Registry infected & fragmented



  • Staff

You appear to be confusing fragmentation levels with disk space levels.

The system is still severely fragmented. When I run a defrag, it tells me there is only 8% available to run the defrag & that it needs 15% to run effectively. I'm not sure why it's so fragmented... there are a few games loaded on the system, but not much more than that.

There is 8% free space on your hard drive and the defragmenter requires 15% free space to run effectively. Uninstall unneeded programs or check out your disk usage with TreeSize Free (available here: http://www.jam-software.com/treesize_free/ ) to see what's taking up all of that space.

I apologize if the information I am relaying appears confusing. I am relaying the info as it shows on the computer... it shows that the disk space is about 90% fragmented when it analyzes & after the defrag.

I ran TreeSize and here is what was found...

On the first run the data shows:

34,830.6 MB C:/
  26,919.3 MB Documents & Settings
  3,438.2 MB WINDOWS
    854.0 MB System32
  2,296.2 MB System Volume Information
  1,008.5 MB Program Files
    651.5 MB Sierra

I tracked the two showing the highest numbers and here's what was there:

26,919.3 MB Documents & Settings
  26,686.9 MB Owner
    26,484.5 MB Application Data
      26,405.5 MB Yahoo!
        26,405.5 MB Companion
          26,405.5 MB Crash Logs
            26,405.4 MB ytdump-2010.6.1.1-1311743624.log

2,438.2 MB WINDOWS
  854.0 MB System32
    468.8 MB [Files]*
      46.8 MB MRT.exe
      12.5 MB oembios.bin
      10.6 MB ieframe.dll
      10.3 MB wmp.dll

*Note: there are quite a few files under this with mostly .exe & .dll extensions, as well as .dat, .tmp, .ax, .sys, .msi, .deu

I went in to clean out what more I could. I was able to remove one app that was installed during this clean-up process, which freed up 4.0 MB, and I emptied the temporary internet files and desktop files again. There really isn't anything else to remove, and the games on the system (SIERRA) do not appear to be using that much space.

I ran TreeSize again, and here are the changes from the 2nd run:

34,834.9 MB C:/
  26,878.0 MB Documents & Settings
  3,438.4 MB WINDOWS
    854.0 MB System32
  2,345.6 MB System Volume Information
  1,004.4 MB Program Files
    651.5 MB Sierra

Thank you!


Apparently, this is a hidden file that TreeSize picked up when it scanned, because I am unable to locate it when I do a search.

This appears to be the culprit using up so much space, just not sure how to get to it to delete it safely.

26,919.3 MB Documents & Settings
  26,686.9 MB Owner
    26,484.5 MB Application Data
      26,405.5 MB Yahoo!
        26,405.5 MB Companion
          26,405.5 MB Crash Logs
            26,405.4 MB ytdump-2010.6.1.1-1311743624.log

Thanks!


  • Staff

Uninstall both of these programs:

Yahoo! Install Manager

Yahoo! Software Update

Reboot.

If that file is still there, click Start --> Run, type in cmd.exe, and press Enter.

In the black box, enter this command:

del /a /f /q "C:\Documents and Settings\Owner\Application Data\Yahoo!\Companion\Crash Logs\ytdump-2010.6.1.1-1311743624.log"

Press Enter. Reboot and see if it's gone.


Ok, I was able to uninstall Yahoo! Install Manager & Yahoo! Software Update successfully (they are no longer showing up in the Control Panel)...

I ran TreeSize again and still see the file(s) there...

I tried running the command and keep getting a message that "the system cannot find the file specified"...

Admittedly, I am unsure if I am entering the command correctly (i.e. with & without the spaces shown, with & w/o capital letters). I have tried every variation I can think of and cannot get it to run :(

Would you please specify the most appropriate way to enter the command to get the computer to comply? :D

Thanks!


  • Staff

Please open Notepad. Copy and paste the following text (starting with @echo off) into the Notepad document.

Navigate to File --> Save As..., and save the file as del.bat (make sure the Save As Type is set to All Files).

Save it to your Desktop.

@echo off
rem /a includes hidden and system files, which plain del skips; pause keeps the window open so the result can be read
del /a /f /q "C:\Documents and Settings\Owner\Application Data\Yahoo!\Companion\Crash Logs\ytdump-2010.6.1.1-1311743624.log"
pause
exit

Now navigate to your Desktop, and double click del.bat

See if the file is gone.


It appears this did not work. I was able to save & run it from my desktop... a box quickly appeared & disappeared (running in the background?), but the file is still there. :(


  • Staff

Hi,

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad - don't use any other text editor than Notepad, or the script will fail.

Copy/paste the text in the box below into Notepad:

File::
C:\Documents and Settings\Owner\Application Data\Yahoo!\Companion\Crash Logs\ytdump-2010.6.1.1-1311743624.log

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new DDS log.

-screen317


Here are the ComboFix & DDS logs:

ComboFix 11-10-14.04 - Owner 10/14/2011 18:16:20.2.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.129 [GMT -4:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

.

FILE ::

"c:\documents and settings\Owner\Application Data\Yahoo!\Companion\Crash Logs\ytdump-2010.6.1.1-1311743624.log"

.

.

((((((((((((((((((((((((( Files Created from 2011-09-14 to 2011-10-14 )))))))))))))))))))))))))))))))

.

.

2011-10-14 22:07 . 2011-10-14 22:09 -------- d-----w- C:\32788R22FWJFW

2011-09-27 12:52 . 2011-09-27 12:52 -------- d-----w- c:\documents and settings\Owner\Application Data\JAM Software

2011-09-27 12:52 . 2011-09-27 12:52 -------- d-----w- c:\program files\JAM Software

2011-09-27 12:27 . 2011-09-27 12:27 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Trusteer

2011-09-25 23:00 . 2011-09-25 23:00 56336 ----a-w- c:\windows\system32\drivers\RapportKELL.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-08-31 21:00 . 2011-07-30 16:34 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

Cryptography Services Error !!

.

((((((((((((((((((((((((((((( SnapShot@2011-08-04_00.34.22 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-10-14 04:01 . 2011-10-14 04:01 16384 c:\windows\Temp\Perflib_Perfdata_448.dat

- 2003-03-31 12:00 . 2008-04-13 18:45 10368 c:\windows\system32\drivers\hidusb.sys

+ 2003-03-31 12:00 . 2008-04-13 17:45 10368 c:\windows\system32\drivers\hidusb.sys

- 2003-03-31 12:00 . 2008-04-13 18:45 24960 c:\windows\system32\drivers\hidparse.sys

+ 2003-03-31 12:00 . 2008-04-13 17:45 24960 c:\windows\system32\drivers\hidparse.sys

+ 2003-03-31 12:00 . 2008-04-13 17:45 36864 c:\windows\system32\drivers\hidclass.sys

- 2003-03-31 12:00 . 2008-04-13 18:45 36864 c:\windows\system32\drivers\hidclass.sys

+ 2011-04-13 13:37 . 2011-09-27 12:27 5430 c:\windows\Installer\{1DD81E7D-0D28-4CEB-87B2-C041A4FCB215}\RapportServiceStopShortcut.exe

- 2011-04-13 13:37 . 2011-07-06 03:41 5430 c:\windows\Installer\{1DD81E7D-0D28-4CEB-87B2-C041A4FCB215}\RapportServiceStopShortcut.exe

- 2011-04-13 13:37 . 2011-07-06 03:41 5430 c:\windows\Installer\{1DD81E7D-0D28-4CEB-87B2-C041A4FCB215}\RapportServiceStartShortcut.exe

+ 2011-04-13 13:37 . 2011-09-27 12:27 5430 c:\windows\Installer\{1DD81E7D-0D28-4CEB-87B2-C041A4FCB215}\RapportServiceStartShortcut.exe

+ 2011-04-13 13:37 . 2011-09-27 12:27 5430 c:\windows\Installer\{1DD81E7D-0D28-4CEB-87B2-C041A4FCB215}\RapportServiceConsoleShortcut.exe

- 2011-04-13 13:37 . 2011-07-06 03:41 5430 c:\windows\Installer\{1DD81E7D-0D28-4CEB-87B2-C041A4FCB215}\RapportServiceConsoleShortcut.exe

- 2011-07-30 16:29 . 2011-07-31 16:22 262144 c:\windows\system32\config\systemprofile\NtUser.dat

+ 2011-07-30 16:29 . 2011-09-27 13:23 262144 c:\windows\system32\config\systemprofile\NtUser.dat

+ 2011-09-27 12:27 . 2011-09-27 12:27 1398784 c:\windows\Installer\22722.msi

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d5f7c10d-2f86-4e99-90da-25f8b0400992}]

2011-05-09 09:49 176936 ----a-w- c:\program files\Mapit_1\prxtbMapi.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{d5f7c10d-2f86-4e99-90da-25f8b0400992}"= "c:\program files\Mapit_1\prxtbMapi.dll" [2011-05-09 176936]

.

[HKEY_CLASSES_ROOT\clsid\{d5f7c10d-2f86-4e99-90da-25f8b0400992}]

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{D5F7C10D-2F86-4E99-90DA-25F8B0400992}"= "c:\program files\Mapit_1\prxtbMapi.dll" [2011-05-09 176936]

.

[HKEY_CLASSES_ROOT\clsid\{d5f7c10d-2f86-4e99-90da-25f8b0400992}]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2010-06-04 822384]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-22 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"lxcgmon.exe"="c:\program files\Lexmark 2300 Series\lxcgmon.exe" [2005-07-21 200704]

"EzPrint"="c:\program files\Lexmark 2300 Series\ezprint.exe" [2005-08-01 94208]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"LXCGCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2005-07-20 73728]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Belkin Wireless USB Utility.lnk - c:\program files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe [2005-10-28 1404928]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

.

R3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [2009-12-18 11336]

R3 ZD1211BU(SMC);802.11g Wireless USB2.0 Adapter Driver(SMC);c:\windows\system32\DRIVERS\zd1211Bu.sys [2006-08-24 477696]

S0 RapportKELL;RapportKELL;c:\windows\System32\Drivers\RapportKELL.sys [2011-09-25 56336]

S1 RapportCerberus_29574;RapportCerberus_29574;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\29574\RapportCerberus32_29574.sys [2011-08-08 216912]

S1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [2011-09-25 70416]

S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2011-09-25 161936]

S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2011-09-25 919352]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]

2009-03-08 08:32 128512 ----a-w- c:\windows\system32\advpack.dll

.

Contents of the 'Scheduled Tasks' folder

.

2011-10-06 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/?fr=fptb-att

uInternet Settings,ProxyOverride = *.local

uSearchAssistant =

TCP: DhcpNameServer = 192.168.2.1

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-10-14 18:28

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

LXCGCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(1840)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2011-10-14 18:35:25

ComboFix-quarantined-files.txt 2011-10-14 22:35

ComboFix2.txt 2011-08-04 00:40

.

Pre-Run: 2,609,958,912 bytes free

Post-Run: 2,663,481,344 bytes free

.

- - End Of File - - 865D4FF0C191A25A984F5142C5E5BF9D

**********************************************************************************

.

DDS (Ver_2011-06-23.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Owner at 18:44:59 on 2011-10-14

.

============== Running Processes ===============

.

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\Lexmark 2300 Series\lxcgmon.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\WINDOWS\system32\lxcgcoms.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Owner\Desktop\dds.scr

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

C:\WINDOWS\system32\svchost.exe -k rpcss

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\System32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\System32\svchost.exe -k LocalService

C:\WINDOWS\System32\svchost.exe -k imgsvc

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.yahoo.com/?fr=fptb-att

uInternet Settings,ProxyOverride = *.local

uSearchAssistant =

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: WormRadar.com IESiteBlocker.NavFilter: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - AVG Safe Search

BHO: Mapit 1 Toolbar: {d5f7c10d-2f86-4e99-90da-25f8b0400992} - c:\program files\mapit_1\prxtbMapi.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll

TB: att.net Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

TB: Mapit 1 Toolbar: {d5f7c10d-2f86-4e99-90da-25f8b0400992} - c:\program files\mapit_1\prxtbMapi.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [lxcgmon.exe] "c:\program files\lexmark 2300 series\lxcgmon.exe"

mRun: [EzPrint] "c:\program files\lexmark 2300 series\ezprint.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [LXCGCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCGtime.dll,_RunDLLEntry@16

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1270249044166

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab

DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab

DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.1.66.0.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 192.168.2.1

TCP: Interfaces\{05E83518-DBD2-48E8-8FAE-1C2AB1E9B618} : DhcpNameServer = 192.168.2.1

TCP: Interfaces\{E22594C9-FADE-40A1-BB1E-2232D4FDE047} : DhcpNameServer = 192.168.1.254

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Notify: igfxcui - igfxsrvc.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

.

============= SERVICES / DRIVERS ===============

.

R? cpudrv;cpudrv

R? ZD1211BU(SMC);802.11g Wireless USB2.0 Adapter Driver(SMC)

S? RapportCerberus_29574;RapportCerberus_29574

S? RapportEI;RapportEI

S? RapportKELL;RapportKELL

S? RapportMgmtService;Rapport Management Service

S? RapportPG;RapportPG

.

=============== Created Last 30 ================

.

2011-10-14 22:09:07 -------- d-----w- C:\ComboFix

2011-09-27 12:52:46 -------- d-----w- c:\documents and settings\owner\application data\JAM Software

2011-09-27 12:52:20 -------- d-----w- c:\program files\JAM Software

2011-09-25 23:00:08 56336 ----a-w- c:\windows\system32\drivers\RapportKELL.sys

.

==================== Find3M ====================

.

2011-08-31 21:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

.

============= FINISH: 18:46:33.46 ===============

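The "Reg Loading Points" and "Pseudo HJT Report" sections of the logs above are where a helper looks first: Security Center overrides, firewall exceptions, autorun entries and browser add-ons. The Python below is an added example, not part of this thread and not a ComboFix or DDS feature: it parses those two line formats from text copied out of the logs and lists the entries worth a second look, with sample input constructed from the lines quoted above; the severity labels and the override values it checks are this example's own choices.

```python
"""Triage the ComboFix 'Reg Loading Points' section and DDS 'Pseudo HJT Report'
lines quoted in this thread. Added example: not part of the forum posts and not a
ComboFix or DDS feature; severity labels and override list are this example's."""
import re
from dataclasses import dataclass

# Security Center override values; dword:00000001 silences the "no antivirus /
# firewall / updates" alert. Some AV installers set it, so it is a "review" item.
SECURITY_CENTER_OVERRIDES = {"antivirusoverride", "firewalloverride", "updatesoverride"}

REG_LINE = re.compile(r'^"([^"]*)"=(.*)$')                  # "name"=value, value may be empty
DDS_LINE = re.compile(r'^(BHO|TB|EB|uRun|mRun|DPF|IE):\s*(.*)$')


@dataclass(frozen=True)
class Finding:
    level: str    # "review": decide whether it belongs; "info": context only
    source: str   # registry key or DDS line type the finding came from
    detail: str


def parse_regedit_sections(text):
    """Yield (key, name, value) from REGEDIT4-style text: ComboFix prints a
    bracketed key followed by "name"=value lines and uses a lone '.' as a
    separator; lines outside any key block are ignored."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = REG_LINE.match(line)
        if m and key is not None:
            yield key, m.group(1), m.group(2).strip()


def triage_combofix(text):
    """Findings from ComboFix's 'Reg Loading Points' section."""
    findings = []
    for key, name, value in parse_regedit_sections(text):
        low_key = key.lower()
        if low_key.endswith("security center"):
            if name.lower() in SECURITY_CENTER_OVERRIDES and value.lower() == "dword:00000001":
                findings.append(Finding("review", key, f"{name} set: Security Center alert suppressed"))
        elif "authorizedapplications" in low_key:
            # REGEDIT4 doubles backslashes; undo that for readability.
            findings.append(Finding("info", key, "firewall exception: " + name.replace("\\\\", "\\")))
        elif low_key.endswith("\\currentversion\\run"):
            m = re.match(r'"([^"]*)"', value)
            target = m.group(1) if m else value
            # A Run value whose file is a DLL is loaded through rundll32. On the machine in
            # this thread it is the Lexmark printer DLL, so this says "look", not "malware".
            if target.lower().endswith(".dll"):
                findings.append(Finding("review", key, f"{name} autoruns a DLL: {target}"))
    return findings


def triage_dds(text):
    """Findings from DDS 'Pseudo HJT Report' lines."""
    findings = []
    for raw in text.splitlines():
        m = DDS_LINE.match(raw.strip())
        if not m:
            continue
        kind, rest = m.groups()
        if rest.endswith("No File"):
            # CLSID still registered but its DLL is gone: an orphan left behind by an
            # uninstall (here the Yahoo! toolbar), harmless but worth cleaning up.
            findings.append(Finding("info", kind, "orphaned entry: " + rest))
        elif kind in ("uRun", "mRun") and "rundll32" in rest.lower():
            findings.append(Finding("review", kind, "autorun via rundll32: " + rest))
    return findings


# Constructed sample input, copied from the logs quoted in this thread.
SAMPLE_COMBOFIX = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-22 155648]
"LXCGCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2005-07-20 73728]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"""

SAMPLE_DDS = r"""
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [igfxTray] c:\windows\system32\igfxtray.exe
mRun: [LXCGCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCGtime.dll,_RunDLLEntry@16
"""
```

On this machine the flagged Run entry is the Lexmark printer driver DLL, which is why the output is labelled "review" rather than treated as a detection.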

  • Staff

Hi,

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad - don't use any other text editor than Notepad, or the script will fail.

Copy/paste the text in the box below into Notepad:

DirLooK::
c:\documents and settings\Owner\Application Data\Yahoo!\Companion\Crash Logs

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new DDS log.

-screen317


The file is still showing that it's there.

Included below are the latest ComboFix & DDS logs you requested.

*Note: A couple of things that may be of interest...

#1) It took me a bit to notice this, but I kept coming back to the computer and finding that it had turned itself on. The other day I happened to step into the room around midnight and found the computer booting up on its own. Not sure what was up, I turned the computer off and unplugged it from the internet. I would still find it had booted itself up/on, but not as frequently.

#2) When I ran ComboFix and attempted to save the log, I somehow misplaced it and had to search the computer for it, and happened to find something in my search. I came across a file with several entries that seemed to create files throughout the day, mostly in the early morning hours (3am, etc.): C:\WINDOWS\PCHealth\HelpCtr\DataColl. I did an internet search and it appears to be malware. Not sure if this is related to the additional issue above, but thought I should mention it.

Combofix & DDS logs below:

ComboFix 11-10-24.02 - Owner 10/24/2011 10:26:41.3.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.124 [GMT -4:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

.

.

((((((((((((((((((((((((( Files Created from 2011-09-24 to 2011-10-24 )))))))))))))))))))))))))))))))

.

.

2011-09-27 12:52 . 2011-09-27 12:52 -------- d-----w- c:\documents and settings\Owner\Application Data\JAM Software

2011-09-27 12:52 . 2011-09-27 12:52 -------- d-----w- c:\program files\JAM Software

2011-09-27 12:27 . 2011-09-27 12:27 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Trusteer

2011-09-25 23:00 . 2011-09-25 23:00 56336 ----a-w- c:\windows\system32\drivers\RapportKELL.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-08-31 21:00 . 2011-07-30 16:34 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

.

.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

---- Directory of c:\documents and settings\Owner\Application Data\Yahoo!\Companion\Crash Logs ----

.

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

Cryptography Services Error !!

.

((((((((((((((((((((((((((((( SnapShot@2011-08-04_00.34.22 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-10-22 04:01 . 2011-10-22 04:01 16384 c:\windows\Temp\Perflib_Perfdata_614.dat

- 2003-03-31 12:00 . 2008-04-13 18:45 10368 c:\windows\system32\drivers\hidusb.sys

+ 2003-03-31 12:00 . 2008-04-13 17:45 10368 c:\windows\system32\drivers\hidusb.sys

- 2003-03-31 12:00 . 2008-04-13 18:45 24960 c:\windows\system32\drivers\hidparse.sys

+ 2003-03-31 12:00 . 2008-04-13 17:45 24960 c:\windows\system32\drivers\hidparse.sys

+ 2003-03-31 12:00 . 2008-04-13 17:45 36864 c:\windows\system32\drivers\hidclass.sys

- 2003-03-31 12:00 . 2008-04-13 18:45 36864 c:\windows\system32\drivers\hidclass.sys

+ 2011-04-13 13:37 . 2011-09-27 12:27 5430 c:\windows\Installer\{1DD81E7D-0D28-4CEB-87B2-C041A4FCB215}\RapportServiceStopShortcut.exe

- 2011-04-13 13:37 . 2011-07-06 03:41 5430 c:\windows\Installer\{1DD81E7D-0D28-4CEB-87B2-C041A4FCB215}\RapportServiceStopShortcut.exe

- 2011-04-13 13:37 . 2011-07-06 03:41 5430 c:\windows\Installer\{1DD81E7D-0D28-4CEB-87B2-C041A4FCB215}\RapportServiceStartShortcut.exe

+ 2011-04-13 13:37 . 2011-09-27 12:27 5430 c:\windows\Installer\{1DD81E7D-0D28-4CEB-87B2-C041A4FCB215}\RapportServiceStartShortcut.exe

+ 2011-04-13 13:37 . 2011-09-27 12:27 5430 c:\windows\Installer\{1DD81E7D-0D28-4CEB-87B2-C041A4FCB215}\RapportServiceConsoleShortcut.exe

- 2011-04-13 13:37 . 2011-07-06 03:41 5430 c:\windows\Installer\{1DD81E7D-0D28-4CEB-87B2-C041A4FCB215}\RapportServiceConsoleShortcut.exe

- 2011-07-30 16:29 . 2011-07-31 16:22 262144 c:\windows\system32\config\systemprofile\NtUser.dat

+ 2011-07-30 16:29 . 2011-09-27 13:23 262144 c:\windows\system32\config\systemprofile\NtUser.dat

+ 2011-09-27 12:27 . 2011-09-27 12:27 1398784 c:\windows\Installer\22722.msi

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2010-06-04 822384]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-22 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"lxcgmon.exe"="c:\program files\Lexmark 2300 Series\lxcgmon.exe" [2005-07-21 200704]

"EzPrint"="c:\program files\Lexmark 2300 Series\ezprint.exe" [2005-08-01 94208]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"LXCGCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2005-07-20 73728]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Belkin Wireless USB Utility.lnk - c:\program files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe [2005-10-28 1404928]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

.

R3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [2009-12-18 11336]

R3 ZD1211BU(SMC);802.11g Wireless USB2.0 Adapter Driver(SMC);c:\windows\system32\DRIVERS\zd1211Bu.sys [2006-08-24 477696]

S0 RapportKELL;RapportKELL;c:\windows\System32\Drivers\RapportKELL.sys [2011-09-25 56336]

S1 RapportCerberus_32029;RapportCerberus_32029;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\32029\RapportCerberus32_32029.sys [2011-10-18 227312]

S1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [2011-09-25 70416]

S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2011-09-25 161936]

S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2011-09-25 919352]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]

2009-03-08 08:32 128512 ----a-w- c:\windows\system32\advpack.dll

.

Contents of the 'Scheduled Tasks' folder

.

2011-10-20 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/?fr=fptb-att

uInternet Settings,ProxyOverride = *.local

uSearchAssistant =

TCP: DhcpNameServer = 192.168.2.1

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-10-24 10:38

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

LXCGCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(3720)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2011-10-24 10:45:26

ComboFix-quarantined-files.txt 2011-10-24 14:45

ComboFix2.txt 2011-10-14 22:35

ComboFix3.txt 2011-08-04 00:40

.

Pre-Run: 3,184,001,024 bytes free

Post-Run: 3,186,126,848 bytes free

.

- - End Of File - - B27FB8C28849786EEAD6AF4E3481496D

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

.

DDS (Ver_2011-06-23.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Owner at 22:07:52 on 2011-10-24

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.30 [GMT -4:00]

.

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\Lexmark 2300 Series\lxcgmon.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe

C:\WINDOWS\system32\lxcgcoms.exe

C:\Program Files\Trusteer\Rapport\bin\RapportService.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\NOTEPAD.EXE

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.yahoo.com/?fr=fptb-att

uInternet Settings,ProxyOverride = *.local

uSearchAssistant =

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: WormRadar.com IESiteBlocker.NavFilter: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - AVG Safe Search

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [lxcgmon.exe] "c:\program files\lexmark 2300 series\lxcgmon.exe"

mRun: [EzPrint] "c:\program files\lexmark 2300 series\ezprint.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [LXCGCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCGtime.dll,_RunDLLEntry@16

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\belkin~1.lnk - c:\program files\belkin\usb f5d7050\wireless utility\Belkinwcui.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1270249044166

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab

DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab

DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.1.66.0.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: Interfaces\{E22594C9-FADE-40A1-BB1E-2232D4FDE047} : DhcpNameServer = 192.168.1.254

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Notify: igfxcui - igfxsrvc.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

.

============= SERVICES / DRIVERS ===============

.

R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2011-9-25 56336]

R1 RapportCerberus_32029;RapportCerberus_32029;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\32029\RapportCerberus32_32029.sys [2011-10-18 227312]

R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2011-9-25 70416]

R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2011-9-25 161936]

R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2011-9-25 919352]

S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]

S3 ZD1211BU(SMC);802.11g Wireless USB2.0 Adapter Driver(SMC);c:\windows\system32\drivers\ZD1211BU.sys [2005-8-17 477696]

.

=============== Created Last 30 ================

.

2011-09-27 12:52:46 -------- d-----w- c:\documents and settings\owner\application data\JAM Software

2011-09-27 12:52:20 -------- d-----w- c:\program files\JAM Software

2011-09-25 23:00:08 56336 ----a-w- c:\windows\system32\drivers\RapportKELL.sys

.

==================== Find3M ====================

.

2011-08-31 21:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

.

============= FINISH: 22:09:07.90 ===============


  • Staff

Hi,

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the box below into Notepad:

Folder::
C:\Documents and Settings\Owner\Application Data\Yahoo!

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScriptB-4.gif, dragging CFScript onto ComboFix.exe]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new DDS log.

-screen317


Here are the latest ComboFix & DDS logs...TreeSize is taking longer than usual to run...will let you know the results once it has finished running.

Thank you!!!

ComboFix 11-11-06.02 - Owner 11/06/2011 21:31:23.4.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.79 [GMT -5:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\All Users\Application Data\TEMP

c:\documents and settings\Owner\Application Data\Yahoo!

c:\documents and settings\Owner\Application Data\Yahoo!\Companion\CrashLogs\ytdump-2010.6.1.1-1311698106.dmp

c:\documents and settings\Owner\Application Data\Yahoo!\Companion\CrashLogs\ytdump-2010.6.1.1-1311698106.log

c:\documents and settings\Owner\Application Data\Yahoo!\Companion\CrashLogs\ytdump-2010.6.1.1-1311698116.dmp

c:\documents and settings\Owner\Application Data\Yahoo!\Companion\CrashLogs\ytdump-2010.6.1.1-1311698116.log

c:\documents and settings\Owner\Application Data\Yahoo!\Companion\CrashLogs\ytdump-2010.6.1.1-1311743624.log

c:\documents and settings\Owner\Application Data\Yahoo!\Companion\inq_data.inq

c:\documents and settings\Owner\Application Data\Yahoo!\Companion\inq_settings.xml

c:\documents and settings\Owner\Application Data\Yahoo!\Companion\resources.inq

.

.

((((((((((((((((((((((((( Files Created from 2011-10-07 to 2011-11-07 )))))))))))))))))))))))))))))))

.

.

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-09-25 23:00 . 2011-09-25 23:00 56336 ----a-w- c:\windows\system32\drivers\RapportKELL.sys

2011-08-31 21:00 . 2011-07-30 16:34 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

Cryptography Services Error !!

.

((((((((((((((((((((((((((((( SnapShot@2011-08-04_00.34.22 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-11-07 02:07 . 2011-11-07 02:07 16384 c:\windows\Temp\Perflib_Perfdata_9c.dat

- 2003-03-31 12:00 . 2011-06-19 19:00 67312 c:\windows\system32\perfc009.dat

+ 2003-03-31 12:00 . 2011-11-07 02:14 67312 c:\windows\system32\perfc009.dat

+ 2003-03-31 12:00 . 2008-04-13 17:45 10368 c:\windows\system32\drivers\hidusb.sys

- 2003-03-31 12:00 . 2008-04-13 18:45 10368 c:\windows\system32\drivers\hidusb.sys

- 2003-03-31 12:00 . 2008-04-13 18:45 24960 c:\windows\system32\drivers\hidparse.sys

+ 2003-03-31 12:00 . 2008-04-13 17:45 24960 c:\windows\system32\drivers\hidparse.sys

+ 2003-03-31 12:00 . 2008-04-13 17:45 36864 c:\windows\system32\drivers\hidclass.sys

- 2003-03-31 12:00 . 2008-04-13 18:45 36864 c:\windows\system32\drivers\hidclass.sys

- 2011-04-13 13:37 . 2011-07-06 03:41 5430 c:\windows\Installer\{1DD81E7D-0D28-4CEB-87B2-C041A4FCB215}\RapportServiceStopShortcut.exe

+ 2011-04-13 13:37 . 2011-09-27 12:27 5430 c:\windows\Installer\{1DD81E7D-0D28-4CEB-87B2-C041A4FCB215}\RapportServiceStopShortcut.exe

- 2011-04-13 13:37 . 2011-07-06 03:41 5430 c:\windows\Installer\{1DD81E7D-0D28-4CEB-87B2-C041A4FCB215}\RapportServiceStartShortcut.exe

+ 2011-04-13 13:37 . 2011-09-27 12:27 5430 c:\windows\Installer\{1DD81E7D-0D28-4CEB-87B2-C041A4FCB215}\RapportServiceStartShortcut.exe

- 2011-04-13 13:37 . 2011-07-06 03:41 5430 c:\windows\Installer\{1DD81E7D-0D28-4CEB-87B2-C041A4FCB215}\RapportServiceConsoleShortcut.exe

+ 2011-04-13 13:37 . 2011-09-27 12:27 5430 c:\windows\Installer\{1DD81E7D-0D28-4CEB-87B2-C041A4FCB215}\RapportServiceConsoleShortcut.exe

- 2003-03-31 12:00 . 2011-06-19 19:00 432356 c:\windows\system32\perfh009.dat

+ 2003-03-31 12:00 . 2011-11-07 02:14 432356 c:\windows\system32\perfh009.dat

+ 2011-07-30 16:29 . 2011-09-27 13:23 262144 c:\windows\system32\config\systemprofile\NtUser.dat

- 2011-07-30 16:29 . 2011-07-31 16:22 262144 c:\windows\system32\config\systemprofile\NtUser.dat

+ 2011-09-27 12:27 . 2011-09-27 12:27 1398784 c:\windows\Installer\22722.msi

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2010-06-04 822384]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-22 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"lxcgmon.exe"="c:\program files\Lexmark 2300 Series\lxcgmon.exe" [2005-07-21 200704]

"EzPrint"="c:\program files\Lexmark 2300 Series\ezprint.exe" [2005-08-01 94208]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"LXCGCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2005-07-20 73728]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Belkin Wireless USB Utility.lnk - c:\program files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe [2005-10-28 1404928]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

.

R3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [2009-12-18 11336]

R3 ZD1211BU(SMC);802.11g Wireless USB2.0 Adapter Driver(SMC);c:\windows\system32\DRIVERS\zd1211Bu.sys [2006-08-24 477696]

S0 RapportKELL;RapportKELL;c:\windows\System32\Drivers\RapportKELL.sys [2011-09-25 56336]

S1 RapportCerberus_32029;RapportCerberus_32029;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\32029\RapportCerberus32_32029.sys [2011-10-18 227312]

S1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [2011-09-25 70416]

S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2011-09-25 161936]

S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2011-09-25 919352]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]

2009-03-08 08:32 128512 ----a-w- c:\windows\system32\advpack.dll

.

Contents of the 'Scheduled Tasks' folder

.

2011-10-27 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/?fr=fptb-att

uInternet Settings,ProxyOverride = *.local

uSearchAssistant =

TCP: DhcpNameServer = 192.168.2.1

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-11-06 21:43

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

LXCGCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

Completion time: 2011-11-06 21:49:58

ComboFix-quarantined-files.txt 2011-11-07 02:49

ComboFix2.txt 2011-10-24 14:45

ComboFix3.txt 2011-10-14 22:35

ComboFix4.txt 2011-08-04 00:40

.

Pre-Run: 2,761,584,640 bytes free

Post-Run: 2,761,228,288 bytes free

.

- - End Of File - - 1156884AB16E664866027D31E836DEB6

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.

DDS (Ver_2011-06-23.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Owner at 21:50:53 on 2011-11-06

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.51 [GMT -5:00]

.

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\Lexmark 2300 Series\lxcgmon.exe

svchost.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\WINDOWS\system32\lxcgcoms.exe

C:\Program Files\Trusteer\Rapport\bin\RapportService.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\explorer.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.yahoo.com/?fr=fptb-att

uInternet Settings,ProxyOverride = *.local

uSearchAssistant =

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: WormRadar.com IESiteBlocker.NavFilter: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - AVG Safe Search

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [lxcgmon.exe] "c:\program files\lexmark 2300 series\lxcgmon.exe"

mRun: [EzPrint] "c:\program files\lexmark 2300 series\ezprint.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [LXCGCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCGtime.dll,_RunDLLEntry@16

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\belkin~1.lnk - c:\program files\belkin\usb f5d7050\wireless utility\Belkinwcui.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1270249044166

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab

DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab

DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.1.66.0.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 192.168.2.1

TCP: Interfaces\{05E83518-DBD2-48E8-8FAE-1C2AB1E9B618} : DhcpNameServer = 192.168.2.1

TCP: Interfaces\{E22594C9-FADE-40A1-BB1E-2232D4FDE047} : DhcpNameServer = 192.168.1.254

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Notify: igfxcui - igfxsrvc.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

.

============= SERVICES / DRIVERS ===============

.

R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2011-9-25 56336]

R1 RapportCerberus_32029;RapportCerberus_32029;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\32029\RapportCerberus32_32029.sys [2011-10-18 227312]

R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2011-9-25 70416]

R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2011-9-25 161936]

R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2011-9-25 919352]

S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]

S3 ZD1211BU(SMC);802.11g Wireless USB2.0 Adapter Driver(SMC);c:\windows\system32\drivers\ZD1211BU.sys [2005-8-17 477696]

.

=============== Created Last 30 ================

.

.

==================== Find3M ====================

.

2011-09-25 23:00:08 56336 ----a-w- c:\windows\system32\drivers\RapportKELL.sys

2011-08-31 21:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

.

============= FINISH: 21:51:50.25 ===============

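The DDS "Pseudo HJT Report" and the ComboFix "Reg Loading Points" sections in the logs above are what the helper reads by hand: Run keys, BHOs, ActiveX (DPF) download sources and the Security Center values. The ComboFix log also records "AntiVirusOverride"=dword:00000001 under the Security Center key, which means Windows XP's Security Center has been told not to monitor antivirus status. The script below is an added example, not part of this thread and not code from the DDS or ComboFix tools. It parses a constructed excerpt of those line formats and flags the things an analyst checks first: a BHO whose DLL is gone ("No File"), a Run entry that loads a DLL through rundll32 (the Lexmark printer entry here; it is flagged for verification, not called malicious), a DPF control fetched from a host outside a small allowlist of vendor hosts (the allowlist is an assumption for the example), and the Security Center override.

```python
"""Triage helper for DDS / ComboFix autostart dumps (added example, not from the thread)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed excerpt of the DDS "Pseudo HJT Report" and ComboFix "Reg Loading
# Points" line formats seen in this thread; sample input for the example only.
SAMPLE_LOG = r'''
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
mRun: [LXCGCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCGtime.dll,_RunDLLEntry@16
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.1.66.0.cab
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
'''

# Vendor hosts the DPF entries in this thread point at. Assumption for the
# example: anything not listed here gets a second look.
TRUSTED_DPF_HOSTS = {
    "java.sun.com", "update.microsoft.com", "download.macromedia.com",
    "fpdownload2.macromedia.com", "platformdl.adobe.com",
}

RUN_RE = re.compile(r'^(?P<hive>[um])Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
BHO_RE = re.compile(r'^BHO: (?:(?P<desc>.*?): )?\{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<target>.+)$')
DPF_RE = re.compile(r'^DPF: \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<url>hxxps?://\S+)$')
KEY_RE = re.compile(r'^\[(?P<key>HK[^\]]+)\]$')            # REGEDIT4-style key header
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9a-fA-F]{8})$')


@dataclass
class Finding:
    kind: str
    line: str
    note: str


def dpf_host(url: str) -> str:
    """DDS defangs URLs as hxxp://; drop the scheme and return the host part."""
    return url.split("://", 1)[1].split("/", 1)[0].lower()


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    current_key = ""                      # most recent [HKEY...] header seen
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key").lower()
            continue
        m = VAL_RE.match(line)
        if m:
            # AntiVirusOverride=1 silences Security Center's AV monitoring.
            if (current_key.endswith("security center")
                    and m.group("name").lower() == "antivirusoverride"
                    and int(m.group("val"), 16) == 1):
                findings.append(Finding("security_center_override", line,
                                        "Security Center told not to monitor antivirus status"))
            continue
        m = BHO_RE.match(line)
        if m:
            # A registered BHO whose DLL no longer exists: leftover of a removed
            # toolbar or of a cleanup; harmless now, but the CLSID should be deleted.
            if m.group("target").strip().lower() == "no file":
                findings.append(Finding("orphaned_bho", line,
                                        f"BHO {m.group('clsid')} registered but its DLL is missing"))
            continue
        m = RUN_RE.match(line)
        if m:
            # rundll32 autostarts are a common persistence shape; verify the DLL.
            if m.group("cmd").lower().startswith("rundll32"):
                findings.append(Finding("rundll32_autostart", line,
                                        f"Run entry '{m.group('name')}' loads a DLL through rundll32; "
                                        "verify the DLL's publisher"))
            continue
        m = DPF_RE.match(line)
        if m:
            host = dpf_host(m.group("url"))
            if host not in TRUSTED_DPF_HOSTS:
                findings.append(Finding("dpf_untrusted_host", line,
                                        f"ActiveX control fetched from {host}"))
            continue
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.note}\n    {f.line}")
```

Run it against a pasted DDS/ComboFix log and it returns one Finding per item worth a look; everything else (the Adobe BHO, the DW6 Run entry, the java.sun.com DPF) passes silently. The checks are deliberately conservative: a rundll32 Run entry or an off-vendor DPF host is something to verify, not a verdict.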

  • Staff

Great!

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall

This uninstalls all of ComboFix's components.

Download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


This topic is now closed to further replies.