Jump to content

Why so slow?

DRC

By DRC
in Resolved Malware Removal Logs

 Share

Recommended Posts

DRC

DRC

Posted
Posted

I have quick scanned with Malwarebytes Anti Malware and one was found and eliminated.

I used DDS and will post the Malwarebytes log and the dds.txt and attach.txt.

Malwarebytes log:

Malwarebytes Anti-Malware (Trial) 1.60.1.1000

www.malwarebytes.org

Database version: v2012.02.06.05

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

DRC :: HOME-306GHZ [administrator]

Protection: Enabled

2/6/2012 2:04:32 PM

mbam-log-2012-02-06 (14-04-32).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 232025

Time elapsed: 33 minute(s), 12 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 1

C:\WINDOWS\system32\winexplorer.dll.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

(end)

DDS.txt:

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by DRC at 15:57:02 on 2012-02-06

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.345 [GMT -8:00]

.

AV: CA Anti-Virus *Enabled/Updated* {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}

.

============== Running Processes ===============

.

C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\CTHELPER.EXE

C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

svchost.exe

C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Creative\SBAudigy\TaskBar\CTLTray.exe

C:\Program Files\Creative\SBAudigy\TaskBar\CTLTask.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\ofps.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Internet Explorer\iexplore.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.yahoo.com/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uCustomizeSearch =

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat

7.0\activex\AcroIEHelper.dll

BHO: Yahoo! Companion BHO: {13f537f0-af09-11d6-9029-0002b31f9e59} - c:\program files\yahoo!\common\ycomp5,0,8,0.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program

files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program

files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Yahoo! Companion: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\common\ycomp5,0,8,0.dll

TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File

TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll

EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmes.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [TaskTray] "c:\program files\creative\sbaudigy\taskbar\CTLTray.exe"

uRun: [TaskBar] "c:\program files\creative\sbaudigy\taskbar\CTLTask.exe"

uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9

uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

mRun: [CTStartup] "c:\program files\creative\splash screen\CTEaxSpl.EXE" /run

mRun: [WINDVDPatch] "CTHELPER.EXE"

mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"

mRun: [RoxioDragToDisc] "c:\program files\roxio\easy cd creator 6\dragtodisc\DrgToDsc.exe"

mRun: [RoxioAudioCentral] "c:\program files\roxio\easy cd creator 6\audiocentral\RxMon.exe"

mRun: [nwiz] "nwiz.exe" /install

mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup

mRun: [Jet Detection] "c:\program files\creative\sbaudigy\program\ADGJDet.exe"

mRun: [NWEReboot]

mRun: [cctray] "c:\program files\ca\ca internet security suite\cctray\cctray.exe"

mRun: [CAVRID] "c:\program files\ca\ca internet security suite\ca anti-virus\CAVRID.exe"

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [KernelFaultCheck] "%systemroot%\system32\dumprep" 0 -k

mRun: [spySweeper] "c:\program files\webroot\webrootsecurity\SpySweeperUI.exe" /startintray

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat

7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft

office\office\OSA9.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\zoneal~1.lnk - c:\program files\zone labs\zonealarm\zapro.exe

mPolicies-explorer: <NO NAME> =

IE: &Add animation to IncrediMail Style Box

IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm

IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2499216C-4BA5-11D5-BD9C-000103C116D5} - {2499216C-4BA5-11D5-BD9C-000103C116D5} - c:\program

files\yahoo!\common\ylogin.dll

IE: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - {4C171D40-8277-11D5-AD55-00010333D0AD} - c:\program

files\yahoo!\messenger\yhexbmes.dll

LSP: c:\windows\system32\VetRedir.dll

Trusted Zone: aol.com\free

Trusted Zone: turbotax.com

DPF: DirectAnimation Java Classes

DPF: Microsoft XML Parser for Java

DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - hxxp://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - hxxp://www.symantec.com/techsupp/asa/LSSupCtl.cab

DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} - c:\program files\yahoo!\common\yucconfig.dll

DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - c:\program files\yahoo!\common\yinsthelper.dll

DPF: {41F17733-B041-4099-A042-B518BB6A408C} -

hxxp://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe

DPF: {49232000-16E4-426C-A231-62846947304B} - hxxp://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab

DPF: {4B48D5DF-9021-45F7-A240-60304302A215} -

hxxp://download.microsoft.com/download/b/d/b/bdb4e4ee-63b2-45ff-9d84-33205bf43143/WebCleaner.cab

DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by21fd.bay21.hotmail.msn.com/resources/MsnPUpld.cab

DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - hxxp://software-dl.real.com/0318eaecac3cfbc8e900/netzip/RdxIE601.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} -

hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093371062406

DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

DPF: {88D969C0-F192-11D4-A65F-0040963251E5} - hxxp://ipgweb.cce.hp.com/rdqna/downloads/msxml4.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab

DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -

hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38234.7090277778

DPF: {A3009861-330C-4E10-822B-39D16EC8829D} - hxxp://ravantivirus.com/scan/ravonline.cab

DPF: {A762E064-A885-40E4-AC10-671BB62DC2B2} - hxxp://www.eomniform.com/OF5/nsplugins/OFMailX.cab

DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} - hxxp://www.microsoft.com/security/controls/DoomCln.CAB

DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab

DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} - hxxp://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab

DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - hxxp://www.symantec.com/techsupp/asa/SymAData.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} - hxxp://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab

TCP: DhcpNameServer = 172.16.0.1

TCP: Interfaces\{77AF8AFA-E82D-49C0-8B1F-B1E12D9639B5} : DhcpNameServer = 172.16.0.1

Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll

Notify: WRNotifier - WRLogonNTF.dll

SEH: Microsoft.AntiSpyware.ShellExecuteHook.1: {9ef34ff2-3396-4527-9d27-04c8c1c67806} - c:\program files\microsoft

antispyware\shellextension.dll

LSA: Notification Packages = :\windows\system32\srr

.

============= SERVICES / DRIVERS ===============

.

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-2-25 29808]

R1 GhPciScan;GhostPciScanner;c:\program files\symantec\norton ghost 2003\GhPciScan.sys [2002-8-14 5632]

R1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\vet-filt.sys [2007-6-16 26352]

R1 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\vet-rec.sys [2007-6-16 21104]

R1 VETEFILE;VET File Scan Engine;c:\windows\system32\drivers\vetefile.sys [2010-6-11 746216]

R1 VETFDDNT;VET Floppy Boot Sector Monitor;c:\windows\system32\drivers\vetfddnt.sys [2007-6-16 21488]

R1 VETMONNT;VET File Monitor;c:\windows\system32\drivers\vetmonnt.sys [2007-6-16 32240]

R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements

7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]

R2 CAISafe;CAISafe;c:\program files\ca\ca internet security suite\ca anti-virus\isafe.exe [2007-6-16 144960]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-2-6 652360]

R2 VETMSGNT;VET Message Service;c:\program files\ca\ca internet security suite\ca anti-virus\vetmsg.exe [2007-6-16 238928]

R2 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2004-11-15 188240]

R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\webrootsecurity\SpySweeper.exe [2009-2-25

4048240]

R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\webrootsecurity\WRConsumerService.exe [2009-4-8 1178728]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-2-6 20464]

R3 VETEBOOT;VET Boot Scan Engine;c:\windows\system32\drivers\veteboot.sys [2010-6-11 130280]

S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service -->

c:\windows\system32\zonelabs\vsmon.exe -service [?]

S3 SetupNTGLM7X;SetupNTGLM7X;\??\f:\ntglm7x.sys --> f:\NTGLM7X.sys [?]

.

=============== Created Last 30 ================

.

2012-02-06 22:02:34 -------- d-----w- c:\documents and settings\drc\application data\Malwarebytes

2012-02-06 22:02:19 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2012-02-06 22:02:18 20464 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-02-06 22:02:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.

==================== Find3M ====================

.

2012-01-03 22:39:39 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2002-08-29 12:00:00 94784 --sha-w- c:\windows\twain.dll

2008-04-14 12:42:08 50688 --sha-w- c:\windows\twain_32.dll

2008-04-14 12:42:04 551936 --sha-w- c:\windows\system32\oleaut32.dll

2008-04-14 12:42:34 11776 --sha-w- c:\windows\system32\regsvr32.exe

2004-08-04 08:56:46 83456 --sha-w- c:\windows\system32\SET279.tmp

2004-08-04 08:56:44 343040 --sha-w- c:\windows\system32\SET2CA.tmp

2004-08-04 08:56:44 413696 --sha-w- c:\windows\system32\SET2CB.tmp

2004-08-04 08:56:44 54784 --sha-w- c:\windows\system32\SET2CC.tmp

2004-08-04 08:56:44 1028096 --sha-w- c:\windows\system32\SET32E.tmp

.

============= FINISH: 16:00:03.88 ===============

Attach.txt:

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 4/30/2003 7:41:00 PM

System Uptime: 2/6/2012 1:40:50 PM (3 hours ago)

.

Motherboard: Intel Corporation | | D845PESV

Processor: Intel® Pentium® 4 CPU 3.06GHz | J2E1 | 3065/133mhz

.

==== Disk Partitions =========================

.

A: is Removable

C: is FIXED (NTFS) - 112 GiB total, 36.19 GiB free.

D: is Removable

E: is CDROM ()

F: is CDROM ()

G: is CDROM ()

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP1173: 12/27/2011 10:30:37 AM - Printer Driver AdobePS Acrobat Distiller Installed

RP1174: 1/4/2012 2:23:49 PM - System Checkpoint

.

==== Installed Programs ======================

.

.

Adobe AIR

Adobe Common File Installer

Adobe Flash Player 11 ActiveX

Adobe Help Center 2.0

Adobe Illustrator 8.0

Adobe Photoshop Elements 7.0

Adobe Photoshop.com Inspiration Browser

Adobe Premiere Elements 2.0

Adobe Reader 7.0.9

Ahead Nero Burning ROM

AiO_Scan_CDA

American Greetings CreataCard Platinum 6

Apple Application Support

Apple Mobile Device Support

Apple Software Update

Arts & Letters EXPRESS 7.0 Office

Autoplay Repair 2.2.0

Belarc Advisor 7.2

Bonjour

CA Anti-Virus

CCleaner (remove only)

DesignPro 5.0 Media Edition

DocProc

DocProcQFolder

DVD Shrink 3.2

Easy CD & DVD Creator 6

EasyBCD 1.7.2

GoldWave v4.26

Google Toolbar for Internet Explorer

GPL Ghostscript

GSview 4.9

HijackThis 1.99.1

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows XP (KB2443685)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB976098-v2)

HP Photosmart, Officejet and Deskjet 7.0.A

Image Expert

InstallShield for Microsoft Visual C++ 6

Intel® PRO Ethernet Adapter and Software

Internet Explorer Q903235

IrfanView (remove only)

IsoBuster 1.7

iTunes

Java 6 Update 14

jv16 PowerTools 1.4.1

Kaspersky Online Scanner

Macromedia Dreamweaver 4

Macromedia Extension Manager

Macromedia Fireworks 4

Macromedia Flash 5

Macromedia Flash MX

Macromedia Shockwave Player

Malwarebytes Anti-Malware version 1.60.1.1000

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB2416447)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft AntiSpyware

Microsoft Data Access Components KB870669

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft National Language Support Downlevel APIs

Microsoft Office 2000 Disc 2

Microsoft Office 2000 Premium

Microsoft Visual Studio 6.0 Professional Edition

Microsoft Web Publishing Wizard 1.52

MSXML 4.0 SP2 (KB927978)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MSXML 4.0 SP2 and SOAP Toolkit 3.0

MSXML 4.0 SP2 Parser and SDK

MyDVD

Norton Ghost

NVIDIA Windows 2000/XP Display Drivers

OCR Software by I.R.I.S 7.0

OmniForm 5.0

PE Builder v3.1.3

PhotoshopdotcomInspirationBrowser

QuickTime

Remote Machine Debugging

Scan

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)

Security Update for Windows Internet Explorer 7 (KB928090)

Security Update for Windows Internet Explorer 7 (KB929969)

Security Update for Windows Internet Explorer 7 (KB938127-v2)

Security Update for Windows Internet Explorer 7 (KB938127)

Security Update for Windows Internet Explorer 7 (KB961260)

Security Update for Windows Internet Explorer 7 (KB969897)

Security Update for Windows Internet Explorer 7 (KB972260)

Security Update for Windows Internet Explorer 8 (KB2482017)

Security Update for Windows Internet Explorer 8 (KB971961)

Security Update for Windows Internet Explorer 8 (KB972260)

Security Update for Windows Internet Explorer 8 (KB978207)

Security Update for Windows Internet Explorer 8 (KB981332)

Security Update for Windows Media Player (KB2378111)

Security Update for Windows Media Player (KB911564)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB975558)

Security Update for Windows Media Player (KB978695)

Security Update for Windows Media Player 6.4 (KB925398)

Security Update for Windows Media Player 9 (KB911565)

Security Update for Windows Media Player 9 (KB917734)

Security Update for Windows XP (KB2079403)

Security Update for Windows XP (KB2115168)

Security Update for Windows XP (KB2121546)

Security Update for Windows XP (KB2229593)

Security Update for Windows XP (KB2259922)

Security Update for Windows XP (KB2296011)

Security Update for Windows XP (KB2347290)

Security Update for Windows XP (KB2360937)

Security Update for Windows XP (KB2387149)

Security Update for Windows XP (KB2393802)

Security Update for Windows XP (KB2419632)

Security Update for Windows XP (KB2423089)

Security Update for Windows XP (KB2440591)

Security Update for Windows XP (KB2443105)

Security Update for Windows XP (KB2476687)

Security Update for Windows XP (KB2478960)

Security Update for Windows XP (KB2478971)

Security Update for Windows XP (KB2479628)

Security Update for Windows XP (KB2483185)

Security Update for Windows XP (KB2485376)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923689)

Security Update for Windows XP (KB938464-v2)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958690)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960715)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961371)

Security Update for Windows XP (KB961373)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB968537)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB969898)

Security Update for Windows XP (KB969947)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971486)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973346)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975562)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978251)

Security Update for Windows XP (KB978262)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979687)

Security Update for Windows XP (KB980195)

Security Update for Windows XP (KB980232)

Security Update for Windows XP (KB980436)

Security Update for Windows XP (KB981322)

Security Update for Windows XP (KB981997)

Security Update for Windows XP (KB982132)

Security Update for Windows XP (KB982214)

Security Update for Windows XP (KB982665)

ShellRun

Shockwave

ShowBiz

Sonic CinePlayer

Sothink SWF Decompiler

Sothink SWF Quicker

Sound Blaster Audigy

SpeedFan (remove only)

Spy Sweeper

Spy Sweeper Core

Total Commander (Remove or Repair)

TurboTax Deluxe 2004

TurboTax Deluxe 2005

TurboTax Deluxe Deduction Maximizer 2006

TurboTax ItsDeductible 2005

TurboTax ItsDeductible 2006

Undisker

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Windows Internet Explorer 8 (KB972636)

Update for Windows Internet Explorer 8 (KB976662)

Update for Windows XP (KB2141007)

Update for Windows XP (KB2345886)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB955839)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

Visual InterDev Server

WebFldrs XP

WebReg

WexTech AnswerWorks

Windows Genuine Advantage Notifications (KB905474)

Windows Genuine Advantage v1.3.0254.0

Windows Genuine Advantage Validation Tool (KB892130)

Windows Internet Explorer 7

Windows Internet Explorer 8

Windows Media Format Runtime

Windows Media Player 9 Hotfix [see KB885492 for more information]

Windows XP Service Pack 3

WinDriver Ghost 2.02

WinRAR archiver

Yahoo! Login

Yahoo! Messenger Explorer Bar

ZoneAlarm Pro

.

==== Event Viewer Messages From Past Week ========

.

2/6/2012 3:57:18 PM, error: Service Control Manager [7016] - The OmniForm Printer service has reported an invalid current state 0.

2/6/2012 1:37:43 PM, error: Service Control Manager [7023] - The HID Input Service service terminated with the following error: The system cannot find the file specified.

.

==== End Of File ===========================

Link to post
Share on other sites
LDTate

LDTate

Posted
Posted

post-32477-1261866970.gif

Logs will be closed if you haven't replied within 3 days

Slowness isn't always caused bt infections

Please do not attach the scan results from Combofx. Use copy/paste.

DO NOT use any TOOLS such as Combofix, or HijackThis fixes without supervision.

Doing so could make your pc inoperatible and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable. (.exe) every time you run them

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

I suggest you do this:

XP Users

Double-click My Computer.

Click the Tools menu, and then click Folder Options.

Click the View tab.

Uncheck "Hide file extensions for known file types."

Under the "Hidden files" folder, select "Show hidden files and folders."

Uncheck "Hide protected operating system files."

Click Apply, and then click OK.

Vista / Windows 7Users

To enable the viewing of hidden and protected system files in Windows Vista please follow these steps:

Close all programs so that you are at your desktop.

Click on the Start button. This is the small round button with the Windows flag in the lower left corner.

Click on the Control Panel menu option.

When the control panel opens you can either be in Classic View or Control Panel Home view:

If you are in the Classic View do the following:

Double-click on the Folder Options icon.

Click on the View tab.

If you are in the Control Panel Home view do the following:

Click on the Appearance and Personalization link.

Click on Show Hidden Files or Folders.

Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.

Remove the checkmark from the checkbox labeled Hide extensions for known file types.

Remove the checkmark from the checkbox labeled Hide protected operating system files.

Please do not delete anything unless instructed to.

Next:

Download TFC to your desktop

  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish it's job
  • Once its finished it should automatically reboot your machine,
  • if it doesn't, manually reboot to ensure a complete clean

Next:

Download ComboFix from one of these locations:

Link 1

Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have SP3, use the SP2 package.
    If Vista or Windows 7, skip the Recovery Console part
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

RC1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it atleast 20-30 minutes to finish if needed.

Please do not attach the scan results from Combofx. Use copy/paste.

Also please describe how your computer behaves at the moment.

Link to post
Share on other sites
DRC

DRC

Posted
  • Author
Posted

OK I used both downloads and did the sacn.

Combofix wouldn't work unless I removed CA Antivirus 8.0. I tried put it to sleep but combofix didn't like that. Then I had problems with ZoneAlarm firewall (old,old version) so uninstalled that. Didn't have the orig software for either so after Combofix did it's scan I put Avast free Antivirus/spyware. The computer is much faster now.

Can you please tell me if it was something that Combofix repaired (and what was repaired or eliminated) or the elimination of the two programs.

Thanks very much for your time:

Combofix Log.........

ComboFix 12-02-13.01 - DRC 02/14/2012 13:16:57.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.533 [GMT -8:00]

Running from: c:\documents and settings\DRC\Desktop\SPAM STUFF\ComboFix\ComboFix.exe

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\All Users\Application Data\DragToDiscUserNameF.txt

c:\documents and settings\All Users\Application Data\DragToDiscUserNameG.txt

c:\documents and settings\DRC\My Documents\Readiris.DUS

c:\documents and settings\DRC\WINDOWS

c:\program files\Common Files\Uninstall

c:\program files\Common Files\Uninstall\PAV\Uninstall.lnk

c:\windows\Downloaded Program Files\rave

c:\windows\Downloaded Program Files\rave\avirexe.vdm

c:\windows\Downloaded Program Files\rave\avirscr.vdm

c:\windows\Downloaded Program Files\rave\base.vdm

c:\windows\Downloaded Program Files\rave\daily.vdm

c:\windows\Downloaded Program Files\rave\daily.vdt

c:\windows\Downloaded Program Files\rave\filters.vdm

c:\windows\Downloaded Program Files\rave\kernel.vdk

c:\windows\Downloaded Program Files\rave\keyring.vdk

c:\windows\Downloaded Program Files\rave\mapi_vdm.vdm

c:\windows\Downloaded Program Files\rave\modules.vdk

c:\windows\Downloaded Program Files\rave\rav8def.vdm

c:\windows\Downloaded Program Files\rave\rufs.vdm

c:\windows\Downloaded Program Files\rave\rufsplg.vdm

c:\windows\Downloaded Program Files\rave\unarch.vdm

c:\windows\Downloaded Program Files\rave\unmail.vdm

c:\windows\Downloaded Program Files\rave\unpack.vdm

c:\windows\Downloaded Program Files\RdXIe.dll

c:\windows\system32\_000006_.tmp.dll

c:\windows\system32\_004196_.tmp.dll

c:\windows\system32\_004197_.tmp.dll

c:\windows\system32\_004198_.tmp.dll

c:\windows\system32\_004199_.tmp.dll

c:\windows\system32\_004206_.tmp.dll

c:\windows\system32\_004207_.tmp.dll

c:\windows\system32\_004208_.tmp.dll

c:\windows\system32\_004209_.tmp.dll

c:\windows\system32\_004211_.tmp.dll

.

.

((((((((((((((((((((((((( Files Created from 2012-01-14 to 2012-02-14 )))))))))))))))))))))))))))))))

.

.

2012-02-14 19:54 . 2012-02-14 19:55 -------- d-----w- c:\windows\system32\ZA Save

2012-02-14 17:55 . 2008-04-14 12:42 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll

2012-02-06 22:02 . 2012-02-06 22:02 -------- d-----w- c:\documents and settings\DRC\Application Data\Malwarebytes

2012-02-06 22:02 . 2012-02-06 22:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2012-02-06 22:02 . 2012-02-06 22:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-02-06 22:02 . 2011-12-10 23:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-01-03 22:39 . 2011-06-12 01:31 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2002-08-29 12:00 94784 --sha-w- c:\windows\twain.dll

2008-04-14 12:42 50688 --sha-w- c:\windows\twain_32.dll

2008-04-14 12:42 551936 --sha-w- c:\windows\system32\oleaut32.dll

2008-04-14 12:42 11776 --sha-w- c:\windows\system32\regsvr32.exe

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TaskTray"="c:\program files\Creative\SBAudigy\TaskBar\CTLTray.exe" [2001-06-29 163840]

"TaskBar"="c:\program files\Creative\SBAudigy\TaskBar\CTLTask.exe" [2001-09-20 122880]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-31 313472]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-20 68856]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTStartup"="c:\program files\Creative\Splash Screen\CTEaxSpl.EXE" [2001-12-20 28672]

"WINDVDPatch"="CTHELPER.EXE" [2002-02-07 40960]

"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-01-13 69632]

"RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-01-13 757760]

"RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-01-09 253952]

"nwiz"="nwiz.exe" [2002-11-08 315392]

"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2002-11-08 4243456]

"Jet Detection"="c:\program files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [2001-10-04 28672]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-15 148888]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]

"SpySweeper"="c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2009-03-06 6308728]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]

@="Service"

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^iM StartCenter.lnk]

backup=c:\windows\pss\iM StartCenter.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Sonic CinePlayer Quick Launch.lnk]

backup=c:\windows\pss\Sonic CinePlayer Quick Launch.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ZoneAlarm Pro.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ZoneAlarm Pro.lnk

backup=c:\windows\pss\ZoneAlarm Pro.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^DRC^Start Menu^Programs^Startup^Adobe Gamma.lnk]

path=c:\documents and settings\DRC\Start Menu\Programs\Startup\Adobe Gamma.lnk

backup=c:\windows\pss\Adobe Gamma.lnkStartup

.

[HKLM\~\startupfolder\C:^Documents and Settings^DRC^Start Menu^Programs^Startup^Camio Viewer.lnk]

path=c:\documents and settings\DRC\Start Menu\Programs\Startup\Camio Viewer.lnk

backup=c:\windows\pss\Camio Viewer.lnkStartup

.

[HKLM\~\startupfolder\C:^Documents and Settings^DRC^Start Menu^Programs^Startup^Day Runner PC Tool Bar.lnk]

backup=c:\windows\pss\Day Runner PC Tool Bar.lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMUpdate]

2001-07-03 21:12 176128 ----a-w- c:\windows\system32\BMUpdate.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]

2005-02-11 05:32 473920 ----a-w- c:\program files\Microsoft AntiSpyware\gcasServ.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]

2001-07-09 18:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]

2000-05-11 08:00 90112 ----a-w- c:\windows\Updreg.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"FirewallOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

.

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2/25/2009 2:24 PM 29808]

R1 GhPciScan;GhostPciScanner;c:\program files\Symantec\Norton Ghost 2003\GhPciScan.sys [8/14/2002 2:11 PM 5632]

R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 11:03 AM 169312]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/6/2012 2:02 PM 652360]

R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [4/8/2009 8:13 AM 1178728]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2/6/2012 2:02 PM 20464]

S3 Pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [4/3/2007 3:37 PM 47360]

S3 SetupNTGLM7X;SetupNTGLM7X;\??\f:\ntglm7x.sys --> f:\NTGLM7X.sys [?]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

*Deregistered* - IPVNMon

.

Contents of the 'Scheduled Tasks' folder

.

2012-01-04 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

.

2012-02-13 c:\windows\Tasks\User_Feed_Synchronization-{1593D0D6-924E-4629-827A-923E91358229}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uCustomizeSearch =

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &Add animation to IncrediMail Style Box

IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

Trusted Zone: aol.com\free

Trusted Zone: turbotax.com

TCP: DhcpNameServer = 172.16.0.1

DPF: DirectAnimation Java Classes

DPF: Microsoft XML Parser for Java

DPF: {A762E064-A885-40E4-AC10-671BB62DC2B2} - hxxp://www.eomniform.com/OF5/nsplugins/OFMailX.cab

.

- - - - ORPHANS REMOVED - - - -

.

HKLM-Run-NWEReboot - (no file)

SafeBoot-svcWRSSSDK

MSConfigStartUp-ICQ Lite - c:\program files\ICQLite\ICQLite.exe

MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe

AddRemove-ZoneAlarm Pro - c:\program files\Zone Labs\ZoneAlarm\zauninst.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-02-14 13:27

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(2944)

c:\windows\system32\WININET.dll

c:\windows\system32\ctagent.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\System32\CTsvcCDA.exe

c:\progra~1\Symantec\NORTON~1\GHOSTS~2.EXE

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\System32\nvsvc32.exe

c:\windows\system32\HPZipm12.exe

c:\windows\system32\wdfmgr.exe

c:\program files\Webroot\WebrootSecurity\SpySweeper.exe

c:\windows\system32\CTHELPER.EXE

c:\program files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe

c:\windows\system32\wscntfy.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Webroot\WebrootSecurity\SSU.EXE

.

**************************************************************************

.

Completion time: 2012-02-14 13:33:17 - machine was rebooted

ComboFix-quarantined-files.txt 2012-02-14 21:33

.

Pre-Run: 40,706,801,664 bytes free

Post-Run: 40,552,869,888 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

;

;Warning: Boot.ini is used on Windows XP and earlier operating systems.

;Warning: Use BCDEDIT.exe to modify Windows Vista boot options.

;

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /FASTDETECT /NOEXECUTE=OPTIN

.

- - End Of File - - C9F95185E7146748C6D68E8786B3937C

Link to post
Share on other sites
LDTate

LDTate

Posted
Posted 

 

Can you please tell me if it was something that Combofix repaired (and what was repaired or eliminated) or the elimination of the two programs.

That's hard to say as I don't what CF removed unless the Rave stuff was from Rave Anti-Virus.

I don't see anything else that looks bad.

Good job thumbup.gif

The following will implement some cleanup procedures as well as reset System Restore points:

For XP:

  • Click START run
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.

For Vista / Windows 7

  • Click START Search
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.

Here's my usual all clean post

To be on the safe side, I would also change all my passwords.

This infection appears to have been cleaned, but as the malware could be configured to run any program a remote attacker requires, it's impossible to be 100% sure that any machine is clean.

Log looks good :D

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week
    (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer.
    Without a firewall your computer is succeptible to being hacked and taken over.
    I am very serious about this and see it happen almost every day with my clients.
    Simply using a Firewall in its default configuration can lower your risk greatly.
  • Using a secure browser plugin M86 SecureBrowsing makes it safe to search, surf and socialize online. This free browser plug-in displays security icons next to links on search engines and social networking sites like Facebook, Twitter and LinkedIn, so you'll know which pages are safe and which ones to avoid.
    •Free browser plug-in for Internet Explorer and Firefox
    •Real-time safety ratings
    •Ideal for Facebook, Twitter and LinkedIn
  • JAVA Click this link and click on the Free JAVA Download
  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.
    This will ensure your computer has always the latest security updates available installed on your computer.
    If there are new updates to install, install them immediately, reboot your computer, and revisit the site
    until there are no more critical updates.

Only run one Anti-Virus and Firewall program.

I would suggest you read:

PC Safety and Security--What Do I Need?.

How to Prevent Malware:

The full version of Malwarebytes' Anti-Malware could have helped protect your computer against this threat.

We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention

Save yourself the hassle and get protected.

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.