
Google redirect and fsharproj



Last Wednesday I "acquired" a Google redirect virus. This or something else seems to have loaded a lot of nasty stuff onto my computer, including something that blocked Avira from being updated. I normally run Avira constantly and run Malware Bytes frequently when I think I've been exposed. Unfortunately I did the stupid thing of turning Avira off because I thought it was making the computer really slow. I ran defogger on Thursday and have left CD emulation disabled. I have finally been able to update Avira (by removing it with the control panel, running an Avira key cleaner, and doing a fresh install). Since reloading Avira (a newer version) it has been periodically blocking attempts to access file D:\Autorun.inf. My D: partition was created by HP and only contains a copy of the operating system.

After running both Malwarebytes and Avira repeatedly and alternately I have finally achieved a clean Avira scan and a nearly clean Malwarebytes scan - it still shows fsharproj and it either fails to remove it, or it gets reloaded right away. I still have the Google redirect problem, but I stopped using it and removed it as my home page.

So I need to fix the redirect problem plus whatever is making fsharproj persist.

I've attached the requested logs, but after running GMER for many, many hours my computer rebooted itself and ran chkdsk - losing the file. I'm not sure what kind of problem caused that.

Malwarebytes' Anti-Malware 1.51.0.1200

www.malwarebytes.org

Database version: 6899

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/20/2011 11:47:14 AM

mbam-log-2011-06-20 (11-47-14).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 377754

Time elapsed: 7 hour(s), 44 minute(s), 40 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

.

DDS (Ver_2011-06-12.02) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23

Run by Owner at 12:51:05 on 2011-06-20

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.158 [GMT -7:00]

.

AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\WINDOWS\system32\agrsmsvc.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

C:\Program Files\Common Files\Motive\McciCMService.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\Yahoo!\browser\ybrwicon.exe

C:\WINDOWS\system32\VTTimer.exe

C:\HP\KBD\KBD.EXE

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\System32\hphmon05.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\WINDOWS\ALCXMNTR.EXE

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = about:blank

uSearch Bar =

uInternet Connection Wizard,ShellNext = hxxp://yahoo.sbc.com/dsl

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll

BHO: {014f2dca-54a8-4544-8766-9c98a03a343f} - c:\windows\system32\Audio3D32.dll

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: 3033dba9: {1d4be1cf-7ea5-a953-5c94-a43862a54cf4} - c:\windows\system32\ialmrnt532.dll

BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File

TB: {A057A204-BACC-4D26-9F9D-3BEFCFBE6E86} - No File

TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File

TB: {C7768536-96F8-4001-B1A2-90EE21279187} - No File

EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File

EB: hp view: {8f4902b6-6c04-4ade-8052-aa58578a21bd} - c:\windows\system32\Shdocvw.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [YBrowser] c:\program files\yahoo!\browser\ybrwicon.exe

mRun: [VTTimer] VTTimer.exe

mRun: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

mRun: [updateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r

mRun: [Reminder] "c:\windows\creator\Remind_XP.exe"

mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE

mRun: [PS2] c:\windows\system32\ps2.exe

mRun: [PRISMSVR.EXE] "c:\windows\system32\PRISMSVR.EXE" /APPLY

mRun: [KBD] c:\hp\kbd\KBD.EXE

mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe

mRun: [HPHmon05] c:\windows\system32\hphmon05.exe

mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [AlcxMonitor] ALCXMNTR.EXE

mRun: [AGRSMMSG] AGRSMMSG.exe

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\epsons~1.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\epsons~1.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE

IE: Add To HP Organize... - c:\progra~1\hewlet~1\hporga~1\bin\core.hp.main\SendTo.html

IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000

IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\owner\start menu\programs\imvu\Run IMVU.lnk

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL

Trusted Zone: ameritrade.com

Trusted Zone: tdameritrade.com

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll

DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} - hxxp://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab

DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab

DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - hxxp://launch.gamespyarcade.com/software/launch/alaunch.cab

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab

DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - hxxp://download.yahoo.com/dl/installs/ymail/ymmapi.dll

DPF: {A2E05F45-F127-4092-B9F7-9A02C3E04C77} - hxxp://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin7USA.cab

DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab

DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx

DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-31-0.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} - hxxp://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 192.168.1.254

TCP: Interfaces\{B2EEDFB1-1EF7-44DD-8F85-306238AD1952} : DhcpNameServer = 192.168.1.254

Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll

Notify: igfxcui - igfxsrvc.dll

Notify: WRNotifier - WRLogonNTF.dll

AppInit_DLLs: c:\windows\system32\ialmrnt532.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

Hosts: 127.0.0.1 www.spywareinfo.com

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\ntdc9exx.default\

FF - prefs.js: browser.startup.homepage - yahoo.com

FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npijjiFFPlugin1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll

FF - Ext: StumbleUpon: {AE93811A-5C9A-4d34-8462-F7B864FC4696} - %profile%\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}

FF - Ext: Adblock: {34274bf4-1d97-a289-e984-17e546307e4f} - %profile%\extensions\{34274bf4-1d97-a289-e984-17e546307e4f}

FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}

FF - Ext: IE Tab: {77b819fa-95ad-4f2c-ac7c-486b356188a9} - %profile%\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: XUL Cache: {5dd9dc6d-18cc-4c3f-bbd4-16c8eed5cc85} - %profile%\extensions\{5dd9dc6d-18cc-4c3f-bbd4-16c8eed5cc85}

FF - Ext: XUL Cache: {c975d69b-e210-42b7-8a5f-8608722e8308} - %profile%\extensions\{c975d69b-e210-42b7-8a5f-8608722e8308}

FF - Ext: XUL Cache: {d0bcf974-8ea8-4ac6-8023-304c7ed641dd} - %profile%\extensions\{d0bcf974-8ea8-4ac6-8023-304c7ed641dd}

FF - Ext: XUL Cache: {ed16464e-0040-4e7a-beb3-bf8b3ddefcf2} - %profile%\extensions\{ed16464e-0040-4e7a-beb3-bf8b3ddefcf2}

FF - Ext: XUL Cache: {8c6c368f-56a9-469e-9bb9-998825f424c8} - %profile%\extensions\{8c6c368f-56a9-469e-9bb9-998825f424c8}

FF - Ext: XUL Cache: {e447c891-0f34-46b9-9d3f-ba7281df68fe} - %profile%\extensions\{e447c891-0f34-46b9-9d3f-ba7281df68fe}

FF - Ext: XUL Cache: {2b747b40-3541-447d-99a1-54a43eb308a9} - %profile%\extensions\{2b747b40-3541-447d-99a1-54a43eb308a9}

FF - Ext: XUL Cache: {47e7afaa-e0ac-4478-acbb-357913237b1a} - %profile%\extensions\{47e7afaa-e0ac-4478-acbb-357913237b1a}

FF - Ext: XUL Cache: {504a38b5-1a04-41b3-bc96-c53e4f2e37ca} - %profile%\extensions\{504a38b5-1a04-41b3-bc96-c53e4f2e37ca}

FF - Ext: XUL Cache: {43467305-1718-458f-9a8c-2dcac370f6d5} - %profile%\extensions\{43467305-1718-458f-9a8c-2dcac370f6d5}

FF - Ext: XUL Cache: {5d069a26-f1db-4a26-adb1-094ee03e9ea5} - %profile%\extensions\{5d069a26-f1db-4a26-adb1-094ee03e9ea5}

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

.

============= SERVICES / DRIVERS ===============

.

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-6-17 11608]

R1 EPPSCSIx;EPPSCSIx;c:\windows\system32\drivers\EPPSCSI.SYS [2004-12-16 49628]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-6-17 136360]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-6-17 269480]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-6-17 61960]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-10-13 136176]

S3 DCamUSBVeo532;Veo Stingray/Connect Web Camera;c:\windows\system32\drivers\ubVeo532.sys [2002-7-1 95232]

S3 EPUSBSTOR;EPSON USB Storage Driver;c:\windows\system32\drivers\epusbsto.sys [2004-11-20 17976]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-10-13 136176]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2008-8-9 39984]

.

=============== File Associations ===============

.

regfile=regedit.exe "%1" %*

.

=============== Created Last 30 ================

.

2011-06-18 04:24:37 -------- d-----w- c:\documents and settings\owner\application data\Avira

2011-06-18 04:11:31 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-06-18 04:10:52 -------- d-----w- c:\program files\Avira

2011-06-18 04:10:52 -------- d-----w- c:\documents and settings\all users\application data\Avira

2011-06-18 03:46:00 -------- d-----w- C:\f4ee5476ce7ade7fe1ed707ca5

2011-06-15 04:42:35 0 ---ha-w- c:\documents and settings\owner\ixgketsqzg.tmp

2011-06-14 21:16:15 -------- d-----w- c:\windows\system32\NtmsData

2011-06-13 09:51:26 167936 ----a-w- c:\windows\system32\ialmrnt532.dll

2011-06-13 09:50:35 365056 ----a-w- c:\windows\system32\Audio3D32.dll

.

==================== Find3M ====================

.

2011-05-29 16:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-29 16:11:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll

2011-04-25 16:11:11 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-04-25 16:11:11 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-04-25 12:01:22 385024 ----a-w- c:\windows\system32\html.iec

2011-04-21 13:37:43 105472 ----a-w- c:\windows\system32\drivers\mup.sys

1998-12-09 02:53:54 99840 ----a-w- c:\program files\common files\IRAABOUT.DLL

1998-12-09 02:53:54 70144 ----a-w- c:\program files\common files\IRAMDMTR.DLL

1998-12-09 02:53:54 48640 ----a-w- c:\program files\common files\IRALPTTR.DLL

1998-12-09 02:53:54 31744 ----a-w- c:\program files\common files\IRAWEBTR.DLL

1998-12-09 02:53:54 186368 ----a-w- c:\program files\common files\IRAREG.DLL

1998-12-09 02:53:54 17920 ----a-w- c:\program files\common files\IRASRIAL.DLL

.

============= FINISH: 12:54:09.01 ===============

attach.zip


Hi and :welcome:

That looks like some bad Firefox extensions.

COMBOFIX

---------------

Please download ComboFix from one of these locations:


Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

[Image: Query_RC.gif]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[Image: RC_successful.gif]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

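A small triage script, added here as an illustration and not part of this thread or of the DDS, Malwarebytes or ComboFix tools, that parses the line formats DDS uses in its Pseudo HJT and FIREFOX sections and flags the patterns a helper reads off a log like the one above: a BHO with no display name or a random-looking one, a DLL pushed into every GUI process through AppInit_DLLs, a hosts-file loopback entry, and one extension name installed under many different GUIDs in the Firefox profile. The sample lines are a constructed subset copied from the DDS log above; the severity labels and heuristics are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the DDS "Pseudo HJT Report" and FIREFOX
# lines posted in this thread, in the exact format DDS prints them.
SAMPLE_DDS = r"""
BHO: {014f2dca-54a8-4544-8766-9c98a03a343f} - c:\windows\system32\Audio3D32.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: 3033dba9: {1d4be1cf-7ea5-a953-5c94-a43862a54cf4} - c:\windows\system32\ialmrnt532.dll
AppInit_DLLs: c:\windows\system32\ialmrnt532.dll
Hosts: 127.0.0.1 www.spywareinfo.com
FF - Ext: Adblock: {34274bf4-1d97-a289-e984-17e546307e4f} - %profile%\extensions\{34274bf4-1d97-a289-e984-17e546307e4f}
FF - Ext: XUL Cache: {5dd9dc6d-18cc-4c3f-bbd4-16c8eed5cc85} - %profile%\extensions\{5dd9dc6d-18cc-4c3f-bbd4-16c8eed5cc85}
FF - Ext: XUL Cache: {c975d69b-e210-42b7-8a5f-8608722e8308} - %profile%\extensions\{c975d69b-e210-42b7-8a5f-8608722e8308}
FF - Ext: XUL Cache: {d0bcf974-8ea8-4ac6-8023-304c7ed641dd} - %profile%\extensions\{d0bcf974-8ea8-4ac6-8023-304c7ed641dd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
"""

GUID = r"\{[0-9a-f-]{36}\}"
# "BHO: <optional display name>: {CLSID} - <dll path>"
BHO_RE = re.compile(rf"^BHO: (?:(?P<name>.+?): )?(?P<clsid>{GUID}) - (?P<path>.+)$", re.I)
# "FF - Ext: <display name>: <id> - <install path>"  (id is a GUID or an e-mail-style id)
FFEXT_RE = re.compile(rf"^FF - Ext: (?P<name>.+?): (?P<id>{GUID}|\S+) - (?P<path>.+)$", re.I)
APPINIT_RE = re.compile(r"^AppInit_DLLs: (?P<dlls>.+)$", re.I)
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+) (?P<host>\S+)$", re.I)
# A BHO "name" that is just a run of hex digits is a generated token, not a product name.
HEXISH = re.compile(r"^[0-9a-f]{6,}$", re.I)


def triage(dds_text):
    """Return a list of (severity, reason, evidence) tuples for one DDS log.

    Severities ("medium", "high", "critical") are this example's own scale.
    """
    findings = []
    bho_by_path = {}               # lowercased dll path -> display name (or None)
    appinit_dlls = set()           # lowercased dll paths from AppInit_DLLs
    ff_by_name = defaultdict(list) # extension display name -> [(id, install path)]

    for raw in dds_text.splitlines():
        line = raw.strip()
        if m := BHO_RE.match(line):
            name, path = m["name"], m["path"].lower()
            bho_by_path[path] = name
            if name is None:
                findings.append(("high", "BHO registered without a display name", line))
            elif HEXISH.match(name):
                findings.append(("high", "BHO display name looks machine-generated", line))
        elif m := APPINIT_RE.match(line):
            # The registry value is space- or comma-delimited (8.3 names are used
            # for paths with spaces), so splitting on both is safe.
            for dll in re.split(r"[ ,]+", m["dlls"].strip()):
                appinit_dlls.add(dll.lower())
                findings.append(("high", "DLL loaded into every GUI process via AppInit_DLLs", dll))
        elif m := HOSTS_RE.match(line):
            # DDS only prints non-default hosts entries; a site pinned to loopback
            # is the classic way malware blocks security vendors' sites.
            if m["ip"].startswith("127.") and m["host"].lower() != "localhost":
                findings.append(("medium", "hosts file pins a site to loopback", line))
        elif m := FFEXT_RE.match(line):
            ff_by_name[m["name"].lower()].append((m["id"], m["path"]))

    # Correlation: the same DLL registered as a BHO and injected via AppInit_DLLs
    # is two persistence mechanisms for one component.
    for dll in sorted(appinit_dlls & set(bho_by_path)):
        findings.append(("critical", "same DLL is both a BHO and an AppInit_DLLs entry", dll))

    # One display name installed under several different GUIDs inside the profile
    # is cloning, not a legitimate add-on update.
    for name, entries in ff_by_name.items():
        profile_ids = {ext_id for ext_id, path in entries if path.lower().startswith("%profile%")}
        if len(profile_ids) > 1:
            findings.append(("high",
                             f"{len(profile_ids)} copies of extension '{name}' with different ids in the profile",
                             ", ".join(sorted(profile_ids))))
    return findings


if __name__ == "__main__":
    for severity, reason, evidence in triage(SAMPLE_DDS):
        print(f"[{severity:8}] {reason}: {evidence}")
```

The heuristics are deliberately conservative; a legitimate product can occasionally register an unnamed BHO, so each finding is a pointer for a human reviewer rather than a verdict.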

Thanks, Elise - I was beginning to feel overlooked...

I ran ComboFix - it sure seems to do a lot of stuff. I haven't checked to see if my original problems are gone yet, but Internet Explorer didn't want to open, although Mozilla opened right up. IE finally opened on the third try.

Thanks for your help - it looks like my computer had a lot of garbage on it, in spite of running two different virus programs. Doug

Here is the log:

ComboFix 11-06-22.02 - Owner 06/22/2011 22:40:52.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.136 [GMT -7:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\documents and settings\Default User\WINDOWS

c:\documents and settings\Owner\Application Data\Microsoft\~DFK1dc1551.tmp

c:\documents and settings\Owner\Application Data\Microsoft\1eaadjc.dll

c:\documents and settings\Owner\Application Data\Microsoft\bass.dll

c:\documents and settings\Owner\Application Data\Microsoft\kfgresk.dll

c:\documents and settings\Owner\Application Data\Microsoft\mjcriu.dll

c:\documents and settings\Owner\Application Data\Microsoft\peaadje.dll

c:\documents and settings\Owner\Application Data\Microsoft\qwadjb.dll

c:\documents and settings\Owner\Application Data\Microsoft\rsaadjd.dll

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{1d3ba1a6-5777-49ad-8b95-1dac137eec86}

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{1d3ba1a6-5777-49ad-8b95-1dac137eec86}\chrome.manifest

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{1d3ba1a6-5777-49ad-8b95-1dac137eec86}\chrome\xulcache.jar

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{1d3ba1a6-5777-49ad-8b95-1dac137eec86}\defaults\preferences\xulcache.js

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{1d3ba1a6-5777-49ad-8b95-1dac137eec86}\install.rdf

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{2b747b40-3541-447d-99a1-54a43eb308a9}

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{2b747b40-3541-447d-99a1-54a43eb308a9}\chrome.manifest

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{2b747b40-3541-447d-99a1-54a43eb308a9}\chrome\xulcache.jar

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{2b747b40-3541-447d-99a1-54a43eb308a9}\defaults\preferences\xulcache.js

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{2b747b40-3541-447d-99a1-54a43eb308a9}\install.rdf

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{43467305-1718-458f-9a8c-2dcac370f6d5}

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{43467305-1718-458f-9a8c-2dcac370f6d5}\chrome.manifest

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{43467305-1718-458f-9a8c-2dcac370f6d5}\chrome\xulcache.jar

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{43467305-1718-458f-9a8c-2dcac370f6d5}\defaults\preferences\xulcache.js

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{43467305-1718-458f-9a8c-2dcac370f6d5}\install.rdf

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{47e7afaa-e0ac-4478-acbb-357913237b1a}

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{47e7afaa-e0ac-4478-acbb-357913237b1a}\chrome.manifest

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{47e7afaa-e0ac-4478-acbb-357913237b1a}\chrome\xulcache.jar

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{47e7afaa-e0ac-4478-acbb-357913237b1a}\defaults\preferences\xulcache.js

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{47e7afaa-e0ac-4478-acbb-357913237b1a}\install.rdf

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{504a38b5-1a04-41b3-bc96-c53e4f2e37ca}

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{504a38b5-1a04-41b3-bc96-c53e4f2e37ca}\chrome.manifest

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{504a38b5-1a04-41b3-bc96-c53e4f2e37ca}\chrome\xulcache.jar

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{504a38b5-1a04-41b3-bc96-c53e4f2e37ca}\defaults\preferences\xulcache.js

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{504a38b5-1a04-41b3-bc96-c53e4f2e37ca}\install.rdf

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{5d069a26-f1db-4a26-adb1-094ee03e9ea5}

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{5d069a26-f1db-4a26-adb1-094ee03e9ea5}\chrome.manifest

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{5d069a26-f1db-4a26-adb1-094ee03e9ea5}\chrome\xulcache.jar

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{5d069a26-f1db-4a26-adb1-094ee03e9ea5}\defaults\preferences\xulcache.js

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{5d069a26-f1db-4a26-adb1-094ee03e9ea5}\install.rdf

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{5dd9dc6d-18cc-4c3f-bbd4-16c8eed5cc85}

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{5dd9dc6d-18cc-4c3f-bbd4-16c8eed5cc85}\chrome.manifest

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{5dd9dc6d-18cc-4c3f-bbd4-16c8eed5cc85}\chrome\xulcache.jar

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{5dd9dc6d-18cc-4c3f-bbd4-16c8eed5cc85}\defaults\preferences\xulcache.js

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{5dd9dc6d-18cc-4c3f-bbd4-16c8eed5cc85}\install.rdf

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{8c6c368f-56a9-469e-9bb9-998825f424c8}

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{8c6c368f-56a9-469e-9bb9-998825f424c8}\chrome.manifest

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{8c6c368f-56a9-469e-9bb9-998825f424c8}\chrome\xulcache.jar

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{8c6c368f-56a9-469e-9bb9-998825f424c8}\defaults\preferences\xulcache.js

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{8c6c368f-56a9-469e-9bb9-998825f424c8}\install.rdf

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{c975d69b-e210-42b7-8a5f-8608722e8308}

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{c975d69b-e210-42b7-8a5f-8608722e8308}\chrome.manifest

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{c975d69b-e210-42b7-8a5f-8608722e8308}\chrome\xulcache.jar

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{c975d69b-e210-42b7-8a5f-8608722e8308}\defaults\preferences\xulcache.js

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{c975d69b-e210-42b7-8a5f-8608722e8308}\install.rdf

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{d0bcf974-8ea8-4ac6-8023-304c7ed641dd}

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{d0bcf974-8ea8-4ac6-8023-304c7ed641dd}\chrome.manifest

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{d0bcf974-8ea8-4ac6-8023-304c7ed641dd}\chrome\xulcache.jar

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{d0bcf974-8ea8-4ac6-8023-304c7ed641dd}\defaults\preferences\xulcache.js

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{d0bcf974-8ea8-4ac6-8023-304c7ed641dd}\install.rdf

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{e447c891-0f34-46b9-9d3f-ba7281df68fe}

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{e447c891-0f34-46b9-9d3f-ba7281df68fe}\chrome.manifest

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{e447c891-0f34-46b9-9d3f-ba7281df68fe}\chrome\xulcache.jar

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{e447c891-0f34-46b9-9d3f-ba7281df68fe}\defaults\preferences\xulcache.js

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{e447c891-0f34-46b9-9d3f-ba7281df68fe}\install.rdf

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{ed16464e-0040-4e7a-beb3-bf8b3ddefcf2}

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{ed16464e-0040-4e7a-beb3-bf8b3ddefcf2}\chrome.manifest

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{ed16464e-0040-4e7a-beb3-bf8b3ddefcf2}\chrome\xulcache.jar

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{ed16464e-0040-4e7a-beb3-bf8b3ddefcf2}\defaults\preferences\xulcache.js

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{ed16464e-0040-4e7a-beb3-bf8b3ddefcf2}\install.rdf

c:\documents and settings\Owner\jaudioMp3Win.tar

c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mcc3C.tmp

c:\documents and settings\Owner\RedSwoosh-2.115-115.dll

c:\documents and settings\Owner\WINDOWS

c:\program files\CleanUp

c:\program files\CleanUp\Help\English.Resident.chm

c:\program files\CleanUp\HijackThis\HijackThis.exe

c:\program files\CleanUp\Includes\Adware.sbi

c:\program files\CleanUp\Includes\AdwareC.sbi

c:\program files\CleanUp\Includes\DialerC.sbi

c:\program files\CleanUp\Includes\HeavyDuty.sbi

c:\program files\CleanUp\Includes\HijackersC.sbi

c:\program files\CleanUp\Includes\KeyloggersC.sbi

c:\program files\CleanUp\Includes\MalwareC.sbi

c:\program files\CleanUp\Includes\PUPS.sbi

c:\program files\CleanUp\Includes\PUPSC.sbi

c:\program files\CleanUp\Includes\SecurityC.sbi

c:\program files\CleanUp\Includes\Services.sbs

c:\program files\CleanUp\Includes\SpybotsC.sbi

c:\program files\CleanUp\Includes\Spyware.sbi

c:\program files\CleanUp\Includes\SpywareC.sbi

c:\program files\CleanUp\Includes\TrojansC.sbi

c:\program files\CleanUp\Plugins\TCPIPAddress.dll

c:\program files\CleanUp\Updates\advcheck.zip

c:\program files\CleanUp\Updates\clsid.zip

c:\program files\CleanUp\Updates\help.english.zip

c:\program files\CleanUp\Updates\helpres.english.zip

c:\program files\CleanUp\Updates\includes.zip

c:\program files\CleanUp\Updates\lang.english.zip

c:\program files\CleanUp\Updates\mainapp160.zip

c:\program files\CleanUp\Updates\online.ini

c:\program files\CleanUp\Updates\plugtcpip.zip

c:\program files\CleanUp\Updates\sbsd160upd.exe

c:\program files\CleanUp\Updates\startup.zip

c:\windows\system32\config\systemprofile\WINDOWS

c:\windows\system32\klnmp.bak1

c:\windows\system32\klnmp.bak2

c:\windows\system32\klnmp.ini

c:\windows\system32\klnmp.tmp

D:\Autorun.inf

.

----- BITS: Possible infected sites -----

.

hxxp://au.downloj+|Cv+@J:NGD_DQ{zcxLJS@5dBt+fj.WU Client DownloadS-1-5-18`HT4?? 6VwoQZCDHMs

hxxp://a

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_ZESOFT

.

.

((((((((((((((((((((((((( Files Created from 2011-05-23 to 2011-06-23 )))))))))))))))))))))))))))))))

.

.

2011-06-23 02:17 . 2011-06-23 02:17 -------- d-----w- C:\7dea6ba6796f9aaaffcde647872d

2011-06-22 04:46 . 2011-06-22 04:46 -------- d-----w- c:\documents and settings\Owner\Application Data\AVG10

2011-06-22 04:40 . 2011-06-22 04:40 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files

2011-06-22 04:30 . 2011-06-23 05:27 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10

2011-06-22 04:27 . 2011-06-22 04:27 -------- d-----w- c:\program files\AVG

2011-06-22 04:16 . 2011-06-23 05:25 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData

2011-06-18 04:24 . 2011-06-18 04:24 -------- d-----w- c:\documents and settings\Owner\Application Data\Avira

2011-06-18 04:11 . 2011-04-02 00:07 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-06-18 04:11 . 2011-04-02 00:07 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys

2011-06-18 04:11 . 2010-06-17 22:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2011-06-18 04:11 . 2010-06-17 22:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2011-06-18 04:10 . 2011-06-18 04:10 -------- d-----w- c:\program files\Avira

2011-06-18 04:10 . 2011-06-18 04:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2011-06-18 03:46 . 2011-06-18 03:46 -------- d-----w- C:\f4ee5476ce7ade7fe1ed707ca5

2011-06-15 04:42 . 2011-06-15 04:42 0 ---ha-w- c:\documents and settings\Owner\ixgketsqzg.tmp

2011-06-14 21:16 . 2011-06-23 00:04 -------- d-----w- c:\windows\system32\NtmsData

2011-06-13 09:51 . 2011-06-13 09:51 167936 ----a-w- c:\windows\system32\ialmrnt532.dll

2011-06-13 09:50 . 2011-06-13 09:50 365056 ----a-w- c:\windows\system32\Audio3D32.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-05-29 16:11 . 2008-08-10 05:10 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-29 16:11 . 2008-08-10 05:10 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-05-02 15:31 . 2003-03-04 06:57 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-04-29 16:19 . 2004-04-01 04:49 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-04-25 16:11 . 2004-01-22 07:16 916480 ----a-w- c:\windows\system32\wininet.dll

2011-04-25 16:11 . 2004-05-20 17:52 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-04-25 16:11 . 2004-05-20 17:52 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-04-25 12:01 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec

2011-04-21 13:37 . 2004-05-20 17:31 105472 ----a-w- c:\windows\system32\drivers\mup.sys

1998-12-09 02:53 . 1998-12-09 02:53 99840 ----a-w- c:\program files\Common Files\IRAABOUT.DLL

1998-12-09 02:53 . 1998-12-09 02:53 70144 ----a-w- c:\program files\Common Files\IRAMDMTR.DLL

1998-12-09 02:53 . 1998-12-09 02:53 48640 ----a-w- c:\program files\Common Files\IRALPTTR.DLL

1998-12-09 02:53 . 1998-12-09 02:53 31744 ----a-w- c:\program files\Common Files\IRAWEBTR.DLL

1998-12-09 02:53 . 1998-12-09 02:53 186368 ----a-w- c:\program files\Common Files\IRAREG.DLL

1998-12-09 02:53 . 1998-12-09 02:53 17920 ----a-w- c:\program files\Common Files\IRASRIAL.DLL

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{014F2DCA-54A8-4544-8766-9C98A03A343f}]

2011-06-13 09:50 365056 ----a-w- c:\windows\system32\Audio3D32.dll

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1D4BE1CF-7EA5-A953-5C94-A43862A54CF4}]

2011-06-13 09:51 167936 ----a-w- c:\windows\system32\ialmrnt532.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

"YBrowser"="c:\program files\Yahoo!\browser\ybrwicon.exe" [2003-07-11 57344]

"VTTimer"="VTTimer.exe" [2005-03-08 53248]

"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]

"Reminder"="c:\windows\Creator\Remind_XP.exe" [2003-12-18 118784]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]

"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]

"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-08 52736]

"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-08-21 483328]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]

"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]

"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 88209]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

EPSON Status Monitor 3 Environment Check 2.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2004-11-20 135680]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\system32\ialmrnt532.dll

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackupNotify]

2004-01-09 09:34 32768 ----a-w- c:\program files\HP\Digital Imaging\bin\BackupNotify.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2009-11-13 00:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]

2003-02-12 03:02 61440 ----a-w- c:\hp\KBD\kbd.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]

2006-11-20 20:55 380928 ----a-w- c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2010-05-14 19:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"wuauserv"=2 (0x2)

"JavaQuickStarterService"=2 (0x2)

"AntiVirService"=2 (0x2)

"AntiVirSchedulerService"=2 (0x2)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\RadLight Company\\RadLight 4.0\\rlkernel.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\ijji\\ENGLISH\\u_gbound.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=

"c:\\Program Files\\Age Of Empires II\\empires2.EXE"=

"c:\\Program Files\\Age Of Empires II\\age2_x1.exe"=

"c:\\Program Files\\Apprentice\\Appr.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Infogrames Interactive\\Civilization III\\Conquests\\Civ3Conquests.exe"=

"c:\\Program Files\\Gunbound\\GunboundRV\\Gunbound Revolution\\GunBound.gme"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\LieroX\\LieroX v0.56 Pack 1.8\\LieroX.exe"=

"c:\\Program Files\\Wizet\\MapleStory\\MapleStory.exe"=

"c:\\WINDOWS\\system32\\dplaysvr.exe"=

"c:\\WINDOWS\\system32\\dpnsvr.exe"=

"c:\\WINDOWS\\system32\\mmc.exe"=

"c:\\Program Files\\Wizet\\MapleStory\\Patcher.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Starcraft\\StarCraft.exe"=

"c:\\Dynamix\\Tribes2\\GameData\\Tribes2.exe"=

"c:\\Program Files\\WoS\\Souls.exe"=

"c:\\Program Files\\Xfire\\xfire.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"9420:TCP"= 9420:TCP:*:Disabled:Red Swoosh

"23400:TCP"= 23400:TCP:*:Disabled:LieroX

"23400:UDP"= 23400:UDP:*:Disabled:Liero2

"5000:UDP"= 5000:UDP:*:Disabled:Red Swoosh

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)

.

R1 EPPSCSIx;EPPSCSIx;c:\windows\system32\drivers\EPPSCSI.SYS [12/16/2004 1:58 AM 49628]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/17/2011 9:11 PM 136360]

S3 DCamUSBVeo532;Veo Stingray/Connect Web Camera;c:\windows\system32\drivers\ubVeo532.sys [7/1/2002 7:30 PM 95232]

S3 EPUSBSTOR;EPSON USB Storage Driver;c:\windows\system32\drivers\epusbsto.sys [11/20/2004 8:24 PM 17976]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [8/9/2008 10:10 PM 39984]

.

Contents of the 'Scheduled Tasks' folder

.

2011-06-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-13 07:17]

.

2011-06-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-13 07:17]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uInternet Connection Wizard,ShellNext = hxxp://yahoo.sbc.com/dsl

IE: Add To HP Organize... - c:\progra~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk

Trusted Zone: ameritrade.com

Trusted Zone: tdameritrade.com

TCP: DhcpNameServer = 192.168.1.254

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\

FF - prefs.js: browser.startup.homepage - yahoo.com

FF - Ext: StumbleUpon: {AE93811A-5C9A-4d34-8462-F7B864FC4696} - %profile%\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}

FF - Ext: Adblock: {34274bf4-1d97-a289-e984-17e546307e4f} - %profile%\extensions\{34274bf4-1d97-a289-e984-17e546307e4f}

FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}

FF - Ext: IE Tab: {77b819fa-95ad-4f2c-ac7c-486b356188a9} - %profile%\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

.

- - - - ORPHANS REMOVED - - - -

.

WebBrowser-{A057A204-BACC-4D26-9F9D-3BEFCFBE6E86} - (no file)

HKLM-Run-PRISMSVR.EXE - c:\windows\system32\PRISMSVR.EXE

HKLM-Run-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe

MSConfigStartUp-NapsterShell - c:\program files\Napster\napster.exe

MSConfigStartUp-Yahoo! Pager - c:\program files\Yahoo!\Messenger\YahooMessenger.exe

AddRemove-36317AE4-57EC-4F3E-B828-009A3DD96BE8 - c:\program files\WildTangent\Apps\GameChannel\Games\36317AE4-57EC-4F3E-B828-009A3DD96BE8\Uninstall.exe

AddRemove-62067F4C-84A9-45B9-8573-B90468B0A3EF - c:\program files\WildTangent\Apps\GameChannel\Games\62067F4C-84A9-45B9-8573-B90468B0A3EF\Uninstall.exe

AddRemove-6723E59E-322A-417A-8E03-27A61E18253C - c:\program files\WildTangent\Apps\GameChannel\Games\6723E59E-322A-417A-8E03-27A61E18253C\Uninstall.exe

AddRemove-8461-7759-5462-8226 - c:\bluimg\azureus\uninstall.exe

AddRemove-8C4E79CC-03E1-43AA-9910-9A5113F24603 - c:\program files\WildTangent\Apps\GameChannel\Games\8C4E79CC-03E1-43AA-9910-9A5113F24603\Uninstall.exe

AddRemove-Ant War - c:\progra~1\ANTWAR~1\UNWISE.EXE

AddRemove-B8610D19-E576-4F91-8A2F-07898D9CA301 - c:\program files\WildTangent\Apps\GameChannel\Games\B8610D19-E576-4F91-8A2F-07898D9CA301\Uninstall.exe

AddRemove-Battle Chess II - Chinese Chess - c:\program files\Interplay Productions\Battle Chess II - Chinese Chess\Uninst.isu

AddRemove-Battle for Wesnoth_is1 - c:\program files\Wesnoth developmental\1-5-0\unins000.exe

AddRemove-BFBCBAE3-8293-4215-9C4F-C2402C118EDB - c:\program files\WildTangent\Apps\GameChannel\Games\BFBCBAE3-8293-4215-9C4F-C2402C118EDB\Uninstall.exe

AddRemove-C2C3C2DB-7D8A-4E20-B527-E3149FAECC3A - c:\program files\WildTangent\Apps\GameChannel\Games\C2C3C2DB-7D8A-4E20-B527-E3149FAECC3A\Uninstall.exe

AddRemove-CampGen_is1 - c:\program files\Wesnoth developmental\CampGen\unins000.exe

AddRemove-D11F7128-8CBD-408B-8BF8-034604DEDD42 - c:\program files\WildTangent\Apps\GameChannel\Games\D11F7128-8CBD-408B-8BF8-034604DEDD42\Uninstall.exe

AddRemove-DA44615A-C243-46A4-8E47-184CFF33CD38 - c:\program files\WildTangent\Apps\GameChannel\Games\DA44615A-C243-46A4-8E47-184CFF33CD38\Uninstall.exe

AddRemove-DAE7A92A-BAC7-42FA-AC62-53DEF1DC4292 - c:\program files\WildTangent\Apps\GameChannel\Games\DAE7A92A-BAC7-42FA-AC62-53DEF1DC4292\Uninstall.exe

AddRemove-E28167F1-3F42-40C7-9119-1D5A97444F10 - c:\program files\WildTangent\Apps\GameChannel\Games\E28167F1-3F42-40C7-9119-1D5A97444F10\Uninstall.exe

AddRemove-F5215F01-DFC0-475D-A910-6F1AF94E807E - c:\program files\WildTangent\Apps\GameChannel\Games\F5215F01-DFC0-475D-A910-6F1AF94E807E\Uninstall.exe

AddRemove-Final Fantasy VII - c:\program files\Square Soft

AddRemove-FlashBoot_is1 - c:\bluimg\FlashBoot\unins000.exe

AddRemove-LSI Soft Modem - c:\windows\agrsmdel

AddRemove-PE Builder_is1 - c:\bluimg\pebuilder3110a\unins000.exe

AddRemove-SBC Self Support Tool - c:\docume~1\Owner\LOCALS~1\Temp\SST\CustomUninstall.exe

AddRemove-Wesnoth_is1 - c:\program files\Wesnoth stable\unins000.exe

AddRemove-WinImage - c:\blusentinal image tools\winimage\winimage.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-06-22 23:12

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-788326353-1235890415-2902446982-1003\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(540)

c:\windows\system32\WININET.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\IEFRAME.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\agrsmsvc.exe

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe

c:\program files\Avira\AntiVir Desktop\avshadow.exe

c:\program files\Common Files\Motive\McciCMService.exe

c:\windows\system32\HPZipm12.exe

c:\windows\system32\SearchIndexer.exe

c:\windows\system32\VTTimer.exe

c:\windows\ALCXMNTR.EXE

c:\windows\AGRSMMSG.exe

.

**************************************************************************

.

Completion time: 2011-06-22 23:39:37 - machine was rebooted

ComboFix-quarantined-files.txt 2011-06-23 06:39

.

Pre-Run: 42,522,517,504 bytes free

Post-Run: 42,564,423,680 bytes free

.

- - End Of File - - 0A3CFD7AC632D1A968AF945357FA37AE


Hi again,

TWO ANTIVIRUS PROGRAMS

---------------------------------------

I do not recommend that you have more than one anti-virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:

  • False Alarms: When the anti-virus software tells you that your PC has a virus when it actually doesn't.
  • System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.

Therefore please go to add/remove in the control panel and remove either AVG or Avira.

CF-SCRIPT

-------------

Open notepad and copy/paste the text in the quotebox below into it:


Collect::
c:\windows\system32\ialmrnt532.dll
c:\windows\system32\Audio3D32.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{014F2DCA-54A8-4544-8766-9C98A03A343f}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1D4BE1CF-7EA5-A953-5C94-A43862A54CF4}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

Save this as CFScript.txt

[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

  • Ensure you are connected to the internet and click OK on the message box.

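The CFScript above removes the two Browser Helper Object registrations and clears AppInit_DLLs because both point at DLLs that appeared in system32 a minute apart on 2011-06-13, inside the log's "Files Created" window. As an added example that is not part of the thread or of ComboFix, the Python script below automates that cross-check on a constructed excerpt of the posted log: it flags every registry load point whose target file is in the recent-files section and marks BHO and AppInit_DLLs entries as high impact.

```python
"""Cross-check ComboFix 'Reg Loading Points' against its 'Files Created' window.
Added example; SAMPLE_LOG is a constructed excerpt of the log posted in the thread."""
import re

SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2011-05-23 to 2011-06-23 )))))))))))))))))))))))))))))))
.
2011-06-18 04:11 . 2011-04-02 00:07 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-06-13 09:51 . 2011-06-13 09:51 167936 ----a-w- c:\windows\system32\ialmrnt532.dll
2011-06-13 09:50 . 2011-06-13 09:50 365056 ----a-w- c:\windows\system32\Audio3D32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{014F2DCA-54A8-4544-8766-9C98A03A343f}]
2011-06-13 09:50 365056 ----a-w- c:\windows\system32\Audio3D32.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1D4BE1CF-7EA5-A953-5C94-A43862A54CF4}]
2011-06-13 09:51 167936 ----a-w- c:\windows\system32\ialmrnt532.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\ialmrnt532.dll
"""

# ComboFix section banner, e.g. "(((( Files Created ... ))))".
SECTION = re.compile(r"^\(+ (?P<name>.+?) \)+$")
# Registry key header inside 'Reg Loading Points'.
KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# 'Files Created' row: created-date time . modified-date time size attrs path
CREATED = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2}) \d{2}:\d{2} \. \S+ \S+ \S+ \S+ (?P<path>[A-Za-z]:\\.+)$"
)
# Quoted value name ("avgnt"=..., "AppInit_DLLs"=...) and a Windows path inside a row.
VALUE_NAME = re.compile(r'^"(?P<name>[^"]+)"=')
WINPATH = re.compile(r'[A-Za-z]:\\[^"\[]+')

# Load points that inject into the browser (BHO) or into every GUI process
# (AppInit_DLLs) are the ones behind the redirect, so they are labelled high impact.
HIGH_IMPACT = ("browser helper objects", "appinit_dlls")


def parse_created(log):
    """Return {lower-cased path: creation date} from the 'Files Created' section."""
    created, section = {}, None
    for line in log.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            section = m.group("name")
            continue
        if section and section.startswith("Files Created"):
            m = CREATED.match(line)
            if m:
                created[m.group("path").strip().lower()] = m.group("created")
    return created


def parse_load_points(log):
    """Yield (location, lower-cased target path) for each 'Reg Loading Points' row;
    location is the registry key plus the value name when the row has one."""
    section = key = None
    for line in log.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            section, key = m.group("name"), None
            continue
        if not (section and section.startswith("Reg Loading Points")):
            continue
        m = KEY.match(line)
        if m:
            key = m.group("key")
            continue
        path = WINPATH.search(line)
        if key and path:
            name = VALUE_NAME.match(line)
            location = key + "\\" + name.group("name") if name else key
            yield location, path.group(0).strip().lower()


def triage(log):
    """Flag every load point whose target file was created inside the log's window.
    Returns {path: {"created": date, "load_points": [...], "high_impact": bool}}."""
    created = parse_created(log)
    findings = {}
    for location, path in parse_load_points(log):
        if path not in created:
            continue  # long-standing file (e.g. the Avira tray app): not flagged
        entry = findings.setdefault(
            path, {"created": created[path], "load_points": [], "high_impact": False}
        )
        entry["load_points"].append(location)
        if any(tag in location.lower() for tag in HIGH_IMPACT):
            entry["high_impact"] = True
    return findings


if __name__ == "__main__":
    for path, info in sorted(triage(SAMPLE_LOG).items()):
        flag = "HIGH" if info["high_impact"] else "low"
        print(f"[{flag}] {path} (created {info['created']})")
        for loc in info["load_points"]:
            print("       loaded via", loc)
```

Run against a full log, the same cross-check also surfaces a Run entry or service pointing at a brand-new file, which is the next thing a helper would look at.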

Elise - I agree - AVG and Avira did not play nicely together. I had hoped to be able to disable AVG's guard function and just use it as another trojan finder - but it (at least the free version) would not allow that. It found two trojans that neither Avira nor Malwarebytes found. ComboFix refused to run while it was installed so it was actually uninstalled before the first ComboFix report. I do have Malware Bytes installed and it plays well with Avira. I won't bother with AVG again.

I ran what you requested and the log is below. ComboFix upgraded to a newer version before I ran it.

Thank you for your help - I was very frustrated.

Doug

ComboFix 11-06-23.01 - Owner 06/23/2011 13:09:07.2.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.211 [GMT -7:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt.lnk

AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{92ba9379-b78a-45cb-97ac-05432a5dbbca}

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{92ba9379-b78a-45cb-97ac-05432a5dbbca}\chrome.manifest

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{92ba9379-b78a-45cb-97ac-05432a5dbbca}\chrome\xulcache.jar

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{92ba9379-b78a-45cb-97ac-05432a5dbbca}\defaults\preferences\xulcache.js

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{92ba9379-b78a-45cb-97ac-05432a5dbbca}\install.rdf

.

.

((((((((((((((((((((((((( Files Created from 2011-05-23 to 2011-06-23 )))))))))))))))))))))))))))))))

.

.

2011-06-23 02:17 . 2011-06-23 11:24 -------- d-----w- C:\7dea6ba6796f9aaaffcde647872d

2011-06-22 04:46 . 2011-06-22 04:46 -------- d-----w- c:\documents and settings\Owner\Application Data\AVG10

2011-06-22 04:40 . 2011-06-22 04:40 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files

2011-06-22 04:30 . 2011-06-23 05:27 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10

2011-06-22 04:27 . 2011-06-22 04:27 -------- d-----w- c:\program files\AVG

2011-06-22 04:16 . 2011-06-23 05:25 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData

2011-06-18 04:24 . 2011-06-18 04:24 -------- d-----w- c:\documents and settings\Owner\Application Data\Avira

2011-06-18 04:11 . 2011-04-02 00:07 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-06-18 04:11 . 2011-04-02 00:07 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys

2011-06-18 04:11 . 2010-06-17 22:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2011-06-18 04:11 . 2010-06-17 22:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2011-06-18 04:10 . 2011-06-18 04:10 -------- d-----w- c:\program files\Avira

2011-06-18 04:10 . 2011-06-18 04:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2011-06-18 03:46 . 2011-06-23 11:24 -------- d-----w- C:\f4ee5476ce7ade7fe1ed707ca5

2011-06-15 04:42 . 2011-06-15 04:42 0 ---ha-w- c:\documents and settings\Owner\ixgketsqzg.tmp

2011-06-14 21:16 . 2011-06-23 00:04 -------- d-----w- c:\windows\system32\NtmsData

2011-06-13 09:51 . 2011-06-13 09:51 167936 ----a-w- c:\windows\system32\ialmrnt532.dll

2011-06-13 09:50 . 2011-06-13 09:50 365056 ----a-w- c:\windows\system32\Audio3D32.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-05-29 16:11 . 2008-08-10 05:10 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-29 16:11 . 2008-08-10 05:10 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-05-02 15:31 . 2003-03-04 06:57 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-04-29 16:19 . 2004-04-01 04:49 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-04-25 16:11 . 2004-01-22 07:16 916480 ----a-w- c:\windows\system32\wininet.dll

2011-04-25 16:11 . 2004-05-20 17:52 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-04-25 16:11 . 2004-05-20 17:52 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-04-25 12:01 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec

2011-04-21 13:37 . 2004-05-20 17:31 105472 ----a-w- c:\windows\system32\drivers\mup.sys

1998-12-09 02:53 . 1998-12-09 02:53 99840 ----a-w- c:\program files\Common Files\IRAABOUT.DLL

1998-12-09 02:53 . 1998-12-09 02:53 70144 ----a-w- c:\program files\Common Files\IRAMDMTR.DLL

1998-12-09 02:53 . 1998-12-09 02:53 48640 ----a-w- c:\program files\Common Files\IRALPTTR.DLL

1998-12-09 02:53 . 1998-12-09 02:53 31744 ----a-w- c:\program files\Common Files\IRAWEBTR.DLL

1998-12-09 02:53 . 1998-12-09 02:53 186368 ----a-w- c:\program files\Common Files\IRAREG.DLL

1998-12-09 02:53 . 1998-12-09 02:53 17920 ----a-w- c:\program files\Common Files\IRASRIAL.DLL

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{014F2DCA-54A8-4544-8766-9C98A03A343f}]

2011-06-13 09:50 365056 ----a-w- c:\windows\system32\Audio3D32.dll

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1D4BE1CF-7EA5-A953-5C94-A43862A54CF4}]

2011-06-13 09:51 167936 ----a-w- c:\windows\system32\ialmrnt532.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

"YBrowser"="c:\program files\Yahoo!\browser\ybrwicon.exe" [2003-07-11 57344]

"VTTimer"="VTTimer.exe" [2005-03-08 53248]

"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]

"Reminder"="c:\windows\Creator\Remind_XP.exe" [2003-12-18 118784]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]

"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]

"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-08 52736]

"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-08-21 483328]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]

"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]

"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 88209]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

EPSON Status Monitor 3 Environment Check 2.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2004-11-20 135680]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\system32\ialmrnt532.dll

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackupNotify]

2004-01-09 09:34 32768 ----a-w- c:\program files\HP\Digital Imaging\bin\BackupNotify.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2009-11-13 00:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]

2006-11-20 20:55 380928 ----a-w- c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2010-05-14 19:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"wuauserv"=2 (0x2)

"JavaQuickStarterService"=2 (0x2)

"AntiVirService"=2 (0x2)

"AntiVirSchedulerService"=2 (0x2)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=

"c:\\Program Files\\Age Of Empires II\\age2_x1.exe"=

"c:\\Program Files\\Apprentice\\Appr.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\LieroX\\LieroX v0.56 Pack 1.8\\LieroX.exe"=

"c:\\Program Files\\Wizet\\MapleStory\\MapleStory.exe"=

"c:\\WINDOWS\\system32\\dplaysvr.exe"=

"c:\\WINDOWS\\system32\\dpnsvr.exe"=

"c:\\WINDOWS\\system32\\mmc.exe"=

"c:\\Program Files\\Wizet\\MapleStory\\Patcher.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Starcraft\\StarCraft.exe"=

"c:\\Program Files\\WoS\\Souls.exe"=

"c:\\Program Files\\Xfire\\xfire.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"9420:TCP"= 9420:TCP:*:Disabled:Red Swoosh

"23400:TCP"= 23400:TCP:*:Disabled:LieroX

"23400:UDP"= 23400:UDP:*:Disabled:Liero2

"5000:UDP"= 5000:UDP:*:Disabled:Red Swoosh

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)

.

R1 EPPSCSIx;EPPSCSIx;c:\windows\system32\drivers\EPPSCSI.SYS [12/16/2004 1:58 AM 49628]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/17/2011 9:11 PM 136360]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/13/2010 12:17 AM 136176]

S3 DCamUSBVeo532;Veo Stingray/Connect Web Camera;c:\windows\system32\drivers\ubVeo532.sys [7/1/2002 7:30 PM 95232]

S3 EPUSBSTOR;EPSON USB Storage Driver;c:\windows\system32\drivers\epusbsto.sys [11/20/2004 8:24 PM 17976]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/13/2010 12:17 AM 136176]

.

Contents of the 'Scheduled Tasks' folder

.

2011-06-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-13 07:17]

.

2011-06-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-13 07:17]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uInternet Connection Wizard,ShellNext = hxxp://yahoo.sbc.com/dsl

IE: Add To HP Organize... - c:\progra~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk

Trusted Zone: ameritrade.com

Trusted Zone: tdameritrade.com

TCP: DhcpNameServer = 192.168.1.254

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\

FF - prefs.js: browser.startup.homepage - yahoo.com

FF - Ext: StumbleUpon: {AE93811A-5C9A-4d34-8462-F7B864FC4696} - %profile%\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}

FF - Ext: Adblock: {34274bf4-1d97-a289-e984-17e546307e4f} - %profile%\extensions\{34274bf4-1d97-a289-e984-17e546307e4f}

FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}

FF - Ext: IE Tab: {77b819fa-95ad-4f2c-ac7c-486b356188a9} - %profile%\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

.

- - - - ORPHANS REMOVED - - - -

.

MSConfigStartUp-KBD - c:\hp\KBD\KBD.EXE

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-06-23 13:30

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-788326353-1235890415-2902446982-1003\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

Completion time: 2011-06-23 13:39:19

ComboFix-quarantined-files.txt 2011-06-23 20:39

ComboFix2.txt 2011-06-23 06:39

.

Pre-Run: 45,486,866,432 bytes free

Post-Run: 45,482,061,824 bytes free

.

- - End Of File - - 2549C7EA5C004DB62813BE0BA18DA1F9


I tried Google - and it was initially okay, but soon reverted to redirections. I ran a Malwarebytes scan and it still found fsharproj. On the good side, the computer seems to be running a little faster and cleaner than it has recently. Here is the mbam file:

Malwarebytes' Anti-Malware 1.51.0.1200

www.malwarebytes.org

Database version: 6932

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/23/2011 11:19:46 PM

mbam-log-2011-06-23 (23-19-46).txt

Scan type: Quick scan

Objects scanned: 167005

Time elapsed: 24 minute(s), 13 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Okay - here is the new combofix log:

ComboFix 11-06-24.02 - Owner 06/24/2011 11:19:17.4.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.171 [GMT -7:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

.

file zipped: c:\windows\system32\Audio3D32.dll

file zipped: c:\windows\system32\ialmrnt532.dll

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{8c5a2036-5464-4fa1-a6b1-969c9b478d42}

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{8c5a2036-5464-4fa1-a6b1-969c9b478d42}\chrome.manifest

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{8c5a2036-5464-4fa1-a6b1-969c9b478d42}\chrome\xulcache.jar

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{8c5a2036-5464-4fa1-a6b1-969c9b478d42}\defaults\preferences\xulcache.js

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{8c5a2036-5464-4fa1-a6b1-969c9b478d42}\install.rdf

c:\windows\system32\Audio3D32.dll

c:\windows\system32\ialmrnt532.dll

.

.

((((((((((((((((((((((((( Files Created from 2011-05-24 to 2011-06-24 )))))))))))))))))))))))))))))))

.

.

2011-06-23 02:17 . 2011-06-23 11:24 -------- d-----w- C:\7dea6ba6796f9aaaffcde647872d

2011-06-22 04:46 . 2011-06-22 04:46 -------- d-----w- c:\documents and settings\Owner\Application Data\AVG10

2011-06-22 04:40 . 2011-06-22 04:40 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files

2011-06-22 04:30 . 2011-06-23 05:27 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10

2011-06-22 04:27 . 2011-06-22 04:27 -------- d-----w- c:\program files\AVG

2011-06-22 04:16 . 2011-06-23 05:25 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData

2011-06-18 04:24 . 2011-06-18 04:24 -------- d-----w- c:\documents and settings\Owner\Application Data\Avira

2011-06-18 04:11 . 2011-04-02 00:07 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-06-18 04:11 . 2011-04-02 00:07 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys

2011-06-18 04:11 . 2010-06-17 22:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2011-06-18 04:11 . 2010-06-17 22:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2011-06-18 04:10 . 2011-06-18 04:10 -------- d-----w- c:\program files\Avira

2011-06-18 04:10 . 2011-06-18 04:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2011-06-18 03:46 . 2011-06-23 11:24 -------- d-----w- C:\f4ee5476ce7ade7fe1ed707ca5

2011-06-15 04:42 . 2011-06-15 04:42 0 ---ha-w- c:\documents and settings\Owner\ixgketsqzg.tmp

2011-06-14 21:16 . 2011-06-24 14:02 -------- d-----w- c:\windows\system32\NtmsData

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-05-29 16:11 . 2008-08-10 05:10 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-29 16:11 . 2008-08-10 05:10 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-05-02 15:31 . 2003-03-04 06:57 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-04-29 16:19 . 2004-04-01 04:49 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-04-25 16:11 . 2004-01-22 07:16 916480 ----a-w- c:\windows\system32\wininet.dll

2011-04-25 16:11 . 2004-05-20 17:52 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-04-25 16:11 . 2004-05-20 17:52 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-04-25 12:01 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec

2011-04-21 13:37 . 2004-05-20 17:31 105472 ----a-w- c:\windows\system32\drivers\mup.sys

1998-12-09 02:53 . 1998-12-09 02:53 99840 ----a-w- c:\program files\Common Files\IRAABOUT.DLL

1998-12-09 02:53 . 1998-12-09 02:53 70144 ----a-w- c:\program files\Common Files\IRAMDMTR.DLL

1998-12-09 02:53 . 1998-12-09 02:53 48640 ----a-w- c:\program files\Common Files\IRALPTTR.DLL

1998-12-09 02:53 . 1998-12-09 02:53 31744 ----a-w- c:\program files\Common Files\IRAWEBTR.DLL

1998-12-09 02:53 . 1998-12-09 02:53 186368 ----a-w- c:\program files\Common Files\IRAREG.DLL

1998-12-09 02:53 . 1998-12-09 02:53 17920 ----a-w- c:\program files\Common Files\IRASRIAL.DLL

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

"YBrowser"="c:\program files\Yahoo!\browser\ybrwicon.exe" [2003-07-11 57344]

"VTTimer"="VTTimer.exe" [2005-03-08 53248]

"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]

"Reminder"="c:\windows\Creator\Remind_XP.exe" [2003-12-18 118784]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]

"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]

"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-08 52736]

"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-08-21 483328]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]

"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]

"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 88209]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

EPSON Status Monitor 3 Environment Check 2.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2004-11-20 135680]

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackupNotify]

2004-01-09 09:34 32768 ----a-w- c:\program files\HP\Digital Imaging\bin\BackupNotify.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2009-11-13 00:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]

2006-11-20 20:55 380928 ----a-w- c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2010-05-14 19:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"wuauserv"=2 (0x2)

"JavaQuickStarterService"=2 (0x2)

"AntiVirService"=2 (0x2)

"AntiVirSchedulerService"=2 (0x2)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=

"c:\\Program Files\\Age Of Empires II\\age2_x1.exe"=

"c:\\Program Files\\Apprentice\\Appr.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\LieroX\\LieroX v0.56 Pack 1.8\\LieroX.exe"=

"c:\\Program Files\\Wizet\\MapleStory\\MapleStory.exe"=

"c:\\WINDOWS\\system32\\dplaysvr.exe"=

"c:\\WINDOWS\\system32\\dpnsvr.exe"=

"c:\\WINDOWS\\system32\\mmc.exe"=

"c:\\Program Files\\Wizet\\MapleStory\\Patcher.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Starcraft\\StarCraft.exe"=

"c:\\Program Files\\WoS\\Souls.exe"=

"c:\\Program Files\\Xfire\\xfire.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"9420:TCP"= 9420:TCP:*:Disabled:Red Swoosh

"23400:TCP"= 23400:TCP:*:Disabled:LieroX

"23400:UDP"= 23400:UDP:*:Disabled:Liero2

"5000:UDP"= 5000:UDP:*:Disabled:Red Swoosh

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)

.

R1 EPPSCSIx;EPPSCSIx;c:\windows\system32\drivers\EPPSCSI.SYS [12/16/2004 1:58 AM 49628]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/17/2011 9:11 PM 136360]

S3 DCamUSBVeo532;Veo Stingray/Connect Web Camera;c:\windows\system32\drivers\ubVeo532.sys [7/1/2002 7:30 PM 95232]

S3 EPUSBSTOR;EPSON USB Storage Driver;c:\windows\system32\drivers\epusbsto.sys [11/20/2004 8:24 PM 17976]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [8/9/2008 10:10 PM 39984]

.

Contents of the 'Scheduled Tasks' folder

.

2011-06-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-13 07:17]

.

2011-06-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-13 07:17]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uInternet Connection Wizard,ShellNext = hxxp://yahoo.sbc.com/dsl

IE: Add To HP Organize... - c:\progra~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk

Trusted Zone: ameritrade.com

Trusted Zone: tdameritrade.com

TCP: DhcpNameServer = 192.168.1.254

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\

FF - prefs.js: browser.startup.homepage - yahoo.com

FF - Ext: StumbleUpon: {AE93811A-5C9A-4d34-8462-F7B864FC4696} - %profile%\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}

FF - Ext: Adblock: {34274bf4-1d97-a289-e984-17e546307e4f} - %profile%\extensions\{34274bf4-1d97-a289-e984-17e546307e4f}

FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}

FF - Ext: IE Tab: {77b819fa-95ad-4f2c-ac7c-486b356188a9} - %profile%\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-06-24 11:45

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-788326353-1235890415-2902446982-1003\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(1264)

c:\windows\system32\WININET.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\IEFRAME.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\agrsmsvc.exe

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe

c:\program files\Avira\AntiVir Desktop\avshadow.exe

c:\program files\Common Files\Motive\McciCMService.exe

c:\windows\system32\HPZipm12.exe

c:\windows\system32\VTTimer.exe

c:\windows\ALCXMNTR.EXE

c:\windows\AGRSMMSG.exe

.

**************************************************************************

.

Completion time: 2011-06-24 12:05:37 - machine was rebooted

ComboFix-quarantined-files.txt 2011-06-24 19:05

ComboFix2.txt 2011-06-24 17:48

ComboFix3.txt 2011-06-23 20:39

ComboFix4.txt 2011-06-23 06:39

.

Pre-Run: 45,981,671,424 bytes free

Post-Run: 45,966,245,888 bytes free

.

- - End Of File - - 124AEDDBC1DDA2DFEC88666390E77849

Upload was successful


How are things running now? Does the redirect still return?

After a fair amount of googling - there is no redirect! fsharproj has similarly left the playing field and hasn't re-appeared. I have rebooted and re-scanned to make sure. Thank you for getting rid of these pesky critters.

I am somewhat dismayed by this Avira scan - but I may have picked them up from a bad site while testing google. Are "hidden" files automatically bad news?

Thanks, Doug


I am somewhat dismayed by this Avira scan - but I may have picked them up from a bad site while testing google. Are "hidden" files automatically bad news?

Avira AntiVir Personal

Report file date: Saturday, June 25, 2011 01:21

Scanning for 2825893 virus strains and unwanted programs.

The program is running as an unrestricted full version.

Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus

Serial number : 0000149996-ADJIE-0000001

Platform : Windows XP

Windows version : (Service Pack 3) [5.1.2600]

Boot mode : Normally booted

Username : SYSTEM

Computer name : BOYSROOM

Version information:

BUILD.DAT : 10.0.0.650 31822 Bytes 6/17/2011 15:43:00

AVSCAN.EXE : 10.0.4.2 442024 Bytes 4/2/2011 00:07:43

AVSCAN.DLL : 10.0.3.0 46440 Bytes 4/2/2011 00:07:57

LUKE.DLL : 10.0.3.2 104296 Bytes 4/2/2011 00:07:53

LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 07:40:49

VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 17:05:36

VBASE001.VDF : 7.11.0.0 13342208 Bytes 12/14/2010 23:15:47

VBASE002.VDF : 7.11.3.0 1950720 Bytes 2/9/2011 23:15:47

VBASE003.VDF : 7.11.5.225 1980416 Bytes 4/7/2011 04:16:22

VBASE004.VDF : 7.11.8.178 2354176 Bytes 5/31/2011 04:16:30

VBASE005.VDF : 7.11.8.179 2048 Bytes 5/31/2011 04:16:30

VBASE006.VDF : 7.11.8.180 2048 Bytes 5/31/2011 04:16:30

VBASE007.VDF : 7.11.8.181 2048 Bytes 5/31/2011 04:16:31

VBASE008.VDF : 7.11.8.182 2048 Bytes 5/31/2011 04:16:31

VBASE009.VDF : 7.11.8.183 2048 Bytes 5/31/2011 04:16:31

VBASE010.VDF : 7.11.8.184 2048 Bytes 5/31/2011 04:16:32

VBASE011.VDF : 7.11.8.185 2048 Bytes 5/31/2011 04:16:32

VBASE012.VDF : 7.11.8.186 2048 Bytes 5/31/2011 04:16:32

VBASE013.VDF : 7.11.8.222 121856 Bytes 6/2/2011 04:16:32

VBASE014.VDF : 7.11.9.7 134656 Bytes 6/4/2011 04:16:33

VBASE015.VDF : 7.11.9.42 136192 Bytes 6/6/2011 04:16:34

VBASE016.VDF : 7.11.9.72 117248 Bytes 6/7/2011 04:16:34

VBASE017.VDF : 7.11.9.107 130560 Bytes 6/9/2011 04:16:35

VBASE018.VDF : 7.11.9.143 132096 Bytes 6/10/2011 04:16:36

VBASE019.VDF : 7.11.9.172 141824 Bytes 6/14/2011 04:16:37

VBASE020.VDF : 7.11.9.214 144896 Bytes 6/15/2011 04:16:37

VBASE021.VDF : 7.11.9.244 196608 Bytes 6/16/2011 04:16:39

VBASE022.VDF : 7.11.10.28 152576 Bytes 6/20/2011 03:55:58

VBASE023.VDF : 7.11.10.53 210432 Bytes 6/21/2011 03:55:58

VBASE024.VDF : 7.11.10.88 132096 Bytes 6/24/2011 09:16:23

VBASE025.VDF : 7.11.10.89 2048 Bytes 6/24/2011 09:16:23

VBASE026.VDF : 7.11.10.90 2048 Bytes 6/24/2011 09:16:23

VBASE027.VDF : 7.11.10.91 2048 Bytes 6/24/2011 09:16:24

VBASE028.VDF : 7.11.10.92 2048 Bytes 6/24/2011 09:16:24

VBASE029.VDF : 7.11.10.93 2048 Bytes 6/24/2011 09:16:24

VBASE030.VDF : 7.11.10.94 2048 Bytes 6/24/2011 09:16:24

VBASE031.VDF : 7.11.10.104 52224 Bytes 6/24/2011 08:18:40

Engineversion : 8.2.5.24

AEVDF.DLL : 8.1.2.1 106868 Bytes 3/28/2011 23:15:27

AESCRIPT.DLL : 8.1.3.65 1606010 Bytes 6/18/2011 04:16:55

AESCN.DLL : 8.1.7.2 127349 Bytes 3/28/2011 23:15:27

AESBX.DLL : 8.2.1.34 323957 Bytes 6/18/2011 04:16:56

AERDL.DLL : 8.1.9.9 639347 Bytes 3/25/2011 19:21:38

AEPACK.DLL : 8.2.6.9 557429 Bytes 6/18/2011 04:16:53

AEOFFICE.DLL : 8.1.1.25 205178 Bytes 6/18/2011 04:16:52

AEHEUR.DLL : 8.1.2.132 3567992 Bytes 6/24/2011 09:16:30

AEHELP.DLL : 8.1.17.2 246135 Bytes 6/18/2011 04:16:44

AEGEN.DLL : 8.1.5.6 401780 Bytes 6/18/2011 04:16:44

AEEMU.DLL : 8.1.3.0 393589 Bytes 3/28/2011 23:15:19

AECORE.DLL : 8.1.21.1 196983 Bytes 6/18/2011 04:16:43

AEBB.DLL : 8.1.1.0 53618 Bytes 3/28/2011 23:15:19

AVWINLL.DLL : 10.0.0.0 19304 Bytes 3/28/2011 23:15:31

AVPREF.DLL : 10.0.0.0 44904 Bytes 4/2/2011 00:07:42

AVREP.DLL : 10.0.0.10 174120 Bytes 6/18/2011 04:16:58

AVREG.DLL : 10.0.3.2 53096 Bytes 4/2/2011 00:07:42

AVSCPLR.DLL : 10.0.4.2 84840 Bytes 4/2/2011 00:07:43

AVARKT.DLL : 10.0.22.6 231784 Bytes 4/2/2011 00:07:38

AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 4/2/2011 00:07:41

SQLITE3.DLL : 3.6.19.0 355688 Bytes 6/17/2010 22:27:22

AVSMTP.DLL : 10.0.0.17 63848 Bytes 3/28/2011 23:15:30

NETNT.DLL : 10.0.0.0 11624 Bytes 3/28/2011 23:15:39

RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 4/2/2011 00:07:58

RCTEXT.DLL : 10.0.58.0 97128 Bytes 3/28/2011 23:15:52

Configuration settings for the scan:

Jobname.............................: Complete system scan

Configuration file..................: C:\Program Files\Avira\AntiVir Desktop\sysscan.avp

Logging.............................: low

Primary action......................: interactive

Secondary action....................: ignore

Scan master boot sector.............: on

Scan boot sector....................: on

Boot sectors........................: C:, D:,

Process scan........................: on

Extended process scan...............: on

Scan registry.......................: on

Search for rootkits.................: on

Integrity checking of system files..: off

Scan all files......................: All files

Scan archives.......................: on

Recursion depth.....................: 20

Smart extensions....................: on

Macro heuristic.....................: on

File heuristic......................: medium

Start of the scan: Saturday, June 25, 2011 01:21

Starting search for hidden objects.

c:\windows\system32\ntmsdata\ntmsjrnl

c:\windows\system32\ntmsdata\ntmsjrnl

[NOTE] The file is not visible.

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NtmsSvc\Config\Standalone\drivelist

[NOTE] The registry entry is invisible.

The scan of running processes will be started

Scan process 'msdtc.exe' - '42' Module(s) have been scanned

Scan process 'dllhost.exe' - '63' Module(s) have been scanned

Scan process 'dllhost.exe' - '47' Module(s) have been scanned

Scan process 'vssvc.exe' - '50' Module(s) have been scanned

Scan process 'avscan.exe' - '72' Module(s) have been scanned

Scan process 'avcenter.exe' - '64' Module(s) have been scanned

Scan process 'svchost.exe' - '41' Module(s) have been scanned

Scan process 'ctfmon.exe' - '27' Module(s) have been scanned

Scan process 'avgnt.exe' - '47' Module(s) have been scanned

Scan process 'AGRSMMSG.exe' - '21' Module(s) have been scanned

Scan process 'ALCXMNTR.EXE' - '33' Module(s) have been scanned

Scan process 'hpcmpmgr.exe' - '41' Module(s) have been scanned

Scan process 'hphmon05.exe' - '25' Module(s) have been scanned

Scan process 'hpsysdrv.exe' - '16' Module(s) have been scanned

Scan process 'ps2.exe' - '21' Module(s) have been scanned

Scan process 'ybrwicon.exe' - '27' Module(s) have been scanned

Scan process 'alg.exe' - '33' Module(s) have been scanned

Scan process 'avshadow.exe' - '28' Module(s) have been scanned

Scan process 'HPZipm12.exe' - '20' Module(s) have been scanned

Scan process 'McciCMService.exe' - '29' Module(s) have been scanned

Scan process 'SAgent2.exe' - '30' Module(s) have been scanned

Scan process 'avguard.exe' - '57' Module(s) have been scanned

Scan process 'agrsmsvc.exe' - '13' Module(s) have been scanned

Scan process 'svchost.exe' - '37' Module(s) have been scanned

Scan process 'sched.exe' - '55' Module(s) have been scanned

Scan process 'spoolsv.exe' - '65' Module(s) have been scanned

Scan process 'Explorer.EXE' - '117' Module(s) have been scanned

Scan process 'svchost.exe' - '39' Module(s) have been scanned

Scan process 'svchost.exe' - '34' Module(s) have been scanned

Scan process 'svchost.exe' - '32' Module(s) have been scanned

Scan process 'svchost.exe' - '172' Module(s) have been scanned

Scan process 'svchost.exe' - '42' Module(s) have been scanned

Scan process 'svchost.exe' - '53' Module(s) have been scanned

Scan process 'lsass.exe' - '60' Module(s) have been scanned

Scan process 'services.exe' - '29' Module(s) have been scanned

Scan process 'winlogon.exe' - '69' Module(s) have been scanned

Scan process 'csrss.exe' - '16' Module(s) have been scanned

Scan process 'smss.exe' - '2' Module(s) have been scanned

Starting master boot sector scan:

Master boot sector HD0

[INFO] No virus was found!

Master boot sector HD1

[INFO] No virus was found!

Master boot sector HD2

[INFO] No virus was found!

Master boot sector HD3

[INFO] No virus was found!

Master boot sector HD4

[INFO] No virus was found!

Start scanning boot sectors:

Boot sector 'C:\'

[INFO] No virus was found!

Boot sector 'D:\'

[INFO] No virus was found!

Starting to scan executable files (registry).

The registry was scanned ( '2194' files ).

Starting the file scan:

Begin scan in 'C:\' <HP_PAVILION>

C:\Qoobox\Quarantine\C\WINDOWS\system32\Audio3D32.dll.vir

[DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP427\A0030554.dll

[DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm

Begin scan in 'D:\' <HP_RECOVERY>

Beginning disinfection:

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP427\A0030554.dll

[DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm

[NOTE] The file was moved to the quarantine directory under the name '4727ae44.qua'.

C:\Qoobox\Quarantine\C\WINDOWS\system32\Audio3D32.dll.vir

[DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm

[NOTE] The file was moved to the quarantine directory under the name '5fec8038.qua'.

End of the scan: Saturday, June 25, 2011 09:19

Used time: 5:06:00 Hour(s)

The scan has been done completely.

18480 Scanned directories

820247 Files were scanned

2 Viruses and/or unwanted programs were found

0 Files were classified as suspicious

0 files were deleted

0 Viruses and unwanted programs were repaired

2 Files were moved to quarantine

0 Files were renamed

0 Files cannot be scanned

820245 Files not concerned

22892 Archives were scanned

0 Warnings

4 Notes

772775 Objects were scanned with rootkit scan

2 Hidden objects were found


Hi again,

No that is nothing to worry about. :) Your Avira log looks clean.

Your version of Adobe Reader is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Adobe components and update:

  • Download the latest version of Adobe Reader Version X and save it to your desktop.
  • Uncheck the "Free McAfee Security plan Plus" option or any other Toolbar you are offered
  • Click the download button at the bottom.
  • If you use Internet Explorer and do not wish to install the ActiveX element, simply click on the click here to download link on the next page.
  • Remove all older versions of Adobe Reader: Go to Add/remove and uninstall all versions of Adobe Reader, Acrobat Reader and Adobe Acrobat.
    If you are unsure of how to use Add or Remove Programs, then please see this tutorial: How To Remove An Installed Program From Your Computer
  • Then from your desktop double-click on Adobe Reader to install the newest version.
    If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the "Adobe Setup - Welcome" window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.

Your Adobe Reader is now up to date!

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.

  • Download the latest version of Java Runtime Environment (JRE) Version 6.
  • Look for "JDK 6 Update 26 (JDK or JRE)".
  • Click the "Download JRE" button at the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Select "Windows x86 Offline" and click on jre-6u26-windows-i586.exe
  • Save it to your desktop
  • Close any programs you may have running - especially your web browser.
  • Uninstall all older versions of Java (any item with Java Runtime Environment, JRE or J2SE in the name).
  • Reboot your computer once all Java components are removed.
  • Install the newest version by double clicking (run as Administrator for Windows Vista/Seven) the downloaded file.

ESET ONLINE SCANNER

----------------------------

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on this link to open ESET OnlineScan in a new window.
  2. Click the esetonlinebtn.png button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    1. Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the esetsmartinstaller_enu.png icon on your desktop.
    3. Check "YES, I accept the Terms of Use."
    4. Click the Start button.
    5. Accept any security warnings from your browser.
    6. Under scan settings, check "Scan Archives" and "Remove found threats"
    7. Click Advanced settings and select the following:
      • Scan potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth technology

  4. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  5. When the scan completes, click List Threats
  6. Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  7. Click the Back button.
  8. Click the Finish button.


Wow! I mean: WOW!!! What is this tool and how can it find all these things that the others didn't? I haven't deleted these files yet - just in case there are any false detections. I'm assuming Qoobox is the quarantine files from the previous tool? Should I delete these files?

I updated Java and Adobe which is good - I want to get the system as bulletproof as possible. Java installed jqs.exe again and I want to disable it. I want all of the automatic updates disabled so I know what is going on. I'm REALLY tired of unexplained, unidentified activity suddenly taking over the computer. The Adobe updater is as bad as a virus. Avira isn't much better.

I have an artifact in the control panel from "Red Swoosh" that I would like to get rid of. The target directory seems to be deleted, but I can't figure out how to remove the icon from control panel.

This computer has been used by my kids (they now have their own and are banned). I would like to remove all of their games (particularly the online interactive ones) and any file sharing programs they may have installed.

Thank you very much for directing me on this - obviously I was out of my depth with the hidden viruses.

C:\Documents and Settings\Owner\My Documents\My Downloads\Gunbound_GIS_WC_518.exe probably a variant of Win32/Agent.GTZDBXT trojan deleted - quarantined

C:\Downloads\AgeOfCastles_Setup-dm[1].exe a variant of Win32/Adware.Trymedia application cleaned by deleting - quarantined

C:\Program Files\Mozilla Firefox\SmitfraudFix\Process.exe Win32/PrcView application cleaned by deleting - quarantined

C:\Program Files\Mozilla Firefox\SmitfraudFix\restart.exe Win32/Shutdown.NAA application cleaned by deleting - quarantined

C:\Qoobox\Quarantine\[4]-Submit_2011-06-24_11.19.03.zip a variant of Win32/Kryptik.OKQ trojan deleted - quarantined

C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{1d3ba1a6-5777-49ad-8b95-1dac137eec86}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{1d3ba1a6-5777-49ad-8b95-1dac137eec86}\chrome\xulcache.jar.vir JS/Agent.NDB trojan deleted - quarantined

C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{25ee2c34-16fb-4cb2-b32e-4dbc1298f127}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{25ee2c34-16fb-4cb2-b32e-4dbc1298f127}\chrome\xulcache.jar.vir JS/Agent.NDB trojan deleted - quarantined

C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{2b747b40-3541-447d-99a1-54a43eb308a9}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{2b747b40-3541-447d-99a1-54a43eb308a9}\chrome\xulcache.jar.vir JS/Agent.NDB trojan deleted - quarantined

C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{43467305-1718-458f-9a8c-2dcac370f6d5}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{43467305-1718-458f-9a8c-2dcac370f6d5}\chrome\xulcache.jar.vir JS/Agent.NDB trojan deleted - quarantined

C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{47e7afaa-e0ac-4478-acbb-357913237b1a}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{47e7afaa-e0ac-4478-acbb-357913237b1a}\chrome\xulcache.jar.vir JS/Agent.NDB trojan deleted - quarantined

C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{504a38b5-1a04-41b3-bc96-c53e4f2e37ca}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{504a38b5-1a04-41b3-bc96-c53e4f2e37ca}\chrome\xulcache.jar.vir JS/Agent.NDB trojan deleted - quarantined

C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{5d069a26-f1db-4a26-adb1-094ee03e9ea5}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{5d069a26-f1db-4a26-adb1-094ee03e9ea5}\chrome\xulcache.jar.vir JS/Agent.NDB trojan deleted - quarantined

C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{5dd9dc6d-18cc-4c3f-bbd4-16c8eed5cc85}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{5dd9dc6d-18cc-4c3f-bbd4-16c8eed5cc85}\chrome\xulcache.jar.vir JS/Agent.NDB trojan deleted - quarantined

C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{8c5a2036-5464-4fa1-a6b1-969c9b478d42}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{8c5a2036-5464-4fa1-a6b1-969c9b478d42}\chrome\xulcache.jar.vir JS/Agent.NDB trojan deleted - quarantined

C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{8c6c368f-56a9-469e-9bb9-998825f424c8}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{8c6c368f-56a9-469e-9bb9-998825f424c8}\chrome\xulcache.jar.vir JS/Agent.NDB trojan deleted - quarantined

C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{8d61d86d-100c-4b04-83b1-077e18540ae0}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{8d61d86d-100c-4b04-83b1-077e18540ae0}\chrome\xulcache.jar.vir JS/Agent.NDB trojan deleted - quarantined

C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{92ba9379-b78a-45cb-97ac-05432a5dbbca}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{92ba9379-b78a-45cb-97ac-05432a5dbbca}\chrome\xulcache.jar.vir JS/Agent.NDB trojan deleted - quarantined

C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{c975d69b-e210-42b7-8a5f-8608722e8308}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{c975d69b-e210-42b7-8a5f-8608722e8308}\chrome\xulcache.jar.vir JS/Agent.NDB trojan deleted - quarantined

C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{d0bcf974-8ea8-4ac6-8023-304c7ed641dd}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{d0bcf974-8ea8-4ac6-8023-304c7ed641dd}\chrome\xulcache.jar.vir JS/Agent.NDB trojan deleted - quarantined

C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{e447c891-0f34-46b9-9d3f-ba7281df68fe}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{e447c891-0f34-46b9-9d3f-ba7281df68fe}\chrome\xulcache.jar.vir JS/Agent.NDB trojan deleted - quarantined

C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{ed16464e-0040-4e7a-beb3-bf8b3ddefcf2}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{ed16464e-0040-4e7a-beb3-bf8b3ddefcf2}\chrome\xulcache.jar.vir JS/Agent.NDB trojan deleted - quarantined

C:\Qoobox\Quarantine\C\WINDOWS\system32\klnmp.bak1.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\WINDOWS\system32\klnmp.bak2.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\WINDOWS\system32\klnmp.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\WINDOWS\system32\klnmp.tmp.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP403\A0023571.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP404\A0023645.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP404\A0023788.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP405\A0023929.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP407\A0024330.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP408\A0024358.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP409\A0025382.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP410\A0025390.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP413\A0025978.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP414\A0026070.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP414\A0027089.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP417\A0027121.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP418\A0028113.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP419\A0028161.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP421\A0028451.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP421\A0028452.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP421\A0028453.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP421\A0028454.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP421\A0028455.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP421\A0028456.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP421\A0028457.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP421\A0028458.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP421\A0028459.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP421\A0028460.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP421\A0028461.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP421\A0028462.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP421\A0028468.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP422\A0028736.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP426\A0029633.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP426\A0029880.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP426\A0030346.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP426\A0030357.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP427\A0030377.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP427\A0030464.exe probably a variant of Win32/Agent.BWFKHA trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP427\A0030481.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP443\A0031625.exe a variant of Win32/Adware.Trymedia application cleaned by deleting - quarantined

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP443\A0031626.exe Win32/PrcView application cleaned by deleting - quarantined

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP443\A0031627.exe Win32/Shutdown.NAA application cleaned by deleting - quarantined

C:\WINDOWS\pss\PowerReg Scheduler.exeStartup Win32/PowerReg application cleaned by deleting - quarantined

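The report above is easier to judge once each hit is sorted by where the object lived. This is an added example (not from the thread, the helper, or ESET) that parses such report lines and separates quarantine copies and System Restore copies from objects on the live file system; the sample input is an excerpt of the lines above.

```python
"""Added example: triage an ESET Online Scanner report by object location."""
import re
from typing import Dict, List, NamedTuple


class Detection(NamedTuple):
    path: str        # object ESET reported
    detection: str   # ESET detection name, e.g. "Win32/TrojanDownloader.Tracur.F trojan"
    action: str      # what ESET did, e.g. "cleaned by deleting - quarantined"
    location: str    # "quarantine", "restore-point" or "live"


# One report line is "<path> <detection name> <action>". The path may contain
# spaces, so it is matched non-greedily up to a detection name that, as in
# the report above, ends with the word "trojan" or "application".
_LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+"
    r"(?P<detection>(?:probably a variant of |a variant of )?\S+ (?:trojan|application))\s+"
    r"(?P<action>.+?)\s*$"
)


def classify_location(path: str) -> str:
    """Quarantine and System Restore copies are inert; only 'live' objects
    were reachable by the user or by an autostart entry."""
    p = path.lower()
    # Qoobox is ComboFix's quarantine; it renames stored files with a .vir suffix.
    if "\\qoobox\\quarantine\\" in p or p.endswith(".vir"):
        return "quarantine"
    if "\\system volume information\\_restore" in p:
        return "restore-point"
    return "live"


def parse_report(text: str) -> List[Detection]:
    """Parse every non-empty line; an unrecognised line raises rather than
    being silently dropped, so nothing in a report goes unreviewed."""
    found: List[Detection] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised report line: {line!r}")
        path = m.group("path")
        found.append(Detection(path, m.group("detection"), m.group("action"),
                               classify_location(path)))
    return found


def summarize(detections: List[Detection]) -> Dict[str, int]:
    counts = {"quarantine": 0, "restore-point": 0, "live": 0}
    for d in detections:
        counts[d.location] += 1
    return counts


def live_detections(detections: List[Detection]) -> List[Detection]:
    """The hits that actually need attention: objects outside any quarantine
    or restore point."""
    return [d for d in detections if d.location == "live"]


# Sample input: six lines excerpted from the report posted above.
SAMPLE_REPORT = r"""
C:\Documents and Settings\Owner\My Documents\My Downloads\Gunbound_GIS_WC_518.exe probably a variant of Win32/Agent.GTZDBXT trojan deleted - quarantined
C:\Downloads\AgeOfCastles_Setup-dm[1].exe a variant of Win32/Adware.Trymedia application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{1d3ba1a6-5777-49ad-8b95-1dac137eec86}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\klnmp.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP403\A0023571.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined
C:\WINDOWS\pss\PowerReg Scheduler.exeStartup Win32/PowerReg application cleaned by deleting - quarantined
"""

if __name__ == "__main__":
    dets = parse_report(SAMPLE_REPORT)
    print(summarize(dets))
    for d in live_detections(dets):
        print(f"LIVE: {d.path}  [{d.detection}; {d.action}]")
```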

Although the system generally seems a bit snappier (considerably so since I installed another memory stick today) the problem that led me to turn off Avira guard and get infected with a lot of this malware to begin with persists: When I watch Netflix the image is jumpy and the sound gets out of sync. I've talked to Netflix support and they claim it is because my CPU is running at maximum. They told me that Microsoft Silverwhatever requires a 1.2Mhz processor and 512 RAM. I had one 512 stick in and just put in a second one today (maxes my BIOS). My CPU runs at 2.2Mhz. Yet the picture and sound is still terrible. I did not use to have this problem; it used to be fine (before Silverwhatever). Clearly my internet connection isn't the bottleneck, as the loading always leads the playback considerably.

I continue to think that something is consuming resources. Even when the system should be completely quiet (nothing obviously running or loaded) there is a constant low level of CPU usage, I/O activity and disk access. When I check processes, lsass, csrss, avgnt and avguard are all clicking away at around 300k I/O every couple of seconds. This doesn't strike me as "normal".

Can you help with this?


Hi, let's address all your concerns here. :)

First of all, the ESET results: almost all objects were either in quarantine or system restore. The few that were not are mostly harmless. In other words nothing to worry about.

Next, while I understand your reluctance to let all the updaters run, I recommend letting Java, Adobe, and especially Avira auto-update on startup. This is a security precaution: malware often exploits outdated software.

I have an artifact in the control panel from "Red Swoosh" that I would like to get rid of. The target directory seems to be deleted, but I can't figure out how to remove the icon from control panel.
Click Start > Control Panel

Right-click the "Red Swoosh" icon and choose Create Shortcut

Click Yes when you see the following dialog:

"Windows cannot create a shortcut here.

Do you want the shortcut to be placed on the desktop instead?"

In the Desktop, right-click the newly created shortcut and choose Properties

Click the Change Icon button. You'll then see the actual CPL file name in the resulting dialog. Please post me that filename.

This computer has been used by my kids (they now have their own and are banned). I would like to remove all of their games (particularly the online interactive ones) and any file sharing programs they may have installed.
You can do this easily by uninstalling them through Control Panel > Add/Remove programs.

As for the Netflix problem, see here for how to set the bitrate to the lowest setting possible and see if that helps.

Can you press Ctrl - Alt - Del when the video is choppy, in the Task manager click on Performance tab, and let me know the % of CPU and RAM in use (although, I really don't think cpu/ram is being maxed out in this case)?

FTR, if you have a slow internet connection, that may well be the cause and there is nothing you can do about that, except for getting a better connection (I am having this problem myself, I am not able to stream anything using more than 250bps).

ALL CLEAN

--------------

Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean :)

Please do the following to remove the remaining programs from your PC:

  • Delete the tools used during the disinfection:
    • Click Start > Run and type combofix /uninstall, press Enter. This will remove ComboFix from your computer.
    • Delete DDS and GMER (this is a randomly named file). If you used Defogger to disable CD emulation, you can rerun it to re-enable any disabled emulators.

Please read this advice, in order to prevent reinfecting your PC:

  1. Install and update the following programs regularly:
    • an outbound firewall. If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall.
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use, but provide a resident scanner and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for SpywareBlaster can be found here. If you wish, the commercial version provides automatic updating.

  2. Keep Windows (and your other Microsoft software) up to date!

I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

Therefore, please visit the Microsoft Update website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

  3. Keep your other software up to date as well

Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out-of-date software on your machine.

  4. Stay up to date!

The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.

Some more links you might find of interest:

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.


Thank you very much. I experimented with the buffer settings in Silverlight and found that setting the buffer rate to 512 and then returning the play bar to the beginning will immediately reset the playback speed and give consistent smooth playback. Before I added RAM the CPU was up around 90-100% trying to page the file buffer and there was very little free RAM. Now the CPU is around 60-80% and there is always 300-400MB free memory. My Uverse download tests at 5 Mbps, so the bottleneck must be in my computer somewhere. Maybe my graphics card isn't up to the task?

I have manually updated all the critical files you mentioned and I update and run either malwarebytes or avira every night.

Do you have any comments about the constant I/O activity of lsass?

Red Swoosh links to: C:\WINDOWS\system32\RedSwoosh.cpl which doesn't exist anymore. I don't see how to get the icon out of control panel.

Other than those two concerns, it looks like a clean computer to me.

I mistakenly activated combofix instead of removing it so I'm including the scan below FYI.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uInternet Connection Wizard,ShellNext = hxxp://yahoo.sbc.com/dsl

IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk

Trusted Zone: ameritrade.com

Trusted Zone: tdameritrade.com

TCP: DhcpNameServer = 192.168.1.254

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\

FF - prefs.js: browser.startup.homepage - yahoo.com

FF - Ext: StumbleUpon: {AE93811A-5C9A-4d34-8462-F7B864FC4696} - %profile%\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}

FF - Ext: Adblock: {34274bf4-1d97-a289-e984-17e546307e4f} - %profile%\extensions\{34274bf4-1d97-a289-e984-17e546307e4f}

FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}

FF - Ext: IE Tab: {77b819fa-95ad-4f2c-ac7c-486b356188a9} - %profile%\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-06-28 12:00

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-788326353-1235890415-2902446982-1003\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(1332)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2011-06-28 12:05:37

ComboFix-quarantined-files.txt 2011-06-28 19:05

ComboFix2.txt 2011-06-25 00:27

ComboFix3.txt 2011-06-24 17:48

ComboFix4.txt 2011-06-23 20:39

ComboFix5.txt 2011-06-28 18:42

.

Pre-Run: 51,265,802,240 bytes free

Post-Run: 51,326,750,720 bytes free

.

- - End Of File - - 930B65C8B79D938C78E06E62F295CF92


Do you have any comments about the constant I/O activity of lsass?
This is normal.

The other CPU usage during streaming can indeed be caused by older hardware, or simply a lower CPU speed. Except for upgrading hardware (which is a LOT more expensive than upgrading RAM), there is little you can do about it; if it streams smoothly, I would keep it at that.

To uninstall combofix, right click the combofix icon, select Rename, and rename the file to "uninstall". Then run it. This should uninstall it.

Click Start > Run, in the box that opens type notepad and press enter.

Copy/paste the text in the codebox below in Notepad and save it as fixme.bat to your desktop.

@echo off
rem Export the machine-wide and the per-user Control Panel applet lists to text files
REGEDIT /E export1.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls"
REGEDIT /E export2.txt "HKEY_Current_User\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls"
rem Open both exports in the default text editor
start export1.txt
start export2.txt
rem Delete this batch file once it has run
del %0

Exit Notepad and double-click on fixme.bat to run it.

Two text files named export1.txt and export2.txt should open. Please post their contents in your next reply.

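The export that fixme.bat produces can be checked mechanically for Control Panel entries whose .cpl file no longer exists, which is what an orphaned applet like the "Red Swoosh" icon would look like. This is an added example, not the helper's code: it parses the .reg text of such an export and flags the orphans. The sample export is constructed in the format of the export posted in this thread, with one hypothetical "Red Swoosh" value added (the real export contained no such value); the file-existence lookup is passed in so the check runs offline, and on the affected machine you would pass os.path.exists.

```python
"""Added example: find Control Panel applet entries whose target file is gone."""
import re
from typing import Callable, Dict

# Section headers "[HKEY_...]" and string values "Name"="value" of a .reg export.
_SECTION_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
_STRING_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<value>(?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    r"""Undo .reg escaping: '\\' becomes '\' and '\"' becomes '"'."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_cpls(reg_text: str) -> Dict[str, str]:
    r"""Return {applet name: target} for string values directly under a
    ...\Control Panel\Cpls key. Subkeys such as Cpls\inetcpl.cpl and
    dword values (e.g. "RunLevel") are ignored."""
    entries: Dict[str, str] = {}
    in_cpls = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        sec = _SECTION_RE.match(line)
        if sec:
            in_cpls = sec.group("key").lower().endswith(r"\control panel\cpls")
            continue
        if not in_cpls:
            continue
        m = _STRING_RE.match(line)
        if m:
            entries[_unescape(m.group("name"))] = _unescape(m.group("value"))
    return entries


def resolve_path(target: str, system_dir: str = r"C:\WINDOWS\system32") -> str:
    r"""A bare file name such as Firewall.cpl is loaded from the system
    directory (assumed here to be C:\WINDOWS\system32, as on this XP box)."""
    if "\\" in target or ":" in target:
        return target
    return system_dir.rstrip("\\") + "\\" + target


def find_orphans(entries: Dict[str, str],
                 exists: Callable[[str], bool]) -> Dict[str, str]:
    """Entries whose resolved target does not exist, keyed by applet name."""
    orphans: Dict[str, str] = {}
    for name, target in entries.items():
        full = resolve_path(target)
        if not exists(full):
            orphans[name] = full
    return orphans


# Constructed sample in the format of the HKLM export posted in the thread,
# plus a hypothetical "Red Swoosh" value pointing at the path the user reported.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls]
"Speech"="C:\\Program Files\\Common Files\\Microsoft Shared\\Speech\\sapi.cpl"
"Internet Connection Firewall"="Firewall.cpl"
"NetSetupWizard"="NetSetup.cpl"
"QuickTime"="C:\\Program Files\\QuickTime\\QTSystem\\QuickTime.cpl"
"Avira AntiVir Personal"="C:\\PROGRA~1\\Avira\\ANTIVI~1\\avconfig.cpl"
"Red Swoosh"="C:\\WINDOWS\\system32\\RedSwoosh.cpl"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\inetcpl.cpl]
"RunLevel"=dword:00000000
'''

if __name__ == "__main__":
    import os
    import sys
    # regedit /E writes UTF-16 exports; pass export1.txt as the first argument
    # on the affected machine, otherwise the constructed sample is used.
    text = SAMPLE_EXPORT
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-16") as fh:
            text = fh.read()
    for name, path in find_orphans(parse_cpls(text), os.path.exists).items():
        print(f"orphaned applet: {name!r} -> {path}")
```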

Your previous instructions un-installed combofix just fine - I just didn't follow them the first time and clicked on the desktop icon instead...oops.

Below is one of the files you requested. The batch file didn't find the other one.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls]

"Speech"="C:\\Program Files\\Common Files\\Microsoft Shared\\Speech\\sapi.cpl"

"AlarmClock"="c:\\Program Files\\Microsoft Plus! Digital Media Edition\\Alarm Clock\\AlarmClockPlugin.dll"

"Internet Connection Firewall"="Firewall.cpl"

"NetSetupWizard"="NetSetup.cpl"

"QuickTime"="C:\\Program Files\\QuickTime\\QTSystem\\QuickTime.cpl"

"Avira AntiVir Personal - Free Antivirus "="C:\\PROGRA~1\\Avira\\ANTIVI~1\\avconfig.cpl"

"Avira AntiVir Personal"="C:\\PROGRA~1\\Avira\\ANTIVI~1\\avconfig.cpl"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\inetcpl.cpl]

"RunLevel"=dword:00000000


Looks like it worked this time.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls]

"Speech"="C:\\Program Files\\Common Files\\Microsoft Shared\\Speech\\sapi.cpl"

"AlarmClock"="c:\\Program Files\\Microsoft Plus! Digital Media Edition\\Alarm Clock\\AlarmClockPlugin.dll"

"Internet Connection Firewall"="Firewall.cpl"

"NetSetupWizard"="NetSetup.cpl"

"QuickTime"="C:\\Program Files\\QuickTime\\QTSystem\\QuickTime.cpl"

"Avira AntiVir Personal - Free Antivirus "="C:\\PROGRA~1\\Avira\\ANTIVI~1\\avconfig.cpl"

"Avira AntiVir Personal"="C:\\PROGRA~1\\Avira\\ANTIVI~1\\avconfig.cpl"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\inetcpl.cpl]

"RunLevel"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes]

"Windows Default"="\",,,,,,,,,,,,,\""

"Windows Animated"="\"C:\\WINDOWS\\Cursors\\rainbow.ani,,C:\\WINDOWS\\Cursors\\appstart.ani,C:\\WINDOWS\\Cursors\\hourglas.ani,C:\\WINDOWS\\Cursors\\cross.cur,,,,C:\\WINDOWS\\Cursors\\sizens.ani,C:\\WINDOWS\\Cursors\\sizewe.ani,C:\\WINDOWS\\Cursors\\sizenwse.ani,C:\\WINDOWS\\Cursors\\sizenesw.ani,,\""

"3D-White"="\"C:\\WINDOWS\\Cursors\\3dwarro.cur,,C:\\WINDOWS\\Cursors\\appstar3.ani,C:\\WINDOWS\\Cursors\\hourgla3.ani,C:\\WINDOWS\\Cursors\\cross.cur,,,C:\\WINDOWS\\Cursors\\3dwno.cur,C:\\WINDOWS\\Cursors\\3dwns.cur,C:\\WINDOWS\\Cursors\\3dwwe.cur,C:\\WINDOWS\\Cursors\\3dwnwse.cur,C:\\WINDOWS\\Cursors\\3dwnesw.cur,C:\\WINDOWS\\Cursors\\3dwmove.cur,\""

"Hands 1"="\"C:\\WINDOWS\\Cursors\\harrow.cur,,C:\\WINDOWS\\Cursors\\handapst.ani,C:\\WINDOWS\\Cursors\\hand.ani,C:\\WINDOWS\\Cursors\\hcross.cur,C:\\WINDOWS\\Cursors\\hibeam.cur,,C:\\WINDOWS\\Cursors\\hnodrop.cur,C:\\WINDOWS\\Cursors\\hns.cur,C:\\WINDOWS\\Cursors\\hwe.cur,C:\\WINDOWS\\Cursors\\hnwse.cur,C:\\WINDOWS\\Cursors\\hnesw.cur,C:\\WINDOWS\\Cursors\\hmove.cur,\""

"Hands 2"="\"C:\\WINDOWS\\Cursors\\harrow.cur,,C:\\WINDOWS\\Cursors\\handapst.ani,C:\\WINDOWS\\Cursors\\handwait.ani,C:\\WINDOWS\\Cursors\\hcross.cur,C:\\WINDOWS\\Cursors\\hibeam.cur,,C:\\WINDOWS\\Cursors\\handno.ani,C:\\WINDOWS\\Cursors\\handns.ani,C:\\WINDOWS\\Cursors\\handwe.ani,C:\\WINDOWS\\Cursors\\handnwse.ani,C:\\WINDOWS\\Cursors\\handnesw.ani,C:\\WINDOWS\\Cursors\\hmove.cur,\""

"Dinosaur"="\"C:\\WINDOWS\\Cursors\\3dgarro.cur,,C:\\WINDOWS\\Cursors\\dinosaur.ani,C:\\WINDOWS\\Cursors\\dinosau2.ani,C:\\WINDOWS\\Cursors\\cross.cur,,,C:\\WINDOWS\\Cursors\\banana.ani,C:\\WINDOWS\\Cursors\\3dsns.cur,C:\\WINDOWS\\Cursors\\3dgwe.cur,C:\\WINDOWS\\Cursors\\3dsnwse.cur,C:\\WINDOWS\\Cursors\\3dgnesw.cur,C:\\WINDOWS\\Cursors\\3dsmove.cur,\""

"Old Fashioned"="\"C:\\WINDOWS\\Cursors\\harrow.cur,,C:\\WINDOWS\\Cursors\\horse.ani,C:\\WINDOWS\\Cursors\\barber.ani,C:\\WINDOWS\\Cursors\\hcross.cur,C:\\WINDOWS\\Cursors\\hibeam.cur,,C:\\WINDOWS\\Cursors\\coin.ani,C:\\WINDOWS\\Cursors\\3dgns.cur,C:\\WINDOWS\\Cursors\\3dgwe.cur,C:\\WINDOWS\\Cursors\\3dgnwse.cur,C:\\WINDOWS\\Cursors\\3dgnesw.cur,C:\\WINDOWS\\Cursors\\3dgmove.cur,\""

"Conductor"="\"C:\\WINDOWS\\Cursors\\harrow.cur,,C:\\WINDOWS\\Cursors\\drum.ani,C:\\WINDOWS\\Cursors\\metronom.ani,C:\\WINDOWS\\Cursors\\hcross.cur,C:\\WINDOWS\\Cursors\\hibeam.cur,,C:\\WINDOWS\\Cursors\\piano.ani,C:\\WINDOWS\\Cursors\\hns.cur,C:\\WINDOWS\\Cursors\\hwe.cur,C:\\WINDOWS\\Cursors\\hnwse.cur,C:\\WINDOWS\\Cursors\\hnesw.cur,C:\\WINDOWS\\Cursors\\hmove.cur,\""

"Magnified"="\"C:\\WINDOWS\\Cursors\\larrow.cur,,C:\\WINDOWS\\Cursors\\lappstrt.cur,C:\\WINDOWS\\Cursors\\lwait.cur,C:\\WINDOWS\\Cursors\\lcross.cur,C:\\WINDOWS\\Cursors\\libeam.cur,,C:\\WINDOWS\\Cursors\\lnodrop.cur,C:\\WINDOWS\\Cursors\\lns.cur,C:\\WINDOWS\\Cursors\\lwe.cur,C:\\WINDOWS\\Cursors\\lnwse.cur,C:\\WINDOWS\\Cursors\\lnesw.cur,C:\\WINDOWS\\Cursors\\lmove.cur,\""

"Variations"="\"C:\\WINDOWS\\Cursors\\fillitup.ani,,C:\\WINDOWS\\Cursors\\raindrop.ani,C:\\WINDOWS\\Cursors\\counter.ani,C:\\WINDOWS\\Cursors\\cross.cur,,,C:\\WINDOWS\\Cursors\\wagtail.ani,C:\\WINDOWS\\Cursors\\sizens.ani,C:\\WINDOWS\\Cursors\\sizewe.ani,C:\\WINDOWS\\Cursors\\sizenwse.ani,C:\\WINDOWS\\Cursors\\sizenesw.ani,\""

"3D-Bronze"="\"C:\\WINDOWS\\Cursors\\3dgarro.cur,,C:\\WINDOWS\\Cursors\\appstar2.ani,C:\\WINDOWS\\Cursors\\hourgla2.ani,C:\\WINDOWS\\Cursors\\cross.cur,,,C:\\WINDOWS\\Cursors\\3dgno.cur,C:\\WINDOWS\\Cursors\\3dgns.cur,C:\\WINDOWS\\Cursors\\3dgwe.cur,C:\\WINDOWS\\Cursors\\3dgnwse.cur,C:\\WINDOWS\\Cursors\\3dgnesw.cur,C:\\WINDOWS\\Cursors\\3dgmove.cur,\""

"Windows Black "="C:\\WINDOWS\\cursors\\arrow_r.cur,C:\\WINDOWS\\cursors\\help_r.cur,C:\\WINDOWS\\cursors\\wait_r.cur,C:\\WINDOWS\\cursors\\busy_r.cur,C:\\WINDOWS\\cursors\\cross_r.cur,C:\\WINDOWS\\cursors\\beam_r.cur,C:\\WINDOWS\\cursors\\pen_r.cur,C:\\WINDOWS\\cursors\\no_r.cur,C:\\WINDOWS\\cursors\\size4_r.cur,C:\\WINDOWS\\cursors\\size3_r.cur,C:\\WINDOWS\\cursors\\size2_r.cur,C:\\WINDOWS\\cursors\\size1_r.cur,C:\\WINDOWS\\cursors\\move_r.cur,C:\\WINDOWS\\cursors\\up_r.cur"

"Windows Black (large)"="C:\\WINDOWS\\cursors\\arrow_rm.cur,C:\\WINDOWS\\cursors\\help_rm.cur,C:\\WINDOWS\\cursors\\wait_rm.cur,C:\\WINDOWS\\cursors\\busy_rm.cur,C:\\WINDOWS\\cursors\\cross_rm.cur,C:\\WINDOWS\\cursors\\beam_rm.cur,C:\\WINDOWS\\cursors\\pen_rm.cur,C:\\WINDOWS\\cursors\\no_rm.cur,C:\\WINDOWS\\cursors\\size4_rm.cur,C:\\WINDOWS\\cursors\\size3_rm.cur,C:\\WINDOWS\\cursors\\size2_rm.cur,C:\\WINDOWS\\cursors\\size1_rm.cur,C:\\WINDOWS\\cursors\\move_rm.cur,C:\\WINDOWS\\cursors\\up_rm.cur"

"Windows Black (extra large)"="C:\\WINDOWS\\cursors\\arrow_rl.cur,C:\\WINDOWS\\cursors\\help_rl.cur,C:\\WINDOWS\\cursors\\wait_rl.cur,C:\\WINDOWS\\cursors\\busy_rl.cur,C:\\WINDOWS\\cursors\\cross_rl.cur,C:\\WINDOWS\\cursors\\beam_rl.cur,C:\\WINDOWS\\cursors\\pen_rl.cur,C:\\WINDOWS\\cursors\\no_rl.cur,C:\\WINDOWS\\cursors\\size4_rl.cur,C:\\WINDOWS\\cursors\\size3_rl.cur,C:\\WINDOWS\\cursors\\size2_rl.cur,C:\\WINDOWS\\cursors\\size1_rl.cur,C:\\WINDOWS\\cursors\\move_rl.cur,C:\\WINDOWS\\cursors\\up_rl.cur"

"Windows Inverted"="C:\\WINDOWS\\cursors\\arrow_i.cur,C:\\WINDOWS\\cursors\\help_i.cur,C:\\WINDOWS\\cursors\\wait_i.cur,C:\\WINDOWS\\cursors\\busy_i.cur,C:\\WINDOWS\\cursors\\cross_i.cur,C:\\WINDOWS\\cursors\\beam_i.cur,C:\\WINDOWS\\cursors\\pen_i.cur,C:\\WINDOWS\\cursors\\no_i.cur,C:\\WINDOWS\\cursors\\size4_i.cur,C:\\WINDOWS\\cursors\\size3_i.cur,C:\\WINDOWS\\cursors\\size2_i.cur,C:\\WINDOWS\\cursors\\size1_i.cur,C:\\WINDOWS\\cursors\\move_i.cur,C:\\WINDOWS\\cursors\\up_i.cur"

"Windows Inverted (large)"="C:\\WINDOWS\\cursors\\arrow_im.cur,C:\\WINDOWS\\cursors\\help_im.cur,C:\\WINDOWS\\cursors\\wait_im.cur,C:\\WINDOWS\\cursors\\busy_im.cur,C:\\WINDOWS\\cursors\\cross_im.cur,C:\\WINDOWS\\cursors\\beam_im.cur,C:\\WINDOWS\\cursors\\pen_im.cur,C:\\WINDOWS\\cursors\\no_im.cur,C:\\WINDOWS\\cursors\\size4_im.cur,C:\\WINDOWS\\cursors\\size3_im.cur,C:\\WINDOWS\\cursors\\size2_im.cur,C:\\WINDOWS\\cursors\\size1_im.cur,C:\\WINDOWS\\cursors\\move_im.cur,C:\\WINDOWS\\cursors\\up_im.cur"

"Windows Inverted (extra large)"="C:\\WINDOWS\\cursors\\arrow_il.cur,C:\\WINDOWS\\cursors\\help_il.cur,C:\\WINDOWS\\cursors\\wait_il.cur,C:\\WINDOWS\\cursors\\busy_il.cur,C:\\WINDOWS\\cursors\\cross_il.cur,C:\\WINDOWS\\cursors\\beam_il.cur,C:\\WINDOWS\\cursors\\pen_il.cur,C:\\WINDOWS\\cursors\\no_il.cur,C:\\WINDOWS\\cursors\\size4_il.cur,C:\\WINDOWS\\cursors\\size3_il.cur,C:\\WINDOWS\\cursors\\size2_il.cur,C:\\WINDOWS\\cursors\\size1_il.cur,C:\\WINDOWS\\cursors\\move_il.cur,C:\\WINDOWS\\cursors\\up_il.cur"

"Windows Standard (large)"="C:\\WINDOWS\\cursors\\arrow_m.cur,C:\\WINDOWS\\cursors\\help_m.cur,C:\\WINDOWS\\cursors\\wait_m.cur,C:\\WINDOWS\\cursors\\busy_m.cur,C:\\WINDOWS\\cursors\\cross_m.cur,C:\\WINDOWS\\cursors\\beam_m.cur,C:\\WINDOWS\\cursors\\pen_m.cur,C:\\WINDOWS\\cursors\\no_m.cur,C:\\WINDOWS\\cursors\\size4_m.cur,C:\\WINDOWS\\cursors\\size3_m.cur,C:\\WINDOWS\\cursors\\size2_m.cur,C:\\WINDOWS\\cursors\\size1_m.cur,C:\\WINDOWS\\cursors\\move_m.cur,C:\\WINDOWS\\cursors\\up_m.cur"

"Windows Standard (extra large)"="C:\\WINDOWS\\cursors\\arrow_l.cur,C:\\WINDOWS\\cursors\\help_l.cur,C:\\WINDOWS\\cursors\\wait_l.cur,C:\\WINDOWS\\cursors\\busy_l.cur,C:\\WINDOWS\\cursors\\cross_l.cur,C:\\WINDOWS\\cursors\\beam_l.cur,C:\\WINDOWS\\cursors\\pen_l.cur,C:\\WINDOWS\\cursors\\no_l.cur,C:\\WINDOWS\\cursors\\size4_l.cur,C:\\WINDOWS\\cursors\\size3_l.cur,C:\\WINDOWS\\cursors\\size2_l.cur,C:\\WINDOWS\\cursors\\size1_l.cur,C:\\WINDOWS\\cursors\\move_l.cur,C:\\WINDOWS\\cursors\\up_l.cur"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\don't load]

"speech.cpl"=""

"igfxcpl.cpl"=""

"replaceCPL"="nvtuicpl.cpl"

"infocardcpl.cpl"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Extended Properties]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Extended Properties\{2CA4F306-B280-4ab2-B5E1-1DFA3583F046}]

"C:\\WINDOWS\\system32\\FlashPlayerCPLApp.cpl"=dword:0000000a

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Extended Properties\{305CA226-D286-468e-B848-2B2E8E697B74} 2]

"C:\\Program Files\\Common Files\\Microsoft Shared\\Speech\\sapi.cpl"=dword:00000004

"%SystemRoot%\\system32\\appwiz.cpl"=dword:00000008

"%SystemRoot%\\system32\\access.cpl"=dword:00000007

"%SystemRoot%\\system32\\desk.cpl"=dword:00000001

"%SystemRoot%\\system32\\hdwwiz.cpl"=dword:ffffffff

"%SystemRoot%\\system32\\inetcpl.cpl"="3,10"

"%SystemRoot%\\system32\\intl.cpl"=dword:00000006

"%SystemRoot%\\system32\\irprops.cpl"=dword:00000002

"%SystemRoot%\\system32\\joy.cpl"=dword:00000002

"%SystemRoot%\\system32\\main.cpl"=dword:00000002

"%SystemRoot%\\system32\\mmsys.cpl"=dword:00000004

"%SystemRoot%\\system32\\ncpa.cpl"=dword:00000003

"%SystemRoot%\\system32\\nwc.cpl"=dword:00000000

"%SystemRoot%\\system32\\nusrmgr.cpl"=dword:00000009

"%SystemRoot%\\system32\\odbccp32.cpl"=dword:00000000

"%SystemRoot%\\system32\\powercfg.cpl"=dword:00000005

"%SystemRoot%\\system32\\sticpl.cpl"=dword:00000002

"%SystemRoot%\\system32\\sysdm.cpl"="5"

"%SystemRoot%\\system32\\telephon.cpl"=dword:00000002

"%SystemRoot%\\system32\\timedate.cpl"=dword:00000006

"c:\\Program Files\\Microsoft Plus! Digital Media Edition\\Alarm Clock\\AlarmClockPlugin.dll"=dword:00000006

"C:\\Program Files\\Common Files\\SYSTEM\\MSMAPI\\1033\\MLCFG32.CPL"=dword:00000009

"%SystemRoot%\\System32\\Firewall.cpl"="3,10"

"%SystemRoot%\\System32\\NetSetup.cpl"=dword:00000003

"%SystemRoot%\\System32\\wuaucpl.cpl"=dword:0000000a

"%SystemRoot%\\System32\\bthprops.cpl"="2,3"

"%SystemRoot%\\System32\\wscui.cpl"=dword:ffffffff

"%SystemRoot%\\system32\\RedSwoosh.cpl"=dword:00000003

"C:\\PROGRA~1\\Avira\\ANTIVI~1\\avconfig.cpl"=dword:0000000a

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Settings]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Settings\Video]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Settings\Video\PCI:VEN_1106&DEV_7205&SUBSYS_81181043&REV_01]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Settings\Video\PCI:VEN_1106&DEV_7205&SUBSYS_81181043&REV_01\Monitor:Default_Monitor:{4D36E96E-E325-11CE-BFC1-08002BE10318}:0000,0]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Settings\Video\PCI:VEN_1106&DEV_7205&SUBSYS_81181043&REV_01\Monitor:Default_Monitor:{4D36E96E-E325-11CE-BFC1-08002BE10318}:0000,0\1024x768 x 60Hz]

"32 bpp"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Settings\Video\PCI:VEN_1106&DEV_7205&SUBSYS_81181043&REV_01\Monitor:Default_Monitor:{4D36E96E-E325-11CE-BFC1-08002BE10318}:0000,0\1280x1024 x 60Hz]

"32 bpp"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Settings\Video\PCI:VEN_1106&DEV_7205&SUBSYS_81181043&REV_01\Monitor:Default_Monitor:{4D36E96E-E325-11CE-BFC1-08002BE10318}:0000,0\800x600 x 60Hz]

"16 bpp"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Settings\Video\PCI:VEN_1106&DEV_7205&SUBSYS_81181043&REV_01\Monitor:MAG4518:{4D36E96E-E325-11CE-BFC1-08002BE10318}:0001,0]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Settings\Video\PCI:VEN_1106&DEV_7205&SUBSYS_81181043&REV_01\Monitor:MAG4518:{4D36E96E-E325-11CE-BFC1-08002BE10318}:0001,0\1024x768 x 60Hz]

"32 bpp"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Settings\Video\PCI:VEN_1106&DEV_7205&SUBSYS_81181043&REV_01\Monitor:MAG4518:{4D36E96E-E325-11CE-BFC1-08002BE10318}:0001,0\800x600 x 60Hz]

"16 bpp"=dword:00000001

"32 bpp"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Settings\Video\PCI:VEN_1106&DEV_7205&SUBSYS_81181043&REV_01\Monitor:VSCB01C:{4D36E96E-E325-11CE-BFC1-08002BE10318}:0002,0]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Settings\Video\PCI:VEN_1106&DEV_7205&SUBSYS_81181043&REV_01\Monitor:VSCB01C:{4D36E96E-E325-11CE-BFC1-08002BE10318}:0002,0\1024x768 x 60Hz]

"32 bpp"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Settings\Video\PCI:VEN_1106&DEV_7205&SUBSYS_81181043&REV_01\Monitor:VSCB01C:{4D36E96E-E325-11CE-BFC1-08002BE10318}:0002,0\1280x1024 x 60Hz]

"32 bpp"=dword:00000001

"16 bpp"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Settings\Video\PCI:VEN_1106&DEV_7205&SUBSYS_81181043&REV_01\Monitor:VSCB01C:{4D36E96E-E325-11CE-BFC1-08002BE10318}:0002,0\800x600 x 60Hz]

"32 bpp"=dword:00000001

"16 bpp"=dword:00000001


Hi again, let me know if the following does the trick. :)

BACKUP THE REGISTRY

---------------------------

Backup Your Registry with ERUNT

  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.

Click Erunt.exe to back up your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

Click Start > Run, type notepad and press enter. Copy/paste the following text into Notepad and save it as fixme.reg to your desktop.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Extended Properties\{305CA226-D286-468e-B848-2B2E8E697B74} 2]
"%SystemRoot%\\system32\\RedSwoosh.cpl"=-

Exit Notepad and double-click on fixme.reg to run it. When asked if you want to merge the data in the registry, click Yes/OK. You will receive a message that this was done successfully.


Hmmm. Everything went smoothly, but Red Swoosh is still in the Control Panel. I rebooted and had a message that it was unable to completely delete the registry backup file dated today???? I don't know why it would have tried to do that, unless it only allows one registry backup per date (I did select the option to back up on every boot.)

Have a fun Fourth weekend! Doug


Hi, let's try the following:

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :regfind
    redswoosh


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt
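The two requests above ask Windows to do two things: merge a .reg file that deletes one value (the "name"=- line in fixme.reg) and search the whole registry for a string (SystemLook's :regfind). What follows is an added example, not code from the thread, from the helper or from SystemLook's author, that does both offline against exported registry text in the REGEDIT4 / "Windows Registry Editor Version 5.00" format the long dump above is in: it parses the export, searches key paths, value names and string data case-insensitively, and builds the deletion stanza with the escaping regedit expects (backslashes doubled, the key header matched exactly, including the trailing " 2"). The sample export is constructed from a few lines of the dump; the Cursors\Schemes key header is an assumption, since the dump does not show it. One caveat worth having before expecting the applet to disappear: the Extended Properties value only records which Control Panel category an applet is listed under, while Control Panel finds applets by enumerating the .cpl files in %SystemRoot%\system32, so removing the value does not hide an applet whose .cpl file is still on disk; the "don't load" key shown in the dump (for example "speech.cpl"="") is what suppresses one.

```python
"""Offline registry-export helpers: a parser for regedit export text, a
:regfind-style search over it, and a "name"=- deletion stanza builder.
Added example, not from the thread or from SystemLook; works on exported
text rather than the live registry, so it runs on any machine."""
import re
from typing import Dict, List, Optional, Tuple, Union

RegValue = Union[str, int, bytes, None]      # None records a '"name"=-' deletion

_KEY_RE = re.compile(r'^\[(-?[^\]]+)\]\s*$')
# value name is @ (the default value) or a quoted string; regedit escapes \ and " with \
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s: str) -> str:
    return re.sub(r'\\(.)', r'\1', s)          # \\ -> \   \" -> "


def _escape(s: str) -> str:
    return s.replace('\\', '\\\\').replace('"', '\\"')


def _parse_data(data: str) -> RegValue:
    data = data.strip()
    if data == '-':
        return None                             # deletion marker, as in fixme.reg
    if len(data) >= 2 and data[0] == data[-1] == '"':
        return _unescape(data[1:-1])            # REG_SZ / REG_EXPAND_SZ text
    if data.lower().startswith('dword:'):
        return int(data[6:], 16)                # unsigned, so ffffffff -> 4294967295
    if data.lower().startswith('hex'):          # hex: or hex(N): comma-separated bytes
        body = data.split(':', 1)[1]
        return bytes(int(b, 16) for b in body.split(',') if b.strip())
    raise ValueError(f'unrecognised value data: {data!r}')


def parse_reg(text: str) -> Dict[str, Dict[str, RegValue]]:
    """Return {key_path: {value_name: data}} for exported .reg text."""
    lines: List[str] = []
    for raw in text.splitlines():               # re-join hex continuation lines (trailing \)
        if lines and lines[-1].rstrip().endswith('\\'):
            lines[-1] = lines[-1].rstrip()[:-1] + raw.strip()
        else:
            lines.append(raw.rstrip('\r'))
    reg: Dict[str, Dict[str, RegValue]] = {}
    current: Optional[str] = None
    for line in lines:
        if not line.strip() or line.lstrip().startswith(';'):
            continue                            # blank lines, comments, the header line
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            reg.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = '' if m.group(1) == '@' else _unescape(m.group(1)[1:-1])
            reg[current][name] = _parse_data(m.group(2))
    return reg


def regfind(reg: Dict[str, Dict[str, RegValue]], needle: str) -> List[Tuple[str, Optional[str]]]:
    """Offline equivalent of SystemLook's :regfind: case-insensitive substring search
    over key paths, value names and string data. A key-path hit has value name None."""
    n = needle.lower()
    hits: List[Tuple[str, Optional[str]]] = []
    for key, values in reg.items():
        if n in key.lower():
            hits.append((key, None))
        for name, data in values.items():
            if n in name.lower() or (isinstance(data, str) and n in data.lower()):
                hits.append((key, name))
    return hits


def deletion_stanza(key: str, name: str) -> str:
    """REGEDIT4 text that removes one value from one key when merged (the shape of
    fixme.reg above). Backslashes in the name must be doubled for regedit."""
    return f'REGEDIT4\n\n[{key}]\n"{_escape(name)}"=-\n'


KEY = (r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion'
       r'\Control Panel\Extended Properties\{305CA226-D286-468e-B848-2B2E8E697B74} 2')
REDSWOOSH = r'%SystemRoot%\system32\RedSwoosh.cpl'

# Constructed sample: a few lines of the dump above; the Cursors\Schemes header is assumed.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes]
"Windows Animated"="\"C:\\WINDOWS\\Cursors\\rainbow.ani,,C:\\WINDOWS\\Cursors\\appstart.ani,\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\don't load]
"speech.cpl"=""
"replaceCPL"="nvtuicpl.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Extended Properties\{305CA226-D286-468e-B848-2B2E8E697B74} 2]
"%SystemRoot%\\system32\\inetcpl.cpl"="3,10"
"%SystemRoot%\\system32\\hdwwiz.cpl"=dword:ffffffff
"%SystemRoot%\\system32\\RedSwoosh.cpl"=dword:00000003
"C:\\PROGRA~1\\Avira\\ANTIVI~1\\avconfig.cpl"=dword:0000000a
'''

if __name__ == '__main__':
    found = regfind(parse_reg(SAMPLE), 'redswoosh')
    print(found)
    print(deletion_stanza(KEY, REDSWOOSH))
```

Running the file prints the single RedSwoosh hit and a stanza byte-for-byte identical to the helper's fixme.reg; feeding that stanza back through parse_reg shows the value recorded as a deletion, which is a cheap way to check a hand-written .reg fix before merging it.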


Found lots:

"Red Swoosh"

SystemLook 04.09.10 by jpshortstuff

Log created at 23:11 on 02/07/2011 by Owner

Administrator - Elevation successful

========== regfind ==========

Searching for "red swoosh"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"9420:TCP"="9420:TCP:*:Disabled:Red Swoosh"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"5000:UDP"="5000:UDP:*:Disabled:Red Swoosh"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"9420:TCP"="9420:TCP:*:Disabled:Red Swoosh"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"5000:UDP"="5000:UDP:*:Disabled:Red Swoosh"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"9420:TCP"="9420:TCP:*:Enabled:Red Swoosh"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"5000:UDP"="5000:UDP:*:Enabled:Red Swoosh"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"9420:TCP"="9420:TCP:*:Disabled:Red Swoosh"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"5000:UDP"="5000:UDP:*:Disabled:Red Swoosh"

-= EOF =-

"RSSoft"

SystemLook 04.09.10 by jpshortstuff

Log created at 23:12 on 02/07/2011 by Owner

Administrator - Elevation successful

========== regfind ==========

Searching for "RSSoft"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\Program Files\RSSoft\RSEDNClient.exe"="C:\Program Files\RSSoft\RSEDNClient.exe:*:Enabled:RSEDNClient"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam\MUICache]

"C:\Program Files\RSSoft\RSEDNClient.exe"="RSEDNClient"

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\ShellNoRoam\MUICache]

"C:\Program Files\RSSoft\RSEDNClient.exe"="RSEDNClient"

-= EOF =-
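The two SystemLook logs above are lists of Windows Firewall exception entries from the XP SP2 firewall policy keys. The following is an added example, not part of the thread and not SystemLook's code, that parses those value strings into their fields and reports which exceptions are actually enabled and in which control set; the sample log is a constructed copy of the posted entries. The value formats are the XP firewall policy ones: GloballyOpenPorts entries are port:protocol:scope:mode:name and AuthorizedApplications entries are path:scope:mode:name, where a scope of * means any remote address. The caveat the log invites: only the numbered control set that CurrentControlSet links to (named by HKLM\SYSTEM\Select\Current) is in effect, and here the entries are Disabled in the current set and Enabled only in ControlSet004, so an inbound 9420/TCP and 5000/UDP opening to any address only becomes live if that control set is ever booted.

```python
"""Parse Windows XP SP2 firewall exceptions out of a SystemLook :regfind log.
Added example, not from the thread.  Under HKLM\\SYSTEM\\<set>\\Services\\
SharedAccess\\Parameters\\FirewallPolicy\\<profile>\\ the value formats are
  GloballyOpenPorts\\List       "port:proto" = "port:proto:scope:mode:name"
  AuthorizedApplications\\List  "path"       = "path:scope:mode:name"
scope is '*' (any remote address) or an address/subnet list; mode is Enabled/Disabled."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class FirewallException:
    control_set: str        # ControlSet001, ..., or CurrentControlSet
    profile: str            # StandardProfile or DomainProfile
    kind: str               # 'port' or 'app'
    target: str             # '9420/TCP' for ports, executable path for apps
    scope: str
    enabled: bool
    name: str


_KEY_RE = re.compile(r'^\[(.+)\]$')
_VAL_RE = re.compile(r'^"([^"]*)"="([^"]*)"$')     # SystemLook output does not escape \
_FW_KEY_RE = re.compile(
    r'\\SYSTEM\\(ControlSet\d{3}|CurrentControlSet)\\.*\\FirewallPolicy\\(\w+)\\'
    r'(GloballyOpenPorts|AuthorizedApplications)\\List$', re.IGNORECASE)


def parse_firewall_entries(text: str) -> List[FirewallException]:
    entries: List[FirewallException] = []
    ctx = None                          # (control_set, profile, kind) of the key being read
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            fw = _FW_KEY_RE.search(m.group(1))
            ctx = None if fw is None else (
                fw.group(1), fw.group(2),
                'port' if fw.group(3).lower() == 'globallyopenports' else 'app')
            continue                    # keys outside FirewallPolicy (MUICache etc.) are skipped
        m = _VAL_RE.match(line)
        if m is None or ctx is None:
            continue
        control_set, profile, kind = ctx
        value = m.group(2)
        if kind == 'port':
            port, proto, scope, mode, name = value.split(':', 4)
            target = f'{port}/{proto.upper()}'
        else:                           # the path holds a ':' (drive letter): split from the right
            target, scope, mode, name = value.rsplit(':', 3)
        entries.append(FirewallException(control_set, profile, kind, target,
                                         scope, mode.lower() == 'enabled', name))
    return entries


def enabled_by_control_set(entries: List[FirewallException]) -> Dict[str, List[str]]:
    """Map each target to the control sets in which its exception is Enabled."""
    out: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        if e.enabled:
            out[e.target].append(e.control_set)
    return {t: sorted(cs) for t, cs in out.items()}


def live_open_ports(entries: List[FirewallException], live_set: str = 'CurrentControlSet') -> List[str]:
    """Enabled inbound port exceptions in the control set that is in effect.
    CurrentControlSet is a link to one numbered set (HKLM\\SYSTEM\\Select\\Current
    says which); entries in the other sets are dormant unless that set is booted."""
    return sorted(e.target for e in entries
                  if e.kind == 'port' and e.enabled and e.control_set.lower() == live_set.lower())


# Constructed sample: the entries from the two SystemLook logs posted above.
SAMPLE_LOG = r'''Searching for "red swoosh"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"9420:TCP"="9420:TCP:*:Disabled:Red Swoosh"
"5000:UDP"="5000:UDP:*:Disabled:Red Swoosh"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"9420:TCP"="9420:TCP:*:Disabled:Red Swoosh"
"5000:UDP"="5000:UDP:*:Disabled:Red Swoosh"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"9420:TCP"="9420:TCP:*:Enabled:Red Swoosh"
"5000:UDP"="5000:UDP:*:Enabled:Red Swoosh"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"9420:TCP"="9420:TCP:*:Disabled:Red Swoosh"
"5000:UDP"="5000:UDP:*:Disabled:Red Swoosh"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\RSSoft\RSEDNClient.exe"="C:\Program Files\RSSoft\RSEDNClient.exe:*:Enabled:RSEDNClient"
[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\Program Files\RSSoft\RSEDNClient.exe"="RSEDNClient"
'''

if __name__ == '__main__':
    found = parse_firewall_entries(SAMPLE_LOG)
    for target, sets in enabled_by_control_set(found).items():
        print(f'{target}: Enabled in {", ".join(sets)}')
    print('live open ports:', live_open_ports(found) or 'none')
```

On a live XP machine the same check would read these keys with reg query (or Get-ItemProperty in PowerShell); parsing the posted log keeps the example runnable anywhere. The MUICache hits are deliberately ignored: they only record that RSEDNClient.exe was run, not that anything is open for it.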

