
Vundofix Removed By Avast! Computer Still Slow - Application Start Up Verrrry Slow. Help!


  • This topic is locked
27 replies to this topic

#1 southflgirl
  • Members
  • 13 posts

Posted 19 May 2008 - 10:02 PM

Can someone please help me analyse this log? It appears that I had the Virtumonde virus, which Spybot detected, and the VundoFix virus (which Avast detected and removed as I rebooted) since last Wednesday, May 14th. There was no system restore date available at the time, so since then I've run Spybot, Spydoctor, Avast, cleaned out startup, removed useless programs, ran disk cleanup and defrag, and xspy, and still my applications (especially Mozilla & Internet Explorer) are crawling at startup and I don't understand why. I am trying to save all my files instead of reinstalling Windows XP. I would appreciate any help from people with knowledge of these log files.

Thank you, thank you so much for any help!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:54:10 PM, on 5/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\avast\aswUpdSv.exe
C:\Program Files\avast\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\avast\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\avast\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1.1\save.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1.1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1.1\save.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\WINDOWS\system32\SHDOCVW.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O15 - Trusted Zone: http://*.arise.com
O15 - Trusted Zone: http://support.willowcsn.com
O16 - DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} (Image Uploader Control) - http://photodirect.lifepics.com/net/Upload...PUploader45.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} -
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.yorkphoto.com/YorkActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1197258972703
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1197258962250
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O16 - DPF: {FDD6CEF8-3C6E-42E0-BC7B-D730085CFABC} (Jaxtr Outlook Importer) - http://www.jaxtr.com/user/activex/JaxtrOutlookImporter.CAB
O20 - Winlogon Notify: ssqpqrSL - ssqpqrSL.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\avast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\avast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\avast\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O24 - Desktop Component 0: Privacy Protection - (no file)

--
End of file - 8082 bytes
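As an added example (not code from this thread, from HijackThis or from DSS), the script below shows how an analyst might triage log lines like the ones above: it flags load points whose file is missing (such as the O20 ssqpqrSL entry), Winlogon Notify hooks listed without a path, sites in the IE Trusted Zone, extra LSA authentication packages, and reversed-name file pairs like the hggdawus / suwadggh.ini2 pair that appears in the DSS output later in the thread. The sample lines are copied from the logs posted in this thread; the rule names and the choice of checks are my own.

```python
"""Triage helper for HijackThis v2 and DSS log lines.
Added example; not code from Trend Micro, Deckard's System Scanner or this thread."""
import re
from dataclasses import dataclass

HJT_LINE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
LSA_LINE = re.compile(r'"Authentication Packages"=\s*(?P<pkgs>.*)$')
DEFAULT_LSA = {"msv1_0"}  # the only package on a stock Windows XP install


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def parse_hjt(log_text):
    """Yield (section, body, raw_line) for every Rx/Oxx line of a HijackThis log."""
    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            yield m.group("section"), m.group("body"), raw.strip()


def triage_hjt(log_text):
    """Return the HijackThis entries an analyst would want to look at first."""
    findings = []
    for section, body, raw in parse_hjt(log_text):
        if "(file missing)" in body or "(no file)" in body:
            # A load point whose file is gone: a leftover of a removal (the AV
            # deleted the DLL but not the registry hook) or a hidden payload.
            findings.append(Finding(section, "load point whose file is missing", raw))
        if section == "O20" and "Winlogon Notify" in body:
            # Legitimate Notify packages are listed with a full path.
            if "\\" not in body.split(" - ", 1)[-1]:
                findings.append(Finding(section, "Winlogon Notify DLL given without a path", raw))
        if section == "O15":
            findings.append(Finding(section, "site added to the IE Trusted Zone", raw))
        if section == "O2" and "(no name)" in body:
            findings.append(Finding(section, "BHO registered without a name", raw))
    return findings


def extra_lsa_packages(dump_text):
    """Return LSA authentication packages beyond the Windows default (msv1_0).
    Packages are whitespace-separated in the DSS dump; a path with spaces would
    be split, but the dump in this thread has none."""
    for raw in dump_text.splitlines():
        m = LSA_LINE.search(raw)
        if m:
            return [p for p in m.group("pkgs").split() if p.lower() not in DEFAULT_LSA]
    return []


def reversed_name_pairs(paths):
    """Return pairs of paths whose base names (minus extension) reverse into each other,
    the naming trick (e.g. hggdawus / suwadggh) Vundo-style infections use."""
    stems = {}
    for p in paths:
        stems.setdefault(p.replace("/", "\\").rsplit("\\", 1)[-1].split(".")[0].lower(), p)
    pairs = set()
    for stem, p in stems.items():
        rev = stem[::-1]
        if rev != stem and rev in stems:
            pairs.add(tuple(sorted((p, stems[rev]))))
    return sorted(pairs)


def report(hjt_text, dump_text, file_paths):
    """Run all three checks and return one human-readable line per finding."""
    lsa = extra_lsa_packages(dump_text)
    out = [f"[{f.section}] {f.reason}: {f.line}" for f in triage_hjt(hjt_text)]
    out += [f"[LSA] extra authentication package: {p}" for p in lsa]
    # Include the LSA package path so its reversed twin in the file list is found.
    out += [f"[NAMES] reversed-name pair: {a} <-> {b}"
            for a, b in reversed_name_pairs(list(file_paths) + lsa)]
    return out


# Sample input: lines copied from the HijackThis and DSS logs posted in this thread.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\avast\ashDisp.exe
O15 - Trusted Zone: http://*.arise.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ssqpqrSL - ssqpqrSL.dll (file missing)
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe (file missing)
"""
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\hggdawus
"""
SAMPLE_FILES = [r"C:\WINDOWS\system32\suwadggh.ini2", r"C:\WINDOWS\system32\blackster.scr"]

if __name__ == "__main__":
    for line in report(SAMPLE_HJT, SAMPLE_DUMP, SAMPLE_FILES):
        print(line)
```

A hit from these rules is a lead to check against the file system and the file-creation list, not a verdict; the avast-side O4 entry in the sample is deliberately left unflagged.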


#2 SifuMike
    malware expert
  • Staff Emeritus
  • 15,385 posts
  • Location: Vancouver (not BC) WA (Not DC) USA

Posted 20 May 2008 - 11:28 PM

Hello southflgirl,

We need to create a Deckard's System Scanner (DSS) log.
Please download Deckard's System Scanner (DSS) from one of the links below and save it to your Desktop.
Primary Mirror
Secondary Mirror

DSS will do the following:
1. Create a new System Restore point in Windows XP and Vista.
2. Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
3. Check some important areas of your system and produce a report for an analyst to review.
4. Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.

Note: You must be logged onto an account with administrator privileges when using Deckard's System Scanner.

1. Close all applications and windows.
2. Double-click on dss.exe to run it and follow the prompts.
3. If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
4. When the scan is complete, two text files will open in Notepad:
   main.txt <-- Will be maximized
   extra.txt <-- Will be minimized
5. If not, they both can be found in the C:\Deckard\System Scanner folder.
6. Please copy (<Control>+C) and paste (<Control>+V) the contents of main.txt and extra.txt in your next reply.

Note: When running DSS, some firewalls may warn that DSS is trying to access the Internet; especially if you are asked to download the most current version of HijackThis. Please ensure that DSS is given permission to access the internet.
Note: If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.

In your next reply, I need to see the following reports:
DSS Main.txt
DSS Extra.txt

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 SifuMike
    malware expert
  • Staff Emeritus
  • 15,385 posts
  • Location: Vancouver (not BC) WA (Not DC) USA

Posted 26 May 2008 - 06:12 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.

#4 SifuMike
    malware expert
  • Staff Emeritus
  • 15,385 posts
  • Location: Vancouver (not BC) WA (Not DC) USA

Posted 26 May 2008 - 07:17 PM

Topic reopened.

#5 southflgirl
  • Topic Starter
  • Members
  • 13 posts

Posted 27 May 2008 - 07:55 AM

I will complete the necessary steps and get back to you. Thanks.

#6 SifuMike
    malware expert
  • Staff Emeritus
  • 15,385 posts
  • Location: Vancouver (not BC) WA (Not DC) USA

Posted 27 May 2008 - 10:17 AM

OK, I will be here.

#7 southflgirl
  • Topic Starter
  • Members
  • 13 posts

Posted 27 May 2008 - 10:35 AM

Here are the files you requested.

Deckard's System Scanner v20071014.68
Run by gabriella on 2008-05-27 10:13:23
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as gabriella.exe) -------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:13:25 AM, on 5/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\avast\aswUpdSv.exe
C:\Program Files\avast\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\avast\ashDisp.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\avast\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\gabriella\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\GABRIE~1.EXE
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\avast\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1.1\save.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1.1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1.1\save.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O15 - Trusted Zone: http://*.arise.com
O15 - Trusted Zone: http://support.willowcsn.com
O16 - DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} (Image Uploader Control) - http://photodirect.lifepics.com/net/Upload...PUploader45.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.yorkphoto.com/YorkActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1197258972703
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1197258962250
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O16 - DPF: {7E9522CF-6B95-46D6-8E2F-7638F507313F} (BLS_SpeedOP.systemcheck) - http://www.fastaccess.drivers.bellsouth.ne...bls_speedop.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O16 - DPF: {FDD6CEF8-3C6E-42E0-BC7B-D730085CFABC} (Jaxtr Outlook Importer) - http://www.jaxtr.com/user/activex/JaxtrOutlookImporter.CAB
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O20 - Winlogon Notify: ssqpqrSL - ssqpqrSL.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\avast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\avast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\avast\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O24 - Desktop Component 0: Privacy Protection - (no file)

--
End of file - 9382 bytes

-- Files created between 2008-04-27 and 2008-05-27 -----------------------------

2100-02-23 15:35:34 768 --a----c- C:\Program Files\x73_lut.dat
2100-02-08 17:03:54 189000 --a----c- C:\Program Files\ACMonitor_X73.exe
2008-05-25 14:16:36 0 d-------- C:\Program Files\Adobe Media Player
2008-05-25 14:16:22 0 d-------- C:\Program Files\Common Files\Adobe AIR
2008-05-24 17:41:30 0 dr-h----- C:\Documents and Settings\gabriella\Recent
2008-05-22 16:55:55 0 d-------- C:\Documents and Settings\gabriella\Application Data\AT&T
2008-05-22 16:55:52 0 d-------- C:\Documents and Settings\All Users\Application Data\AT&T
2008-05-22 07:17:17 0 d-------- C:\Program Files\MSXML 6.0
2008-05-20 16:56:04 0 d-------- C:\Program Files\Lavasoft
2008-05-20 16:56:03 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-20 16:51:29 0 d-------- C:\Program Files\ADAWARE
2008-05-20 09:55:06 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-20 09:54:57 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-05-20 09:54:57 0 d-------- C:\Documents and Settings\gabriella\Application Data\SUPERAntiSpyware.com
2008-05-20 09:54:36 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-20 09:27:33 0 d-------- C:\Program Files\CCleaner
2008-05-20 09:24:15 262144 --a------ C:\Documents and Settings\Application Data\NTUSER.DAT
2008-05-20 09:19:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Citrix
2008-05-20 07:30:13 0 d-------- C:\Program Files\Common Files\Java
2008-05-19 22:21:22 0 d-------- C:\VundoFix Backups
2008-05-19 20:13:26 0 d-------- C:\Program Files\neteagle
2008-05-19 20:02:57 0 d-------- C:\Program Files\xpy
2008-05-19 19:53:52 0 d-------- C:\Program Files\TCPOptimizer
2008-05-18 19:11:48 0 d-------- C:\Program Files\regcure
2008-05-18 15:57:35 0 d-------- C:\Program Files\WinASO
2008-05-17 09:22:57 0 d-------- C:\Program Files\regseeker
2008-05-16 22:25:53 0 d-------- C:\Program Files\Common Files\Download Manager
2008-05-16 15:47:40 0 d-------- C:\Program Files\Spyware Doctor
2008-05-16 15:47:40 0 d-------- C:\Documents and Settings\gabriella\Application Data\PC Tools
2008-05-15 17:30:20 0 d-------- C:\WINDOWS\Windows Update Setup Files
2008-05-15 06:52:46 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-05-14 22:25:25 0 d-------- C:\WINDOWS\SxsCaPendDel
2008-05-14 17:39:50 0 d-------- C:\Documents and Settings\gabriella\Application Data\AVGTOOLBAR
2008-05-14 17:17:45 0 d-------- C:\Program Files\a-squared Anti-Malware
2008-05-14 16:06:21 1239099 --ahs---- C:\WINDOWS\system32\suwadggh.ini2
2008-05-14 15:50:17 160256 --a------ C:\WINDOWS\system32\blackster.scr <Not Verified; Peter's Productions; Bugs!>


-- Find3M Report ---------------------------------------------------------------

2008-05-25 14:16:47 0 d-------- C:\Documents and Settings\gabriella\Application Data\Adobe
2008-05-25 14:16:22 0 d-------- C:\Program Files\Common Files
2008-05-21 22:01:36 778 ---h----- C:\Documents and Settings\gabriella\Application Data\xpy.ini
2008-05-21 08:05:16 99965 --a------ C:\WINDOWS\UninstallFirefox.exe
2008-05-21 08:05:11 7100 --a----c- C:\WINDOWS\mozver.dat
2008-05-20 16:41:22 0 d-------- C:\Documents and Settings\gabriella\Application Data\Lavasoft
2008-05-20 09:17:52 0 d-------- C:\Program Files\Citrix
2008-05-20 07:33:35 0 d-------- C:\Program Files\Java
2008-05-19 22:43:46 0 d-------- C:\Program Files\Trend Micro
2008-05-19 20:04:14 0 d-------- C:\Program Files\Messenger
2008-05-19 18:01:26 0 d-------- C:\Program Files\avast
2008-05-17 18:19:00 0 d--h----- C:\Program Files\WindowsUpdate
2008-05-17 08:32:30 0 d-------- C:\Program Files\Windows NT
2008-05-14 22:25:25 0 d-------- C:\Program Files\Slide
2008-05-14 21:33:33 0 d-------- C:\Documents and Settings\gabriella\Application Data\Move Networks
2008-05-11 13:29:17 0 d-------- C:\Program Files\Windows Live Toolbar
2008-04-28 07:59:43 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-28 07:59:43 0 d-------- C:\Program Files\Google
2008-04-27 21:03:46 0 dr-h----- C:\Documents and Settings\gabriella\Application Data\yahoo!
2008-04-27 20:50:49 0 d-------- C:\Program Files\Macromedia
2008-04-27 20:50:22 0 d-------- C:\Program Files\Common Files\Macromedia
2008-04-27 20:50:15 0 d-------- C:\Documents and Settings\gabriella\Application Data\Macromedia
2008-04-27 20:13:33 0 d-------- C:\Program Files\Cisco Systems
2008-04-26 23:27:51 0 d-------- C:\Program Files\Common Files\xing shared
2008-04-26 23:27:39 0 d-------- C:\Program Files\Common Files\Real
2008-04-22 20:06:31 0 d-------- C:\Program Files\Disney
2008-04-19 09:00:03 0 d-------- C:\Documents and Settings\gabriella\Application Data\Real
2008-04-18 16:41:30 0 d-------- C:\Program Files\directx
2008-04-18 16:40:45 0 d-------- C:\Program Files\Megaware


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\avast\ashDisp.exe" [05/15/2008 07:19 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [10/06/2003 03:16 PM]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [04/10/2008 03:14 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)
"NoColorChoice"=0 (0x0)
"NoSizeChoice"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispCPL"=0 (0x0)
"NoVisualStyleChoice"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)
"NoDispAppearancePage"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=0 (0x0)
"NoSaveSettings"=0 (0x0)
"NoThemesTab"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/13/2008 10:13 AM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll 05/20/2008 09:17 AM 10536 C:\Program Files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqpqrSL]
ssqpqrSL.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\hggdawus

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Education Management EDMC VPN Client 4.0.1.lnk]
backup=C:\WINDOWS\pss\Education Management EDMC VPN Client 4.0.1.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^FreePhone.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
backup=C:\WINDOWS\pss\hp psc 2000 Series.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Trend Micro Anti-Spyware.lnk]
backup=C:\WINDOWS\pss\Trend Micro Anti-Spyware.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^xixx.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^gabriella^Start Menu^Programs^Startup^Greetings Workshop Reminders.lnk]
backup=C:\WINDOWS\pss\Greetings Workshop Reminders.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^gabriella^Start Menu^Programs^Startup^Slide.exe.lnk]
backup=C:\WINDOWS\pss\Slide.exe.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\a-squared]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
"C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
"C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]
"C:\Program Files\Spyware Doctor\pctsTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
????

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Radio@Netscape]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
????

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyZooka]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemTraySD]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
C:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Registry Repair Pro]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"McShield"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
TapiSrv TapiSrv
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc




-- End of Deckard's System Scanner: finished at 2008-05-27 10:16:50 ------------


Edited by SifuMike, 27 May 2008 - 11:52 AM.
moved DSS file to post


#8 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 27 May 2008 - 12:16 PM

Hi southflgirl,

We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
 It is intended by its creator to be used under the guidance and supervision of an expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


You need to disable your Avast Antivirus, Spyware Doctor and Spybot Teatimer before running ComboFix, as they will prevent it from running.

To disable avast antivirus:
Right click on the avast! icon in the system tray and choose (Stop On-Access Protection)


To disable Spybot's Teatimer:
Run Spybot-S&D
Go to the Mode menu, and make sure "Advanced Mode" is selected
On the left hand side, choose Tools -> Resident
Uncheck "Resident TeaTimer" and OK any prompts

To disable Spyware Doctor from running on your system startup:
1. First, disable the OnGuard Tools. This way, when you exit Spyware Doctor, these tools won't stay resident in the background.
2. Click the "Settings" button on the left side.
3. Click the "Startup Settings" link.
4. Uncheck "Run at Windows Startup".
5. Click the "Apply" button.


Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.

When following the instructions install the Windows XP Recovery Console if you are using XP. <== IMPORTANT
It is a simple procedure that will only take a few moments of your time.
It is our safety net.


You DO NOT need to have the Windows CD to install Recovery Console!

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.


We need Recovery Console because malware damages a lot and causes an unstable system - and because of that, it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever malware damaged.
Also, even though you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore because of several other reasons. Read here what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

A caution -
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post the ComboFix log. Please do not attach it. :thumbsup:

Edited by SifuMike, 27 May 2008 - 12:20 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 southflgirl

southflgirl
  • Topic Starter

  • Members
  • 13 posts

Posted 27 May 2008 - 03:41 PM

Setup cannot continue because the version of Windows on your computer is newer than the version on the CD. :thumbsup: This is the message I get when I'm trying to install the recovery console. I called Dell, and they said there is no way around it.

#10 southflgirl

southflgirl
  • Topic Starter

  • Members
  • 13 posts

Posted 27 May 2008 - 04:56 PM

I was able to integrate the Service Pack 2 files into my Windows folder to complete the recovery console installation, but the last step is to enter my product key for Windows XP, which I've misplaced, so I can't run the installation. I've contacted Microsoft and Dell and they don't keep track of product keys. :thumbsup:

#11 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 27 May 2008 - 04:58 PM

Hi southflgirl,

Are you trying to use the Windows CD to install Recovery Console? :thumbsup:

You don't need the Windows CD to install Recovery Console.

From the how-to:

If you use Windows XP and do not have the Windows CD, ComboFix includes a method of installing the Windows Recovery console by downloading a file from Microsoft. To install the Windows Recovery Console when you do not have the Windows XP CD, please follow these instructions:


Edited by SifuMike, 27 May 2008 - 05:04 PM.


#12 southflgirl

southflgirl
  • Topic Starter

  • Members
  • 13 posts

Posted 27 May 2008 - 07:01 PM

Hi there, this is the log that came up. I followed all the instructions to install the recovery console, but it states that it is not installed.



ComboFix 08-05-27.4 - gabriella 2008-05-27 18:39:56.1 - NTFSx86
Running from: C:\Documents and Settings\gabriella\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\gabriella\g2mdlhlpx.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nonmlclu.ini
C:\WINDOWS\system32\odhrkkqu.ini
C:\WINDOWS\system32\opmwpjxm.ini
C:\WINDOWS\system32\qmeynoxj.ini
C:\WINDOWS\system32\rybgplaf.ini
C:\WINDOWS\system32\suwadggh.ini
C:\WINDOWS\system32\suwadggh.ini2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPRIP
-------\Service_Iprip


((((((((((((((((((((((((( Files Created from 2008-04-27 to 2008-05-27 )))))))))))))))))))))))))))))))
.

2008-05-27 16:54 . 2008-05-27 16:54 <DIR> d-------- C:\XPSP2
2008-05-27 15:25 . 2008-05-27 16:54 <DIR> d-------- C:\XPCD2
2008-05-27 15:24 . 2008-05-27 17:00 <DIR> d-------- C:\XPCD
2008-05-27 09:13 . 2008-05-27 09:13 <DIR> d-------- C:\Deckard
2008-05-25 14:16 . 2008-05-25 14:16 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-05-25 14:16 . 2008-05-25 14:16 <DIR> d-------- C:\Program Files\Adobe Media Player
2008-05-22 16:55 . 2008-05-22 16:55 <DIR> d-------- C:\Documents and Settings\gabriella\Application Data\AT&T
2008-05-22 16:55 . 2008-05-22 16:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AT&T
2008-05-22 07:17 . 2008-05-22 07:17 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-05-20 16:56 . 2008-05-20 16:56 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-20 16:56 . 2008-05-20 16:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-20 16:51 . 2008-05-20 16:54 <DIR> d-------- C:\Program Files\ADAWARE
2008-05-20 09:55 . 2008-05-20 09:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-20 09:54 . 2008-05-20 09:54 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-20 09:54 . 2008-05-20 16:55 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-20 09:54 . 2008-05-20 09:54 <DIR> d-------- C:\Documents and Settings\gabriella\Application Data\SUPERAntiSpyware.com
2008-05-20 09:27 . 2008-05-23 23:18 <DIR> d-------- C:\Program Files\CCleaner
2008-05-20 09:19 . 2008-05-20 09:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Citrix
2008-05-20 09:17 . 2008-05-20 09:17 61,224 --a------ C:\Documents and Settings\gabriella\GoToAssistDownloadHelper.exe
2008-05-20 07:33 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-20 07:30 . 2008-05-20 07:30 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-19 22:21 . 2008-05-19 22:21 <DIR> d-------- C:\VundoFix Backups
2008-05-19 20:13 . 2008-05-20 16:42 <DIR> d-------- C:\Program Files\neteagle
2008-05-19 20:02 . 2008-05-23 23:18 <DIR> d-------- C:\Program Files\xpy
2008-05-19 19:53 . 2008-05-19 19:55 <DIR> d-------- C:\Program Files\TCPOptimizer
2008-05-19 17:19 . 2001-12-06 16:24 61,440 --a------ C:\WINDOWS\_detmp.2
2008-05-19 17:18 . 2005-12-21 19:37 1,215,232 --a------ C:\WINDOWS\_detmp.1
2008-05-18 19:11 . 2008-05-23 23:18 <DIR> d-------- C:\Program Files\regcure
2008-05-18 15:57 . 2008-05-19 16:36 <DIR> d-------- C:\Program Files\WinASO
2008-05-17 09:22 . 2008-05-17 09:23 <DIR> d-------- C:\Program Files\regseeker
2008-05-17 08:35 . 2001-08-17 12:20 334,208 --a--c--- C:\WINDOWS\system32\dllcache\ds1wdm.sys
2008-05-17 08:33 . 2002-09-03 12:27 1,817,687 --a--c--- C:\WINDOWS\system32\dllcache\bckgres.dll
2008-05-17 08:33 . 2002-09-03 12:28 780,885 --a--c--- C:\WINDOWS\system32\dllcache\chkrres.dll
2008-05-17 08:33 . 2002-09-03 12:57 753,236 --a--c--- C:\WINDOWS\system32\dllcache\rvseres.dll
2008-05-17 08:33 . 2002-09-03 12:27 82,501 --a--c--- C:\WINDOWS\system32\dllcache\bckg.dll
2008-05-17 08:33 . 2002-09-03 12:57 48,706 --a--c--- C:\WINDOWS\system32\dllcache\rvse.dll
2008-05-17 08:33 . 2002-09-03 12:27 42,577 --a--c--- C:\WINDOWS\system32\dllcache\bckgzm.exe
2008-05-17 08:33 . 2002-09-03 12:28 42,575 --a--c--- C:\WINDOWS\system32\dllcache\chkrzm.exe
2008-05-17 08:33 . 2002-09-03 12:57 42,574 --a--c--- C:\WINDOWS\system32\dllcache\rvsezm.exe
2008-05-17 08:33 . 2002-09-03 12:59 42,573 --a--c--- C:\WINDOWS\system32\dllcache\shvlzm.exe
2008-05-17 08:33 . 2002-09-03 12:28 40,515 --a--c--- C:\WINDOWS\system32\dllcache\chkr.dll
2008-05-17 08:31 . 2002-09-03 12:34 48,593 --a------ C:\WINDOWS\system32\hostmib.mib
2008-05-17 08:31 . 2002-09-03 12:27 16,617 --a------ C:\WINDOWS\system32\authserv.mib
2008-05-17 08:31 . 2002-09-03 12:26 15,597 --a------ C:\WINDOWS\system32\accserv.mib
2008-05-17 08:31 . 2002-09-03 12:30 4,597 --a------ C:\WINDOWS\system32\dhcp.mib
2008-05-16 22:37 . 2008-05-16 22:37 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-05-16 22:25 . 2008-05-16 22:25 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-16 15:47 . 2008-05-27 09:15 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-05-16 15:47 . 2008-05-16 15:47 <DIR> d-------- C:\Documents and Settings\gabriella\Application Data\PC Tools
2008-05-16 15:47 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-05-16 15:47 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-05-16 15:47 . 2008-05-26 20:51 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-05-16 15:47 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-05-15 17:30 . 2008-05-15 17:30 <DIR> d-------- C:\WINDOWS\Windows Update Setup Files
2008-05-15 06:52 . 2008-05-15 06:52 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-05-14 22:25 . 2008-05-14 22:25 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-05-14 17:40 . 2008-05-14 17:40 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys.install_backup
2008-05-14 17:40 . 2008-05-14 17:40 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys.install_backup
2008-05-14 17:40 . 2008-05-14 17:40 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll.install_backup
2008-05-14 17:39 . 2008-05-14 22:24 <DIR> d-------- C:\Documents and Settings\gabriella\Application Data\AVGTOOLBAR
2008-05-14 17:17 . 2008-05-18 18:48 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2008-05-14 15:50 . 2008-05-16 14:50 160,256 --a------ C:\WINDOWS\system32\blackster.scr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-02-26 00:34 24,733 -c--a-w C:\WINDOWS\Fonts\wonton.zip
2008-05-27 19:13 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-25 22:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-21 12:05 99,965 ----a-w C:\WINDOWS\UninstallFirefox.exe
2008-05-20 20:41 --------- d-----w C:\Documents and Settings\gabriella\Application Data\Lavasoft
2008-05-20 13:17 --------- d-----w C:\Program Files\Citrix
2008-05-20 11:33 --------- d-----w C:\Program Files\Java
2008-05-20 02:43 --------- d-----w C:\Program Files\Trend Micro
2008-05-19 22:01 --------- d-----w C:\Program Files\avast
2008-05-19 20:32 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-15 02:34 102,664 -c--a-w C:\WINDOWS\system32\drivers\tmcomm.sys
2008-05-15 02:25 --------- d-----w C:\Program Files\Slide
2008-05-15 01:33 --------- d-----w C:\Documents and Settings\gabriella\Application Data\Move Networks
2008-05-11 17:29 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-04-28 11:59 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-28 11:59 --------- d-----w C:\Program Files\Google
2008-04-28 01:03 --------- d--h--r C:\Documents and Settings\gabriella\Application Data\yahoo!
2008-04-28 01:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2008-04-28 00:50 --------- d-----w C:\Program Files\Macromedia
2008-04-28 00:50 --------- d-----w C:\Program Files\Common Files\Macromedia
2008-04-28 00:13 --------- d-----w C:\Program Files\Cisco Systems
2008-04-27 03:27 --------- d-----w C:\Program Files\Common Files\xing shared
2008-04-27 03:27 --------- d-----w C:\Program Files\Common Files\Real
2008-04-23 00:06 --------- d-----w C:\Program Files\Disney
2008-04-18 20:41 --------- d-----w C:\Program Files\directx
2008-04-18 20:40 --------- d-----w C:\Program Files\Megaware
2006-09-05 00:21 1,681,072 -c--a-w C:\Program Files\KODAK EASYSHARE Gallery Upload Software, V2.0.exe
2005-05-10 23:52 189,000 -c--a-w C:\Program Files\ACMonitor_X73.exe
2001-07-26 21:58 47 -c--a-w C:\Program Files\ACMonitor_X73.ini
2001-07-05 17:46 8,116 -c--a-w C:\Program Files\OSLO3071b2.USB
2001-04-23 19:22 1,437 -c--a-w C:\Program Files\gtx73.ini
2001-02-22 14:54 768 -c--a-w C:\Program Files\x73_lut.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 15:16 5058560]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll 2008-05-20 09:17 10536 C:\Program Files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqpqrSL]
ssqpqrSL.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Education Management EDMC VPN Client 4.0.1.lnk]
backup=C:\WINDOWS\pss\Education Management EDMC VPN Client 4.0.1.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^FreePhone.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
backup=C:\WINDOWS\pss\hp psc 2000 Series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Trend Micro Anti-Spyware.lnk]
backup=C:\WINDOWS\pss\Trend Micro Anti-Spyware.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^xixx.exe]

[HKLM\~\startupfolder\C:^Documents and Settings^gabriella^Start Menu^Programs^Startup^Greetings Workshop Reminders.lnk]
backup=C:\WINDOWS\pss\Greetings Workshop Reminders.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^gabriella^Start Menu^Programs^Startup^Slide.exe.lnk]
backup=C:\WINDOWS\pss\Slide.exe.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\a-squared]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--a--c--- 2004-12-14 02:12 483328 C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--------- 2004-08-04 03:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
--a--c--- 2002-04-03 02:01 135264 C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]
--a------ 2008-04-10 15:14 1107848 C:\Program Files\Spyware Doctor\pctsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--------- 2001-07-09 12:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--------- 2003-10-06 15:16 5058560 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--------- 2003-10-06 15:16 741376 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-03-30 22:46 155648 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Radio@Netscape]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2005-01-12 03:01 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyZooka]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-03-25 04:28 144784 C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2008-05-13 12:43 1510640 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemTraySD]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-04-26 23:26 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 02:00 90112 C:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Registry Repair Pro]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"McShield"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:*:Disabled:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
TapiSrv REG_MULTI_SZ TapiSrv
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

.
Contents of the 'Scheduled Tasks' folder
"2006-01-07 04:38:01 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2170 series#1128396901.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-05-19 22:12:23 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-05-18 23:12:58 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-05-17 21:58:01 C:\WINDOWS\Tasks\Spyware Detector.job"
- C:\Program Files\SpywareDetector\SpywareDetector.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-27 18:48:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\avast\aswUpdSv.exe
C:\Program Files\avast\ashServ.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\snmp.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\avast\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2008-05-27 18:56:49 - machine was rebooted [gabriella]
ComboFix-quarantined-files.txt 2008-05-27 22:56:45

Pre-Run: 30,905,966,592 bytes free
Post-Run: 30,894,100,480 bytes free

260 --- E O F --- 2008-05-22 11:17:18
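The DSS registry dump near the top of this page and the "Reg Loading Points" section of the ComboFix log just above both list a Winlogon Notify key (ssqpqrSL) whose value is a bare DLL name with no path, the DSS dump shows a second LSA authentication package next to msv1_0, and the ComboFix log shows an AntiVirusOverride flag under Security Center. As an added example, not part of this thread and not DSS or ComboFix code, here is a Python script that parses a REGEDIT4-style dump of that shape and flags those three entry types. The sample dump is constructed from lines quoted in the logs above, and the "stock XP looks like this" baselines (msv1_0 as the only default authentication package, Notify DLLs registered by full path) are this example's own assumptions, stated as such in the comments.

```python
"""Flag suspicious autostart entries in a REGEDIT4-style loading-points dump.

Added example for this thread; it is not DSS or ComboFix code. The key
paths and the "what a clean XP box looks like" baselines are this
example's own assumptions, and the sample dump is constructed from
lines quoted in the thread.
"""
from dataclasses import dataclass

# Constructed sample mirroring entries from the DSS and ComboFix logs above.
SAMPLE_DUMP = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqpqrSL]
ssqpqrSL.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\hggdawus

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"""

# Assumption: msv1_0 is the only LSA authentication package on a stock XP install.
KNOWN_AUTH_PACKAGES = {"msv1_0"}


@dataclass
class Finding:
    key: str
    value: str
    reason: str


def parse_dump(text):
    """Split a dump into (key, [value lines]) pairs in file order."""
    sections, key, lines = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            if key is not None:
                sections.append((key, lines))
            # DSS occasionally closes a key with a stray quote instead of ']'.
            key, lines = line[1:].rstrip(']"'), []
        elif line and line != "REGEDIT4" and key is not None:
            lines.append(line)
    if key is not None:
        sections.append((key, lines))
    return sections


def check_winlogon_notify(key, lines):
    """Assumed baseline: legit Notify packages register a full DLL path.
    Vundo-style entries show up as a bare random DLL name, so a path-less
    value is worth a look (a lead, not proof)."""
    for value in lines:
        if "\\" not in value.split()[0]:
            yield Finding(key, value, "Winlogon Notify DLL registered without a full path")


def check_lsa(key, lines):
    """Every listed package is loaded into lsass.exe at boot; flag any extra."""
    for value in lines:
        name, _, data = value.partition("=")
        if name.strip().strip('"') != "Authentication Packages":
            continue
        for pkg in data.split():
            if pkg.lower() not in KNOWN_AUTH_PACKAGES:
                yield Finding(key, pkg, "non-default LSA authentication package")


def check_security_center(key, lines):
    """A non-zero *Override value silences Security Center's missing-AV/firewall alerts."""
    for value in lines:
        name, _, data = value.partition("=")
        if name.strip('"').endswith("Override") and data.strip() != "dword:00000000":
            yield Finding(key, value, "Security Center monitoring override is set")


def audit(text):
    """Run every check against the dump and return the findings in file order."""
    findings = []
    for key, lines in parse_dump(text):
        lk = key.lower()
        if "\\winlogon\\notify\\" in lk:
            findings.extend(check_winlogon_notify(key, lines))
        elif lk.endswith("\\control\\lsa"):
            findings.extend(check_lsa(key, lines))
        elif lk.endswith("\\security center"):
            findings.extend(check_security_center(key, lines))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_DUMP):
        print(f"{f.reason}\n  key:   {f.key}\n  value: {f.value}")
```

Run it as-is to see the three findings from the sample, or feed it the "Reg Loading Points" section of a real log. The checks are deliberately structural (no path, extra package, override set) rather than name-based, because the random DLL and package names in this infection change from machine to machine.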

#13 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 27 May 2008 - 07:10 PM

Hi southflgirl,


Please try again. :thumbsup:

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System
If you have Windows Media Edition, you will need to download the XP Pro setup package.

Download the file  & save it as it's originally named, next to ComboFix.exe.



Now close all open windows and programs, including Avast antivirus, Spybot Teatimer, and Spyware Doctor so they do not interfere with the running of ComboFix.
  • Drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

  • At the next prompt, click 'Yes' to run the full ComboFix scan.

  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt for further review.

Edited by SifuMike, 27 May 2008 - 07:15 PM.


#14 southflgirl

southflgirl
  • Topic Starter

  • Members
  • 13 posts

Posted 27 May 2008 - 08:24 PM

Yes, I have followed the exact instructions twice; however, when I place the Windows XP Service Pack 2 boot disk icon over the ComboFix icon it only prompts me to run ComboFix. The message does not come up about the recovery console being installed, and I am making sure I am doing each step exactly as described in both your steps and the how-to-use-ComboFix steps.

???

#15 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 27 May 2008 - 08:50 PM

Hi southflgirl,

however when I place the windows xp service pack 2 boot disk icon over the combofix icon it only prompts me to run combofix. The message does not come up about the recovery console being installed and I am making sure I am doing each step exactly as described in both yours and the how-to-use combofix steps.


I think that the message about recovery console does not come up anymore.
Just drag and drop the Windows XP Service Pack 2 boot disk icon over the ComboFix icon and let ComboFix run.

I can tell by looking at the ComboFix log if Recovery Console installed OK. :thumbsup:



