Top Toolbar Changes After Surfing/opening Multiple Windows For Some Time


  • This topic is locked
28 replies to this topic

#1 Bearnes

  • Members
  • 17 posts

Posted 28 April 2008 - 08:07 PM

Hello,

I've scanned with nearly everything possible for viruses, trojans, adware, etc., including Kaspersky as mentioned in the Prep guide. My memory (the computer's) seems to be OK; nothing is showing up that says otherwise.

After a certain amount of time browsing, the toolbar at the top of the pages in IE changes on its own. It loses a bar, and I have to unlock the toolbars and figure out how to get it back to the way I had it before. I'm always researching things, and I have a habit of opening multiple windows, usually as a "new tab". At some point while surfing, those tabs will say "connecting", but they never load. And that's when they start losing one of the bars in the toolbar.

I just ran Deckard's System Scanner and will post what's in it below. I didn't get the two windows thing as mentioned in the Prep guide, so I hope this will do:

Deckard's System Scanner v20071014.68
Run by Dutchunter on 2008-04-28 19:55:45
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Dutchunter.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:55:47 PM, on 4/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
C:\Documents and Settings\Dutchunter\Desktop\dss.exe
C:\DOCUME~1\DUTCHU~1\Desktop\DUTCHU~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://drudgereport.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} - http://www.lizardtech.com/download/files/w...ntrol_en_US.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/instal...llMgr_v01_6.cab
O16 - DPF: {58825A75-D57A-4F81-A4BE-126BD2248E96} - http://dew.a.content.maven.net/mvms/vfs/de...installerAX.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1187808145531
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1187808137359
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O16 - DPF: {84B7AC1D-9AD1-474F-B6B0-FE1641DBFDFA} (ScanFile.FileScan) - http://www.contentpurity.com/xp/ScanFilexp.CAB
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O16 - DPF: {EBF85371-A38F-485B-B28F-0B4C82D25937} (CUpdateCtl Object) - http://update.hpphoto.com/download/HPSWUpdate.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 7653 bytes

-- Files created between 2008-03-28 and 2008-04-28 -----------------------------

2008-04-28 17:40:55 0 d-------- C:\Program Files\Dziobas Rar Player
2008-04-28 12:19:00 641056 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-28 12:16:02 0 d-------- C:\WINDOWS\system32\ZoneLabs
2008-04-27 23:07:01 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2008-04-27 23:06:59 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-03 18:25:06 0 d-------- C:\Program Files\ZoneAlarmSB
2008-03-31 08:24:02 0 d-------- C:\WINDOWS\system32\Adobe


-- Find3M Report ---------------------------------------------------------------

2008-04-28 12:18:05 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-04-11 17:29:08 0 d-------- C:\Program Files\The Cleaner Free
2008-04-09 18:24:14 0 d-------- C:\Documents and Settings\Dutchunter\Application Data\Adobe
2008-04-09 13:38:16 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-05 18:24:59 0 d-------- C:\Program Files\Coupons
2008-03-24 11:51:15 520192 --a------ C:\WINDOWS\system32\busybees_3042992.scr <Not Verified; ScreenTime Media; ScreenTime For Flash>
2008-03-24 11:32:24 520192 --a------ C:\WINDOWS\system32\lavenderblooms_3120385.scr <Not Verified; ScreenTime Media; ScreenTime For Flash>
2008-03-23 13:46:29 0 d-------- C:\Program Files\a-squared Anti-Malware
2008-03-23 13:33:50 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-03-23 13:32:41 0 d-------- C:\Program Files\Panda Security
2008-03-23 10:52:50 0 d-------- C:\Program Files\Ace Utilities
2008-03-18 16:33:28 520192 --a------ C:\WINDOWS\system32\sillylilybunny_3120366.scr <Not Verified; ScreenTime Media; ScreenTime For Flash>
2008-03-18 16:24:14 0 d-------- C:\Program Files\Magentic
2008-03-09 18:17:45 0 d-------- C:\Program Files\Trojan Remover
2008-03-09 18:15:58 0 d-------- C:\Documents and Settings\Dutchunter\Application Data\Simply Super Software
2008-03-09 13:27:28 0 d-------- C:\Program Files\3D Caveman Rocks Demo
2008-03-09 12:04:11 0 d-------- C:\Program Files\Alawar
2008-03-09 11:57:49 0 d-------- C:\Program Files\softnyx
2008-03-09 10:44:03 0 d-------- C:\Program Files\Absolute Blue
2008-03-09 10:40:01 0 d-------- C:\Program Files\Wik and the Fable of Souls
2008-03-09 10:37:39 0 d-------- C:\Program Files\Air Strike 2
2008-03-09 10:33:51 0 d-a------ C:\Program Files\Common Files
2008-03-09 10:32:45 0 d-------- C:\Program Files\E Games
2008-03-09 10:26:29 0 d-------- C:\Program Files\Shockwave.com
2008-03-09 10:26:13 70 --a------ C:\WINDOWS\popcinfo.dat
2008-03-09 10:24:45 0 d-------- C:\Program Files\Platypus
2008-03-09 10:23:05 0 d-------- C:\Program Files\Nstorm
2008-03-09 10:11:28 0 d-------- C:\Program Files\Alambik
2008-03-09 10:04:24 0 d-------- C:\Program Files\Swarm
2008-03-09 10:02:36 0 d-------- C:\Program Files\Activision
2008-03-09 09:48:40 0 d-------- C:\Program Files\Tanx
2008-03-09 00:57:13 0 d-------- C:\Program Files\TuneUp Utilities 2007
2008-03-09 00:44:05 0 d-------- C:\Program Files\Google
2008-03-08 17:25:39 0 d-------- C:\Program Files\SonicWallES
2008-03-08 13:13:19 0 d-------- C:\Program Files\STARWARS_TheBattleOfEndor_v21
2008-03-08 11:05:02 31 --ah----- C:\WINDOWS\uccspecc.sys
2008-03-06 21:28:50 0 d-------- C:\Documents and Settings\Dutchunter\Application Data\SUPERAntiSpyware.com
2008-03-06 21:28:33 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-02 10:33:39 0 d-------- C:\Program Files\RogueRemover PRO
2008-02-29 16:07:50 0 d-------- C:\Program Files\BitDefender
2008-02-29 11:50:24 0 d-------- C:\Program Files\Common Files\BitDefender
2008-02-28 22:48:26 0 d-------- C:\Documents and Settings\Dutchunter\Application Data\PrevxCSI
2008-02-28 21:55:34 0 d-------- C:\Program Files\Lavasoft
2008-02-01 23:14:07 141199 --a------ C:\WINDOWS\hpoins14.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0347C33E-8762-4905-BF09-768834316C61}]
03/02/2007 05:52 PM 1298024 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{053F9267-DC04-4294-A72C-58F732D338C0}]
03/02/2007 05:52 PM 177768 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
04/03/2008 06:25 PM 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [04/03/2008 06:25 PM 262144]

[-HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [10/06/2003 03:16 PM]
"nwiz"="nwiz.exe" [10/06/2003 03:16 PM C:\WINDOWS\SYSTEM32\nwiz.exe]
"BCMSMMSG"="BCMSMMSG.exe" [08/29/2003 05:59 AM C:\WINDOWS\BCMSMMSG.exe]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe" []
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [09/21/2007 04:10 AM C:\WINDOWS\KHALMNPR.Exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" []
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [04/02/2008 09:07 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [03/29/2008 01:37 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 01:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll 11/15/2007 11:10 AM 72208 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
backup=C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeRAM XP]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"a-squared"="C:\Program Files\a-squared Anti-Malware\a2guard.exe" /d=60
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"TrojanScanner"=C:\Program Files\Trojan Remover\Trjscan.exe
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt hpqcxs08 hpqddsvc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp




-- End of Deckard's System Scanner: finished at 2008-04-28 19:56:35 ------------

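The HijackThis and DSS sections above are the kind of log a helper reads by eye. As an added illustration, not code from the original post and not part of HijackThis or Deckard's System Scanner, the Python below parses the O2/O3 (BHO and toolbar) and O16 (ActiveX download) entries and cross-references their CLSIDs against the DSS registry dump. The sample strings are lines copied from the log above and trimmed. One assumption is built in and labelled in the code: a DSS dump header written as "[-HKEY_...]" is read as a key the tool looked up but did not find, by analogy with the leading "-" of .reg deletion syntax; the page itself does not define that notation.

```python
import re
from urllib.parse import urlparse

# Constructed sample: lines copied from the HijackThis section and the DSS
# registry dump in the post above, trimmed to a handful of entries.
HJT_SAMPLE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://drudgereport.com/
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} - http://www.lizardtech.com/download/files/w...ntrol_en_US.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1187808145531
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
"""

DSS_REG_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
04/03/2008 06:25 PM 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [04/03/2008 06:25 PM 262144]

[-HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}]
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
HJT_LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
ADDON_RE = re.compile(r"^(?:BHO|Toolbar): (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.+)$")
DPF_RE = re.compile(r"^DPF: (?P<clsid>\{[^}]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")


def parse_hjt(text):
    """Split a HijackThis log into one dict per Rn/On entry.

    O2 (BHO) and O3 (toolbar) entries get name/clsid/path; O16 (DPF, i.e.
    ActiveX downloads) entries get clsid/url. CLSIDs are upper-cased so the
    mixed-case GUIDs HijackThis prints compare equal to the registry dump."""
    entries = []
    for line in text.strip().splitlines():
        m = HJT_LINE_RE.match(line.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        entry = {"section": section, "raw": body, "clsid": None}
        if section in ("O2", "O3"):
            a = ADDON_RE.match(body)
            if a:
                entry.update(name=a.group("name"), clsid=a.group("clsid").upper(), path=a.group("path"))
        elif section == "O16":
            d = DPF_RE.match(body)
            if d:
                entry.update(name=d.group("name") or "", clsid=d.group("clsid").upper(), url=d.group("url"))
        entries.append(entry)
    return entries


def dangling_clsids(dss_text):
    """CLSIDs the DSS dump reports as having no HKCR\\CLSID key while another
    dumped key still references them.

    Assumption (not stated on the page): DSS writes a header as '[-HKEY_...]'
    when the key it went looking for does not exist, the same way a leading
    '-' marks a deletion in .reg syntax."""
    referenced, missing = set(), set()
    for line in dss_text.strip().splitlines():
        line = line.strip()
        found = {c.upper() for c in CLSID_RE.findall(line)}
        if line.startswith("[-"):
            missing |= found
        else:
            referenced |= found
    return referenced & missing


def flag_addons(entries, dangling):
    """O2/O3 entries whose COM class has no registration according to the dump."""
    return [e for e in entries if e["section"] in ("O2", "O3") and e["clsid"] in dangling]


def dpf_hosts(entries):
    """Hosts that ActiveX controls (O16 DPF entries) were downloaded from."""
    return {urlparse(e["url"]).hostname for e in entries if e["section"] == "O16" and "url" in e}


if __name__ == "__main__":
    entries = parse_hjt(HJT_SAMPLE)
    for e in flag_addons(entries, dangling_clsids(DSS_REG_SAMPLE)):
        print(f"{e['section']} {e['name']!r}: CLSID {e['clsid']} referenced but not registered")
    print("ActiveX download hosts:", sorted(dpf_hosts(entries)))
```

On the excerpt, the only add-on flagged is the ZoneAlarm Spy Blocker toolbar: its CLSID {F0D4B239-...} is listed under HKCU\...\Toolbar\WebBrowser, but the dump shows no HKCR\CLSID key for it, while the BHO half of the same product ({F0D4B231-...}) is registered normally. That is an inconsistency worth asking about when an IE toolbar keeps dropping a bar, but the log alone does not prove it is the cause. The O16 host list is the other thing to skim: every DPF entry is a site the user once allowed to install an ActiveX control.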

#2 Bearnes

  • Topic Starter
  • Members
  • 17 posts

Posted 05 May 2008 - 05:47 PM

I know it says not to bump...but at this point it can't hurt...I hope.

Would really like some feedback. Thanks

#3 steamwiz

  • Members
  • 1,039 posts

Posted 14 May 2008 - 03:11 PM

Hi

Your log's clean ...

Please run a Kaspersky Online Scan

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

Click Accept

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives, Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Once finished, save the log to your Desktop as filename KAV.txt
THEN ...

Please Download Malwarebytes' Anti-Malware from Here :-

http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html

or here :-

http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply.

THEN ...

Please follow these directions to run Combofix & post a log.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware.

#4 Bearnes

  • Topic Starter
  • Members
  • 17 posts

Posted 15 May 2008 - 10:42 PM

Whew..thanks for the response. I just read this- will have time tomorrow to do everything you requested. Will post back then.

#5 Bearnes

  • Topic Starter
  • Members
  • 17 posts

Posted 17 May 2008 - 09:56 AM

Running that last one closed all my windows, which included the other information in a post I was making here :blink: Still have the Kaspersky one, which I'm assuming you also wanted, below. Will work on the other ones AFTER I post this :thumbsup:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, May 17, 2008 8:20:06 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 17/05/2008
Kaspersky Anti-Virus database records: 779981
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 214536
Number of viruses found: 4
Number of infected objects: 18
Number of suspicious objects: 2
Duration of the scan process: 03:06:40

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Crypto\RSA\MachineKeys\194993bf2fb2fa6327e1274a3a282caa_4013e236-b2b6-4112-ae78-343a50596d10 Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Crypto\RSA\MachineKeys\8a03bbf69f7a641e710241d0dfb98686_4013e236-b2b6-4112-ae78-343a50596d10 Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Crypto\RSA\MachineKeys\908477e760201862dd3721658990e1ad_4013e236-b2b6-4112-ae78-343a50596d10 Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Crypto\RSA\MachineKeys\9796dbf705082f2b59fd40f42229860f_4013e236-b2b6-4112-ae78-343a50596d10 Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Crypto\RSA\MachineKeys\ab584db1a54461fe80dd4e1f1a87424b_4013e236-b2b6-4112-ae78-343a50596d10 Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Crypto\RSA\MachineKeys\cda943a859e61b55599d662c043fc7e8_4013e236-b2b6-4112-ae78-343a50596d10 Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Crypto\RSA\MachineKeys\db91e0f50eff5a50701f04352d0b2a0a_4013e236-b2b6-4112-ae78-343a50596d10 Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Crypto\RSA\MachineKeys\dedf78c5dc3679b897c620cd3050d22a_4013e236-b2b6-4112-ae78-343a50596d10 Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip/Yazzle1281OinUninstaller.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\Dutchunter\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Dutchunter\Desktop\Trees\PharaohsArrows.exe/Alawar_gamebar.exe/Alawar_bundle.exe/data0007/data0005 Infected: not-a-virus:AdWare.Win32.MegaSearch.g skipped
C:\Documents and Settings\Dutchunter\Desktop\Trees\PharaohsArrows.exe/Alawar_gamebar.exe/Alawar_bundle.exe/data0007 Infected: not-a-virus:AdWare.Win32.MegaSearch.g skipped
C:\Documents and Settings\Dutchunter\Desktop\Trees\PharaohsArrows.exe/Alawar_gamebar.exe/Alawar_bundle.exe/data0008/data0002/data0005 Infected: Trojan-Downloader.Win32.Keenval.h skipped
C:\Documents and Settings\Dutchunter\Desktop\Trees\PharaohsArrows.exe/Alawar_gamebar.exe/Alawar_bundle.exe/data0008/data0002 Infected: Trojan-Downloader.Win32.Keenval.h skipped
C:\Documents and Settings\Dutchunter\Desktop\Trees\PharaohsArrows.exe/Alawar_gamebar.exe/Alawar_bundle.exe/data0008/data0005 Infected: Trojan.Win32.Keenval.a skipped
C:\Documents and Settings\Dutchunter\Desktop\Trees\PharaohsArrows.exe/Alawar_gamebar.exe/Alawar_bundle.exe/data0008 Infected: Trojan.Win32.Keenval.a skipped
C:\Documents and Settings\Dutchunter\Desktop\Trees\PharaohsArrows.exe/Alawar_gamebar.exe/Alawar_bundle.exe Infected: Trojan.Win32.Keenval.a skipped
C:\Documents and Settings\Dutchunter\Desktop\Trees\PharaohsArrows.exe/Alawar_gamebar.exe Infected: Trojan.Win32.Keenval.a skipped
C:\Documents and Settings\Dutchunter\Desktop\Trees\PharaohsArrows.exe Gentee: infected - 8 skipped
C:\Documents and Settings\Dutchunter\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Dutchunter\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Dutchunter\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Dutchunter\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Dutchunter\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Dutchunter\ntuser.dat Object is locked skipped
C:\Documents and Settings\Dutchunter\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\System Volume Information\_restore{BC0B715D-61AB-4EFA-8F2C-5AF8CF83265D}\RP667\A0300035.exe/Alawar_gamebar.exe/Alawar_bundle.exe/data0007/data0005 Infected: not-a-virus:AdWare.Win32.MegaSearch.g skipped
C:\System Volume Information\_restore{BC0B715D-61AB-4EFA-8F2C-5AF8CF83265D}\RP667\A0300035.exe/Alawar_gamebar.exe/Alawar_bundle.exe/data0007 Infected: not-a-virus:AdWare.Win32.MegaSearch.g skipped
C:\System Volume Information\_restore{BC0B715D-61AB-4EFA-8F2C-5AF8CF83265D}\RP667\A0300035.exe/Alawar_gamebar.exe/Alawar_bundle.exe/data0008/data0002/data0005 Infected: Trojan-Downloader.Win32.Keenval.h skipped
C:\System Volume Information\_restore{BC0B715D-61AB-4EFA-8F2C-5AF8CF83265D}\RP667\A0300035.exe/Alawar_gamebar.exe/Alawar_bundle.exe/data0008/data0002 Infected: Trojan-Downloader.Win32.Keenval.h skipped
C:\System Volume Information\_restore{BC0B715D-61AB-4EFA-8F2C-5AF8CF83265D}\RP667\A0300035.exe/Alawar_gamebar.exe/Alawar_bundle.exe/data0008/data0005 Infected: Trojan.Win32.Keenval.a skipped
C:\System Volume Information\_restore{BC0B715D-61AB-4EFA-8F2C-5AF8CF83265D}\RP667\A0300035.exe/Alawar_gamebar.exe/Alawar_bundle.exe/data0008 Infected: Trojan.Win32.Keenval.a skipped
C:\System Volume Information\_restore{BC0B715D-61AB-4EFA-8F2C-5AF8CF83265D}\RP667\A0300035.exe/Alawar_gamebar.exe/Alawar_bundle.exe Infected: Trojan.Win32.Keenval.a skipped
C:\System Volume Information\_restore{BC0B715D-61AB-4EFA-8F2C-5AF8CF83265D}\RP667\A0300035.exe/Alawar_gamebar.exe Infected: Trojan.Win32.Keenval.a skipped
C:\System Volume Information\_restore{BC0B715D-61AB-4EFA-8F2C-5AF8CF83265D}\RP667\A0300035.exe Gentee: infected - 8 skipped
C:\System Volume Information\_restore{BC0B715D-61AB-4EFA-8F2C-5AF8CF83265D}\RP683\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\MRULZ.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{19309DBD-661F-41C7-A230-4F83B51D2615}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Antivirus.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\default Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\default.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\software Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\software.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\system Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\system.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat Object is locked skipped
C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.idx Object is locked skipped
C:\WINDOWS\SYSTEM32\h323log.txt Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_14c.dat Object is locked skipped
C:\WINDOWS\Temp\ZLT03e32.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT03e36.TMP Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

#6 Bearnes (Topic Starter)

Posted 17 May 2008 - 10:22 AM

Malwarebytes' Anti-Malware 1.12
Database version: 757

Scan type: Quick Scan
Objects scanned: 77461
Time elapsed: 14 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#7 Bearnes (Topic Starter)

Posted 17 May 2008 - 10:50 AM

I hope I did this right. I just ran the ComboFix w/out worrying about the other stuff on that page for now:

ComboFix 08-05-15.3 - Dutchunter 2008-05-17 10:27:31.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.164 [GMT -5:00]
Running from: C:\Documents and Settings\Dutchunter\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Dutchunter\Local Settings\Temporary Internet Files\pse_300_enu.exe
C:\Program Files\BulletProofSoft.com
C:\Program Files\Mozilla Firefox\plugins\npclntax.dll
C:\Temp\fse
C:\WINDOWS\system32\AutoRun.inf
C:\WINDOWS\system32\FTPx.dll
C:\WINDOWS\system32\MabryObj.dll
C:\WINDOWS\system32\MSINET.oca

.
((((((((((((((((((((((((( Files Created from 2008-04-17 to 2008-05-17 )))))))))))))))))))))))))))))))
.

2008-05-09 15:14 . 2008-01-01 23:49 102,364 --------- C:\WINDOWS\hpqins13.dat.temp
2008-05-09 15:03 . 2008-05-09 15:03 <DIR> d-------- C:\WINDOWS\SYSTEM32\asunnygarden_3122092 dir
2008-05-09 15:03 . 2008-05-09 15:03 520,192 --a------ C:\WINDOWS\SYSTEM32\asunnygarden_3122092.scr
2008-05-05 21:55 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
2008-05-05 21:55 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-04-29 11:38 . 2008-04-29 11:38 <DIR> d-------- C:\WINDOWS\SYSTEM32\springbutterflies_3042993 dir
2008-04-29 11:38 . 2008-04-29 11:38 520,192 --a------ C:\WINDOWS\SYSTEM32\springbutterflies_3042993.scr
2008-04-28 17:40 . 2008-04-28 17:43 <DIR> d-------- C:\Program Files\Dziobas Rar Player
2008-04-28 12:19 . 2008-05-17 10:37 11,669,536 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat
2008-04-28 12:19 . 2008-05-16 13:10 120,980 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.idx
2008-04-27 23:07 . 2008-04-28 11:45 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2008-04-27 23:06 . 2008-04-27 23:06 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-04-27 22:56 . 2008-04-27 22:56 <DIR> d-------- C:\Deckard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-09 17:35 --------- d-----w C:\Program Files\Enigma Software Group
2008-05-06 02:55 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-04-11 22:29 --------- d-----w C:\Program Files\The Cleaner Free
2008-04-05 23:24 --------- d-----w C:\Program Files\Coupons
2008-04-03 23:25 --------- d-----w C:\Program Files\ZoneAlarmSB
2008-04-03 02:07 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2008-04-03 02:07 1,086,952 ----a-w C:\WINDOWS\SYSTEM32\zpeng24.dll
2008-03-30 15:21 --------- d---a-w C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-03-28 15:58 --------- d-----w C:\Documents and Settings\Bunny Nibbles\Application Data\HPAppData
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\SYSTEM32\msjint40.dll
2008-03-24 16:51 520,192 ----a-w C:\WINDOWS\SYSTEM32\busybees_3042992.scr
2008-03-24 16:32 520,192 ----a-w C:\WINDOWS\SYSTEM32\lavenderblooms_3120385.scr
2008-03-23 18:46 --------- d-----w C:\Program Files\a-squared Anti-Malware
2008-03-23 18:33 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-03-23 18:32 --------- d-----w C:\Program Files\Panda Security
2008-03-23 15:52 --------- d-----w C:\Program Files\Ace Utilities
2008-03-21 17:35 --------- d-----w C:\Documents and Settings\Bunny Nibbles\Application Data\Malwarebytes
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-18 21:33 520,192 ----a-w C:\WINDOWS\SYSTEM32\sillylilybunny_3120366.scr
2008-03-18 21:24 --------- d-----w C:\Program Files\Magentic
2008-03-09 16:00 751,016 ----a-w C:\WINDOWS\SYSTEM32\Magentic Screensaver.scr
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\SYSTEM32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\SYSTEM32\dnsrslvr.dll
2007-10-04 19:46 24,760 ----a-w C:\Documents and Settings\Dutchunter\Application Data\GDIPFONTCACHEV1.DAT
2004-11-14 18:11 560 ----a-w C:\Documents and Settings\Dutchunter\PCDOC.BAT
2004-05-02 22:16 457 ----a-w C:\Program Files\INSTALL.LOG
2002-12-31 03:03 1 ----a-w C:\Documents and Settings\Jonathan Kok\scrcfg.dat
2007-09-23 00:46 1,113 --sha-w C:\WINDOWS\SYSTEM32\mmf.sys
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 180,269 2006-05-31 00:56:58 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe

----a-w 80,896 2007-08-22 22:31:16 C:\Program Files\Hp\Digital Imaging\bin\bak\hpqSRMon.exe
----a-w 81,920 2008-03-13 14:34:28 C:\Program Files\Hp\Digital Imaging\bin\HpqSRmon.exe

----a-w 49,152 2007-03-12 03:34:40 C:\Program Files\Hp\HP Software Update\bak\HPWuSchd2.exe
----a-w 49,152 2007-03-12 03:34:40 C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe

----a-w 132,496 2007-09-25 07:11:35 C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe

----a-w 8,192 2006-11-07 21:41:44 C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mimboot.exe

----a-w 15,360 2004-08-04 07:56:48 C:\WINDOWS\SYSTEM32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 07:56:48 C:\WINDOWS\SYSTEM32\ctfmon.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= "C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" [2008-04-03 18:25 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-04-03 18:25 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-10-06 15:16 5058560]
"nwiz"="nwiz.exe" [2003-10-06 15:16 741376 C:\WINDOWS\SYSTEM32\nwiz.exe]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 05:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe" [ ]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 04:10 55824 C:\WINDOWS\KHALMNPR.Exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [ ]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-04-02 21:07 919016]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 13:37 79224]
"hpqSRMon"="C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-03-13 09:34 81920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2004-12-14 12:24 263824]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll 2007-11-15 11:10 72208 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
backup=C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
-ra------ 2007-03-01 10:37 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeRAM XP]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"a-squared"="C:\Program Files\a-squared Anti-Malware\a2guard.exe" /d=60
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"TrojanScanner"=C:\Program Files\Trojan Remover\Trjscan.exe
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IMApp.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"C:\\Program Files\\Magentic\\bin\\MgImp.exe"=
"C:\\Program Files\\Magentic\\bin\\Magentic.exe"=
"C:\\Program Files\\Magentic\\bin\\MgApp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\kav\\kav7\\setup.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 13:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 13:35]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 02:56]
S3 USB10T2B;Linksys USB 10Base-T Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\USB10T2B.sys [2000-02-15 03:20]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-16 23:51:48 C:\WINDOWS\Tasks\User_Feed_Synchronization-{BB8EBD71-BCD6-4719-BC7F-02A0A6C1E8B3}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-17 10:37:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-17 10:42:54
ComboFix-quarantined-files.txt 2008-05-17 15:42:49

Pre-Run: 78,055,493,632 bytes free
Post-Run: 78,640,107,520 bytes free

177 --- E O F --- 2008-05-16 18:09:47

#8 steamwiz

Posted 18 May 2008 - 05:43 PM

Hi

I would have liked to see the first Malwarebytes scan ... it would show what was removed, the new one just shows a clean scan ... never mind ...

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
File::
C:\Documents and Settings\Dutchunter\Desktop\Trees\PharaohsArrows.exe

AWF::
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mimboot.exe


Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
[screenshot]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Is the problem any better ?

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#9 Bearnes (Topic Starter)

Posted 18 May 2008 - 07:10 PM

Prior to this it was still acting up. Will find out later if I notice any improvement. Here are the results from the last thing you asked for:


ComboFix 08-05-15.3 - Dutchunter 2008-05-18 18:52:15.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.213 [GMT -5:00]
Running from: C:\Documents and Settings\Dutchunter\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dutchunter\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\Dutchunter\Desktop\Trees\PharaohsArrows.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Dutchunter\Desktop\Trees\PharaohsArrows.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-18 to 2008-05-18 )))))))))))))))))))))))))))))))
.

2008-05-09 15:14 . 2008-01-01 23:49 102,364 --------- C:\WINDOWS\hpqins13.dat.temp
2008-05-09 15:03 . 2008-05-09 15:03 <DIR> d-------- C:\WINDOWS\SYSTEM32\asunnygarden_3122092 dir
2008-05-09 15:03 . 2008-05-09 15:03 520,192 --a------ C:\WINDOWS\SYSTEM32\asunnygarden_3122092.scr
2008-05-05 21:55 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
2008-05-05 21:55 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-04-29 11:38 . 2008-04-29 11:38 <DIR> d-------- C:\WINDOWS\SYSTEM32\springbutterflies_3042993 dir
2008-04-29 11:38 . 2008-04-29 11:38 520,192 --a------ C:\WINDOWS\SYSTEM32\springbutterflies_3042993.scr
2008-04-28 17:40 . 2008-04-28 17:43 <DIR> d-------- C:\Program Files\Dziobas Rar Player
2008-04-28 12:19 . 2008-05-18 18:58 12,642,336 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat
2008-04-28 12:19 . 2008-05-18 13:53 145,436 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.idx
2008-04-27 23:07 . 2008-04-28 11:45 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2008-04-27 23:06 . 2008-04-27 23:06 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-04-27 22:56 . 2008-04-27 22:56 <DIR> d-------- C:\Deckard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-18 21:11 --------- d-----w C:\Program Files\Coupons
2008-05-09 17:35 --------- d-----w C:\Program Files\Enigma Software Group
2008-05-06 02:55 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-04-11 22:29 --------- d-----w C:\Program Files\The Cleaner Free
2008-04-03 23:25 --------- d-----w C:\Program Files\ZoneAlarmSB
2008-04-03 02:07 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2008-04-03 02:07 1,086,952 ----a-w C:\WINDOWS\SYSTEM32\zpeng24.dll
2008-03-30 15:21 --------- d---a-w C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-03-28 15:58 --------- d-----w C:\Documents and Settings\Bunny Nibbles\Application Data\HPAppData
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\SYSTEM32\msjint40.dll
2008-03-24 16:51 520,192 ----a-w C:\WINDOWS\SYSTEM32\busybees_3042992.scr
2008-03-24 16:32 520,192 ----a-w C:\WINDOWS\SYSTEM32\lavenderblooms_3120385.scr
2008-03-23 18:46 --------- d-----w C:\Program Files\a-squared Anti-Malware
2008-03-23 18:33 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-03-23 18:32 --------- d-----w C:\Program Files\Panda Security
2008-03-23 15:52 --------- d-----w C:\Program Files\Ace Utilities
2008-03-21 17:35 --------- d-----w C:\Documents and Settings\Bunny Nibbles\Application Data\Malwarebytes
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-18 21:33 520,192 ----a-w C:\WINDOWS\SYSTEM32\sillylilybunny_3120366.scr
2008-03-18 21:24 --------- d-----w C:\Program Files\Magentic
2008-03-09 16:00 751,016 ----a-w C:\WINDOWS\SYSTEM32\Magentic Screensaver.scr
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\SYSTEM32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\SYSTEM32\dnsrslvr.dll
2007-10-04 19:46 24,760 ----a-w C:\Documents and Settings\Dutchunter\Application Data\GDIPFONTCACHEV1.DAT
2004-11-14 18:11 560 ----a-w C:\Documents and Settings\Dutchunter\PCDOC.BAT
2004-05-02 22:16 457 ----a-w C:\Program Files\INSTALL.LOG
2002-12-31 03:03 1 ----a-w C:\Documents and Settings\Jonathan Kok\scrcfg.dat
2007-09-23 00:46 1,113 --sha-w C:\WINDOWS\SYSTEM32\mmf.sys
.

((((((((((((((((((((((((((((( snapshot@2008-05-17_10.42.00.84 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-16 23:46:57 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-18 20:44:13 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-18 20:44:26 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_108.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 180,269 2006-05-31 00:56:58 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe

----a-w 80,896 2007-08-22 22:31:16 C:\Program Files\Hp\Digital Imaging\bin\bak\hpqSRMon.exe
----a-w 81,920 2008-03-13 14:34:28 C:\Program Files\Hp\Digital Imaging\bin\HpqSRmon.exe

----a-w 49,152 2007-03-12 03:34:40 C:\Program Files\Hp\HP Software Update\bak\HPWuSchd2.exe
----a-w 49,152 2007-03-12 03:34:40 C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe

----a-w 132,496 2007-09-25 07:11:35 C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe

----a-w 15,360 2004-08-04 07:56:48 C:\WINDOWS\SYSTEM32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 07:56:48 C:\WINDOWS\SYSTEM32\ctfmon.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= "C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" [2008-04-03 18:25 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-04-03 18:25 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-10-06 15:16 5058560]
"nwiz"="nwiz.exe" [2003-10-06 15:16 741376 C:\WINDOWS\SYSTEM32\nwiz.exe]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 05:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe" [2006-11-07 16:41 8192]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 04:10 55824 C:\WINDOWS\KHALMNPR.Exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [ ]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-04-02 21:07 919016]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 13:37 79224]
"hpqSRMon"="C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-03-13 09:34 81920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2004-12-14 12:24 263824]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll 2007-11-15 11:10 72208 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
backup=C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
-ra------ 2007-03-01 10:37 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeRAM XP]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"a-squared"="C:\Program Files\a-squared Anti-Malware\a2guard.exe" /d=60
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"TrojanScanner"=C:\Program Files\Trojan Remover\Trjscan.exe
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IMApp.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"C:\\Program Files\\Magentic\\bin\\MgImp.exe"=
"C:\\Program Files\\Magentic\\bin\\Magentic.exe"=
"C:\\Program Files\\Magentic\\bin\\MgApp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\kav\\kav7\\setup.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 13:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 13:35]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 02:56]
S3 USB10T2B;Linksys USB 10Base-T Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\USB10T2B.sys [2000-02-15 03:20]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contents of the 'Scheduled Tasks' folder
"2008-05-18 02:27:36 C:\WINDOWS\Tasks\User_Feed_Synchronization-{BB8EBD71-BCD6-4719-BC7F-02A0A6C1E8B3}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-18 18:58:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-18 19:05:04
ComboFix-quarantined-files.txt 2008-05-19 00:04:59
ComboFix2.txt 2008-05-17 15:42:56

Pre-Run: 79,567,384,576 bytes free
Post-Run: 79,587,872,768 bytes free

178 --- E O F --- 2008-05-16 18:09:47

#10 steamwiz

Posted 19 May 2008 - 02:51 PM

Hi

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word Folder:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
Folder::
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\Hp\Digital Imaging\bin\bak
C:\Program Files\Hp\HP Software Update\bak
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak
C:\WINDOWS\SYSTEM32\bak

AWF::
C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe


Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
[screenshot]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

THEN ...

This will clear all your infected restore points...

Turn off (Disable) System Restore in XP :-

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart your computer.

Then...

Turn on (enable) System Restore :-

Follow the same procedure, but this time uncheck Turn off System Restore

if you have any problem with this... here's a link to instructions :-


Disabling or enabling Windows XP System Restore >

http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

THEN ...

Please Download CCleaner from :-

http://www.filehippo.com/download_ccleaner/ (click the download tab)

During the installation be sure to UN-check the box for "Ccleaner Yahoo Toolbar" unless you want it.

double-click the ccsetup.exe file and install the program...

After installing, go to Start > programs > CCleaner > Options > Advanced > UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

Make sure the "windows" tab is selected

Under "internet explorer" tick...

Temporary internet files
Cookies* > see Note below
History
Recently typed URL's
(leave this unticked if you DON'T want to clear the drop down list in the address window of IE)
Delete index.dat files
Last download location
Autocomplete form history


under "Windows explorer" these are optional, but you can safely tick them all if you wish, they are only "most recently used lists"

Other explorer MRU's
(leave this unticked if you DON'T want to clear lists such as the start\run list)

under "System"

Tick ALL these ...


under "Advanced"

no need to tick any of these (but you can if you want, and realise what they do)


Applications tab...

These will mostly clean out old log files for these applications...

Clean:- (if you use them)

Firefox/Mozilla (optional - leave the cookies - see note)
Opera
Sun Java
ZoneAlarm

...
Personally I clean everything in the applications tab... but you tick what you want...

Note: *If there are any cookies you want to keep (if you remove the cookie for a site you require a password for, you will need to re-enter your password when you next visit that site) ... click options > cookies > then keep the cookies you want.

click "analyse" if you want to see a list of what is going to be removed, before it is removed.

Or

click "run cleaner" to let it get on with its work... clicking this will result in the following pop-up

"This process will permanently delete files from your system. Are you sure you wish to proceed?"

click OK.

THEN ...

You are running an out-of-date version of Java

Go to add/remove programs and uninstall any earlier versions ...

Then You can go here and install the latest version of Java.

http://java.sun.com/javase/downloads/index.jsp

Scroll down the page to 'Java Runtime Environment (JRE) 6 Update 6' and press the 'Download' button.


Running an out-of-date version of Java is an infection risk.

last ... run a new Kaspersky Online Scan & post the log ...

Don't forget to tell me if your problem is resolved ?

steam

Edited by steamwiz, 19 May 2008 - 02:52 PM.
correct spelling

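The two CFScripts in this thread (the AWF:: line in post #8, and the Folder:: and AWF:: lines in post #10) act on the AWF section of the ComboFix log, which lists a copy kept under a "bak" subfolder next to, where one exists, the file of the same name one level up. The Python below is an added example for this thread, not ComboFix's own code and not something either poster wrote. It parses that section from the logs posted here, cross-checks it against the Run-key lines where ComboFix printed "[ ]" instead of a date and size, and renders the matching CFScript directives. Two things are my reading rather than anything the page documents: that a bak entry is a saved copy of the live file, and that "[ ]" after a Run-key value means the target file was not found. The sample text is constructed from the logs above, and the verdict names restore, delete-bak and review are this example's own.

```python
"""Triage the AWF section of a ComboFix log against its Run-key entries.

Added example for this thread, not ComboFix's own code.  Assumptions (my
reading of the posted logs, not documented on the page): every AWF line
under a 'bak' folder is a saved copy of the file of the same name one
level up, and a Run-key value followed by '[ ]' is one whose target file
ComboFix could not find.
"""
import re
from pathlib import PureWindowsPath

# Constructed from the AWF section and Run keys posted in the thread.
SAMPLE_AWF = r"""
----a-w 180,269 2006-05-31 00:56:58 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
----a-w 80,896 2007-08-22 22:31:16 C:\Program Files\Hp\Digital Imaging\bin\bak\hpqSRMon.exe
----a-w 81,920 2008-03-13 14:34:28 C:\Program Files\Hp\Digital Imaging\bin\HpqSRmon.exe
----a-w 49,152 2007-03-12 03:34:40 C:\Program Files\Hp\HP Software Update\bak\HPWuSchd2.exe
----a-w 49,152 2007-03-12 03:34:40 C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
----a-w 132,496 2007-09-25 07:11:35 C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe
----a-w 8,192 2006-11-07 21:41:44 C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mimboot.exe
----a-w 15,360 2004-08-04 07:56:48 C:\WINDOWS\SYSTEM32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 07:56:48 C:\WINDOWS\SYSTEM32\ctfmon.exe
"""
SAMPLE_RUN = r"""
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [ ]
"hpqSRMon"="C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-03-13 09:34 81920]
"""

# attribute flags, size with thousands separators, timestamp, path
AWF_LINE = re.compile(r"^(\S{7})\s+([\d,]+)\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(.+?)\s*$")


def parse_awf(text):
    """Group AWF lines by live location -> {'bak': entry, 'live': entry}."""
    groups = {}
    for line in text.splitlines():
        m = AWF_LINE.match(line)
        if not m:
            continue
        _attrs, size, stamp, path = m.groups()
        p = PureWindowsPath(path)
        entry = {"size": int(size.replace(",", "")), "time": stamp,
                 "path": path, "folder": str(p.parent)}
        if p.parent.name.lower() == "bak":
            slot, live_dir = "bak", p.parent.parent
        else:
            slot, live_dir = "live", p.parent
        key = str(live_dir / p.name).lower()      # case-insensitive, like NTFS
        groups.setdefault(key, {})[slot] = entry
    return groups


def missing_run_targets(text):
    """Lower-case file names of Run-key values that ComboFix tagged '[ ]'."""
    missing = set()
    for line in text.splitlines():
        line = line.strip()
        if not line.endswith("[ ]") or "=" not in line:
            continue
        value = line[line.index("=") + 1:line.rfind("[")].strip().strip('"')
        missing.add(PureWindowsPath(value).name.lower())
    return missing


def triage(awf_text, run_text):
    """Attach a verdict to every AWF group: restore, delete-bak or review."""
    missing = missing_run_targets(run_text)
    result = {}
    for key, slots in parse_awf(awf_text).items():
        bak, live = slots.get("bak"), slots.get("live")
        name = PureWindowsPath(key).name
        if bak and not live and name in missing:
            verdict = "restore"      # live file gone and its Run entry dangles
        elif bak and live and (bak["size"], bak["time"]) == (live["size"], live["time"]):
            verdict = "delete-bak"   # identical copies, the bak folder is redundant
        else:
            verdict = "review"       # bak-only with no evidence, or copies that differ
        result[key] = {"verdict": verdict, "bak": bak, "live": live}
    return result


def cfscript(records):
    """Render the directives used in the thread: Folder:: to drop, AWF:: to restore."""
    folders = sorted(r["bak"]["folder"] for r in records.values() if r["verdict"] == "delete-bak")
    restores = sorted(r["bak"]["path"] for r in records.values() if r["verdict"] == "restore")
    lines = []
    if folders:
        lines += ["Folder::", *folders, ""]
    if restores:
        lines += ["AWF::", *restores]
    return "\n".join(lines) + "\n"   # directive on line 1, no leading blank line


if __name__ == "__main__":
    verdicts = triage(SAMPLE_AWF, SAMPLE_RUN)
    for key, rec in sorted(verdicts.items()):
        print(f"{rec['verdict']:10s} {key}")
    print()
    print(cfscript(verdicts), end="")
```

On the sample text this marks mimboot.exe and jusched.exe for AWF:: restoration (bak copy present, live file missing, Run entry dangling) and the ctfmon.exe and HPWuSchd2.exe bak folders for Folder:: deletion (byte-identical copies), which is what the two CFScripts in the thread did. It leaves realsched.exe and hpqSRMon.exe as review, whereas steamwiz also deleted those bak folders after reading the whole log; treat the output as a starting point for a human decision, not as something to drop straight onto ComboFix.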

#11 Bearnes (Topic Starter)

Posted 19 May 2008 - 09:52 PM

Here's the ComboFix info, I may not get to the others until tomorrow (and btw, I really appreciate your taking the time to help!)


ComboFix 08-05-15.3 - Dutchunter 2008-05-19 21:36:47.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.267 [GMT -5:00]
Running from: C:\Documents and Settings\Dutchunter\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dutchunter\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
C:\Program Files\Hp\Digital Imaging\bin\bak
C:\Program Files\Hp\Digital Imaging\bin\bak\hpqSRMon.exe
C:\Program Files\Hp\HP Software Update\bak
C:\Program Files\Hp\HP Software Update\bak\HPWuSchd2.exe
C:\WINDOWS\SYSTEM32\bak
C:\WINDOWS\SYSTEM32\bak\ctfmon.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-20 to 2008-05-20 )))))))))))))))))))))))))))))))
.

2008-05-09 15:14 . 2008-01-01 23:49 102,364 --------- C:\WINDOWS\hpqins13.dat.temp
2008-05-09 15:03 . 2008-05-09 15:03 <DIR> d-------- C:\WINDOWS\SYSTEM32\asunnygarden_3122092 dir
2008-05-09 15:03 . 2008-05-09 15:03 520,192 --a------ C:\WINDOWS\SYSTEM32\asunnygarden_3122092.scr
2008-05-05 21:55 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
2008-05-05 21:55 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-04-29 11:38 . 2008-04-29 11:38 <DIR> d-------- C:\WINDOWS\SYSTEM32\springbutterflies_3042993 dir
2008-04-29 11:38 . 2008-04-29 11:38 520,192 --a------ C:\WINDOWS\SYSTEM32\springbutterflies_3042993.scr
2008-04-28 17:40 . 2008-04-28 17:43 <DIR> d-------- C:\Program Files\Dziobas Rar Player
2008-04-28 12:19 . 2008-05-19 21:42 13,326,368 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat
2008-04-28 12:19 . 2008-05-19 21:21 156,860 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.idx
2008-04-27 23:07 . 2008-04-28 11:45 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2008-04-27 23:06 . 2008-04-27 23:06 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-04-27 22:56 . 2008-04-27 22:56 <DIR> d-------- C:\Deckard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-19 15:41 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-19 00:13 712,436 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-05-18 21:11 --------- d-----w C:\Program Files\Coupons
2008-05-09 17:35 --------- d-----w C:\Program Files\Enigma Software Group
2008-05-06 02:55 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-04-11 22:29 --------- d-----w C:\Program Files\The Cleaner Free
2008-04-03 23:25 --------- d-----w C:\Program Files\ZoneAlarmSB
2008-04-03 02:07 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2008-04-03 02:07 1,086,952 ----a-w C:\WINDOWS\SYSTEM32\zpeng24.dll
2008-03-30 15:21 --------- d---a-w C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-03-28 15:58 --------- d-----w C:\Documents and Settings\Bunny Nibbles\Application Data\HPAppData
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\SYSTEM32\msjint40.dll
2008-03-24 16:51 520,192 ----a-w C:\WINDOWS\SYSTEM32\busybees_3042992.scr
2008-03-24 16:32 520,192 ----a-w C:\WINDOWS\SYSTEM32\lavenderblooms_3120385.scr
2008-03-23 18:46 --------- d-----w C:\Program Files\a-squared Anti-Malware
2008-03-23 18:33 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-03-23 18:32 --------- d-----w C:\Program Files\Panda Security
2008-03-23 15:52 --------- d-----w C:\Program Files\Ace Utilities
2008-03-21 17:35 --------- d-----w C:\Documents and Settings\Bunny Nibbles\Application Data\Malwarebytes
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-18 21:33 520,192 ----a-w C:\WINDOWS\SYSTEM32\sillylilybunny_3120366.scr
2008-03-09 16:00 751,016 ----a-w C:\WINDOWS\SYSTEM32\Magentic Screensaver.scr
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\SYSTEM32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\SYSTEM32\dnsrslvr.dll
2007-10-04 19:46 24,760 ----a-w C:\Documents and Settings\Dutchunter\Application Data\GDIPFONTCACHEV1.DAT
2004-11-14 18:11 560 ----a-w C:\Documents and Settings\Dutchunter\PCDOC.BAT
2004-05-02 22:16 457 ----a-w C:\Program Files\INSTALL.LOG
2002-12-31 03:03 1 ----a-w C:\Documents and Settings\Jonathan Kok\scrcfg.dat
2007-09-23 00:46 1,113 --sha-w C:\WINDOWS\SYSTEM32\mmf.sys
.

((((((((((((((((((((((((((((( snapshot@2008-05-17_10.42.00.84 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-16 23:46:57 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-20 02:22:18 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-19 15:42:24 295,606 ----a-r C:\WINDOWS\Installer\{AC76BA86-7AD7-1033-7B44-A81200000003}\SC_Reader.exe
- 2008-03-29 18:45:49 1,146,232 ----a-w C:\WINDOWS\SYSTEM32\aswBoot.exe
+ 2008-05-15 23:24:43 1,152,888 ----a-w C:\WINDOWS\SYSTEM32\aswBoot.exe
- 2008-03-29 18:23:22 95,608 ----a-w C:\WINDOWS\SYSTEM32\AvastSS.scr
+ 2008-05-15 23:12:36 95,608 ----a-w C:\WINDOWS\SYSTEM32\AvastSS.scr
- 2008-03-29 18:26:52 26,944 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\aavmker4.sys
+ 2008-05-15 23:13:26 26,944 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\aavmker4.sys
- 2008-03-29 18:35:49 20,560 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\aswFsBlk.sys
+ 2008-05-15 23:16:06 20,560 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\aswFsBlk.sys
- 2008-03-29 18:35:21 94,544 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\aswmon2.sys
+ 2008-05-15 23:18:33 94,416 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\aswmon2.sys
- 2008-03-29 18:29:08 23,152 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\aswRdr.sys
+ 2008-05-15 23:15:29 23,152 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\aswRdr.sys
- 2008-03-29 18:31:34 75,856 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\aswSP.sys
+ 2008-05-15 23:20:32 78,416 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\aswSP.sys
- 2008-03-29 18:27:33 42,912 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\aswTdi.sys
+ 2008-05-15 23:14:11 42,912 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\aswTdi.sys
+ 2008-05-20 02:22:32 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_178.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= "C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" [2008-04-03 18:25 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-04-03 18:25 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-10-06 15:16 5058560]
"nwiz"="nwiz.exe" [2003-10-06 15:16 741376 C:\WINDOWS\SYSTEM32\nwiz.exe]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 05:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe" [2006-11-07 16:41 8192]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 04:10 55824 C:\WINDOWS\KHALMNPR.Exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-04-02 21:07 919016]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-15 18:19 79224]
"hpqSRMon"="C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-03-13 09:34 81920]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2004-12-14 12:24 263824]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll 2007-11-15 11:10 72208 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
backup=C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
-ra------ 2007-03-01 10:37 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeRAM XP]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"a-squared"="C:\Program Files\a-squared Anti-Malware\a2guard.exe" /d=60
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"TrojanScanner"=C:\Program Files\Trojan Remover\Trjscan.exe
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IMApp.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"C:\\Program Files\\Magentic\\bin\\MgImp.exe"=
"C:\\Program Files\\Magentic\\bin\\Magentic.exe"=
"C:\\Program Files\\Magentic\\bin\\MgApp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\kav\\kav7\\setup.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 18:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 18:16]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 02:56]
S3 USB10T2B;Linksys USB 10Base-T Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\USB10T2B.sys [2000-02-15 03:20]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contents of the 'Scheduled Tasks' folder
"2008-05-19 15:38:44 C:\WINDOWS\Tasks\User_Feed_Synchronization-{BB8EBD71-BCD6-4719-BC7F-02A0A6C1E8B3}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-19 21:41:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-19 21:48:53
ComboFix-quarantined-files.txt 2008-05-20 02:48:47
ComboFix2.txt 2008-05-19 00:05:06
ComboFix3.txt 2008-05-17 15:42:56

Pre-Run: 79,668,609,024 bytes free
Post-Run: 79,649,886,208 bytes free

192 --- E O F --- 2008-05-16 18:09:47

#12 Bearnes
  • Topic Starter
  • Members
  • 17 posts

Posted 19 May 2008 - 10:57 PM

Ok..I did the System Restore check and uncheck thing. Ran the CCleaner. Will get the latest Java tomorrow. It seems I have deleted or ? Java because of some trojan or virus or adaware program that keeps bringing it up as "bad" and to delete. It doesn't uninstall it, just deletes some file or something.

On if I've noticed any difference- prior to doing this latest combofix etc, no. It really hung up on me again just prior to coming here to see if there was another response. It seems if the computer is on long enough, and/or if I surf around long enough, it eventually acts up. I have a habit of opening new windows etc when researching and surfing- I don't know if that is what "builds up" or what.

Anyway...tomorrow sometime I'll do some more surfing for awhile and see what happens. Thanks

#13 steamwiz
  • Members
  • 1,039 posts

Posted 20 May 2008 - 03:00 PM

Hi

Your Combofix log is clean now. I await your new KASPERSKY ONLINE SCANNER REPORT & an update on the problem :thumbsup:

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#14 Bearnes
  • Topic Starter
  • Members
  • 17 posts

Posted 20 May 2008 - 09:15 PM

Too soon to tell if the problem has been resolved. Will definitely keep you updated though.


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, May 20, 2008 9:12:43 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 20/05/2008
Kaspersky Anti-Virus database records: 788663
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 158453
Number of viruses found: 4
Number of infected objects: 9
Number of suspicious objects: 2
Duration of the scan process: 02:24:49

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Crypto\RSA\MachineKeys\194993bf2fb2fa6327e1274a3a282caa_4013e236-b2b6-4112-ae78-343a50596d10 Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Crypto\RSA\MachineKeys\8a03bbf69f7a641e710241d0dfb98686_4013e236-b2b6-4112-ae78-343a50596d10 Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Crypto\RSA\MachineKeys\908477e760201862dd3721658990e1ad_4013e236-b2b6-4112-ae78-343a50596d10 Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Crypto\RSA\MachineKeys\9796dbf705082f2b59fd40f42229860f_4013e236-b2b6-4112-ae78-343a50596d10 Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Crypto\RSA\MachineKeys\ab584db1a54461fe80dd4e1f1a87424b_4013e236-b2b6-4112-ae78-343a50596d10 Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Crypto\RSA\MachineKeys\cda943a859e61b55599d662c043fc7e8_4013e236-b2b6-4112-ae78-343a50596d10 Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Crypto\RSA\MachineKeys\db91e0f50eff5a50701f04352d0b2a0a_4013e236-b2b6-4112-ae78-343a50596d10 Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Crypto\RSA\MachineKeys\dedf78c5dc3679b897c620cd3050d22a_4013e236-b2b6-4112-ae78-343a50596d10 Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip/Yazzle1281OinUninstaller.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\Dutchunter\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Dutchunter\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Dutchunter\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Dutchunter\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Dutchunter\Local Settings\Application Data\Musicmatch\Jukebox\mmjbaltlog.txt Object is locked skipped
C:\Documents and Settings\Dutchunter\Local Settings\Application Data\Musicmatch\Jukebox\mmjblog.txt Object is locked skipped
C:\Documents and Settings\Dutchunter\Local Settings\Application Data\Musicmatch\Jukebox\Portables.log Object is locked skipped
C:\Documents and Settings\Dutchunter\Local Settings\Application Data\Musicmatch\MIM\Database\Default.ldb Object is locked skipped
C:\Documents and Settings\Dutchunter\Local Settings\Application Data\Musicmatch\MIM\Database\Default.mdb Object is locked skipped
C:\Documents and Settings\Dutchunter\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Dutchunter\Local Settings\History\History.IE5\MSHist012008052020080521\index.dat Object is locked skipped
C:\Documents and Settings\Dutchunter\Local Settings\Temp\JET317.tmp Object is locked skipped
C:\Documents and Settings\Dutchunter\Local Settings\Temp\~ROMFN_000006C4 Object is locked skipped
C:\Documents and Settings\Dutchunter\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Dutchunter\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Dutchunter\ntuser.dat Object is locked skipped
C:\Documents and Settings\Dutchunter\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\selfdef.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\QooBox\Quarantine\C\Documents and Settings\Dutchunter\Desktop\Trees\PharaohsArrows.exe.vir/Alawar_gamebar.exe/Alawar_bundle.exe/data0007/data0005 Infected: not-a-virus:AdWare.Win32.MegaSearch.g skipped
C:\QooBox\Quarantine\C\Documents and Settings\Dutchunter\Desktop\Trees\PharaohsArrows.exe.vir/Alawar_gamebar.exe/Alawar_bundle.exe/data0007 Infected: not-a-virus:AdWare.Win32.MegaSearch.g skipped
C:\QooBox\Quarantine\C\Documents and Settings\Dutchunter\Desktop\Trees\PharaohsArrows.exe.vir/Alawar_gamebar.exe/Alawar_bundle.exe/data0008/data0002/data0005 Infected: Trojan-Downloader.Win32.Keenval.h skipped
C:\QooBox\Quarantine\C\Documents and Settings\Dutchunter\Desktop\Trees\PharaohsArrows.exe.vir/Alawar_gamebar.exe/Alawar_bundle.exe/data0008/data0002 Infected: Trojan-Downloader.Win32.Keenval.h skipped
C:\QooBox\Quarantine\C\Documents and Settings\Dutchunter\Desktop\Trees\PharaohsArrows.exe.vir/Alawar_gamebar.exe/Alawar_bundle.exe/data0008/data0005 Infected: Trojan.Win32.Keenval.a skipped
C:\QooBox\Quarantine\C\Documents and Settings\Dutchunter\Desktop\Trees\PharaohsArrows.exe.vir/Alawar_gamebar.exe/Alawar_bundle.exe/data0008 Infected: Trojan.Win32.Keenval.a skipped
C:\QooBox\Quarantine\C\Documents and Settings\Dutchunter\Desktop\Trees\PharaohsArrows.exe.vir/Alawar_gamebar.exe/Alawar_bundle.exe Infected: Trojan.Win32.Keenval.a skipped
C:\QooBox\Quarantine\C\Documents and Settings\Dutchunter\Desktop\Trees\PharaohsArrows.exe.vir/Alawar_gamebar.exe Infected: Trojan.Win32.Keenval.a skipped
C:\QooBox\Quarantine\C\Documents and Settings\Dutchunter\Desktop\Trees\PharaohsArrows.exe.vir Gentee: infected - 8 skipped
C:\System Volume Information\_restore{BC0B715D-61AB-4EFA-8F2C-5AF8CF83265D}\RP6\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\MRULZ.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{037F9CEF-B144-4B59-8F93-8ADF73DEBC27}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Antivirus.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\default Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\default.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\software Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\software.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\system Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\system.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat Object is locked skipped
C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.idx Object is locked skipped
C:\WINDOWS\SYSTEM32\h323log.txt Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_144.dat Object is locked skipped
C:\WINDOWS\Temp\ZLT01fd1.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT027a9.TMP Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

#15 steamwiz
  • Members
  • 1,039 posts

Posted 21 May 2008 - 12:50 PM

Hi

run spybot > click recovery > tick the following :-

Yazzle.zip
Yazzle.zip/Yazzle1281OinUninstaller.exe

then click purge selected items

There may be one or two entries; it should be obvious which I mean ... (you could tick everything & purge the lot if you want)

THEN ...

Go to Start > Run > copy and paste ComboFix /u into the Open: box & press OK


Run & post a new KASPERSKY ONLINE SCANNER REPORT ... I expect it to be clean this time :thumbsup:

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware
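The triage steamwiz does by hand in this reply (ignoring the "Object is locked" lines, treating the Infected: entries under ComboFix's QooBox folder as already-quarantined copies, and singling out the Spybot Recovery entries to purge) can be done mechanically when reading a Kaspersky Online Scanner report of this format. The script below is an added example, not code from the thread, from Kaspersky or from any of the tools named here. The report lines it parses are constructed to match the layout in post #14 (they are not copied from the real report; the one "live" hit uses the EICAR test file name), and the quarantine folder names it checks for (QooBox\Quarantine and Spybot - Search & Destroy\Recovery) are taken from the paths in that report.

```python
"""Triage a Kaspersky Online Scanner (5.x) report.

Report lines look like:  <object path> <verdict> <last action>
Three verdict families matter here:
  * "Object is locked"          - file was in use, NOT a detection (noise)
  * "Infected: <name>" / "Suspicious: <name>" - real detections
  * "<container>: infected - N" / "ZIP: suspicious - N" - archive summaries
Nested archive members are written with "/" after the host file path.
"""
import re
from collections import Counter

# Folders where the cleanup tools on the machine keep their own backups.
# A detection inside one of these is a neutralised copy, not a live infection;
# it disappears when that tool's quarantine is purged / the tool is uninstalled.
# Assumption: these two markers are the only backup folders of interest.
QUARANTINE_MARKERS = (
    "\\QooBox\\Quarantine\\",                   # ComboFix quarantine
    "\\Spybot - Search & Destroy\\Recovery\\",  # Spybot S&D recovery backups
)

_LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<verdict>Infected: (?P<name>\S+)"
    r"|Suspicious: (?P<susp>\S+)"
    r"|\S+: (?:infected|suspicious) - \d+"   # archive / packer summary line
    r"|Object is locked)"
    r"\s+(?P<action>skipped|deleted|disinfected|quarantined)$"
)


def parse_line(line):
    """Return a dict describing one report line, or None if it is not one."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    path, verdict = m.group("path"), m.group("verdict")
    if verdict == "Object is locked":
        kind = "locked"
    elif verdict.startswith("Infected:"):
        kind = "infected"
    elif verdict.startswith("Suspicious:"):
        kind = "suspicious"
    else:
        kind = "container"
    return {
        "path": path,
        "host": path.split("/", 1)[0],   # on-disk file that holds the object
        "kind": kind,
        "name": m.group("name") or m.group("susp"),
        "action": m.group("action"),
        "quarantined": any(mk.lower() in path.lower() for mk in QUARANTINE_MARKERS),
    }


def triage(report_text):
    """Count verdict kinds, list on-disk files with hits, and isolate the
    detections that are NOT sitting in a tool's quarantine (the live ones)."""
    counts, hosts, live = Counter(), set(), []
    for line in report_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        counts[rec["kind"]] += 1
        if rec["kind"] != "locked":
            hosts.add(rec["host"])
        if rec["kind"] in ("infected", "suspicious") and not rec["quarantined"]:
            live.append(rec)
    return {"counts": dict(counts), "hosts": sorted(hosts), "live": live}


# Constructed sample report (same layout as the thread's report, not real data).
SAMPLE_REPORT = r"""
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Example.zip/ExampleUninstaller.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Example.zip ZIP: suspicious - 1 skipped
C:\QooBox\Quarantine\C\Documents and Settings\Owner\Desktop\game_setup.exe.vir/bundle.exe Infected: not-a-virus:AdWare.Win32.MegaSearch.g skipped
C:\QooBox\Quarantine\C\Documents and Settings\Owner\Desktop\game_setup.exe.vir Gentee: infected - 1 skipped
C:\Documents and Settings\Owner\Desktop\eicar.com Infected: EICAR-Test-File skipped
"""

if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print("verdict counts:", result["counts"])
    print("files with hits:", *result["hosts"], sep="\n  ")
    print("live (not quarantined) detections:")
    for rec in result["live"]:
        print("  ", rec["name"], "->", rec["path"])
```

Run against the real report, everything in QooBox and the Spybot Recovery folder drops out of the "live" list, which is exactly why the reply above asks for a Spybot purge and a ComboFix uninstall rather than for any further cleaning; anything left in "live" is what a helper would actually act on.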
