Full Version: possible virus (facebook)-- internet connection very slow, please help
screaminjoe
Hello all,

Here is my problem:
I clicked on a Facebook link (stupid, yes, I know, I was tricked into it),
and since then, my internet connection has been extremely slow.
There is definitely a problem somewhere, and I assume it is probably due to this Facebook link.

I am running Windows XP Pro, SP3, with Firefox 3.0.3 and ZoneAlarm free version.
All Windows security patches for Windows XP are currently up to date.

I have followed all the guidelines here and have tried everything I can do before posting.
I am using BitDefender antivirus, and definitions were updated -- the scan showed no problems.
I have cleaned out everything using CCleaner, my drives are all defragmented, and I have tried Spybot Search & Destroy, SpyEraser, and scanned with McAfee Stinger with no luck.
Update: also tried Kaspersky's online virus scanner = nothing.

I am no expert, but usually can handle most problems myself, until now.

Thanks very much in advance-- any help is greatly appreciated.
joseph
nod32fen
Scan with Malwarebytes' Anti-Malware:

QUOTE
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Then submit an ESET SysInspector log file, so we can see what the situation is.

QUOTE
Download ESET SysInspector
http://www.eset.com/download/sysinspector.php

- Start the program by running SysInspector.exe
The program will collect information about the situation on your machine.
- When the inspector is ready and the log file has been generated, select File > Save Log
- Confirm your choice

Choose to save the file somewhere, then upload it to http://4storing.com/ (when you open the page, click on the Great Britain flag to open the page in English) and give me the link.
screaminjoe
Hi nod32fen,

Thanks very much for your response.
Here is the log file from malwarebytes quick scan:
---

Malwarebytes' Anti-Malware 1.30
Database version: 1335
Windows 5.1.2600 Service Pack 3

29.10.2008 16:41:54
mbam-log-2008-10-29 (16-41-54).txt

Scan type: Quick Scan
Objects scanned: 50247
Time elapsed: 5 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

---

then the ESET SYSinspector logs link is here:

http://4storing.com/pjmd7/3bc9e73ccdaa04b9...92b8a5472b.html

thank you again,
joseph
nod32fen
Log in to Safe Mode and replace the original hosts file:
http://4storing.com/c556w/84f68dcf58c40349...3914e1d08b.html

with yours. Copy the hosts file and paste it into:
C:\WINDOWS\System32\drivers\etc\
screaminjoe
Hello nod32fen,

I went to the link you supplied and was not able to download anything:
The message, in Bulgarian, was:

The file is temporarily unavailable.
Please try again later.

thanks.
xblindx
Please perform a Full Scan with Malwarebytes and post the log in your next reply.
screaminjoe
Hello xblindx,
Thanks for your help.
Here are the results. Nothing was found.


Malwarebytes' Anti-Malware 1.30
Database version: 1340
Windows 5.1.2600 Service Pack 3

30.10.2008 17:54:44
mbam-log-2008-10-30 (17-54-44).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 316711
Time elapsed: 2 hour(s), 43 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
xblindx
Hmm..... are you still experiencing issues with your computer?
screaminjoe
Yes, still the same problems.
And I am positive something is wrong, due to the slow internet connection.
Loading normal pages is taking ten times longer than it normally does.
thanks.
harrythook
Hey screaminjoe, sorry for the delay here. There have been a few changes in the lineup, and I'll help you from here.
Do me a favor and restate the problems as of today. I think that we might move this topic to another area if you still need help.

Sorry for the confusion, and the delays.
Harry
screaminjoe
Hi Harry,
Thanks for your reply.
I am still having a problem and still believe that it is a virus affecting my computer, even though all scans I have run thus far haven't found much.
Thanks very much for your help.
All info is below as it stands now.

Ever since clicking on a Facebook link (which I was tricked into clicking on) my internet connection has been extremely slow.
I have a high-speed internet connection, but now all internet pages take very long to load.
Spybot S&D and Ad-Aware haven't found anything. Malwarebytes' Anti-Malware 1.30 found nothing.

SUPERAntiSpyware found the problems listed below, but now scans clean, even though the problem still exists.

Unclassified.Unknown Origin/System
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9CD5FEA2-0030-4966-A205-AA651F5168F1}\RP827\A0265565.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9CD5FEA2-0030-4966-A205-AA651F5168F1}\RP827\A0265566.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9CD5FEA2-0030-4966-A205-AA651F5168F1}\RP827\A0265567.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9CD5FEA2-0030-4966-A205-AA651F5168F1}\RP827\A0265568.EXE
C:\WINDOWS\SYSTEM32\REINSTALLBACKUPS\0020\DRIVERFILES\SW20.EXE
C:\WINDOWS\SYSTEM32\REINSTALLBACKUPS\0020\DRIVERFILES\SW24.EXE
C:\WINDOWS\SYSTEM32\SW20.EXE
C:\WINDOWS\SYSTEM32\SW24.EXE

Uniblue's SpyEraser found the following malware problems:
Infected registry keys/values detected
hkey_local_machine\software\microsoft\windows\currentversion\internet settings\zonemap\domains\blazefind.com\
hkey_local_machine\software\microsoft\windows\currentversion\internet settings\zonemap\domains\clickspring.net\
hkey_local_machine\software\microsoft\windows\currentversion\internet settings\zonemap\domains\mt-download.com\
hkey_local_machine\software\microsoft\windows\currentversion\internet settings\zonemap\domains\searchmiracle.com\
hkey_local_machine\software\microsoft\windows\currentversion\internet settings\zonemap\domains\slotch.com\
hkey_local_machine\software\microsoft\windows\currentversion\internet settings\zonemap\domains\xxxtoolbar.com\
hkey_local_machine\software\microsoft\windows\currentversion\internet settings\zonemap\ranges\range1\:range\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\05p.com\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\1987324.com\www\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\awmdabest.com\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\blazefind.com\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\clickspring.net\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\crazywinnings.com\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\elitemediagroup.net\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\flingstone.com\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\master69.biz\www\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\media-motor.net\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\mt-download.com\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\neededware.com\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\scoobidoo.com\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\searchbarcash.com\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\searchmiracle.com\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\sgrunt.biz\www\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\skoobidoo.com\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\slotch.com\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\slotchbar.com\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\topconverting.com\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\windupdates.com\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\xxxtoolbar.com\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\ysbweb.com\
hkey_local_machine\software\microsoft\windows\currentversion\internet settings\zonemap\domains\awmdabest.com\
hkey_local_machine\software\microsoft\windows\currentversion\internet settings\zonemap\domains\crazywinnings.com\
hkey_local_machine\software\microsoft\windows\currentversion\internet settings\zonemap\domains\scoobidoo.com\
hkey_local_machine\software\microsoft\windows\currentversion\internet settings\zonemap\domains\skoobidoo.com\
hkey_local_machine\software\microsoft\windows\currentversion\internet settings\zonemap\domains\slotchbar.com\
hkey_local_machine\software\microsoft\windows\currentversion\internet settings\zonemap\domains\topconverting.com\
hkey_local_machine\software\microsoft\windows\currentversion\internet settings\zonemap\domains\windupdates.com\
hkey_local_machine\software\microsoft\windows\currentversion\internet settings\zonemap\domains\ysbweb.com\
harrythook
Ok screaminjoe,
I am having this moved to another section of the forum.
Follow these instructions:
Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
screaminjoe
Hi Harry,
Thanks again for your help.
Yes, as you will notice, this isn't the first time I have run combofix. You can probably make more light of this than I have been able to. If there is anything else from previous scans that you need please let me know. I hope this doesn't make things harder for you.

I am also including the quarantined text file log from previous runs here:
1996-01-11 22:00:00 A------- 24,576 C:\Qoobox\Quarantine\C\WINDOWS\system32\REGSVR32.DLL.vir
2008-10-28 15:20:13 A------- 702 C:\Qoobox\Quarantine\catchme.log
2008-10-28 16:23:38 A------- 5,826 C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2008-10-28 16:25:23 A------- 2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-CFSServ.exe.reg.dat
2008-10-28 16:25:23 A------- 2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-NDSTray.exe.reg.dat
2008-10-28 16:25:23 A------- 2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-TFncKy.reg.dat
----


ComboFix 08-11-03.06 - joe 2008-11-04 16:01:44.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1501 [GMT 1:00]
Running from: c:\documents and settings\joe\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2008-10-04 to 2008-11-04 )))))))))))))))))))))))))))))))
.

2008-11-03 19:42 . 2008-11-03 19:42 <DIR> d-------- C:\SAV32CLI
2008-11-03 15:00 . 2008-11-03 15:00 50,968 --a------ c:\windows\system32\avgfwdx.dll
2008-11-03 15:00 . 2008-11-03 15:00 29,208 --a------ c:\windows\system32\drivers\avgfwdx.sys
2008-11-03 13:01 . 2008-11-03 13:01 1,928 --a------ c:\windows\system32\tmp.reg
2008-11-03 12:42 . 2008-11-03 19:40 <DIR> d-------- c:\program files\a-squared Free
2008-10-30 21:36 . 2008-11-03 19:50 <DIR> d-------- C:\MGtools
2008-10-30 21:36 . 2008-10-30 21:37 55,287 --a------ C:\MGlogs.zip
2008-10-30 21:36 . 2005-01-14 04:41 11,254 --a------ c:\windows\system32\locate.com
2008-10-30 21:09 . 2008-10-30 21:09 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2008-10-30 21:06 . 2008-10-30 21:06 <DIR> d-------- c:\windows\ERUNT
2008-10-30 21:01 . 2008-11-03 19:43 <DIR> d-------- C:\SDFix
2008-10-30 20:29 . 2008-10-30 20:30 1,238,055 --a------ C:\MGtools.exe
2008-10-30 20:15 . 2008-10-30 20:15 <DIR> d-------- c:\documents and settings\joe\Application Data\Grisoft
2008-10-30 20:14 . 2008-10-30 20:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Grisoft
2008-10-30 20:13 . 2008-10-30 20:13 <DIR> d-------- c:\program files\RogueRemover FREE
2008-10-30 13:04 . 2007-11-20 20:20 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Apple Computer
2008-10-30 13:04 . 2008-10-30 13:04 <DIR> d-------- c:\documents and settings\Administrator
2008-10-29 16:00 . 2008-10-29 16:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-10-29 15:59 . 2008-10-29 15:59 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-10-29 15:59 . 2008-10-29 15:59 <DIR> d-------- c:\documents and settings\joe\Application Data\SUPERAntiSpyware.com
2008-10-29 14:51 . 2008-10-29 14:51 <DIR> d-------- c:\program files\Lavasoft
2008-10-29 14:51 . 2008-10-29 14:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-10-29 14:50 . 2008-10-29 15:58 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-10-28 15:01 . 2008-10-28 15:01 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-10-28 15:01 . 2008-10-28 15:01 <DIR> d-------- c:\documents and settings\joe\Application Data\Malwarebytes
2008-10-28 15:01 . 2008-10-28 15:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-10-28 15:01 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-28 15:01 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-10-28 14:56 . 2008-10-28 14:56 <DIR> d-------- c:\windows\SxsCaPendDel
2008-10-28 14:43 . 2008-10-28 14:43 <DIR> d-------- c:\program files\Trend Micro
2008-10-27 16:40 . 2008-09-17 23:55 201,050 --a------ c:\windows\system32\nvapps.nvb
2008-10-27 16:39 . 2008-10-27 16:42 <DIR> d-------- c:\windows\NV28003780.TMP
2008-10-24 09:55 . 2008-10-15 17:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-10-19 21:09 . 2008-08-14 11:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-19 21:09 . 2008-08-14 11:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-19 21:09 . 2008-08-14 10:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-19 21:09 . 2008-08-14 10:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-19 21:09 . 2008-09-15 13:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2008-10-19 21:09 . 2008-09-08 11:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
2008-10-09 13:13 . 2008-10-09 13:22 <DIR> d-------- C:\priska_old_comp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-04 15:04 81,984 ----a-w c:\windows\system32\bdod.bin
2008-11-04 14:48 221,600 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-11-04 14:48 18,835,488 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-11-03 10:47 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-03 10:47 --------- d-----w c:\program files\SpywareBlaster
2008-11-01 09:10 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-10-31 14:13 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-31 11:46 --------- d-----w c:\program files\Uniblue
2008-10-28 18:22 --------- d-----w c:\program files\XPcleanv5
2008-10-28 14:19 --------- d-----w c:\documents and settings\All Users\Application Data\BOC427
2008-10-27 18:18 --------- d-----w c:\program files\CCleaner
2008-10-27 18:17 --------- d-----w c:\program files\Bonjour
2008-10-27 16:24 --------- d-----w c:\documents and settings\joe\Application Data\.BitTornado
2008-10-27 08:30 --------- d-----w c:\program files\ZKB Onba
2008-10-21 07:31 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-01 12:31 --------- d-----w c:\program files\Apple Software Update
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-08 10:41 333,824 ----a-w c:\windows\system32\drivers\srv.sys
2008-09-01 07:00 15,045,028 ----a-w c:\windows\Internet Logs\vsmon_on_demand_2008_08_31_22_49_19_full.dmp.zip
2008-09-01 06:59 12,541,135 ----a-w c:\windows\Internet Logs\vsmon_on_demand_2008_08_31_22_48_50_full.dmp.zip
2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
2008-08-14 10:09 2,145,280 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 09:33 2,023,936 ----a-w c:\windows\system32\ntkrnlpa.exe
2008-06-02 09:48 16,384 --sha-w c:\windows\system32\config\systemprofile\Cookies\index.dat
2008-06-02 09:47 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008060220080603\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"BOC-427"="c:\progra~1\Comodo\CBOClean\BOC427.exe" [2008-07-14 351480]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2008\IEShow.exe" [2007-10-09 61440]
"BDAgent"="c:\program files\BitDefender\BitDefender 2008\bdagent.exe" [2008-09-19 368640]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"nwiz"="nwiz.exe" [2008-09-17 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
TabUserW.exe.lnk - c:\windows\system32\WTablet\TabUserW.exe [2006-09-26 114688]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\LMabcoms.exE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\avsys\\ScanningProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

S3 Avgfwdx;Avgfwdx;c:\windows\system32\DRIVERS\avgfwdx.sys [2008-11-03 29208]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\DRIVERS\avgfwdx.sys [2008-11-03 29208]
S3 FTLUND;Lundinova Filter Driver;c:\windows\system32\drivers\ftlund.sys [2005-07-04 6828]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys [2007-10-10 42112]
S3 wacommousefilter;Wacom Mouse Filter Driver;c:\windows\system32\DRIVERS\wacommousefilter.sys [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
Contents of the 'Scheduled Tasks' folder

2008-10-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-08-20 c:\windows\Tasks\Uniblue SpyEraser.job
- c:\program files\Uniblue\SpyEraser\SpyEraser.exe [2008-04-02 08:50]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\joe\Application Data\Mozilla\Firefox\Profiles\akalo6vr.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE -
FF -: plugin - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\browser\nppdf32.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30716.0.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-04 16:04:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-04 16:06:25
ComboFix-quarantined-files.txt 2008-11-04 15:06:21
ComboFix2.txt 2008-10-30 21:19:05
ComboFix3.txt 2008-10-30 12:18:17
ComboFix4.txt 2008-10-28 20:19:13
ComboFix5.txt 2008-11-04 15:00:41

Pre-Run: 66'884'304'896 bytes free
Post-Run: 66,855,501,824 bytes free

159 --- E O F --- 2008-11-04 14:56:31

harrythook
Hey screamin,
Do this:
Click Start > Run, then type in ComboFix /u (note the space before the /)
Hit enter and Combofix should remove itself.
Run ATF:
Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Next, download OTScanIt from here or here to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.

Close ALL OTHER PROGRAMS.
Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).

Now click the Run Scan button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Save the file to your desktop or other location where you can find it back.
Use the Add Reply button and attach the file in your next post (do not try to copy/paste it into the post).

Let's see some results please.
screaminjoe
Hi Harry,

Here are the results from the attached text doc.
Thanks again.
best,
screaminjoe
harrythook
Hey Joe,
Sorry for the delay. Let's do this:
Start OTScanIt. Copy/Paste the information in the Code box below into the pane where it says "Paste fix here" and then click the Run Fix button.


CODE
   [Registry - Non-Microsoft Only]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {9ECB9560-04F9-4bbc-943D-298DDF1699E1} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {BDF3E430-B101-42AD-A544-FADC6B084872} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> ShellBrowser\\{C4069E3A-68F1-403E-B40E-20066696354B} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-1177238915-861567501-682003330-1003\] > -> HKEY_USERS\S-1-5-21-1177238915-861567501-682003330-1003\Software\Microsoft\Internet Explorer\Toolbar\
YN -> ShellBrowser\\{C4069E3A-68F1-403E-B40E-20066696354B} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKEY_LOCAL_MACHINE] -> [Reg Error: Value  does not exist or could not be read.]
YN -> CmdMapping\\{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-21-1177238915-861567501-682003330-1003\] > -> HKEY_USERS\S-1-5-21-1177238915-861567501-682003330-1003\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKEY_LOCAL_MACHINE] -> [Reg Error: Value  does not exist or could not be read.]
YN -> CmdMapping\\{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
[Files/Folders - Created Within 30 days]
NY -> locate.com -> %SystemRoot%\System32\locate.com
NY -> SxsCaPendDel -> %SystemRoot%\SxsCaPendDel
[Files/Folders - Modified Within 30 days]
NY -> hosts.20081028-121605.backup -> %SystemRoot%\System32\drivers\etc\hosts.20081028-121605.backup
NY -> hosts.20081028-122814.backup -> %SystemRoot%\System32\drivers\etc\hosts.20081028-122814.backup
NY -> hosts.20081028-122917.backup -> %SystemRoot%\System32\drivers\etc\hosts.20081028-122917.backup
NY -> 3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> 1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
NY -> qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTScanIt scan.

I will review the information when it comes back in.

Next, let's reset your hosts file:
Please download HostsXpert 4.2
  • Extract (unzip) HostsXpert.zip to a permanent folder on your hard drive such as C:\HostsXpert
  • Double-click HostsXpert.exe to run the program.
  • Click "Restore MS Hosts File".
  • Click OK at the confirmation box.
  • Click "Make Read Only".
  • Click the X to exit the program.
-- Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.


Let me know how your speed is now, and any other problems.
Harry
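Before replacing the hosts file wholesale, it is worth seeing what is in it, because a tampered hosts file is evidence in its own right: malware typically pins antivirus and Windows Update hostnames to 127.0.0.1 so definitions silently stop updating, or pins a real site to an attacker's address so the browser never asks DNS at all. The script below is an added example for this thread, not a tool used or posted in it; the watched-domain list and the sample hosts content are constructed for illustration.

```python
"""Audit a Windows hosts file for sinkholed security sites and DNS overrides.
Added example for this thread; not a tool used or posted in it."""
import ipaddress
from typing import List, Tuple

# Hosts malware commonly maps to loopback so AV/OS updates and help sites fail.
# Illustrative list (an assumption); extend it for your own environment.
WATCHED_DOMAINS = {
    "update.microsoft.com", "windowsupdate.microsoft.com",
    "bitdefender.com", "malwarebytes.org", "bleepingcomputer.com",
}
SINKHOLES = {"127.0.0.1", "::1", "0.0.0.0"}
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs; comments, blanks and malformed lines are skipped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # not an address: ignore rather than guess
        pairs.extend((ip, n.lower()) for n in names)
    return pairs


def _is_watched(host: str) -> bool:
    # Match the host itself or any parent domain (www.bitdefender.com -> bitdefender.com).
    labels = host.split(".")
    return any(".".join(labels[i:]) in WATCHED_DOMAINS for i in range(len(labels)))


def audit_hosts(text: str) -> List[Tuple[str, str, str]]:
    """Return (severity, host, ip) for entries a stock XP hosts file would not contain.

    BLOCKED:  a watched security/update host is sinkholed (updates silently fail).
    REDIRECT: a host is pinned to a real address, bypassing DNS (phishing/MITM risk).
    Other loopback/0.0.0.0 entries (ad-blocking lists) are left alone.
    """
    findings = []
    for ip, host in parse_hosts(text):
        if (ip, host) in DEFAULT_ENTRIES:
            continue
        if ip in SINKHOLES:
            if _is_watched(host):
                findings.append(("BLOCKED", host, ip))
        else:
            findings.append(("REDIRECT", host, ip))
    return findings


# Constructed sample: a stock XP hosts file plus three hostile lines and one benign one.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       update.microsoft.com      # blocks Windows Update
127.0.0.1       www.bitdefender.com       # blocks AV definition updates
10.0.0.5        www.bleepingcomputer.com  # pins the help site to a chosen box
0.0.0.0         ads.example.net           # ordinary ad-block entry, not reported
"""

if __name__ == "__main__":
    for severity, host, ip in audit_hosts(SAMPLE_HOSTS):
        print(f"{severity:9} {host} -> {ip}")
```

On a live XP machine the file to feed in is %SystemRoot%\System32\drivers\etc\hosts (`audit_hosts(open(path).read())`); the `.backup` copies OTScanIt listed next to it can be audited the same way to see what each earlier version contained. Resetting the file, as Harry does with HostsXpert, removes the symptom; whatever wrote the entries is a separate question.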
screaminjoe
HI Harry,

Thanks a lot. Here are the results of the fix:

[Files/Folders - Created Within 30 days]
C:\WINDOWS\System32\locate.com moved successfully.
C:\WINDOWS\SxsCaPendDel folder moved successfully.
[Files/Folders - Modified Within 30 days]
C:\WINDOWS\System32\drivers\etc\hosts.20081028-121605.backup moved successfully.
C:\WINDOWS\System32\drivers\etc\hosts.20081028-122814.backup moved successfully.
C:\WINDOWS\System32\drivers\etc\hosts.20081028-122917.backup moved successfully.
C:\WINDOWS\NV28003780.TMP folder deleted successfully.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat moved successfully.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat moved successfully.
< End of fix log >
OTScanIt by OldTimer - Version 1.0.19.0 fix logfile created on 11102008_134722

Will change the hosts now and report back.
best, screaminjoe
screaminjoe
Hi Harry,
I have changed the hosts file as you said, but still don't see any changes in the speed of my internet connection, unfortunately.
Sorry.
Thanks for your help and patience.
Best,
screaminjoe
harrythook
Visit this site, run a speed test and let me know the results.
http://www.speedtest.net/
screaminjoe
hi Harry,
I don't understand how the results can be like they are, considering how long it takes me to view a simple webpage.
Even opening this simple web forum page here at bleepingcomputer.com takes almost a minute.

download: 5433 kb/s
upload: 525 kb/s
latency: 24 ms
< 50 km

thanks.
best, sj
harrythook
Your upload is really slow, download seems OK.
Let's get a peek at the uninstall list again, and see if we can clean some stuff out of there. We will use some tools built into HijackThis to take a peek.
http://www.bleepingcomputer.com/tutorials/...l#HTStartupList
Use the instructions in that link to generate a startup list for me, and post that here please. Right under the startup instructions you will find how to use the Process Manager. Start that up, and take a peek at what's running. If you can, copy that list and paste it here for me.
screaminjoe
Hi Harry,
Actually, the speeds shown on the test are consistent with what my provider and package claim. The hijack this startup log is below as requested.

Something else strange happened as well, and I thought I should mention it, as it might have something to do with my problem.
I have Diskeeper defrag, and tried to do a boot-time defrag, which I do every few months.

It was unable to do so because it "Couldn't open NTFS volume". The log from this is also below.

Thanks very much.
Joseph

-----
DISKEEPER LOG
-----

Diskeeper® NTFS Boot-Time Defragmenter Version 8.0 Build 149a 20030811
Copyright © 2003 Executive Software International, Inc.

Minimizing Paging File Fragments...
Folders -> MFT area...
Minimizing MFT Fragments...
Summary File Set To: D:\DIRCON_CDRIVE.TXT

Couldn't open NTFS volume; Most likely cause: couldn't get exclusive access
Diskeeper boot-time defragmentation cannot occur safely when another process
is accessing the volume, so the boot-time job requested will not run.
Try again later.
Error #EH at line 129 in FsSubs.cpp (AUTONTFS C: PAGE=MIN DIRS=MFTZ MFT=MIN LOG=d:\DirCon_cdrive.txt ) at file #0

Error #EF at line 1151 in NtfsSubs.cpp (AUTONTFS C: PAGE=MIN DIRS=MFTZ MFT=MIN LOG=d:\DirCon_cdrive.txt ) at file #0

Error #EF at line 7929 in OffNtfs.cpp (AUTONTFS C: PAGE=MIN DIRS=MFTZ MFT=MIN LOG=d:\DirCon_cdrive.txt ) at file #0

Failed to initialize for volume C: -- volume probably not mounted or is not NTFS
Exiting --


------
HIJACK THIS START LOG:
------
StartupList report, 12.11.2008, 14:34:05
StartupList version: 1.52.2
Started from : C:\Program Files\Trend Micro\HijackThis\HijackThis.EXE
Detected: Windows XP SP3 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16735)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Comodo\CBOClean\BOC427.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

BOC-427 = C:\PROGRA~1\Comodo\CBOClean\BOC427.exe
BitDefender Antiphishing Helper = "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
BDAgent = "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
ZoneAlarm Client = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
WormRadar.com IESiteBlocker.NavFilter - (no file) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
(no name) - (no file) - {9ECB9560-04F9-4bbc-943D-298DDF1699E1}
(no name) - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll - {AE7CD045-E861-484f-8273-0445EE161910}
(no name) - (no file) - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

AppleSoftwareUpdate.job
Uniblue SpyEraser.job

--------------------------------------------------

Enumerating Download Program Files:

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\wuweb.dll
CODEBASE = http://update.microsoft.com/windowsupdate/...b?1153948203322

[MUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\muweb.dll
CODEBASE = http://update.microsoft.com/microsoftupdat...b?1153949687937

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9c.ocx
CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll

--------------------------------------------------
End of report, 5'912 bytes
Report generated in 0.062 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
screaminjoe
Hi harry,
things are even worse now...
check the speed today and is:
download: 97 kb/s
upload: 76 kb/s
latency: 26 ms
thanks, best
joseph

ps. i just received a pm from someone that is having the same problem also from facebook it seems.
harrythook
Ok Joe,
I must be missing something that's running there. Also, did you uninstall ComboFix as asked?
Let's take a different look:
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
Harry
screaminjoe
Hi Harry,
I had already de-installed ComboFix.
Ran RSIT as you said. The first time, two text files opened but my computer froze and had to restart. Now, only one file opens, log.txt. I am pasting it below.
Thanks very much and have a nice weekend.
Best, screaminjoe

Logfile of random's system information tool 1.04 (written by random/random)
Run by joe at 2008-11-14 15:39:12
Microsoft Windows XP Professional Service Pack 3
System drive C: has 67 GB (28%) free of 238 GB
Total RAM: 2046 MB (73% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:39:22, on 14.11.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\joe\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\joe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [BOC-427] C:\PROGRA~1\Comodo\CBOClean\BOC427.exe
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1153948203322
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1153949687937
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: lmab_device - Lexmark International, Inc. - C:\WINDOWS\system32\LMabcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 8107 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Uniblue SpyEraser.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-12-18 59032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9ECB9560-04F9-4bbc-943D-298DDF1699E1}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
Adobe PDF Conversion Toolbar Helper - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2006-12-18 231160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2006-12-18 231160]
{381FFDE8-2394-4f90-B10D-FC6124A40F8C} - BitDefender Toolbar - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll [2008-02-28 86016]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"BOC-427"=C:\PROGRA~1\Comodo\CBOClean\BOC427.exe [2008-07-14 351480]
"BitDefender Antiphishing Helper"=C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe [2007-10-09 61440]
"BDAgent"=C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe [2008-09-19 368640]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2008-09-17 13574144]
"nwiz"=nwiz.exe /install []
"ZoneAlarm Client"=C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe [2008-07-09 919016]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-03-30 267048]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
TabUserW.exe.lnk - C:\WINDOWS\system32\WTablet\TabUserW.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-07-23 352256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-09-05 241704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]
harrythook
Hey Joe,
there are some remnants from Norton left on your machine, that still have active entries in the logs. Let's get rid of those first. Follow the instructions on this link to run the un-installer please.
http://service1.symantec.com/SUPPORT/tsgen...v=&osv_lvl=
Once done check your speeds, let me know. We will probably need to take some other steps but this is a start.

Harry
screaminjoe
hi harry,
OK, I've removed the remnants from Norton. Funny, because I did de-install Norton when I switched to BitDefender.
this was before my problem occurred though, and as I suspected, there is no change in my internet speeds unfortunately.
thanks again,
sj
screaminjoe
hi again harry,
I was just thinking. I still cannot run a boot-time defragment. It is still telling me that Diskeeper "Couldn't open NTFS volume".
I did a disk check and there was no problem. Could this mean that there might be a root kit on my system that is accessing the c: volume first, which is why diskeeper cannot?
Just a thought.
I appreciate your help very much. Thanks again.
sj
harrythook
Instructions sent via PM.
screaminjoe
Hi Harry,
For the first one:
TDSSserv not found

And the log for the dns check is:
DNS Check v0.1.0
Checking for Nonexistence Redirect
Generating nonexistent name: bftzlnzipobdbgtvqljk.com
Failed to resolve. -- OK!!
Checking for google.com redirection.
64.233.187.99: resolves to jc-in-f99.google.com -- OK!!
209.85.171.99: resolves to cg-in-f99.google.com -- OK!!
72.14.207.99: resolves to eh-in-f99.google.com -- OK!!
Checking for yahoo.com redirection.
206.190.60.37: resolves to w2.rc.vip.re4.yahoo.com -- OK!!
68.180.206.184: resolves to w2.rc.vip.sp1.yahoo.com -- OK!!
Checking for bleepingcomputer.com redirection.
208.43.87.2: resolves to www.bleepingcomputer.com -- OK!!
Checking for geekstogo.com redirection.
208.43.44.138: resolves to geek15.geekstogo.com -- OK!!

---

thanks,
sj
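The "DNS Check" log above tests two things a DNS-changer infection breaks: a made-up name must fail to resolve (a resolver that answers anything is redirecting NXDOMAIN to its own page), and well-known sites must resolve to addresses whose PTR records point back into the expected domain. The script below reimplements that logic as an added example; it is not the tool Harry sent by PM. The resolver and reverser are injectable so the check runs offline against constructed answers modelled on the log; the `clean_*`, `hijacked_*` and `system_*` functions and the 198.51.100.7 address (a documentation-range address) are all assumptions made for the example.

```python
"""Reproduce the logic of the DNS Check log: a random name must NOT resolve, and
known sites must resolve to hosts whose PTR names fall inside the expected domain.
Added example for this thread; not the tool used in it."""
import random
import socket
import string
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], List[str]]       # name -> IPs ([] on NXDOMAIN)
Reverser = Callable[[str], Optional[str]]   # IP -> PTR name (None if absent)


def system_resolve(name: str) -> List[str]:
    """Forward lookup through the OS resolver (the one malware would have changed)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def system_reverse(ip: str) -> Optional[str]:
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def random_nonexistent_name(rng=random) -> str:
    # 20 random letters under .com: collision with a registered name is negligible.
    return "".join(rng.choice(string.ascii_lowercase) for _ in range(20)) + ".com"


def _ptr_matches(ptr: Optional[str], domain: str) -> bool:
    return ptr is not None and (ptr.lower() == domain or ptr.lower().endswith("." + domain))


def dns_check(domains: List[str], resolve: Resolver = system_resolve,
              reverse: Reverser = system_reverse, rng=random) -> Dict[str, str]:
    """Return {check: verdict}.  A resolver that answers a bogus name, or that sends a
    known domain to hosts whose PTR names lie outside it, behaves like a DNS changer."""
    report: Dict[str, str] = {}
    bogus = random_nonexistent_name(rng)
    answers = resolve(bogus)
    report["nxdomain"] = "OK" if not answers else f"HIJACKED: {bogus} -> {answers}"
    for domain in domains:
        ips = resolve(domain)
        if not ips:
            report[domain] = "FAIL: no answer"
            continue
        suspect = []
        for ip in ips:
            ptr = reverse(ip)
            if not _ptr_matches(ptr, domain):
                suspect.append(f"{ip} -> {ptr}")
        report[domain] = "OK" if not suspect else "SUSPECT: " + "; ".join(suspect)
    return report


# Constructed answers modelled on the thread's log (not live DNS data).
CLEAN_FORWARD = {"google.com": ["64.233.187.99"], "bleepingcomputer.com": ["208.43.87.2"]}
CLEAN_REVERSE = {"64.233.187.99": "jc-in-f99.google.com", "208.43.87.2": "www.bleepingcomputer.com"}


def clean_resolve(name: str) -> List[str]:
    return CLEAN_FORWARD.get(name, [])


def clean_reverse(ip: str) -> Optional[str]:
    return CLEAN_REVERSE.get(ip)


# A DNS-changer: every query, bogus or not, lands on one host (TEST-NET-2 address).
def hijacked_resolve(name: str) -> List[str]:
    return ["198.51.100.7"]


def hijacked_reverse(ip: str) -> Optional[str]:
    return "ads.example.invalid"


if __name__ == "__main__":
    sites = ["google.com", "bleepingcomputer.com"]
    print("clean   :", dns_check(sites, clean_resolve, clean_reverse))
    print("hijacked:", dns_check(sites, hijacked_resolve, hijacked_reverse))
    # Against this machine's real resolver:  print(dns_check(sites))
```

Two caveats for the live version. The PTR heuristic assumes a site's hosts reverse-resolve into its own domain, which held for the sites in the log in 2008 but is false for many CDN-fronted sites today, so a SUSPECT verdict there is a prompt to look at the resolver settings, not proof of hijacking. And the check only exercises the resolver the OS is configured to use; a clean result says nothing about a hosts-file entry, which Windows consults before DNS.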
harrythook
Hey Joe,
Download THIS tool and click the button to allow it to run. This should remove any tools that might be leftover on the machine.

Next:
Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Next, run this scan:
Please go HERE to run Panda's TotalScan
  • Select the bubble for Full scan
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • Then the scan will begin
  • When the scan completes, click the Save button on the right of Scan details
  • Save it to a convenient location. Post the contents of the TotalScan report

I'll look that over when you're finished.
screaminjoe
Hi Harry,

Did everything as you suggested.
OTCleanIt: completed
ATF Cleaner: completed

panda scan only had one option "scan now" which I did and it came back clean.

have a nice evening and thanks.
sj
screaminjoe
Hi again harry,
something else I found.
After each reboot, when I scan with SpyEraser, the following malware is found. It must be reinstalling on each reboot. Maybe this has something to do with my problem?
Each time I have SpyEraser delete the entries, and after each reboot, they're back. I tried downloading (after a reboot) CWShredder, because I thought this could be the problem, but it scans clean.
thanks for your help.
best, sj

---
log from spyeraser:
Status:Removed
Category: Malware (General)

Infected registry keys/values detected
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\05p.com\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\blazefind.com\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\flingstone.com\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\mt-download.com\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\neededware.com\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\searchbarcash.com\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\searchmiracle.com\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\skoobidoo.com\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\slotch.com\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\slotchbar.com\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\windupdates.com\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\xxxtoolbar.com\
---
screaminjoe
hi harry,
Just to update you. I had a look and found some info on the registry keys listed in my last post.
It seems as though it is part of the virus Adware.CDT.
I followed the info on symantec's site for removal. found here:
http://www.symantec.com/security_response/...-99&tabid=3

let's see if they stay deleted this time.
i will keep you posted.

thanks and best,
sj
screaminjoe
unfortunately, the entries just keep reappearing, and I can't seem to figure out what remnants are causing them to be re-written each time.
best
sj
harrythook
Hey Joe, sorry to keep you hanging out like this, I really got backed up again.
Let's make a fix based on what they say at Symantec; give me a minute to script it.

Harry
harrythook
Ok Joe,
The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous so we will make a backup of the registry first.
Modification of the registry can be EXTREMELY dangerous if you do not know exactly what you are doing, so follow the steps that are listed below EXACTLY. If you cannot perform some of these steps or if you have ANY questions please ask BEFORE proceeding.

Backing Up Your Registry
  1. Go Here and download ERUNT
    (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
  2. Install ERUNT by following the prompts
    (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
  3. Start ERUNT
    (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
  4. Choose a location for the backup
    (the default location is C:\WINDOWS\ERDNT which is acceptable).
  5. Make sure that at least the first two check boxes are ticked
  6. Press OK
  7. Press YES to create the folder.
Registry Modifications

Next, let's remove the unwanted items.
Open Notepad. Please copy the contents of the code box below: to do this, highlight the contents of the box, right-click on it and choose Copy. Paste this into the open Notepad. Save it to your desktop (click File, Save As) as fixit.reg; in the same Save As dialog, at the bottom, select (filetype = any).

CODE
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blazefind.com]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\clickspring.net]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\flingstone.com]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mt-download.com]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\my-internet.info]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchbarcash.com]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchmeup.cc]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchmiracle.com]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\skoobidoo.com]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\slotch.com]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\xxxtoolbar.com]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blazefind.com]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\clickspring.net]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\flingstone.com]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mt-download.com]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\my-internet.info]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchbarcash.com]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchmeup.cc]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchmiracle.com]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\skoobidoo.com]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\slotch.com]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\xxxtoolbar.com]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database\0]
"ppcimdnnnjbeahepfabjipfginloedkg egckak"=-
"goicfboogidikkejccmclpieicihhlpo ejemdn"=-
"goicfboogidikkejccmclpieicihhlpo bihgbp"=-

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MinLevel"=-
"Safety Warning Level"=-
"Security_RunActiveXControls"=-
"Security_RunScripts"=-
"Trust Warning Level"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MinLevel"=-
"Safety Warning Level"=-
"Security_RunActiveXControls"=-
"Security_RunScripts"=-
"Trust Warning Level"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"2001"=-
"2004"=-


NOTICE: This file was written specifically for this user, for use on that particular machine.
Running this on another machine may cause damage to your operating system.


Locate fixit.reg on your Desktop and double-click on it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer "Yes" and wait for a message to appear similar to "Merged Successfully".

Please reply back letting me know if it merged correctly.


Harry
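The fixit.reg above relies on two .reg file conventions: a key header written as [-KEY] deletes that key and everything under it, and a value line written as "name"=- deletes a single value. The following Python script is an added example (not the helper's tool and not part of the original thread): it parses a .reg file into a list of create/set/delete operations, reports which Internet Explorer ZoneMap domain entries it removes and how many operations touch HKEY_LOCAL_MACHINE versus HKEY_CURRENT_USER, so the contents of a fix file can be reviewed before it is merged. The embedded sample is constructed in the same shape as the thread's fixit.reg; the domain example-hijack.test and the HKEY_CURRENT_USER\Software\Example\Constructed key are placeholders, not values from the thread.

```python
"""Inspect a Windows .reg file before merging it: list every key and value it
creates, sets or deletes. Added example; not the helper's own tool."""
import re
from collections import Counter

# Constructed sample in the same shape as the fixit.reg lines in the thread.
# The domain and the last key are placeholders, not values from the thread.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example-hijack.test]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MinLevel"=-
"Security_RunActiveXControls"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"2001"=-

; constructed key showing value assignments, not from the thread
[HKEY_CURRENT_USER\Software\Example\Constructed]
@="default data"
"Sample"=dword:00000001
"""

KEY_RE = re.compile(r'^\[(-?)([^\]]+)\]$')              # [KEY] or [-KEY]
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')  # "name"=data or @=data


def parse_reg(text):
    """Return a list of (action, key, value_name, data) tuples.

    .reg semantics: [-KEY] deletes the key and its subkeys, [KEY] creates the
    key if missing, "name"=- deletes one value, anything else sets a value.
    """
    actions = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(';')
                or line.upper().startswith(('WINDOWS REGISTRY EDITOR', 'REGEDIT4'))):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(2)
            if m.group(1) == '-':
                actions.append(('delete_key', key, None, None))
                current_key = None      # values under a deleted key are meaningless
            else:
                actions.append(('create_key', key, None, None))
                current_key = key
            continue
        m = VALUE_RE.match(line)
        if m and current_key is not None:
            name = '' if m.group(1) == '@' else m.group(1)[1:-1]   # '' = (Default)
            data = m.group(2).strip()
            if data == '-':
                actions.append(('delete_value', current_key, name, None))
            else:
                actions.append(('set_value', current_key, name, data))
            continue
        actions.append(('unparsed', None, None, line))
    return actions


def zonemap_domains_removed(actions):
    """Domains whose IE security-zone mapping (ZoneMap Domains entry) is deleted."""
    marker = '\\Internet Settings\\ZoneMap\\Domains\\'
    return sorted({key.split(marker, 1)[1]
                   for kind, key, _, _ in actions
                   if kind == 'delete_key' and marker in key})


def hive_counts(actions):
    """How many operations touch each root hive (HKLM changes are machine-wide)."""
    return dict(Counter(key.split('\\', 1)[0]
                        for kind, key, _, _ in actions if key))


if __name__ == '__main__':
    acts = parse_reg(SAMPLE_REG)
    for kind, key, name, data in acts:
        tail = '' if name is None else f'  {name or "(Default)"}={data if data is not None else "-"}'
        print(f'{kind:13} {key}{tail}')
    print('ZoneMap domains removed:', zonemap_domains_removed(acts))
    print('operations per hive:', hive_counts(acts))
```

Point the script at a real fix file with `parse_reg(open('fixit.reg', encoding='utf-16').read())` (regedit exports .reg files as UTF-16; files written by hand are often plain ASCII, so try both). Anything reported as `unparsed` is a line the merge would handle differently from what you expect and is worth a second look before answering "Yes" to the merge prompt.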
screaminjoe
Hi Harry,
Thanks very much for all your help over the past few weeks. About five minutes ago, after many internet searches and my own trial & error, I finally found the main problem.
A file called vsserv.exe (from BitDefender) was hogging all of my CPU & internet resources. I have now lowered my BitDefender settings and now, instantly, my internet speed is back to normal.
All this due to a virus program. I hope that at least this can help others if they encounter the same problem.
If there is anything I can do to help you, please let me know. I am very grateful for your help and the time you have invested.
Best, screaminjoe
harrythook
Glad to hear it's resolved, Joe.

As this issue seems to be resolved, this thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
For all others, if you have a similar issue please start a new topic.

Thanks for asking in BleepingComputer.com
Invision Power Board © 2001-2009 Invision Power Services, Inc.