
My computer is possessed, please help



Hi all, long time viewer, first time poster. My computer is extremely slow. I ran MBAM and it found a couple of vundo trojans, but my computer is still lagging. Here is the HJT file. Please help!

Logfile of Trend Micro HijackThis v2.0.3 (BETA)

Scan saved at 7:10:51 PM, on 2/4/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Common Files\Motive\McciCMService.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

C:\Program Files\Roxio\Media Experience\DMXLauncher.exe

C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Symantec AntiVirus\DoScan.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe

F:\Unlock.exe

C:\WINDOWS\System32\msiexec.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

C:\DOCUME~1\Aaron\LOCALS~1\Temp\EPM7.tmp\Symanremovaltool.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.8.7.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)

O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"

O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\Media Experience\DMXLauncher.exe"

O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm

O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm

O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.8.7.dll/206 (file missing)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo...sreqlab_nvd.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab

O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

O16 - DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O20 - AppInit_DLLs: C:\WINDOWS\system32\tugivugi.dll

O21 - SSODL: MwDDfUmercFUzz - {E88CCFDE-4226-6574-F736-401CBDDC6AC1} - (no file)

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe

O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe

O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe

O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--

End of file - 10833 bytes

I tried an online HJT analyzer, and it suggested I delete a few files, but I thought I would consult with you guys first.

Aaron

Moderator edit to place 2 logs In-Line ~ Maurice

Hi.. I am also installing logs from MBAM and AVIRA.

MBAM...

Malwarebytes' Anti-Malware 1.44

Database version: 3691

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

2/5/2010 6:30:02 AM

mbam-log-2010-02-05 (06-30-01).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|F:\|)

Objects scanned: 186338

Time elapsed: 3 hour(s), 52 minute(s), 47 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

AVIRA...

Avira AntiVir Personal

Report file date: Thursday, February 04, 2010 22:15

Scanning for 1727978 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus

Serial number : 0000149996-ADJIE-0000001

Platform : Windows XP

Windows version : (Service Pack 3) [5.1.2600]

Boot mode : Normally booted

Username : SYSTEM

Computer name : BLACKICE-4FCBCC

Version information:

BUILD.DAT : 9.0.0.419 21701 Bytes 1/22/2010 18:29:00

AVSCAN.EXE : 9.0.3.10 466689 Bytes 10/13/2009 17:26:33

AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 16:58:24

LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 17:35:49

LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 16:58:52

VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 13:35:52

VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 00:45:28

VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 01:25:15

VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 01:25:13

VBASE004.VDF : 7.10.3.76 2048 Bytes 1/26/2010 01:25:14

VBASE005.VDF : 7.10.3.77 2048 Bytes 1/26/2010 01:25:14

VBASE006.VDF : 7.10.3.78 2048 Bytes 1/26/2010 01:25:14

VBASE007.VDF : 7.10.3.79 2048 Bytes 1/26/2010 01:25:14

VBASE008.VDF : 7.10.3.80 2048 Bytes 1/26/2010 01:25:14

VBASE009.VDF : 7.10.3.81 2048 Bytes 1/26/2010 01:25:15

VBASE010.VDF : 7.10.3.82 2048 Bytes 1/26/2010 01:25:15

VBASE011.VDF : 7.10.3.83 2048 Bytes 1/26/2010 01:25:15

VBASE012.VDF : 7.10.3.84 2048 Bytes 1/26/2010 01:25:15

VBASE013.VDF : 7.10.3.85 2048 Bytes 1/26/2010 01:25:15

VBASE014.VDF : 7.10.3.122 172544 Bytes 1/29/2010 01:25:24

VBASE015.VDF : 7.10.3.149 79872 Bytes 2/1/2010 03:00:08

VBASE016.VDF : 7.10.3.174 68608 Bytes 2/3/2010 03:01:37

VBASE017.VDF : 7.10.3.199 76800 Bytes 2/4/2010 02:58:27

VBASE018.VDF : 7.10.3.200 2048 Bytes 2/4/2010 02:58:27

VBASE019.VDF : 7.10.3.201 2048 Bytes 2/4/2010 02:58:28

VBASE020.VDF : 7.10.3.202 2048 Bytes 2/4/2010 02:58:28

VBASE021.VDF : 7.10.3.203 2048 Bytes 2/4/2010 02:58:28

VBASE022.VDF : 7.10.3.204 2048 Bytes 2/4/2010 02:58:28

VBASE023.VDF : 7.10.3.205 2048 Bytes 2/4/2010 02:58:29

VBASE024.VDF : 7.10.3.206 2048 Bytes 2/4/2010 02:58:29

VBASE025.VDF : 7.10.3.207 2048 Bytes 2/4/2010 02:58:29

VBASE026.VDF : 7.10.3.208 2048 Bytes 2/4/2010 02:58:30

VBASE027.VDF : 7.10.3.209 2048 Bytes 2/4/2010 02:58:30

VBASE028.VDF : 7.10.3.210 2048 Bytes 2/4/2010 02:58:31

VBASE029.VDF : 7.10.3.211 2048 Bytes 2/4/2010 02:58:31

VBASE030.VDF : 7.10.3.212 2048 Bytes 2/4/2010 02:58:32

VBASE031.VDF : 7.10.3.213 20992 Bytes 2/4/2010 02:58:32

Engineversion : 8.2.1.158

AEVDF.DLL : 8.1.1.3 106868 Bytes 1/23/2010 01:25:25

AESCRIPT.DLL : 8.1.3.13 823674 Bytes 2/3/2010 03:01:16

AESCN.DLL : 8.1.4.0 127348 Bytes 1/28/2010 01:25:20

AESBX.DLL : 8.1.1.1 246132 Bytes 11/8/2009 13:38:44

AERDL.DLL : 8.1.3.4 479605 Bytes 1/16/2010 00:46:07

AEPACK.DLL : 8.2.0.5 422262 Bytes 1/16/2010 00:46:05

AEOFFICE.DLL : 8.1.0.38 196987 Bytes 11/8/2009 13:38:38

AEHEUR.DLL : 8.1.1.4 2326899 Bytes 2/3/2010 03:01:08

AEHELP.DLL : 8.1.10.0 237942 Bytes 1/16/2010 00:45:59

AEGEN.DLL : 8.1.1.86 369012 Bytes 2/3/2010 03:00:33

AEEMU.DLL : 8.1.1.0 393587 Bytes 11/8/2009 13:38:26

AECORE.DLL : 8.1.11.1 184694 Bytes 2/3/2010 03:00:23

AEBB.DLL : 8.1.0.3 53618 Bytes 11/8/2009 13:38:20

AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 14:47:59

AVPREF.DLL : 9.0.3.0 44289 Bytes 8/26/2009 21:14:02

AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 20:34:28

AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 16:32:09

AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 21:05:41

AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 16:37:08

SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 21:03:49

SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 14:21:33

NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 16:32:10

RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 21:39:58

RCTEXT.DLL : 9.0.73.0 86785 Bytes 10/13/2009 18:25:47

Configuration settings for the scan:

Jobname.............................: Complete system scan

Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp

Logging.............................: low

Primary action......................: interactive

Secondary action....................: ignore

Scan master boot sector.............: on

Scan boot sector....................: on

Boot sectors........................: C:,

Process scan........................: on

Scan registry.......................: on

Search for rootkits.................: on

Integrity checking of system files..: off

Scan all files......................: All files

Scan archives.......................: on

Recursion depth.....................: 20

Smart extensions....................: on

Macro heuristic.....................: on

File heuristic......................: medium

Start of the scan: Thursday, February 04, 2010 22:15

Starting search for hidden objects.

'50834' objects were checked, '0' hidden objects were found.

The scan of running processes will be started

Scan process 'logon.scr' - '1' Module(s) have been scanned

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'mbam.exe' - '1' Module(s) have been scanned

Scan process 'gmerrootkit.exe' - '1' Module(s) have been scanned

Scan process 'iexplore.exe' - '1' Module(s) have been scanned

Scan process 'iexplore.exe' - '1' Module(s) have been scanned

Scan process 'CPSHelpRunner.exe' - '1' Module(s) have been scanned

Scan process 'alg.exe' - '1' Module(s) have been scanned

Scan process 'iPodService.exe' - '1' Module(s) have been scanned

Scan process 'ctfmon.exe' - '1' Module(s) have been scanned

Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned

Scan process 'avgnt.exe' - '1' Module(s) have been scanned

Scan process 'DrgToDsc.exe' - '1' Module(s) have been scanned

Scan process 'DMXLauncher.exe' - '1' Module(s) have been scanned

Scan process 'RoxWatchTray9.exe' - '1' Module(s) have been scanned

Scan process 'issch.exe' - '1' Module(s) have been scanned

Scan process 'VPTray.exe' - '1' Module(s) have been scanned

Scan process 'ccApp.exe' - '1' Module(s) have been scanned

Scan process 'SearchProtection.exe' - '1' Module(s) have been scanned

Scan process 'Rtvscan.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'explorer.exe' - '1' Module(s) have been scanned

Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned

Scan process 'mdm.exe' - '1' Module(s) have been scanned

Scan process 'McciCMService.exe' - '1' Module(s) have been scanned

Scan process 'DefWatch.exe' - '1' Module(s) have been scanned

Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned

Scan process 'AluSchedulerSvc.exe' - '1' Module(s) have been scanned

Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'avguard.exe' - '1' Module(s) have been scanned

Scan process 'sched.exe' - '1' Module(s) have been scanned

Scan process 'spoolsv.exe' - '1' Module(s) have been scanned

Scan process 'SPBBCSvc.exe' - '1' Module(s) have been scanned

Scan process 'ccEvtMgr.exe' - '1' Module(s) have been scanned

Scan process 'ccSetMgr.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'lsass.exe' - '1' Module(s) have been scanned

Scan process 'services.exe' - '1' Module(s) have been scanned

Scan process 'winlogon.exe' - '1' Module(s) have been scanned

Scan process 'csrss.exe' - '1' Module(s) have been scanned

Scan process 'smss.exe' - '1' Module(s) have been scanned

47 processes with 47 modules were scanned

Starting master boot sector scan:

Master boot sector HD0

[iNFO] No virus was found!

Master boot sector HD1

[iNFO] No virus was found!

Start scanning boot sectors:

Boot sector 'C:\'

[iNFO] No virus was found!

Starting to scan executable files (registry).

The registry was scanned ( '58' files ).

Starting the file scan:

Begin scan in 'C:\'

C:\hiberfil.sys

[WARNING] The file could not be opened!

[NOTE] This file is a Windows system file.

[NOTE] This file cannot be opened for scanning.

C:\pagefile.sys

[WARNING] The file could not be opened!

[NOTE] This file is a Windows system file.

[NOTE] This file cannot be opened for scanning.

End of the scan: Friday, February 05, 2010 02:38

Used time: 4:23:08 Hour(s)

The scan has been done completely.

8144 Scanned directories

389715 Files were scanned

0 Viruses and/or unwanted programs were found

0 Files were classified as suspicious

0 files were deleted

0 Viruses and unwanted programs were repaired

0 Files were moved to quarantine

0 Files were renamed

2 Files cannot be scanned

389713 Files not concerned

3190 Archives were scanned

2 Warnings

2 Notes

50834 Objects were scanned with rootkit scan

0 Hidden objects were found

Thanks again for your help

NOTE @ Ablake06 Do be patient and wait your turn for an expert to reply to you.

Do NOT make any further replies until then.

Using "bump" is bad netiquette.

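An added triage example, not part of this thread, of HijackThis or of the fix that follows: a small Python parser over lines in the format of the HJT log above. It flags the AppInit_DLLs (O20) and SSODL (O21) entries, orphaned "(no file)" entries, and processes running from a temp folder or a drive root, which are the items a helper looks at first. The rules, the XP_DEFAULT_SSODL allowlist and the constructed SAMPLE_LOG are this example's own assumptions; a flag means "review this", not a malware verdict.

```python
"""Triage helper for HijackThis (HJT) logs.

Added example for this thread; not part of HijackThis, OTL, or the fix posted
here. It parses lines in the format of the log above and flags the entries a
helper reviews first. A flag means "look at this", not a malware verdict.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Numbered entry lines, e.g. "O20 - AppInit_DLLs: C:\WINDOWS\system32\tugivugi.dll"
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
# Assumption: the SSODL entry names present on a stock Windows XP SP3 install.
XP_DEFAULT_SSODL = {"PostBootReminder", "CDBurn", "WebCheck", "SysTray"}
# Folders from which an autostart or running process deserves a second look.
SUSPECT_DIRS = ("\\temp\\", "\\recycler\\")
# An executable sitting in the root of a non-system drive, e.g. "F:\Unlock.exe".
DRIVE_ROOT_RE = re.compile(r"^[d-z]:\\[^\\]+\.exe$", re.IGNORECASE)


@dataclass
class Finding:
    section: str        # HJT section such as "O20", or "proc" for a running process
    item: str           # the path or name being flagged
    reasons: List[str]


def _item(body: str) -> str:
    """Name or path of an entry: text after the first ': ' up to the first ' - '."""
    after_label = body.split(": ", 1)[1] if ": " in body else body
    return after_label.split(" - ")[0].strip()


def check_entry(sec: str, body: str) -> Optional[Finding]:
    """Apply the review rules to one numbered HJT entry."""
    lower, reasons = body.lower(), []
    if sec == "O20" and lower.startswith("appinit_dlls:") and _item(body):
        reasons.append("AppInit_DLLs loads this DLL into every process that maps "
                       "user32.dll; the value is empty on a clean XP")
    if sec == "O21" and lower.startswith("ssodl:") and _item(body) not in XP_DEFAULT_SSODL:
        reasons.append("non-default ShellServiceObjectDelayLoad entry (loaded by Explorer at logon)")
    if lower.endswith("(no file)"):
        reasons.append("orphaned entry: the registry points at a file that no longer exists")
    if sec == "O4" and any(d in lower for d in SUSPECT_DIRS):
        reasons.append("autostart from a temporary or recycler folder")
    return Finding(sec, _item(body), reasons) if reasons else None


def check_process(path: str) -> Optional[Finding]:
    """Apply the review rules to one line of the 'Running processes:' block."""
    lower, reasons = path.lower(), []
    if any(d in lower for d in SUSPECT_DIRS):
        reasons.append("running from a temporary folder")
    if DRIVE_ROOT_RE.match(path):
        reasons.append("running from the root of a non-system drive")
    return Finding("proc", path, reasons) if reasons else None


def triage(log_text: str) -> List[Finding]:
    """Walk an HJT log: the 'Running processes:' block, then the numbered entries."""
    findings: List[Finding] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_processes = False   # the first numbered entry ends the process list
            found = check_entry(match.group("sec"), match.group("body"))
        else:                      # header lines such as "Platform:" yield nothing
            found = check_process(line) if in_processes else None
        if found:
            findings.append(found)
    return findings


def flagged(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged item to its reasons, for quick review or assertions."""
    return {f.item: f.reasons for f in triage(log_text)}


# Constructed sample: a few lines taken from the poster's log plus benign ones.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
F:\Unlock.exe
C:\DOCUME~1\Aaron\LOCALS~1\Temp\EPM7.tmp\Symanremovaltool.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O20 - AppInit_DLLs: C:\WINDOWS\system32\tugivugi.dll
O21 - SSODL: MwDDfUmercFUzz - {E88CCFDE-4226-6574-F736-401CBDDC6AC1} - (no file)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.section, f.item, "|", "; ".join(f.reasons))
```

Run against the full log, the flagged set is the same two entries the OTL fix in the next reply removes, plus items that only need a human look (the Symantec removal tool running from Temp is expected here).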

Hello,

If you are a casual viewer, do NOT try this on your system!

If you are not member ablake06 and have a similar problem, do NOT post here; start your own topic.

This is customized specifically for this system and none other!

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.

=

Close any of your open programs before you run these tools.

Step 1

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT

(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

Step 2

Set Windows to show all files and all folders.

On your Desktop, double click My Computer; from the menu options, select Tools, then Folder Options, and then select the VIEW tab and look at all of the settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under the column Hidden files and folders, choose (select) Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next un-check Hide protected operating system files.

Step 3

Take out the trash (temporary files & temporary internet files)

Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to cleanout temporary files & temp areas used by internet browsers.

Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:

Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:

Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

ATF-Cleaner should be run per the above in every user-login account {User Profile}.

Step 4

Download OTL by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTL.exe

  • Please double-click OTL.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy all the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    :files
    C:\WINDOWS\system32\tugivugi.dll
    C:\recycler
    D:\recycler
    e:\recycler
    f:\recycler
    g:\recycler
    h:\recycler

    :reg
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=-
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "MwDDfUmercFUzz"=-

    :Commands
    [purity]
    [emptytemp]
    [CREATERESTOREPOINT]


  • Return to OTL. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.
  • Close any browser(s) windows that may be open.
  • Using your mouse, click on the red-lettered button Run Fix.
  • Once you see a message box "Fix complete! Click OK to open the fix log."
    Click the OK button
  • The log will open in Notepad (your default text editor).
  • Save the log. Post a copy of that log in your next reply.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.

If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Step 5

Scan the system with the Kaspersky Online Scanner

http://www.kaspersky.com/kos/eng/partner/d...kavwebscan.html

Attention: Kaspersky Online Scanner 7.0 may not run successfully while another antivirus program is running. If you have Anti-Virus software installed, please temporarily disable your AV protection before running the Kaspersky Online Scanner. Re-enable it after the scan is finished.

During this run, make sure your browser does not block popup windows. Have patience while some screens populate.

Read the Information block presented on the screen, and then press the Accept button.

1) Accept the agreement

2) The necessary files will be downloaded and installed. Please have plenty of patience.

3) After Kaspersky AntiVirus Database is updated, look at the Scan box.

4) Click the My Computer line

5) Be infinitely patient; the scan is comprehensive and, unlike other online antivirus scanners, will detect all malware.

6) When the scan is completed there will be an option to Save report as a .txt file. Click that button. Copy and paste the report into your reply.

( To see an animated tutorial-how-to on the scan, see >>this link<<)

Re-enable your antivirus program after Kaspersky has finished.

Kaspersky Online Scanner can be uninstalled later on from Add or Remove Programs in the Control Panel, if desired.

Do not be alarmed if Kaspersky tags items that are already in quarantine by MBAM, or other tools.

Kaspersky is a report only and does not remove files.

Step 6

Download Security Check by screen317 and save it to your Desktop: here or here

  • Run Security Check
  • Follow the onscreen instructions inside of the command window.
  • A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!

If one of your security applications (e.g., a third-party firewall) requests permission to allow DIG.EXE to access the Internet, allow it to do so.

Then copy/paste the following into your post (in order):

  • the contents of OTL MovedFiles log
  • the contents of Kaspersky scan log
  • the contents of checkup.txt

Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You may have to do more than 1 reply.

Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of reply.


Make your replies on the forum please. If the Kaspersky scan is stuck, then close the browser window.

Skip to the next step to get and run Security Check.

and post a copy of the OTL MovedFiles log and Checkup.txt

and give some detail on how things are now.


Thanks. fyi... I had to remove Symantec and Avira to get Kaspersky to work. My firewall still will not come on. Here are the logs...

OTL

All processes killed

========== FILES ==========

File\Folder C:\WINDOWS\system32\tugivugi.dll not found.

C:\RECYCLER\S-1-5-21-1844237615-789336058-1801674531-500\Dc1.VAULT$ folder moved successfully.

C:\RECYCLER\S-1-5-21-1844237615-789336058-1801674531-500 folder moved successfully.

C:\RECYCLER\S-1-5-21-1844237615-789336058-1801674531-1004 folder moved successfully.

C:\RECYCLER folder moved successfully.

File\Folder D:\recycler not found.

File\Folder e:\recycler not found.

File\Folder f:\recycler not found.

File\Folder g:\recycler not found.

File\Folder h:\recycler not found.

========== REGISTRY ==========

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs deleted successfully.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\MwDDfUmercFUzz deleted successfully.

========== COMMANDS ==========

[EMPTYTEMP]

User: Aaron

->Temp folder emptied: 1468066891 bytes

->Temporary Internet Files folder emptied: 14588081 bytes

->Java cache emptied: 67740934 bytes

User: Administrator

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

User: LocalService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 114755 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 3334068 bytes

%systemroot%\System32 .tmp files removed: 168977 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 10950078 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 154406 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 1,493.00 mb

Restore point Set: OTL Restore Point (64424509440)

OTL by OldTimer - Version 3.1.28.0 log created on 02062010_213339

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

KASPERSKY...

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Thursday, February 11, 2010

Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Thursday, February 11, 2010 05:52:11

Records in database: 3472342

--------------------------------------------------------------------------------

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

Scan area - My Computer:

A:\

C:\

D:\

E:\

Scan statistics:

Objects scanned: 60019

Threats found: 0

Infected objects found: 0

Suspicious objects found: 0

Scan duration: 04:56:05

No threats found. Scanned area is clean.

Selected area has been scanned.

CHECKUP...

screen317's Security Check version 0.99.1

Windows XP Service Pack 3 (UAC is disabled!)

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Disabled!

Microsoft Windows OneCare Live v2.5.2900.24 Idcrl Install

``````````````````````````````

Anti-malware/Other Utilities Check:

Java 6 Update 18

Java Auto Updater

Out of date Java installed!

Adobe Flash Player 10

Adobe Reader 9.1

``````````````````````````````

Process Check:

objlist.exe by Laurent

``````````````````````````````

DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````


@ablake06

If you truly un-installed your antivirus, and you did not re-install it ......

Job 1 right now is to install it! My vote would be to install Avira (unless you paid for Symantec and the subscription is current).

Confirm having installed your antivirus.

and make sure you only install ONE AV.

(and I hope you simply mis-spoke when you said you un-installed)


You will want to print out or copy these instructions to Notepad for offline reference!

If you are a casual viewer, do NOT try this on your system!

If you are not ablake06 and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.

=

Close any of your open programs while you run these tools.

Step 1

Get & save, then run Microsoft OneCare Uninstall Cleanup Tool

http://download.microsoft.com/download/4/c...CareCleanUp.exe

Next, logoff and restart fresh

Step 2 - check on firewall, do following, and keep going with next steps

To turn on the Internet Connection Firewall in Windows XP

Click Start, and click Control Panel.

Click Network and Internet Connections.

If you do not see Network and Internet Connections, click Switch to Category View.

Click Change Windows Firewall Settings.

Select On.

Click OK.

Step 3

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

To disable Avira real-time guard: Right-click the Avira AntiVir icon in the sys notification area. You would see a checkmark on "AntiVir guard enable". Click the line once to clear the checkmark.

If you have a prior copy of Combofix, delete it now!

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1

Link 2

Link 3


* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop

If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on Combo-Fix.exe {red lion icon} & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

-------------------------------------------------------

A caution - Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

Even when ComboFix appears to be doing nothing, look at your Drive light.

If it is flashing, Combofix is still at work.

=

RE-Enable your AntiVirus and AntiSpyware applications.

To re-enable Avira real-time guard: Right-click the Avira AntiVir icon in the sys notification area. Click once on "AntiVir guard enable" to re-activate.

Reply with copy of C:\Combofix.txt for my review

As to the "slow pc" issues, here are a number of guides on the issue that you should study & follow.

If we do not find residual malware, that is what I'd likely urge you to follow.

Here are some recommended articles:

What to do if your Computer is running slowly

http://www.malwareremoval.com/tutorials/runningslowly.php

See Quietman7's Slow Computer/browser? Check Here First

http://www.bleepingcomputer.com/forums/topic87058.html

See Miekiemoes' Help! My computer is slow!

http://users.telenet.be/bluepatchy/miekiem...owcomputer.html

See Jim Eshelman's Computer Health

http://aumha.org/a/health.htm

Slow Computer/Browser: Check here first!

http://www.bleepingcomputer.com/forums/topic44694.html


Hello,

Attached is my Combofix log.

-------------------------------

ComboFix 10-02-18.07 - Aaron 02/18/2010 22:09:37.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.320.127 [GMT -6:00]

Running from: c:\downloads\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Aaron\Application Data\Messenger

c:\program files\IEToolbar

c:\program files\IEToolbar\ECO Bar\basis.xml

c:\program files\IEToolbar\ECO Bar\icons.bmp

c:\program files\IEToolbar\ECO Bar\info.txt

c:\program files\IEToolbar\ECO Bar\uninstall.exe

c:\program files\IEToolbar\ECO Bar\version.txt

c:\program files\IEToolbar\ECO Bar\your_logo.png

c:\temp\1cb

c:\temp\1cb\syscheck.log

c:\temp\tn3

c:\windows\system32\j3

c:\windows\system32\ovilewuw.ini

c:\windows\system32\service

c:\windows\system32\service\19032009_TIS17_SfFniAU.log

c:\windows\system32\service\26032009_TIS17_SfFniAU.log

.

((((((((((((((((((((((((( Files Created from 2010-01-19 to 2010-02-19 )))))))))))))))))))))))))))))))

.

2010-02-19 03:51 . 2010-02-19 03:52 -------- d-----w- C:\WINSSLog

2010-02-11 13:26 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

2010-02-11 13:26 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2010-02-11 13:26 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2010-02-11 13:26 . 2010-02-11 13:26 -------- d-----w- c:\program files\Avira

2010-02-11 13:26 . 2010-02-11 13:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2010-02-07 03:56 . 2010-02-07 03:56 348160 ----a-w- c:\documents and settings\Aaron\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-26052549-n\msvcr71.dll

2010-02-07 03:56 . 2010-02-07 03:56 503808 ----a-w- c:\documents and settings\Aaron\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-26052549-n\msvcp71.dll

2010-02-07 03:56 . 2010-02-07 03:56 499712 ----a-w- c:\documents and settings\Aaron\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-26052549-n\jmc.dll

2010-02-07 03:56 . 2010-02-07 03:56 61440 ----a-w- c:\documents and settings\Aaron\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-76234a0b-n\decora-sse.dll

2010-02-07 03:56 . 2010-02-07 03:56 12800 ----a-w- c:\documents and settings\Aaron\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-76234a0b-n\decora-d3d.dll

2010-02-07 03:56 . 2010-02-07 03:56 -------- d-----w- c:\program files\Common Files\Java

2010-02-07 03:33 . 2010-02-07 03:33 -------- d-----w- C:\_OTL

2010-02-05 01:07 . 2010-02-05 01:07 388096 ----a-r- c:\documents and settings\Aaron\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe

2010-02-05 01:07 . 2010-02-05 01:07 -------- d-----w- c:\program files\TrendMicro

2010-02-04 04:15 . 2010-02-04 04:15 -------- d-----w- c:\program files\iPod

2010-02-04 04:14 . 2010-02-04 04:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer

2010-02-03 01:41 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-02-03 01:40 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-02-03 01:40 . 2010-02-03 03:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-01-23 01:51 . 2010-01-23 01:51 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-02-18 06:35 . 2008-10-14 07:12 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-02-15 17:56 . 2008-11-07 13:46 -------- d-----w- c:\documents and settings\Aaron\Application Data\Yahoo!

2010-02-12 05:34 . 2008-10-13 02:45 -------- d-----w- c:\documents and settings\Aaron\Application Data\LimeWire

2010-02-12 02:33 . 2008-11-23 09:05 -------- d-----w- c:\program files\QuickTime

2010-02-10 03:52 . 2008-11-18 01:27 -------- d-----w- c:\program files\Common Files\Symantec Shared

2010-02-10 03:51 . 2009-08-16 18:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2010-02-10 03:32 . 2009-09-15 07:47 -------- d-----w- c:\program files\Roxio

2010-02-07 03:55 . 2009-04-22 01:43 411368 ----a-w- c:\windows\system32\deploytk.dll

2010-02-04 04:20 . 2008-11-23 09:09 -------- d-----w- c:\program files\iTunes

2010-02-04 04:15 . 2008-10-14 06:56 -------- d-----w- c:\program files\Common Files\Apple

2010-02-03 01:43 . 2009-03-27 21:21 -------- d-----w- c:\documents and settings\Aaron\Application Data\Malwarebytes

2010-02-03 01:40 . 2009-03-27 21:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-02-02 03:56 . 2008-10-12 23:44 -------- d-----w- c:\program files\LimeWire

2010-02-02 03:45 . 2008-10-13 02:38 -------- d-----w- c:\program files\Google

2010-02-02 03:37 . 2009-04-03 04:23 -------- d-----w- c:\documents and settings\Aaron\Application Data\SUPERAntiSpyware.com

2010-02-02 03:35 . 2008-10-13 02:37 -------- d-----w- c:\program files\Java

2010-02-02 03:26 . 2009-12-28 19:00 -------- d-----w- c:\documents and settings\All Users\Application Data\WindSolutions

2010-01-17 00:42 . 2010-01-16 00:41 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-01-16 16:20 . 2009-12-11 18:30 79488 ----a-w- c:\documents and settings\Aaron\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

2010-01-13 04:44 . 2010-01-13 04:44 85904 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-01-13 04:40 . 2009-04-03 05:08 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-01-13 03:45 . 2009-10-19 00:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-01-13 03:40 . 2009-10-02 06:26 -------- d-----w- c:\documents and settings\Aaron\Application Data\GetRightToGo

2010-01-13 03:19 . 2009-09-20 18:37 -------- d-----w- c:\program files\Music Liberator 5.5

2009-12-31 16:50 . 2002-08-29 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys

2009-12-28 19:00 . 2009-12-28 19:00 -------- d-----w- c:\documents and settings\Aaron\Application Data\WindSolutions

2009-12-28 18:54 . 2009-12-28 18:08 -------- d-----w- c:\documents and settings\Aaron\Application Data\Music Liberator

2009-12-21 19:14 . 2002-08-29 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2009-12-16 18:43 . 2009-04-19 04:41 343040 ----a-w- c:\windows\system32\mspaint.exe

2009-12-14 07:08 . 2002-08-29 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-12-08 19:27 . 2002-08-29 12:00 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe

2009-12-08 18:43 . 2002-08-29 01:04 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe

2009-12-04 18:22 . 2002-08-29 12:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2009-11-27 17:11 . 2002-08-29 12:00 1291776 ----a-w- c:\windows\system32\quartz.dll

2009-11-27 17:11 . 2001-08-17 22:36 17920 ----a-w- c:\windows\system32\msyuv.dll

2009-11-27 16:07 . 2002-08-29 12:00 28672 ----a-w- c:\windows\system32\msvidc32.dll

2009-11-27 16:07 . 2001-08-17 22:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll

2009-11-27 16:07 . 2002-08-29 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-11-27 16:07 . 2002-08-29 12:00 11264 ----a-w- c:\windows\system32\msrle32.dll

2009-11-27 16:07 . 2001-08-17 22:36 48128 ----a-w- c:\windows\system32\iyuv_32.dll

2009-11-21 15:51 . 2002-08-29 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll

2009-04-09 04:05 . 2009-04-09 04:05 74302760 ----a-w- c:\program files\iTunesSetup.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-07-28 4841472]

"nwiz"="nwiz.exe" [2003-07-28 323584]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-08-25 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-08-25 81920]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-08-10 221184]

"DMXLauncher"="c:\program files\Roxio\Media Experience\DMXLauncher.exe" [2006-08-14 102400]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"16722:TCP"= 16722:TCP:BitComet 16722 TCP

"16722:UDP"= 16722:UDP:BitComet 16722 UDP

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2/11/2010 7:26 AM 108289]

S3 AVSNDISIM;AVSNDISIM Service;c:\windows\system32\DRIVERS\AVSNDISIMDriver.sys --> c:\windows\system32\DRIVERS\AVSNDISIMDriver.sys [?]

S3 AVSNDISIMMP;AVSNDISIMMP;c:\windows\system32\DRIVERS\AVSNDISIMDriver.sys --> c:\windows\system32\DRIVERS\AVSNDISIMDriver.sys [?]

S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2/19/2009 9:09 AM 2944]

S3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2/19/2009 9:09 AM 60416]

S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [2/19/2009 9:09 AM 11008]

S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [2/19/2009 9:08 AM 10368]

S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [7/14/2009 8:15 PM 42112]

S3 VAD_DEV;Virtual Audio Service;c:\windows\system32\drivers\vad.sys --> c:\windows\system32\drivers\vad.sys [?]

.

Contents of the 'Scheduled Tasks' folder

2010-02-14 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.att.net/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm

IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm

IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)

Notify-NavLogon - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-02-18 22:33

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1692)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Motive\McciCMService.exe

c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

c:\windows\System32\nvsvc32.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe

.

**************************************************************************

.

Completion time: 2010-02-18 22:39:50 - machine was rebooted

ComboFix-quarantined-files.txt 2010-02-19 04:39

Pre-Run: 76,438,237,184 bytes free

Post-Run: 76,367,097,856 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - BFB2ADD9FAD0ED08D235DDA07EA80DDB

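As an added example (not part of this thread and not ComboFix's own code), a small Python parser for the "Reg Loading Points" section of a ComboFix log like the one posted above. It is run over constructed sample lines modelled on that log and pulls out the two items the helper's firewall and P2P checks hinge on: the Security Center override values and the programs authorized through the Windows XP firewall. The sample text and function names are this example's own.

```python
# Added example (not ComboFix's own code): parse the 'Reg Loading Points'
# section of a ComboFix-style log and pull out the two things the helper's
# firewall and P2P checks turn on. SAMPLE_LOG is constructed from the log
# above; the function names are this example's own.
import re
from collections import OrderedDict

# Raw string: backslashes exactly as a ComboFix log prints them.
SAMPLE_LOG = r"""
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"""

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')
PATH_RE = re.compile(r'^"(?P<path>[^"]*)"')


def parse_loading_points(text):
    """Map each registry key to a list of (name, value): int for dword
    entries, str for quoted paths (trailing "[date size]" dropped), None
    for bare "name"= lines such as the firewall AuthorizedApplications list."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # new registry key
            sections.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue                      # not a value line
        name, value = m.group("name"), m.group("value")
        if value.startswith("dword:"):
            parsed = int(value[len("dword:"):], 16)
        elif value.startswith('"'):
            parsed = PATH_RE.match(value).group("path")
        else:
            parsed = None
        sections[current].append((name, parsed))
    return sections


def security_center_overrides(sections):
    """Names of Security Center *Override values that are non-zero: with
    these set, XP stops warning that no antivirus or firewall is active."""
    found = []
    for key, entries in sections.items():
        if key.lower().endswith("security center"):
            found.extend(n for n, v in entries if n.endswith("Override") and v)
    return found


def firewall_authorized_apps(sections):
    """Programs allowed through the XP firewall (REGEDIT4 doubled backslashes unescaped)."""
    paths = []
    for key, entries in sections.items():
        if "authorizedapplications" in key.lower():
            paths.extend(n.replace("\\\\", "\\") for n, _ in entries)
    return paths
```

Run against a full ComboFix.txt, the two override names and a P2P client in the authorized list are exactly the findings that prompted the firewall step and the LimeWire/BitComet removal request in this thread.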

Your logs showed some peer-to-peer filesharing apps: Limewire & BitComet.

Remove them, along with any other P-2-P program before we continue, and confirm having done so.

I do not recommend their use since such filesharing/downloading from unknown sources is one of the leading causes of transmission of malware.

File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

P2P file sharing: Know the risks

It is also forum policy to not support cases having P-2-P programs.


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
