Recommended Posts

Hi there

I have a long-standing problem on my computer, which, after a few months, I thought was caused by a Vundo trojan (detected by SuperAntiSpyware). The problem seemed to be resolved after Vundo was removed by SuperAntiSpyware. However 3 months later (as in the last couple of weeks) it returned.

I did some more searching on the net and found recommendations for Malwarebytes. Downloaded it this evening and did a full scan. It froze every time it got to some installer files. I'd read about scanning in safe mode, so then did a full scan in safe mode. It ran fine in safe mode and found 4 items. I removed them but I'm now worried about 2 of them, in case my system needs them. They're to do with security - anti-virus and firewall, so I'm worried. Then again it uses the word "disabled", so maybe it was disabling my anti-virus and firewall without me knowing, in which case, I'm glad they've been removed! I haven't a clue what any of it means though, so don't know if it's good or bad. Those 2 are not in the quarantine, so I can't restore them if they are needed.

Please could someone look at my log and explain to me what all 4 of the items are please and whether I should have removed them. Two of them say malware, so I'm not so worried about those but still want to know what they are, as I then want to find out if they could have been part of my computer problem (which I'll explain to you afterwards if you need to know).

Thanks very much in advance and here's the log:-

Malwarebytes' Anti-Malware 1.35

Database version: 1940

Windows 5.1.2600 Service Pack 3

04/04/2009 23:50:11

mbam-log-2009-04-04 (23-50-11).txt

Scan type: Full Scan (C:\|D:\|E:\|)

Objects scanned: 229551

Time elapsed: 1 hour(s), 48 minute(s), 4 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


  • Root Admin

Please run the following.

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!:

You must save and run ComboFix.exe on your DESKTOP and not from any other folder.

Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:

Note:

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.

  • When the tool is finished, it will produce a report for you.

  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


  • Root Admin

The registry items are simply being flagged due to them possibly being changed by Malware. Often they could have been changed by you but there is no way to tell so it is flagged that it's not at its correct default value. If you fix it then they will be set back to their default levels.

The other registry entry is from an old entry of something that was since removed from the system and it's only a tag/marker if you will.

The Try Media is the only one that is actually potentially an AD marketing type tool that should be removed.

Just as a note, we do so many logs that we really don't have time to often explain what or why it's wrong here in the forum since we're here to remove it, not educate about every infection. At the end we'll provide you with some educational information of how to stay clean though. If you're really interested in learning more about Malware there are schools that will train you so that you'll know a lot more about it and you too can help others. If interested let me know.

Thanks.

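As an added illustration (it is not part of the original thread and not Malwarebytes' own code), here is a small Python parser for the detection lines in a Malwarebytes log of the format quoted above, with a triage function that encodes what the two kinds of entry mean: the Security Center values AntiVirusDisableNotify and FirewallDisableNotify default to 0, and a value of 1 only suppresses the "your antivirus/firewall is turned off" balloon, so resetting them to 0 removes no program; the Ext\Stats\{CLSID} key is Internet Explorer's add-on usage record, left behind here for an add-on that is no longer installed. The sample input is the four detection lines copied from the log; the regular expression, the Entry type and the category strings are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: the four detection lines copied from the Malwarebytes log
# quoted in the thread, with the section headers that precede them.
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
"""

# One detection line: <registry path> (<detection name>) -> [Bad: (x) Good: (y) ->] <action>
# The "Bad/Good" pair only appears for registry data items (values), where the
# scanner reports the value it found and the value it restored.
ENTRY_RE = re.compile(
    r"^(?P<path>HKEY_[A-Z_]+\\.*?) "
    r"\((?P<detection>[A-Za-z0-9_.]+)\) -> "
    r"(?:Bad: \((?P<bad>\d+)\) Good: \((?P<good>\d+)\) -> )?"
    r"(?P<action>.+)$"
)


@dataclass
class Entry:
    section: str          # e.g. "Registry Keys", "Registry Data Items"
    path: str             # full registry path, value name included for data items
    detection: str        # scanner's detection name, e.g. "Disabled.SecurityCenter"
    bad: Optional[int]    # value found (data items only)
    good: Optional[int]   # value restored (data items only)
    action: str


def parse_mbam_log(text: str) -> List[Entry]:
    """Walk the log, tracking the current '... Infected:' section."""
    entries, section = [], ""
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(" Infected:"):
            section = line[: -len(" Infected:")]
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(
                section, m["path"], m["detection"],
                int(m["bad"]) if m["bad"] else None,
                int(m["good"]) if m["good"] else None,
                m["action"],
            ))
    return entries


SECURITY_CENTER = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center\\"


def triage(e: Entry) -> str:
    """Classify an entry; the category strings are this example's own."""
    if e.path.startswith(SECURITY_CENTER) and e.path.endswith("DisableNotify"):
        # XP Security Center: *DisableNotify = 1 hides the "antivirus/firewall
        # is off" balloon. Default is 0. The fix resets the value; no program
        # is deleted.
        return "notification-suppressed (reset to 0; no program removed)"
    if "\\CurrentVersion\\Ext\\Stats\\" in e.path:
        # IE Add-on Manager usage-statistics key, keyed by the add-on's CLSID.
        # Harmless on its own once the add-on itself is gone.
        return "leftover IE add-on statistics key (marker only)"
    if e.detection.startswith("Adware."):
        return "adware registry residue"
    return "unclassified"


def triage_log(text: str) -> List[str]:
    return [f"{e.detection}: {triage(e)}" for e in parse_mbam_log(text)]


if __name__ == "__main__":
    for line in triage_log(SAMPLE_LOG):
        print(line)
```

The two "Disabled.SecurityCenter" hits are worth reading together with the DDS header later in the thread, which reports Norton's on-access scanning as disabled while the Windows Security Center notifications had been switched off: that combination is exactly what the notification suppression would hide from the user.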

Hi there again and thanks very much for your latest reply and for answering my questions, especially, as you point out, that isn't usually done here.

The reason I was asking, however, was I didn't want to follow your instructions blindly, not knowing why they were necessary. For instance, I haven't even told you what my computer problem is. So, it seemed strange to be taking such drastic action (sounds drastic to me, reading about ComboFix and the Windows Recovery Console and the chance of things going wrong! Scary stuff for a non techie!).

My original problem which recurred recently after disappearing for over 3 months, was and is a problem with the desktop and Explorer.exe at start-up. It always was an intermittent problem (occurring once a week or once every 2 weeks) and first occurred after downloading XP Service Pack 3. I assumed it was something to do with this and contacted Microsoft. They had me doing some diagnostic tests in the Msconfig utility but I never got to the bottom of what was causing it. Then I read about a similar (but more serious) problem on a forum and that Vundo had caused it and SuperAntiSpyware had identified and removed it and their problem was then solved. So, I downloaded and scanned with SuperAntiSpyware and sure enough, I had a Vundo trojan, so I removed it with the software. I was sure my problem was solved, as it went away, as I said, for over 3 months.

What happens is, at start-up, the icons on the desktop don't finish loading and when I hover over the taskbar, I get the sandtimer icon. I cannot open the start menu either. The only thing I can do is open task manager with Ctrl + Alt + Del and select restart. I then get a window saying Explorer.exe is not responding. I click on end now and my computer restarts. Everything is always fine after the restart.

As I said though, the problem is intermittent and only happens, at the most, once a week. So, it's more of a niggly problem than anything too serious (touch wood!).

I contacted SuperAntiSpyware yesterday before I'd found out about malwarebytes and asked them whether they thought Vundo could still be lurking somewhere, even though their software wasn't picking it up anymore in the scans. They said the symptoms I described didn't sound like a Vundo infection.

Then I downloaded malwarebytes and came here with the results.

So, that's the history of my problem and apologies in advance, as you said, I should be just sending reports here! I still think it's best you know all the facts before I go any further though.

It would be great to learn more and then help others but I have a chronic illness, so sorting out my own problems is exhausting for me, so I don't think I'd have the mental energy to help others unfortunately. Thanks for asking though.

All the best.


  • Root Admin

Well you can run this tool which is not as invasive as Combofix but it can't do repair either so depending on what it does find we may end up running combofix anyways.

Please run the following tool, all it does is scan and report things. No changes are made to your system.

Download DDS and save it to your desktop

Disable any script blocker if your Anti-Virus/Anti-Malware has it.

Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.

Then double click dds.scr to run the tool.

When done, the DDS.txt will open.

Click Yes at the next prompt for Optional Scan.
    When done, DDS will open two (2) logs:

  1. DDS.txt
  2. Attach.txt

  • Save both reports to your desktop
  • Please include the following logs in your next reply: DDS.txt and Attach.txt


  • Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.


Here are the logs:-

DDS (Ver_09-03-16.01) - FAT32x86

Run by Flatau at 19:23:48.67 on 10/04/2009

Internet Explorer: 7.0.5730.11

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.446 [GMT 1:00]

AV: Norton Internet Security *On-access scanning disabled* (Updated)

FW: Norton Internet Security *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

SVCHOST.EXE

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

SVCHOST.EXE

SVCHOST.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Acer\eManager\anbmServ.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Kontiki\KService.exe

C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\acer\epm\epm-dm.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

C:\Program Files\Arcade\PCMService.exe

C:\Program Files\Launch Manager\QtZgAcer.EXE

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\VM_STI.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Kontiki\KHost.exe

C:\Program Files\acer\eRecovery\Monitor.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe

C:\Program Files\FinePixViewer\QuickDCF.exe

C:\Program Files\OpenOffice.org 2.4\program\soffice.exe

C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN

C:\WINDOWS\system32\wscntfy.exe

C:\Documents and Settings\Flatau\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.everyclick.co.uk/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mDefault_Page_URL = hxxp://global.acer.com

mSearch Page =

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html

uInternet Connection Wizard,ShellNext = hxxp://global.acer.com/

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

mSearchAssistant = hxxp://www.google.com/ie

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn1\yt.dll

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn1\yt.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll

BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\16.5.0.135\coIEPlg.dll

BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\16.5.0.135\IPSBHO.DLL

BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll

BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn1\YTSingleInstance.dll

TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\16.5.0.135\coIEPlg.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn1\yt.dll

TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe

uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1

mRun: [epm-dm] c:\acer\epm\epm-dm.exe

mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide

mRun: [synTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [speedTouch USB Diagnostics] "c:\program files\thomson\speedtouch usb\Dragdiag.exe" /icon

mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN

mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC

mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName

mRun: [PCSuiteTrayApplication] c:\program files\nokia\nokia pc suite 6\LaunchApplication.exe -startup

mRun: [PCMService] "c:\program files\arcade\PCMService.exe"

mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC

mRun: [LManager] c:\program files\launch manager\QtZgAcer.EXE

mRun: [LaunchApp] Alaunch

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [eRecoveryService] c:\windows\system32\Check.exe

mRun: [ePowerManagement] c:\acer\epm\ePM.exe boot

mRun: [bigDogPath] c:\windows\VM_STI.EXE Cammaestro 4.2GU build 1104.72

mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe

mRun: [4oD] "c:\program files\kontiki\KHost.exe" -all

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

dRun: [Nokia.PCSync] c:\program files\nokia\nokia pc suite 6\PcSync2.exe /NoDialog

StartupFolder: c:\docume~1\flatau\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.4\program\quickstart.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\uleadp~1.lnk - c:\program files\ulead systems\ulead photo express 4.0 se\CalCheck.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\exifla~1.lnk - c:\program files\finepixviewer\QuickDCF.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab

DPF: {108CAEAB-CCCC-4E95-BD61-5A9780802CDA} - hxxp://www.cig.canon-europe.com/ph/en_GB/st/download/ipd/cnipd01_1_000203E.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll

DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab

DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133487510875

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx

DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab

Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\engine\16.5.0.135\CoIEPlg.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll

Notify: AtiExtEvent - Ati2evxx.dll

Notify: igfxcui - igfxsrvc.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1005000.087\SymEFA.sys [2009-3-19 310320]

R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1005000.087\BHDrvx86.sys [2009-3-19 258608]

R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1005000.087\cchpx86.sys [2009-3-19 482352]

R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090408.002\IDSXpx86.sys [2009-4-10 276344]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-1-15 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]

R2 EpmPsd;Acer EPM Power Scheme Driver;c:\windows\system32\drivers\epm-psd.sys [2005-11-10 4096]

R2 EpmShd;Acer EPM System Hardware Driver;c:\windows\system32\drivers\epm-shd.sys [2005-11-10 78208]

R2 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\engine\16.5.0.135\ccSvcHst.exe [2009-3-19 115560]

R2 osanbm;osanbm;c:\windows\system32\drivers\osanbm.sys [2005-1-14 4010]

R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-1-13 101936]

R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090410.003\NAVENG.SYS [2009-4-10 89104]

R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090410.003\NAVEX15.SYS [2009-4-10 876144]

S1 SABKUTIL;SABKUTIL;\??\c:\documents and settings\flatau\local settings\temporary internet files\content.ie5\k6pf26o6\sabkutil.sys --> c:\documents and settings\flatau\local settings\temporary internet files\content.ie5\k6pf26o6\SABKUTIL.sys [?]

S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2008-10-10 33752]

S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-11-10 30336]

S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]

S3 ZSMC302;Cammaestro 4.2GU build 1104.72;c:\windows\system32\drivers\usbvm302.sys [2005-11-9 195263]

=============== Created Last 30 ================

2009-04-04 20:13 <DIR> --d----- c:\docume~1\flatau\applic~1\Malwarebytes

2009-04-04 20:13 15,504 a------- c:\windows\system32\drivers\mbam.sys

2009-04-04 20:13 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-04-04 20:13 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

2009-04-04 20:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

2009-03-24 17:33 73,728 a------- c:\windows\system32\javacpl.cpl

2009-03-17 04:42 244 a---h--- C:\sqmnoopt07.sqm

2009-03-17 04:42 232 a---h--- C:\sqmdata07.sqm

==================== Find3M ====================

2009-03-19 00:17 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS

2009-03-19 00:17 60,808 a------- c:\windows\system32\S32EVNT1.DLL

2009-03-19 00:17 7,386 a------- c:\windows\system32\drivers\SYMEVENT.CAT

2009-03-19 00:17 805 a------- c:\windows\system32\drivers\SYMEVENT.INF

2009-03-12 09:03 36,400 a----r-- c:\windows\system32\drivers\SymIM.sys

2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll

2009-02-11 02:25 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf

2009-02-11 02:25 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf

2009-02-09 11:13 1,846,784 a------- c:\windows\system32\win32k.sys

2009-02-09 11:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys

2009-01-16 21:35 3,594,752 a------- c:\windows\system32\dllcache\mshtml.dll

2008-08-21 20:18 133,227,519 a------- c:\program files\OOo_2.4.1_Win32Intel_install_wJRE_en-US.exe

2008-05-29 21:56 37,375 a------- c:\program files\openoffice.org-xsltfilter.cab

2008-05-29 21:56 2,490,452 a------- c:\program files\openoffice.org-writer.cab

2008-05-29 21:56 207,388 a------- c:\program files\openoffice.org-testtool.cab

2008-05-29 21:56 2,504,975 a------- c:\program files\openoffice.org-pyuno.cab

2008-05-29 21:55 51,973 a------- c:\program files\openoffice.org-onlineupdate.cab

2008-05-29 21:55 1,090,334 a------- c:\program files\openoffice.org-math.cab

2008-05-29 21:55 118,910 a------- c:\program files\openoffice.org-javafilter.cab

2008-05-29 21:55 1,254,017 a------- c:\program files\openoffice.org-impress.cab

2008-05-29 21:55 919,329 a------- c:\program files\openoffice.org-draw.cab

2008-05-29 21:55 86,870 a------- c:\program files\openoffice.org-graphicfilter.cab

2008-05-29 21:55 2,769 a------- c:\program files\openoffice.org-emailmerge.cab

2008-05-29 21:55 2,031,954 a------- c:\program files\openoffice.org-core09.cab

2008-05-29 21:55 293,078 a------- c:\program files\openoffice.org-core08.cab

2008-05-29 21:55 3,842,531 a------- c:\program files\openoffice.org-core07.cab

2008-05-29 21:54 28,847,705 a------- c:\program files\openoffice.org-core06.cab

2008-05-29 21:50 18,634,513 a------- c:\program files\openoffice.org-core05.cab

2008-05-29 21:49 16,503,595 a------- c:\program files\openoffice.org-core04.cab

2008-05-29 21:48 9,117,929 a------- c:\program files\openoffice.org-core03.cab

2008-05-29 21:48 3,860,980 a------- c:\program files\openoffice.org-core02.cab

2008-05-29 21:47 15,104,219 a------- c:\program files\openoffice.org-core01.cab

2008-05-29 21:47 4,694,039 a------- c:\program files\openoffice.org-calc.cab

2008-05-29 21:47 1,803,630 a------- c:\program files\openoffice.org-base.cab

2008-05-29 21:46 43,005 a------- c:\program files\openoffice.org-activex.cab

2008-08-19 02:32 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081920080820\index.dat

============= FINISH: 19:24:25.01 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-03-16.01)

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume2

Install Date: 10/11/2005 07:45:31

System Uptime: 04/10/2009 16:08:52 (-4245 hours ago)

Motherboard: Acer, Inc. | | Crane II

Processor: Intel® Pentium® M processor 1.73GHz | U1 | 1728/533mhz

==== Disk Partitions =========================

C: is FIXED (FAT32) - 36 GiB total, 8.526 GiB free.

D: is FIXED (FAT32) - 36 GiB total, 27.151 GiB free.

E: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}

Description: Intel® PRO/Wireless 2200BG Network Connection

Device ID: PCI\VEN_8086&DEV_4220&SUBSYS_27018086&REV_05\4&1D3F0FBB&0&18F0

Manufacturer: Intel® Corporation

Name: Intel® PRO/Wireless 2200BG Network Connection

PNP Device ID: PCI\VEN_8086&DEV_4220&SUBSYS_27018086&REV_05\4&1D3F0FBB&0&18F0

Service: w29n51

Class GUID: {4D36E977-E325-11CE-BFC1-08002BE10318}

Description: Intel PCIC compatible PCMCIA controller

Device ID: ROOT\PCMCIA\0000

Manufacturer: Intel

Name: Intel PCIC compatible PCMCIA controller

PNP Device ID: ROOT\PCMCIA\0000

Service: pcmcia

Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}

Description: Nokia 7373

Device ID: ROOT\WPD\0000

Manufacturer: Nokia

Name: Nokia 7373

PNP Device ID: ROOT\WPD\0000

Service: WUDFRd

==== System Restore Points ===================

RP13: 11/02/2009 01:15:26 - Software Distribution Service 3.0

RP14: 11/02/2009 02:24:54 - Installed Windows XP Wdf01007.

RP15: 11/02/2009 02:52:15 - Removed Nokia Software Updater.

RP16: 13/02/2009 19:00:26 - Software Distribution Service 3.0

RP17: 14/02/2009 21:08:00 - System Checkpoint

RP18: 16/02/2009 03:17:36 - System Checkpoint

RP19: 17/02/2009 00:25:01 - Software Distribution Service 3.0

RP20: 17/02/2009 16:37:09 - Software Distribution Service 3.0

RP21: 17/02/2009 16:51:42 - Printer Driver Microsoft XPS Document Writer Installed

RP22: 17/02/2009 16:56:17 - Software Distribution Service 3.0

RP23: 18/02/2009 20:02:29 - System Checkpoint

RP24: 20/02/2009 04:04:50 - System Checkpoint

RP25: 20/02/2009 22:51:59 - Software Distribution Service 3.0

RP26: 22/02/2009 18:10:09 - System Checkpoint

RP27: 23/02/2009 15:27:56 - Software Distribution Service 3.0

RP28: 24/02/2009 17:13:06 - System Checkpoint

RP29: 25/02/2009 18:09:36 - Software Distribution Service 3.0

RP30: 26/02/2009 21:58:54 - System Checkpoint

RP31: 27/02/2009 17:57:22 - Software Distribution Service 3.0

RP32: 28/02/2009 18:11:11 - System Checkpoint

RP33: 02/03/2009 04:55:35 - System Checkpoint

RP34: 02/03/2009 17:52:42 - Software Distribution Service 3.0

RP35: 03/03/2009 20:52:50 - System Checkpoint

RP36: 05/03/2009 03:42:42 - System Checkpoint

RP37: 05/03/2009 19:44:17 - Software Distribution Service 3.0

RP38: 05/03/2009 19:54:28 - Software Distribution Service 3.0

RP39: 06/03/2009 22:25:40 - System Checkpoint

RP40: 08/03/2009 02:24:47 - System Checkpoint

RP41: 09/03/2009 04:11:47 - System Checkpoint

RP42: 09/03/2009 16:10:08 - Software Distribution Service 3.0

RP43: 09/03/2009 22:55:50 - Windows Defender Checkpoint

RP44: 10/03/2009 16:20:55 - Software Distribution Service 3.0

RP45: 11/03/2009 17:13:39 - System Checkpoint

RP46: 12/03/2009 03:00:15 - Software Distribution Service 3.0

RP47: 12/03/2009 19:00:17 - Software Distribution Service 3.0

RP48: 14/03/2009 18:10:32 - Software Distribution Service 3.0

RP49: 15/03/2009 20:46:39 - System Checkpoint

RP50: 16/03/2009 19:00:22 - Software Distribution Service 3.0

RP51: 17/03/2009 20:36:50 - System Checkpoint

RP52: 19/03/2009 00:59:00 - System Checkpoint

RP53: 19/03/2009 19:00:58 - Software Distribution Service 3.0

RP54: 21/03/2009 03:45:32 - System Checkpoint

RP55: 22/03/2009 22:40:36 - System Checkpoint

RP56: 23/03/2009 17:02:51 - Software Distribution Service 3.0

RP57: 24/03/2009 17:32:25 - Removed Java 6 Update 11

RP58: 24/03/2009 17:32:59 - Installed Java 6 Update 12

RP59: 25/03/2009 17:54:42 - System Checkpoint

RP60: 26/03/2009 16:43:17 - Software Distribution Service 3.0

RP61: 27/03/2009 20:01:52 - System Checkpoint

RP62: 28/03/2009 20:10:13 - System Checkpoint

RP63: 30/03/2009 19:00:21 - Software Distribution Service 3.0

RP64: 31/03/2009 16:45:19 - Installed Java 6 Update 13

RP65: 01/04/2009 21:11:51 - System Checkpoint

RP66: 02/04/2009 17:23:11 - Software Distribution Service 3.0

RP67: 03/04/2009 20:36:16 - System Checkpoint

RP68: 05/04/2009 18:44:05 - System Checkpoint

RP69: 06/04/2009 19:00:10 - Software Distribution Service 3.0

RP70: 07/04/2009 19:27:54 - System Checkpoint

RP71: 10/04/2009 17:57:59 - System Checkpoint

==== Installed Programs ======================

4oD

ACDSee 32

Acer eManager for Notebook

Acer eNetManagement

Acer ePowerManagement

Acer GridVista

Acrobat.com

Adobe AIR

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Reader 9.1

Adobe Shockwave Player

Adobe

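As an added example (not from the thread, and not a component of DDS or ComboFix), the following Python reads lines in the format of the SERVICES / DRIVERS section of the DDS log above and flags entries that deserve a look: an image path under a browser cache or temp directory, and a registered driver whose file is no longer on disk (DDS prints "[?]" in place of the date and size). The SABKUTIL line in the log hits both, and as a start-type 1 (system-start) kernel driver it would load before most user-mode defenses; the CFScript posted later in the thread removes that driver entry and its file. The sample lines are copied from the log; the directory list, the reason strings and the parsing assumptions (a line reads <R|S><start type> name;display name;path [date size], with the resolved path after "-->" when DDS shows the raw ImagePath) are this example's own reading of the format. A path heuristic says nothing about the NPF entry, which sits in the normal driver directory.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Sample input: five lines copied from the SERVICES / DRIVERS section of the
# DDS log in the thread (raw string, so the backslashes are literal).
SAMPLE_DDS = r"""
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1005000.087\SymEFA.sys [2009-3-19 310320]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-1-15 9968]
S1 SABKUTIL;SABKUTIL;\??\c:\documents and settings\flatau\local settings\temporary internet files\content.ie5\k6pf26o6\sabkutil.sys --> c:\documents and settings\flatau\local settings\temporary internet files\content.ie5\k6pf26o6\SABKUTIL.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-11-10 30336]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2008-10-10 33752]
"""

# Assumed line layout: R = running, S = stopped; the digit is the Windows
# start type (0 boot, 1 system, 2 auto, 3 demand, 4 disabled); then
# name;display;path and a trailing "[date size]" or "[?]" when the file is
# missing from disk.
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d) "
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<rest>.+) \[(?P<meta>[^\]]*)\]$"
)

# Locations a kernel driver or service binary has no business living in.
SUSPECT_DIRS = (
    "\\temporary internet files\\",
    "\\temp\\",
    "\\local settings\\",
    "\\recycler\\",
)


@dataclass
class Service:
    name: str
    running: bool
    start_type: int
    path: str          # lower-cased resolved image path
    file_found: bool   # False when DDS printed "[?]"


def parse_services(text: str) -> List[Service]:
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        # When DDS shows "<raw ImagePath> --> <resolved path>", keep the
        # resolved side; the raw side carries the \??\ NT prefix.
        path = m["rest"].split("-->")[-1].strip().lower()
        out.append(Service(
            name=m["name"],
            running=m["state"] == "R",
            start_type=int(m["start"]),
            path=path,
            file_found=m["meta"] != "?",
        ))
    return out


def suspicious(svc: Service) -> List[str]:
    """Reasons this entry deserves attention; empty list means none found."""
    reasons = []
    if any(d in svc.path for d in SUSPECT_DIRS):
        reasons.append("image under a user-writable cache/temp directory")
    if not svc.file_found:
        reasons.append("registered but file not found on disk")
    # Escalate: a boot- or system-start .sys loads before user-mode defenses.
    if reasons and svc.start_type <= 1 and svc.path.endswith(".sys"):
        reasons.append("boot/system-start kernel driver")
    return reasons


def flag_services(text: str) -> Dict[str, List[str]]:
    return {s.name: suspicious(s) for s in parse_services(text) if suspicious(s)}


if __name__ == "__main__":
    for name, reasons in flag_services(SAMPLE_DDS).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

Running it over the sample prints only SABKUTIL with all three reasons. The "file not found" case deserves the same follow-up as a present file: the service registration survives a deleted binary, so the entry should be removed rather than left to fail at boot, which is what the Driver:: section of the CFScript below does.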

  • Root Admin

Do you really use and want this as your home page? Start Page = hxxp://www.everyclick.co.uk/

Yes, your system is infected and we need to run Combofix in order to remove it.

There are other tools but they too have the possibility of damaging the system.

Malware is an evil thing and can be tricky to remove at times but we do our best to try and keep your system as safe as we can.

Download but do not yet run ComboFix

If you have a previous version of Combofix.exe, delete it and download a fresh copy.

Download it to your DESKTOP - it MUST run from the Desktop

download.bleepingcomputer.com/sUBs/ComboFix.exe

subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

KILLALL::

Driver::
SABKUTIL
NPF

File::
c:\documents and settings\flatau\local settings\temporary internet files\content.ie5\k6pf26o6\sabkutil.sys
c:\windows\system32\drivers\npf.sys
C:\sqmnoopt07.sqm
C:\sqmdata07.sqm

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

CFScript.gif

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
    When the scan completes Notepad will open with your results log open. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.


Hi there

Thanks very much for your ongoing help. It's really appreciated. I really hope the infection is what's causing my intermittent boot problem. I'd be so happy to be rid of the problem and not keep trying to work out what's causing it!

I do like everyclick as my home page, as it's a search engine that gives money to charity each time you click on a link. The charity for my illness is supported, and as it gets no funding from the government for research, every penny counts! If it's causing problems to my computer though, I guess I would have to stop using it.

I'll try and follow your instructions today but I'm not feeling too good, so forgive me if it takes a few days again.

All the best and thanks again.


As I suspected, I wasn't feeling well enough to follow your instructions today but when I am, have you any idea how to turn off script blocking in Norton Internet Security version 16.5.0.135? When you asked me to do this for the last scan, I couldn't find any settings to turn it off, so thought maybe it didn't have script blocking. Because Combofix isn't so straightforward as the last scan you asked me to do, I thought I better check for sure this time, so did a search on the net and it seems my version does have script blocking but I can only find instructions on how to turn it off in earlier versions of Norton (there are no "options" to select in my version). There are settings but I can't find anything about script blocking in them. Just thought you might know but if not, I'll have to contact Norton and ask them.

Thanks in advance.


  • Root Admin

Sorry to hear you're not feeling well again. No I don't think your home page is an issue, just wanted to make sure it was where you wanted it is all.

Please take a look at this post and see if it's able to help you with disabling your Anti-Virus stuff.

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs


Hi there

Thanks for your latest reply and your kind words.

I'm glad my home page isn't causing problems, as I like to have it there, otherwise I'd forget to use it for searches.

Thanks for the link for Norton instructions. It didn't mention anything specifically about script blocking, so I've just had a live chat session with Norton to ask them if there's a way to temporarily disable the feature in my version. Turns out it doesn't have script blocking. I always ask lots of questions lol and asked why was that and wasn't it needed? They said this feature isn't necessary, as Autoprotect, which is a real-time scanner, protects my computer. So, I'll just turn off Autoprotect temporarily when I feel up to following your instructions for Combofix. That's what I did with the first scan you asked me to do.

Hope it won't be too long before I feel well enough to get on with it. I bet you don't have this problem with anyone else! Sorry, it's so slow.

All the best and bye for now.


  • Root Admin

No problem. You'd be surprised. I've had one post open for almost 3 months and the user was not sick. I should have closed the post, but he kept making promises so I let it drag on. Recently did close it though as the user just was not following directions and it wasn't going anywhere.

All right, we'll be here when you're ready. Just keep track of your post link as it will get buried quickly if you don't.

Happy Easter


Hi there

I've finally run Combofix!

Had a panic at the beginning, as when the message came up about the Recovery Console, I couldn't install it, as I couldn't reconnect to the internet and it needed to do so to install. So, it went straight on to do the scan when it couldn't install the Recovery Console.

I've read how to install the Recovery Console manually from the link you originally gave me to Bleeping Computer. Do I need to do this as I do already have the 3 Acer Recovery CDs which came with the computer when I bought it?

Here's the Combofix log:-

ComboFix 09-04-14.09 - Flatau 14/04/2009 21:57.1 - FAT32x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.534 [GMT 1:00]

Running from: c:\documents and settings\Flatau\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Flatau\Desktop\CFscript.txt

AV: Norton Internet Security *On-access scanning disabled* (Updated)

FW: Norton Internet Security *disabled*

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::

c:\documents and settings\flatau\local settings\temporary internet files\content.ie5\k6pf26o6\sabkutil.sys

C:\sqmdata07.sqm

C:\sqmnoopt07.sqm

c:\windows\system32\drivers\npf.sys

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\sqmdata07.sqm

C:\sqmnoopt07.sqm

c:\windows\Downloaded Program Files\ODCTOOLS

c:\windows\system32\autorun.ini

c:\windows\system32\drivers\npf.sys

c:\windows\system32\Packet.dll

c:\windows\system32\pthreadVC.dll

c:\windows\system32\wpcap.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_NPF

-------\Service_NPF

-------\Service_SABKUTIL

((((((((((((((((((((((((( Files Created from 2009-03-14 to 2009-04-14 )))))))))))))))))))))))))))))))

.

2009-04-14 16:26 . 2009-04-14 16:26 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

2009-04-09 23:58 . 2009-04-09 23:59 -------- d-----w c:\documents and settings\Flatau\Local Settings\Application Data\SUPERSystemInspector

2009-04-04 19:13 . 2009-04-04 19:13 -------- d-----w c:\documents and settings\Flatau\Application Data\Malwarebytes

2009-04-04 19:13 . 2009-03-26 15:49 15504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-04-04 19:13 . 2009-03-26 15:49 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-04-04 19:13 . 2009-04-04 19:13 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes

2009-03-24 16:33 . 2009-03-09 01:53 73728 ----a-w c:\windows\system32\javacpl.cpl

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-04-14 16:26 . 2009-04-14 16:26 -------- d-----w c:\program files\iPod

2009-04-14 16:26 . 2009-04-14 16:26 -------- d-----w c:\program files\iTunes

2009-04-14 16:23 . 2009-04-14 16:23 -------- d-----w c:\program files\QuickTime

2009-04-11 21:42 . 2009-04-11 21:42 -------- d-----r c:\program files\Norton Support

2009-04-05 00:41 . 2009-04-05 00:41 -------- d-----w c:\program files\Windows Live Safety Center

2009-04-04 19:13 . 2009-04-04 19:13 -------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-03-19 15:32 . 2008-01-29 11:01 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys

2009-03-18 23:17 . 2009-01-13 20:34 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF

2009-03-18 23:17 . 2009-01-13 20:34 7386 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT

2009-03-18 23:17 . 2009-01-13 20:34 60808 ----a-w c:\windows\system32\S32EVNT1.DLL

2009-03-18 23:17 . 2009-01-13 20:34 124464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS

2009-03-12 08:03 . 2009-01-13 20:36 36400 ----a-r c:\windows\system32\drivers\SymIM.sys

2009-03-09 04:19 . 2009-01-13 19:10 410984 ----a-w c:\windows\system32\deploytk.dll

2009-02-17 15:52 . 2005-12-16 03:41 105952 ----a-w c:\documents and settings\Flatau\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-02-17 15:45 . 2009-02-17 15:45 -------- d-----w c:\program files\MSBuild

2009-02-17 15:44 . 2009-02-17 15:44 -------- d-----w c:\program files\Reference Assemblies

2009-02-09 10:13 . 2008-10-16 15:20 1846784 ------w c:\windows\system32\dllcache\win32k.sys

2009-02-09 10:13 . 2005-03-30 10:38 1846784 ----a-w c:\windows\system32\win32k.sys

2009-01-17 21:43 . 2008-09-10 02:12 24 ----a-w C:\url_history.xml

2009-01-16 20:35 . 2005-03-30 10:38 3594752 ----a-w c:\windows\system32\dllcache\mshtml.dll

2008-08-21 19:18 . 2008-08-21 19:12 133227519 ----a-w c:\program files\OOo_2.4.1_Win32Intel_install_wJRE_en-US.exe

2008-05-29 20:56 . 2008-05-29 20:56 37375 ----a-w c:\program files\openoffice.org-xsltfilter.cab

2008-05-29 20:56 . 2008-05-29 20:56 2490452 ----a-w c:\program files\openoffice.org-writer.cab

2008-05-29 20:56 . 2008-05-29 20:56 207388 ----a-w c:\program files\openoffice.org-testtool.cab

2008-05-29 20:56 . 2008-05-29 20:55 2504975 ----a-w c:\program files\openoffice.org-pyuno.cab

2008-05-29 20:55 . 2008-05-29 20:55 51973 ----a-w c:\program files\openoffice.org-onlineupdate.cab

2008-05-29 20:55 . 2008-05-29 20:55 1090334 ----a-w c:\program files\openoffice.org-math.cab

2008-05-29 20:55 . 2008-05-29 20:55 118910 ----a-w c:\program files\openoffice.org-javafilter.cab

2008-05-29 20:55 . 2008-05-29 20:55 1254017 ----a-w c:\program files\openoffice.org-impress.cab

2008-05-29 20:55 . 2008-05-29 20:55 86870 ----a-w c:\program files\openoffice.org-graphicfilter.cab

2008-05-29 20:55 . 2008-05-29 20:55 919329 ----a-w c:\program files\openoffice.org-draw.cab

2008-05-29 20:55 . 2008-05-29 20:55 2769 ----a-w c:\program files\openoffice.org-emailmerge.cab

2008-05-29 20:55 . 2008-05-29 20:55 2031954 ----a-w c:\program files\openoffice.org-core09.cab

2008-05-29 20:55 . 2008-05-29 20:55 293078 ----a-w c:\program files\openoffice.org-core08.cab

2008-05-29 20:55 . 2008-05-29 20:55 3842531 ----a-w c:\program files\openoffice.org-core07.cab

2008-05-29 20:54 . 2008-05-29 20:54 28847705 ----a-w c:\program files\openoffice.org-core06.cab

2008-05-29 20:50 . 2008-05-29 20:50 18634513 ----a-w c:\program files\openoffice.org-core05.cab

2008-05-29 20:49 . 2008-05-29 20:49 16503595 ----a-w c:\program files\openoffice.org-core04.cab

2008-05-29 20:48 . 2008-05-29 20:48 9117929 ----a-w c:\program files\openoffice.org-core03.cab

2008-05-29 20:48 . 2008-05-29 20:48 3860980 ----a-w c:\program files\openoffice.org-core02.cab

2008-05-29 20:47 . 2008-05-29 20:47 15104219 ----a-w c:\program files\openoffice.org-core01.cab

2008-05-29 20:47 . 2008-05-29 20:47 4694039 ----a-w c:\program files\openoffice.org-calc.cab

2008-05-29 20:47 . 2008-05-29 20:47 1803630 ----a-w c:\program files\openoffice.org-base.cab

2008-05-29 20:46 . 2008-05-29 20:46 43005 ----a-w c:\program files\openoffice.org-activex.cab

2005-11-15 02:22 . 2005-11-15 02:22 129 ----a-w c:\documents and settings\Flatau\Local Settings\Application Data\fusioncache.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LaunchApp"="Alaunch" [X]

"epm-dm"="c:\acer\epm\epm-dm.exe" [2005-03-28 188416]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-07 98394]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-07 688218]

"SpeedTouch USB Diagnostics"="c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 866816]

"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 227328]

"PCMService"="c:\program files\Arcade\PCMService.exe" [2005-03-09 49152]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]

"LManager"="c:\program files\Launch Manager\QtZgAcer.EXE" [2005-03-28 319488]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-02-07 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-02-07 126976]

"eRecoveryService"="c:\windows\System32\Check.exe" [2005-03-23 245760]

"ePowerManagement"="c:\acer\ePM\ePM.exe" [2005-03-24 2880512]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-28 344064]

"4oD"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1744896]

c:\documents and settings\Flatau\Start Menu\Programs\Startup\

OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Ulead Photo Express 4.0 SE Calendar Checker .lnk - c:\program files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe [2005-12-31 69632]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

Exif Launcher.lnk - c:\program files\FinePixViewer\QuickDCF.exe [2006-9-17 200704]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 10:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]

@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Kontiki\\KService.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-08-29 33752]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]

R3 ZSMC302;Cammaestro 4.2GU build 1104.72;c:\windows\system32\Drivers\usbvm302.sys [2005-01-13 195263]

S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1005000.087\SYMEFA.SYS [2009-03-12 310320]

S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\Drivers\NIS\1005000.087\BHDrvx86.sys [2009-03-12 258608]

S1 ccHP;Symantec Hash Provider;c:\windows\System32\Drivers\NIS\1005000.087\ccHPx86.sys [2009-03-18 482352]

S1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20090408.002\IDSxpx86.sys [2009-01-29 276344]

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-27 9968]

S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-01-15 55024]

S2 EpmPsd;Acer EPM Power Scheme Driver;c:\windows\system32\drivers\epm-psd.sys [2004-07-19 4096]

S2 EpmShd;Acer EPM System Hardware Driver;c:\windows\system32\drivers\epm-shd.sys [2005-03-24 78208]

S2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe [2009-03-12 115560]

S2 osanbm;osanbm;c:\windows\system32\drivers\osanbm.sys [2005-01-14 4010]

S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-27 101936]

.

Contents of the 'Scheduled Tasks' folder

2009-04-14 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 17:20]

2009-04-14 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

HKLM-Run-BigDogPath - c:\windows\VM_STI.EXE Cammaestro 4.2GU

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.everyclick.co.uk/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html

uInternet Connection Wizard,ShellNext = hxxp://global.acer.com/

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

DPF: {108CAEAB-CCCC-4E95-BD61-5A9780802CDA} - hxxp://www.cig.canon-europe.com/ph/en_GB/st/download/ipd/cnipd01_1_000203E.cab

.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-04-14 22:04

Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]

"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.5.0.135\diMaster.dll\" /prefetch:1"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(940)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3632)

c:\program files\CyberLink\Shared Files\CLRCEngine.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll

c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll

c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng.nlr

c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\SYSTEM32\ATI2EVXX.EXE

c:\program files\INTEL\WIRELESS\BIN\EVTENG.EXE

c:\program files\INTEL\WIRELESS\BIN\S24EVMON.EXE

c:\acer\EMANAGER\ANBMSERV.EXE

c:\program files\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE

c:\program files\SYMANTEC\LIVEUPDATE\ALUSCHEDULERSVC.EXE

c:\program files\BONJOUR\MDNSRESPONDER.EXE

c:\program files\JAVA\JRE6\BIN\JQS.EXE

c:\program files\KONTIKI\KSERVICE.EXE

c:\windows\SYSTEM32\ATI2EVXX.EXE

c:\program files\INTEL\WIRELESS\BIN\REGSRVC.EXE

c:\windows\system32\wscntfy.exe

c:\program files\PC Connectivity Solution\ServiceLayer.exe

c:\windows\VM_STI.EXE

c:\program files\OpenOffice.org 2.4\program\soffice.exe

c:\program files\OpenOffice.org 2.4\program\soffice.BIN

c:\program files\iPod\bin\iPodService.exe

c:\program files\acer\eRecovery\Monitor.exe

.

**************************************************************************

.

Completion time: ~,10time:~,-3machine was rebootedCombobatch-by

ComboFix-quarantined-files.txt 2009-04-14 21:08

Pre-Run: 9,391,538,176 bytes free

Post-Run: 12,553,453,568 bytes free

247 --- E O F --- 2009-04-06 18:00

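A reviewer reading a log like the one above usually wants three things pulled out first: the Run entries (and whether their files still exist), the services with their running/stopped state, and the Security Center and Windows Firewall values. As an added example, not code from this thread or from ComboFix itself, here is a small Python parser for those sections. The excerpt it reads is constructed from a few lines of the log above in the layout ComboFix prints; the reading of the service prefix (R = running, S = stopped, digit = start type) and of the trailing "[date size]" / "[X]" stamp is my understanding of ComboFix's convention, not something the log states.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed excerpt laid out like the "Reg Loading Points" and services
# sections of a ComboFix log (modelled on the log in this thread; not the
# full log, and ComboFix itself does no such parsing).
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"epm-dm"="c:\acer\epm\epm-dm.exe" [2005-03-28 188416]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

S2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe [2009-03-12 115560]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                       # [HKEY_...\Run]
VALUE_RE = re.compile(r'^(?:"([^"]+)"|@)=\s*(.*)$')      # "name"=data  or @=data
QUOTED_RE = re.compile(r'^"(.*?)"(?:\s+\[([^\]]*)\])?$') # "path" [date size] / [X]
DWORD_RE = re.compile(r"^dword:([0-9a-fA-F]{1,8})$")
PLAIN_NUM_RE = re.compile(r"^(\d+)\s*\(0x[0-9a-fA-F]+\)$")  # 0 (0x0)
SERVICE_RE = re.compile(r"^([RS])([0-4]) ([^;]+);([^;]*);(.+?)(?:\s+\[([^\]]*)\])?$")


@dataclass
class RegValue:
    key: str
    name: str
    data: str                 # value data exactly as printed
    image: Optional[str]      # quoted string data, usually a file path
    stamp: Optional[str]      # "date size" ComboFix appends, or "X" when the file was not found
    number: Optional[int]     # dword / numeric data, when present


@dataclass
class Service:
    state: str     # ComboFix prefix letter: R = running, S = stopped (my reading of the format)
    start: int     # start type digit: 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
    name: str
    display: str
    image: str
    stamp: Optional[str]


def parse_combofix_excerpt(text: str) -> Tuple[List[RegValue], List[Service]]:
    """Parse registry values (under their [key] headers) and service lines."""
    values: List[RegValue] = []
    services: List[Service] = []
    current_key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = SERVICE_RE.match(line)
        if m:
            state, start, name, display, image, stamp = m.groups()
            services.append(Service(state, int(start), name, display, image, stamp))
            continue
        m = VALUE_RE.match(line)
        if m and current_key is not None:
            name = m.group(1) or "(Default)"
            data = m.group(2)
            image = stamp = None
            number = None
            q, d, p = QUOTED_RE.match(data), DWORD_RE.match(data), PLAIN_NUM_RE.match(data)
            if q:
                image, stamp = q.group(1), q.group(2)
            elif d:
                number = int(d.group(1), 16)
            elif p:
                number = int(p.group(1))
            values.append(RegValue(current_key, name, data, image, stamp, number))
    return values, services


def summarize(values: List[RegValue], services: List[Service]) -> dict:
    """Pull out the items a reviewer reads first; list them, do not judge them."""
    autoruns = [
        (v.name, v.image, v.stamp == "X")      # (value name, image, file missing?)
        for v in values
        if v.key.lower().endswith(r"\currentversion\run") and v.image is not None
    ]
    # DisableMonitoring = 1 under Security Center stops Windows reporting on that
    # AV/firewall; a suite such as Norton sets it for itself, so just surface it.
    monitoring_off = sorted(
        v.key.rsplit("\\", 1)[-1]
        for v in values
        if "security center\\monitoring\\" in v.key.lower()
        and v.name == "DisableMonitoring" and v.number == 1
    )
    firewall_on = next(
        (v.number == 1 for v in values
         if v.key.lower().endswith("firewallpolicy\\standardprofile")
         and v.name == "EnableFirewall"),
        None,                                   # None = the log did not say
    )
    stopped = [s.name for s in services if s.state == "S"]
    return {"autoruns": autoruns, "monitoring_off": monitoring_off,
            "windows_firewall_on": firewall_on, "stopped_services": stopped}


if __name__ == "__main__":
    vals, svcs = parse_combofix_excerpt(SAMPLE_LOG)
    for k, v in summarize(vals, svcs).items():
        print(f"{k}: {v}")
```

The summary deliberately reports rather than scores: a "[X]" Run entry with no file behind it, a third-party suite turning off Security Center monitoring for itself, or the Windows Firewall profile being off are each normal in some setups and worth a question in others, which is exactly the kind of question the helper in this thread asked about the home page.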

  • Root Admin

Great that looks better now.

Please click on the Malwarebytes on your program menu and select and uninstall your current version which shows to be version 1.34 and RESTART your computer.

Then download a new version 1.36 and install that and check for updates and get them, then reboot again.

After the reboot please run a Quick Scan and post back that log.

Download Malwarebytes


Thanks and I'm glad that looks better.

I'll follow the latest steps as soon as I can (hopefully in the next few days. Always have to say that just in case!).

What about the Recovery Console?

Off to bed now. Past 2 am here in the UK. Are you in the US?

All the best and speak to you soon.


  • Root Admin

In general the Recovery Console is often needed by Combofix to remove some items; in your case it was able to remove them without it.

It is a good option to have and leave installed though, unless you have a physical Windows XP CD to boot from; in your case you have recovery CDs, which is not the same thing.

I won't press it as I know you're not feeling well though and your system seems to have gotten through that portion okay.

Just note that any documents, mail, pictures, etc that you have or create should be backed up on external media such as a USB drive and/or a CD/DVD disk. Hardware can go bad, and destructive viruses can happen which could some day put your data in jeopardy. Having a backup could get you out of a jam some day.


I also have the Aspire System CD. Wouldn't that have Windows XP on it? The computer came with XP pre-installed. The Aspire System CD says on the label: The software included on this CD was pre-installed on your hard drive at the factory and may only be used for backup and recovery of your Acer computer system.

If that's still not the right thing, I can download the Recovery Console when I feel up to it. I just got put off a bit when I read Microsoft's instructions that said they strongly recommend booting from the CD if you have it and only download if you haven't.

Thanks in advance.


This topic is now closed to further replies.