79D8-7A25-D702-433F"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(692)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\Ati2evxx.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\program files\Lavasoft\Ad-Aware\aawservice.exe

c:\program files\Alwil Software\Avast4\aswUpdSv.exe

c:\program files\Alwil Software\Avast4\ashServ.exe

c:\program files\a-squared Free\a2service.exe

c:\program files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\windows\system32\CTsvcCDA.EXE

c:\program files\UPHClean\uphclean.exe

c:\windows\system32\MsPMSPSv.exe

c:\windows\system32\ati2evxx.exe

c:\windows\system32\wscntfy.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2009-02-08 14:06:48 - machine was rebooted

ComboFix-quarantined-files.txt 2009-02-08 19:06:45

Pre-Run: 244,946,087,936 bytes free

Post-Run: 244,782,620,672 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

245 --- E O F --- 2009-02-07 14:29:49

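Since the post above is unsure whether Sygate is actually running when its window is not shown, here is an added check (example code written for this page, not from the thread or from any of the tools mentioned) that reports the state of the protection processes named in the logs, the related services, and the built-in XP firewall. The process names smc.exe, ashServ.exe and MsMpEng.exe and the service name WinDefend are taken from the ComboFix and HJT logs; the Sygate service name does not appear in the thread, so it is looked up by display name, which is assumed to contain the word Sygate.

```batch
@echo off
setlocal
REM -----------------------------------------------------------------
REM Added example, not from this thread: a quick state check for the
REM protection software named in the logs above, for the case where the
REM Sygate tray UI is not visible and Task Manager is inconclusive.
REM Process names and the WinDefend service name come from the ComboFix
REM and HJT logs; everything else here is an assumption. XP Pro only
REM (tasklist and sc are not shipped with XP Home).
REM -----------------------------------------------------------------

REM 1. Is the process image loaded? tasklist prints an INFO line and no
REM    match when it is not, so "find" sets errorlevel 1 in that case.
for %%P in (smc.exe ashServ.exe MsMpEng.exe) do (
    tasklist /fi "imagename eq %%P" | find /i "%%P" >nul
    if errorlevel 1 (echo [ ] %%P is NOT running) else (echo [x] %%P is running)
)

REM 2. Service state for the ones registered as services. WinDefend is
REM    named in the ComboFix log; the Sygate and avast service names are
REM    not, so they are matched on display name instead.
sc query WinDefend | findstr /i "STATE"
sc query type= service state= all | findstr /i /c:"DISPLAY_NAME" | findstr /i "Sygate avast"

REM 3. The ComboFix log shows the built-in XP firewall policy with
REM    EnableFirewall=0, so if the third-party firewall is not running,
REM    nothing is filtering. netsh reports the built-in firewall's mode.
netsh firewall show opmode
endlocal
```

The first loop answers the Task Manager question directly: a process can be running without any tray icon, and tasklist sees it either way. The last command matters because of the `EnableFirewall= 0` line in the ComboFix log above: with the Windows firewall off, the machine is only filtered while smc.exe (or its replacement) is actually up.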

I wouldn't say for sure that any of the problems I experience on the computer are due to infections -- it seems to me that they might just as easily be due to problems with buggy software or patches. But I'm not sure...

(In the past, even when my scans have detected infections due to Trojans or Toolbars, I have never experienced symptoms such as browser hijacking, popups, slow downs, etc. Some infections turned out, after Googling, to be false positives, but some seemed to be real.)

The problems I am experiencing now are:

1. Problems with Word -- I have MS Word 2002 (10.6850.6845 SP2).

a) It tends to crash pretty often. Often this happens when I am closing the program. I have found that it often will crash if I close the program without first closing open documents. Even if I close documents, I need to pause before closing the program to prevent crashes.

b) Starting maybe about a month ago, I have to accept the end-user EULA each time I start the program! I've been assuming that this might be due to a Windows Update patch that is problematic.

I was hoping Dial-a-fix would fix my Word problems, but it hasn't. Perhaps I should try the "Detect and repair" option in the Word Help menu?

2. Problem with Adobe Reader 9.0 -- (Adobe Reader is also installed as a plug-in in Firefox)

I cannot always open pdf files on one (limited) user in Firefox (or outside of Firefox, either). Some files open fine, but for others, the error msg is "the file is damaged and cannot be repaired". Or sometimes it will display a blank page and say "done". However, if I switch to another (limited) user, the same file will open just fine.

I think I may have fixed this today. I opened Firefox>Tools>Applications. Various Adobe programs were listed (eg, Acrobat and Air). I didn't see Reader listed. When I searched for "pdf file", it seemed to indicate that pdf's were to be opened by Acrobat. I switched this to Adobe Reader 9, and could then open a file that I had been unable to open previously. I haven't experimented enough to know if this has resolved all my Adobe problems.

3. Often I get an "access denied" msg when I try to delete a file, even if I am on the admin acct. I don't think this is due to malware, though.

4. Sygate Personal Firewall doesn't load promptly -- or at least the user interface doesn't load promptly, though sometimes I think the program is actually running. I often seem to need to start it manually, though it is set to run at startup. (It also will only show the user interface to the user who logs on first, but this is a known issue.) However, this is a program which is no longer being maintained, so I am not that surprised that I am having problems with it. I plan to move to Comodo free firewall.

That's all I can think of right now, though I am sure there are other little annoyances that I try to live with or work around.

Sorry, I've gotten a bit behind schedule. I will run the scans you requested tomorrow. Thanks!


  • Root Admin

Perhaps I should try the "Detect and repair" option in the Word Help menu?

Yes, that would be a good idea.

If Problem 2 was not fixed by the change you made, then it would probably be fixed by creating a NEW profile for Firefox. Google will show many tutorials on doing that if help is needed.

Then uninstall Acrobat Reader 9 first, then create the new profiles for Firefox. Reboot, then re-install Acrobat 9 (I would not get the Air myself, as I've seen problems with it for some users).

#3: this happens if anything has the file open, or if you have multiple windows open and try to delete it in the foreground while in the background the file is in use.

There is a program called Unlocker 1.87 you could try that will release what's holding it open.

Yes, these are just typical computer annoyances and do not appear to be Malware related.


Thanks for the suggestions. I wasn't actually trying to install Adobe Air -- it just came along when I updated Adobe Reader (see http://get.adobe.com/reader/). Now that I have looked it up, I can't see why I'd ever want it. Maybe I can uninstall it.

In Add/Remove, the following are installed:

Acrobat.com ver 1.1.377

Adobe AIR

Adobe Flash Player 10 Plug-in

Adobe Reader 9

I don't really understand the inter-dependence of these programs, and why Adobe makes you install them all. And it seems like Acrobat is still labeled 'beta' -- are they, essentially, forcing you to test their beta software? (http://www.adobe.com/products/reader/ : "Create PDF files with Adobe


Oh, and regarding using Detect and Repair for Word... I understand you need to have your Word installation discs available. I have a set of CDs supplied by Dell that came with my computer. They contain MS Works Suite 2003, and Disc 1 of the set contains Microsoft Word 2002.

So if Detect and Repair wants my original installation disc, will that work? I'm worried because it is so old -- pre-SP1, I believe (certainly pre-SP2), and many, many patches out-of-date.

I am always a little worried that my original installation discs won't be recognized/usable.


Here are my MBAM and HJT logs. I will run RootRepeal later today.

*************** MBAM quick scan **************

Malwarebytes' Anti-Malware 1.33

Database version: 1742

Windows 5.1.2600 Service Pack 2

2/10/2009 9:51:29 AM

mbam-log-2009-02-10 (09-51-29).txt

Scan type: Quick Scan

Objects scanned: 67734

Time elapsed: 3 minute(s), 40 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

***** END MBAM QUICK SCAN *****

****************************

****** HJT LOG ***************

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:53:40 AM, on 2/10/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Sygate\SPF\smc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Strokeit\strokeit.exe

C:\Documents and Settings\(ADMIN_USER)\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe

C:\Program Files\a-squared Anti-Dialer\a2service.exe

C:\Program Files\a-squared Free\a2service.exe

C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\Program Files\Macrium\Reflect\ReflectService.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\UPHClean\uphclean.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\System32\wbem\wmiprvse.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\wbem\wmiprvse.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://*.bitdefender.com

O15 - Trusted Zone: http://*.lavasoft.com

O15 - Trusted Zone: http://*.windowsupdate.com

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...wlscbase969.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1185414703250

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37540.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -

O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab

O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab

O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab

O20 - AppInit_DLLs: C:\WINDOWS\system32\wmfhotfix.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O23 - Service: a-squared Anti-Dialer Service (a2AntiDialer) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Dialer\a2service.exe

O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe

O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe

O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: Macrium Reflect Image Mounting Service (ReflectService) - Unknown owner - C:\Program Files\Macrium\Reflect\ReflectService.exe

O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--

End of file - 10753 bytes


And here is my RootRepeal log:

ROOTREPEAL © AD, 2007-2008

==================================================

Scan Time: 2009/02/10 12:45

Program Version: Version 1.2.3.0

Windows Version: Windows XP SP2

==================================================

Drivers

-------------------

Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xB6531000 Size: 98304 File Visible: No

Status: -

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xF79B5000 Size: 8192 File Visible: No

Status: -

Name: giveio.sys

Image Path: giveio.sys

Address: 0xF7A50000 Size: 1664 File Visible: No

Status: -

Name: hiber_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\hiber_WMILIB.SYS

Address: 0xF799F000 Size: 8192 File Visible: No

Status: -

Name: mchInjDrv.sys

Image Path: C:\WINDOWS\system32\Drivers\mchInjDrv.sys

Address: 0xB38FB000 Size: 2560 File Visible: No

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xB40C9000 Size: 45056 File Visible: No

Status: -

Name: speedfan.sys

Image Path: speedfan.sys

Address: 0xF798F000 Size: 5248 File Visible: No

Status: -

Name: uphcleanhlp.sys

Image Path: C:\WINDOWS\system32\Drivers\uphcleanhlp.sys

Address: 0xB3E9F000 Size: 6752 File Visible: No

Status: -

Hidden/Locked Files

-------------------

Path: C:\hiberfil.sys

Status: Locked to the Windows API!

SSDT

-------------------

#: 017 Function Name: NtAllocateVirtualMemory

Status: Hooked by "C:\WINDOWS\system32\drivers\wpsdrvnt.sys" at address 0xbaf22b30

#: 025 Function Name: NtClose

Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb65796b8

#: 041 Function Name: NtCreateKey

Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb6579574

#: 053 Function Name: NtCreateThread

Status: Hooked by "C:\WINDOWS\system32\drivers\wpsdrvnt.sys" at address 0xbaf226f0

#: 065 Function Name: NtDeleteValueKey

Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb6579a52

#: 066 Function Name: NtDeviceIoControlFile

Status: Hooked by "IPVNMon.sys" at address 0xf7850b23

#: 068 Function Name: NtDuplicateObject

Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb657914c

#: 108 Function Name: NtMapViewOfSection

Status: Hooked by "C:\WINDOWS\system32\drivers\wpsdrvnt.sys" at address 0xbaf22470

#: 119 Function Name: NtOpenKey

Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb657964e

#: 122 Function Name: NtOpenProcess

Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb657908c

#: 128 Function Name: NtOpenThread

Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb65790f0

#: 137 Function Name: NtProtectVirtualMemory

Status: Hooked by "C:\WINDOWS\system32\drivers\wpsdrvnt.sys" at address 0xbaf22c50

#: 177 Function Name: NtQueryValueKey

Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb657976e

#: 204 Function Name: NtRestoreKey

Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb657972e

#: 247 Function Name: NtSetValueKey

Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb65798ae

#: 249 Function Name: NtShutdownSystem

Status: Hooked by "C:\WINDOWS\system32\drivers\wpsdrvnt.sys" at address 0xbaf22990

#: 257 Function Name: NtTerminateProcess

Status: Hooked by "C:\WINDOWS\system32\drivers\wpsdrvnt.sys" at address 0xbaf228d0

#: 263 Function Name: NtUnloadKey

Status: Hooked by "C:\WINDOWS\system32\Drivers\uphcleanhlp.sys" at address 0xb3e9f63c

#: 277 Function Name: NtWriteVirtualMemory

Status: Hooked by "C:\WINDOWS\system32\drivers\wpsdrvnt.sys" at address 0xbaf22d60

