
Problems with Downloader.Agent.awf and other malware


  • This topic is locked
16 replies to this topic

#1 NotACylon


Posted 21 February 2009 - 01:08 AM

I had posted a topic "Computer running slow, especially some websites" http://www.bleepingcomputer.com/forums/t/203301/computer-running-slow-especially-some-websites/ in the "Am I infected? What do I do?" forum, and the last advice I got was to post here. In that post I was asked to run Malwarebytes' Anti-Malware and SUPERAntiSpyware. Then I ran FindAWF.exe options 1 and 2.
Right now, IE 6 can take several minutes to get into a heavier graphics website, and will all of a sudden hang or slowly eat up memory when left open. I ran some tests in Safe Mode with Networking and it works alright there.
Following instructions, I ran DDS:

DDS (Version 1.1.0) - NTFSx86
Run by James at 0:35:19.14 on Sat 02/21/2009
Internet Explorer: 6.0.2800.1106
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.447.61 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Sygate\SPF\smc.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WDBtnMgr.exe
C:\Program Files\Belkin Bulldog Plus\UPS-Status.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Belkin Bulldog Plus\UPS-Service.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\E-Color\Colorific\hgcctl95.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\E-Color\True Internet Color\TICIcon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\James\Local Settings\Application Data\eSupport.com\driveragent_616.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\WINDOWS\explorer.exe
C:\Programs\Anti Virus\DDS\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyServer = sas.ne2.attbb.net:8000
uInternet Settings,ProxyOverride = *.ne2.attbb.net;localhost
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: {3919d72d-202d-4a06-965a-ea16b915531e} - No File
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: {A72202FA-5BFC-4774-BB56-17BA7859FF96} - No File
TB: {75E006AB-7C6A-47B5-A2E4-7ABBB96FDC39} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {981FE6A8-260C-4930-960F-C3BC82746CB0} - No File
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [LDM] c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
mRun: [WD Button Manager] WDBtnMgr.exe
mRun: [UPS-Status] c:\program files\belkin bulldog plus\UPS-Status.exe
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [SmcService] c:\progra~1\sygate\spf\smc.exe -startgui
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [AVG7_CC] c:\progra~1\grisoft\avg7\avgcc.exe /STARTUP
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\colori~1.lnk - c:\program files\e-color\colorific\hgcctl95.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LDMConf.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nkbmon~1.lnk - c:\program files\nikon\pictureproject\NkbMonitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\sonnreg.lnk - c:\program files\e-color\registration\SonnReg.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\truein~1.lnk - c:\program files\e-color\true internet color\TICIcon.exe
uPolicies-explorer: NoThemesTab = 0 (0x0)
uPolicies-system: NoColorChoice = 0 (0x0)
uPolicies-system: NoSizeChoice = 0 (0x0)
uPolicies-system: NoVisualStyleChoice = 0 (0x0)
uPolicies-system: NoDispSettingsPage = 0 (0x0)
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\MSMSGS.EXE
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
Trusted Zone: doginhispen.com
Trusted Zone: whataboutadog.com
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: c:\progra~1\google\google~3\GOEC62~1.DLL
SEH: Microsoft.AntiSpyware.ShellExecuteHook.1: {9ef34ff2-3396-4527-9d27-04c8c1c67806} - c:\program files\microsoft antispyware\shellextension.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll

============= SERVICES / DRIVERS ===============

R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2006-5-24 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2005-10-23 4224]
R1 Avg7RsXP;AVG7 Rezident Driver;c:\windows\system32\drivers\avg7rsxp.sys [2006-3-14 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2007-2-19 10760]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\SASDIFSV.SYS [2009-1-15 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\SASKUTIL.sys [2009-1-15 55024]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-1-25 42000]
S3 SASENUM;SASENUM;\??\c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
S4 vsdatant;vsdatant; []

=============== Created Last 30 ================

2009-02-20 23:43 18,065,713 a------- c:\windows\sis_vga_xp_mb.zip
2009-02-19 19:56 21,505 a------- c:\windows\system32\digeste.dll
2009-02-19 19:56 21,505 a------- c:\documents and settings\james\svchost.exe
2009-02-19 12:13 54,156 a---h--- c:\windows\QTFont.qfn
2009-02-19 12:13 1,409 a------- c:\windows\QTFont.for
2009-02-18 20:35 155,648 a------- c:\windows\system32\NeroCheck.exe
2009-02-18 20:35 45,632 a------- c:\windows\system32\taskswitch.exe
2009-02-18 20:35 290,816 a------- c:\windows\system32\khooker.exe
2009-02-18 20:31 --d----- c:\program files\FindAWF
2009-02-16 17:53 552 a------- c:\windows\system32\d3d8caps.dat
2009-02-16 14:33 --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-02-16 14:32 --d----- c:\program files\SUPERAntiSpyware
2009-02-16 14:32 --d----- c:\docume~1\james\applic~1\SUPERAntiSpyware.com
2009-02-16 14:16 50,688 a------- c:\program files\ATF-Cleaner.exe
2009-02-14 19:24 --d----- c:\program files\Picasa2
2009-02-11 00:53 --d----- c:\docume~1\james\applic~1\Malwarebytes
2009-02-11 00:53 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-11 00:53 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 00:53 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-11 00:53 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-09 22:26 --d----- c:\program files\PageDefrag
2009-02-02 13:40 --d----- c:\program files\Windows Installer Clean Up
2009-02-02 13:39 --d----- c:\program files\MSECACHE
2009-01-25 00:37 --d----- c:\program files\Coupons

==================== Find3M ====================

2009-02-16 21:44 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLds.DAT
2009-02-16 21:44 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLec.DAT
2009-02-11 15:41 0 a------- c:\program files\SpiesHistory.dat
2009-02-11 15:41 0 a------- c:\program files\IgnoreList.dat
2009-02-11 15:41 0 a------- c:\program files\Data2.dat
2009-02-11 15:41 0 a------- c:\program files\Data1.dat
2009-01-07 22:13 4,998,707 a------- c:\program files\flvplayer_setup.exe
2008-12-31 01:40 448,704 a------- c:\program files\biosagentplus_617.exe
2008-12-31 01:33 23,600 a------- c:\windows\system32\drivers\TVICHW32.SYS
2008-12-31 01:32 448,704 a------- c:\program files\driveragent_616.exe
2008-12-05 02:42 1,763 a------- c:\program files\ReadMe.txt
2008-12-05 02:41 7,173 a------- c:\program files\note.html
2008-10-19 17:24 1,654 a------- c:\program files\RSVP.ics
2008-08-05 12:40 1,236,992 a------- c:\program files\xSpywareBeGone.exe
2008-02-13 13:15 1,769,648 a------- c:\program files\sasetup.exe
2007-11-08 17:57 620,127 a------- c:\program files\framxpro.zip
2007-11-08 17:51 4,726,096 a------- c:\program files\AWCSetup.exe
2007-10-25 00:22 456 a------- c:\program files\note-sb.html
2007-10-24 20:45 467 a------- c:\program files\free-spywarebegone.html
2007-01-24 14:52 5,186,048 a------- c:\program files\WindowsDefender.msi
2003-11-11 16:34 29 a------- c:\program files\VS 2003 Key.txt
2003-06-03 14:43 723 a------- c:\program files\INSTALL.LOG

============= FINISH: 0:36:04.34 ===============


Edited by Orange Blossom, 21 February 2009 - 01:43 AM.
Activate topic link. ~ OB
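A triage pass over the DDS log above, added here as an example and not a tool from the thread or from BleepingComputer: it parses the "Created Last 30" and SecurityProviders lines, pairs files created in the same minute with identical byte sizes (a dropper writing one payload under two names), flags a svchost.exe outside system32, and reports any SecurityProviders entry beyond the four stock Windows XP providers (the default list is assumed from the standard XP registry value). The sample lines are a constructed excerpt of the log posted in this thread.

```python
"""Defender-side triage of a DDS log excerpt (added example, not from the thread)."""
import re
from collections import defaultdict

# Constructed excerpt reproducing lines from the DDS log posted above.
DDS_EXCERPT = r"""
=============== Created Last 30 ================
2009-02-19 19:56 21,505 a------- c:\windows\system32\digeste.dll
2009-02-19 19:56 21,505 a------- c:\documents and settings\james\svchost.exe
2009-02-19 12:13 54,156 a---h--- c:\windows\QTFont.qfn
2009-02-18 20:35 155,648 a------- c:\windows\system32\NeroCheck.exe
2009-02-18 20:31 --d----- c:\program files\FindAWF
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
"""

# Assumption: the stock value of HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders on XP.
XP_DEFAULT_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

# DDS file line: "<date> <time> <size with commas> <attribute flags> <path>"; directory
# lines carry flags where the size would be and therefore do not match.
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+([\d,]+)\s+(\S+)\s+(.+)$")


def parse_created(log):
    """Return (timestamp, size_in_bytes, lowercased_path) for each file line."""
    rows = []
    for line in log.splitlines():
        m = CREATED_RE.match(line.strip())
        if m:
            ts, size, _attrs, path = m.groups()
            rows.append((ts, int(size.replace(",", "")), path.lower()))
    return rows


def parse_security_providers(log):
    """Split the 'SecurityProviders:' line into lowercased DLL names."""
    for line in log.splitlines():
        if line.startswith("SecurityProviders:"):
            return [p.strip().lower() for p in line.split(":", 1)[1].split(",") if p.strip()]
    return []


def nondefault_providers(log):
    """Providers not in the stock list; these DLLs load into every LSA-using process."""
    return [p for p in parse_security_providers(log) if p not in XP_DEFAULT_SECURITY_PROVIDERS]


def cocreated_twins(rows):
    """Files sharing creation minute and exact size, grouped by (timestamp, size)."""
    groups = defaultdict(list)
    for ts, size, path in rows:
        groups[(ts, size)].append(path)
    return {key: sorted(paths) for key, paths in groups.items() if len(paths) > 1}


def misplaced_system_binaries(rows):
    # Core Windows binaries that have no business living outside %SystemRoot%\system32.
    names = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
    hits = []
    for _ts, _size, path in rows:
        folder, _, name = path.rpartition("\\")
        if name in names and not folder.endswith("\\system32"):
            hits.append(path)
    return hits


def triage(log):
    """Run all checks and return the findings as one dict."""
    rows = parse_created(log)
    providers = nondefault_providers(log)
    created_paths = {path for _ts, _size, path in rows}
    # A non-default provider DLL that was only just created is the strongest signal here.
    recent = [p for p in providers if any(path.endswith("\\" + p) for path in created_paths)]
    return {
        "nondefault_providers": providers,
        "recently_created_providers": recent,
        "twins": cocreated_twins(rows),
        "misplaced": misplaced_system_binaries(rows),
    }


if __name__ == "__main__":
    for check, finding in triage(DDS_EXCERPT).items():
        print(f"{check}: {finding}")
```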



#2 miekiemoes

    Malware Killer Dog


  • Malware Response Team

Posted 21 February 2009 - 04:21 AM

Hi,

First of all, uninstall the version of AVG you have and install the latest version, AVG 8.
Perform a full scan with it and let it delete everything it is finding.

Then reboot.

After reboot, please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 NotACylon


Posted 22 February 2009 - 01:10 AM

Thanks for the quick response.
I run AVG 7.5 because my OS is XP SP 1. AVG 8 requires SP 2. I was planning to upgrade, but wanted to solve the problems I'm currently having first, in case I'm required to reinstall XP SP 1 from my CD to solve them. Having worked with Windows since Win 95, I know that installing a new SP can cause unexpected problems. Years back, I had this with an NT SP. I used to get automatic updates from Microsoft, only to have one patch cause a mess that took days to solve, so I don't do automatic updates.
Do you think it is best for me to do ComboFix first or install XP SP 2, then run AVG 8?

Side issue: Looking at the list of "It's not always malware: How to fix the top 10 Internet Explorer issues", under #7, it mentions to check for outdated video drivers, which I have. I downloaded latest drivers from motherboard manufacturer MSI. I did not install them, waiting until someone recommended to do so. However, AVG found the zip file with the drivers to have the Pakes.BRS trojan horse? Is AVG wrong?

#4 miekiemoes

    Malware Killer Dog


  • Malware Response Team

Posted 22 February 2009 - 04:53 AM

Hi,

"I know that installing a new SP can cause unexpected problems."

Not installing a new SP can actually cause more problems, since your Windows is unpatched and wide open for infection.
Also, SP updates do not only contain "security fixes" but other fixes as well, such as system improvements etc.

Don't install SP2 now, because when your computer is infected, you may have problems. Also, we are already at SP3, so you have to install SP3 instead.

Anyway, disable your AVG for now and download and run Combofix and post the log in your next reply.

"It mentions to check for outdated video drivers, which I have. I downloaded latest drivers from motherboard manufacturer MSI. I did not install them, waiting until someone recommended to do so. However, AVG found the zip file with the drivers to have the Pakes.BRS trojan horse? Is AVG wrong?"

Don't update drivers etc. yet. Let's deal with your malware related problem first. Also, yes, it may be possible that the zip files you've downloaded are infected. This all depends on where you have downloaded them from.
If you need to update your drivers, always get them from the manufacturer's website and not anywhere else.

#5 NotACylon


Posted 22 February 2009 - 03:34 PM

Having SP2 or SP3 will help prevent infections etc. My concern is that I develop software and some of my programs may have issues, as might older programs I have. In the past (Win NT), I've had the system also not work fully after installing a SP. I know I have to deal with it, but want to isolate the process so if there are problems, I'll know it's SP related.
The video drivers I got were from motherboard manufacturer MSI. The chipset is SiS 650.

Ran Combofix:
ComboFix 09-02-21.01 - James 2009-02-22 14:41:54.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.447.230 [GMT -5:00]
Running from: c:\program files\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Start Menu\Programs\Internet Explorer.lnk
c:\documents and settings\James\svchost.exe
c:\program files\INSTALL.LOG
c:\windows\Downloaded Program Files\setup.dll
c:\windows\IE4 Error Log.txt
c:\windows\system32\_000102_.tmp.dll
c:\windows\system32\digeste.dll
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((( Files Created from 2009-01-22 to 2009-02-22 )))))))))))))))))))))))))))))))
.

2009-02-22 12:38 . 2009-02-22 12:38 2,924,943 -ra------ c:\program files\ComboFix.exe
2009-02-20 23:43 . 2009-02-20 23:43 18,065,713 --a------ c:\windows\sis_vga_xp_mb.zip
2009-02-19 12:13 . 2009-02-22 14:47 54,156 --ah----- c:\windows\QTFont.qfn
2009-02-19 12:13 . 2009-02-22 14:44 1,409 --a------ c:\windows\QTFont.for
2009-02-18 20:35 . 2002-01-25 02:30 290,816 --a------ c:\windows\system32\khooker.exe
2009-02-18 20:35 . 2001-07-09 04:50 155,648 --a------ c:\windows\system32\NeroCheck.exe
2009-02-18 20:35 . 2002-03-19 16:30 45,632 --a------ c:\windows\system32\taskswitch.exe
2009-02-18 20:31 . 2009-02-19 01:08 <DIR> d-------- c:\program files\FindAWF
2009-02-16 17:53 . 2009-02-16 17:53 552 --a------ c:\windows\system32\d3d8caps.dat
2009-02-16 14:33 . 2009-02-16 14:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-16 14:32 . 2009-02-16 14:45 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-02-16 14:32 . 2009-02-16 14:32 <DIR> d-------- c:\documents and settings\James\Application Data\SUPERAntiSpyware.com
2009-02-16 14:16 . 2009-02-16 14:16 50,688 --a------ c:\program files\ATF-Cleaner.exe
2009-02-14 19:24 . 2009-02-14 19:25 <DIR> d-------- c:\program files\Picasa2
2009-02-11 00:53 . 2009-02-18 16:23 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-11 00:53 . 2009-02-11 00:53 <DIR> d-------- c:\documents and settings\James\Application Data\Malwarebytes
2009-02-11 00:53 . 2009-02-11 00:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-11 00:53 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 00:53 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-09 22:26 . 2009-02-09 22:27 <DIR> d-------- c:\program files\PageDefrag
2009-02-02 13:40 . 2009-02-02 13:40 <DIR> d-------- c:\program files\Windows Installer Clean Up
2009-02-02 13:39 . 2009-02-02 13:39 <DIR> d-------- c:\program files\MSECACHE
2009-01-25 00:37 . 2009-01-25 00:37 <DIR> d-------- c:\program files\Coupons

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-22 17:36 --------- d-----w c:\program files\Trend Micro
2009-02-22 17:25 --------- d-----w c:\documents and settings\All Users\Application Data\AVG7
2009-02-21 09:00 --------- d-----w c:\documents and settings\All Users\Application Data\Retrospect
2009-02-20 19:49 --------- d-----w c:\program files\Yahoo!
2009-02-20 19:41 --------- d-----w c:\program files\Google
2009-02-20 16:10 --------- d-----w c:\documents and settings\James\Application Data\AVG7
2009-02-19 22:18 --------- d-----w c:\program files\BackwardsBush
2009-02-19 06:01 --------- d-----w c:\program files\CCleaner
2009-02-19 01:35 --------- d-----w c:\program files\QuickTime
2009-02-19 01:35 --------- d-----w c:\program files\Microsoft AntiSpyware
2009-02-18 06:13 --------- d-----w c:\documents and settings\James\Application Data\Yahoo!
2009-02-17 02:44 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
2009-02-17 02:44 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLds.DAT
2009-02-16 19:31 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-15 00:57 --------- d-----w c:\program files\del.icio.us
2009-02-15 00:18 --------- d-----w c:\program files\Western Digital
2009-02-13 17:51 --------- d-----w c:\documents and settings\James\Application Data\Skype
2009-02-11 20:41 0 ----a-w c:\program files\SpiesHistory.dat
2009-02-11 20:41 0 ----a-w c:\program files\IgnoreList.dat
2009-02-11 20:41 0 ----a-w c:\program files\Data2.dat
2009-02-11 20:41 0 ----a-w c:\program files\Data1.dat
2009-02-11 20:36 --------- d-----w c:\program files\Database
2009-02-11 18:56 --------- d-----w c:\program files\MediaMonkey
2009-02-11 06:09 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-11 06:09 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-10 02:38 --------- d-----w c:\program files\SpeedFan
2009-01-18 21:24 --------- d-----w c:\program files\Windows Live Safety Center
2009-01-15 05:47 --------- d-----w c:\program files\IrfanView
2009-01-15 03:12 --------- d-----w c:\program files\Common Files\DELETE ME GMT
2009-01-14 18:14 --------- d-----w c:\program files\Speech Timer
2009-01-12 06:07 --------- d-----w c:\program files\FLV Player
2009-01-10 22:57 --------- d-----w c:\documents and settings\James\Application Data\U3
2009-01-08 03:13 4,998,707 ----a-w c:\program files\flvplayer_setup.exe
2009-01-01 05:00 --------- d-----w c:\program files\Belkin Bulldog Plus
2008-12-31 06:40 448,704 ----a-w c:\program files\biosagentplus_617.exe
2008-12-31 06:33 23,600 ----a-w c:\windows\system32\drivers\TVICHW32.SYS
2008-12-31 06:32 448,704 ----a-w c:\program files\driveragent_616.exe
2008-12-29 19:23 --------- d-----w c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-12-29 19:23 --------- d-----w c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-12-24 22:10 --------- d-----w c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-12-24 22:10 --------- d-----w c:\program files\SDHelper (Spybot - Search & Destroy)
2008-12-05 07:42 1,763 ----a-w c:\program files\ReadMe.txt
2008-12-05 07:41 7,173 ----a-w c:\program files\note.html
2008-10-19 22:24 1,654 ----a-w c:\program files\RSVP.ics
2008-08-05 17:40 1,236,992 ----a-w c:\program files\xSpywareBeGone.exe
2008-02-13 18:15 1,769,648 ----a-w c:\program files\sasetup.exe
2007-11-08 22:57 620,127 ----a-w c:\program files\framxpro.zip
2007-11-08 22:51 4,726,096 ----a-w c:\program files\AWCSetup.exe
2007-10-25 05:22 456 ----a-w c:\program files\note-sb.html
2007-10-25 01:45 467 ----a-w c:\program files\free-spywarebegone.html
2007-01-24 19:52 5,186,048 ----a-w c:\program files\WindowsDefender.msi
2003-11-11 21:34 29 ----a-w c:\program files\VS 2003 Key.txt
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 63,712 2007-03-09 15:09:58 c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak\apdproxy.exe
----a-w 63,712 2007-03-09 15:09:58 c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

----a-w 40,048 2007-05-11 07:06:32 c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
----a-w 40,048 2007-05-11 07:06:32 c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe

----a-w 127,022 2002-12-10 22:54:04 c:\program files\Common Files\Logitech\QCDriver3\bak\LVCOMS.EXE
----a-w 127,022 2002-12-10 22:54:04 c:\program files\Common Files\Logitech\QCDriver3\LVCOMS.EXE

----a-w 416,256 2007-08-16 17:10:20 c:\program files\Grisoft\AVG7\bak\avgcc.exe
----a-w 590,848 2008-10-17 13:16:35 c:\program files\Grisoft\AVG7\avgcc.exe

----a-w 36,864 2005-11-08 14:35:36 c:\program files\Logitech\Desktop Messenger\8876480\Program\bak\LogitechDesktopMessenger.exe
----a-w 36,864 2005-11-08 14:35:36 c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

----a-w 155,648 2002-12-10 23:32:12 c:\program files\Logitech\ImageStudio\bak\ISStart.exe
----a-w 155,648 2002-12-10 23:32:12 c:\program files\Logitech\ImageStudio\ISStart.exe

----a-w 61,440 2002-12-10 23:31:34 c:\program files\Logitech\ImageStudio\bak\LogiTray.exe
----a-w 61,440 2002-12-10 23:31:34 c:\program files\Logitech\ImageStudio\LogiTray.exe

----a-w 473,928 2005-11-15 17:12:14 c:\program files\Microsoft AntiSpyware\bak\gcasServ.exe
----a-w 473,928 2005-11-15 17:12:14 c:\program files\Microsoft AntiSpyware\gcasServ.exe

----a-w 77,824 2003-05-15 01:16:10 c:\program files\QuickTime\bak\qttask.exe
----a-w 77,824 2003-05-15 01:16:10 c:\program files\QuickTime\qttask.exe

----a-w 4,662,776 2006-12-01 02:49:04 c:\program files\Yahoo!\Messenger\bak\YahooMessenger.exe
----a-w 4,662,776 2006-12-01 02:49:04 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

----a-r 290,816 2002-01-25 07:30:48 c:\windows\system32\bak\khooker.exe
----a-w 290,816 2002-01-25 07:30:48 c:\windows\system32\khooker.exe

----a-w 155,648 2001-07-09 09:50:42 c:\windows\system32\bak\NeroCheck.exe
----a-w 155,648 2001-07-09 09:50:42 c:\windows\system32\NeroCheck.exe

----a-w 45,632 2002-03-19 21:30:00 c:\windows\system32\bak\taskswitch.exe
----a-w 45,632 2002-03-19 21:30:00 c:\windows\system32\taskswitch.exe

----a-w 63,712 2007-03-09 15:09:58 d:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak\apdproxy.exe
----a-w 63,712 2007-03-09 15:09:58 d:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

----a-w 40,048 2007-05-11 07:06:32 d:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
----a-w 40,048 2007-05-11 07:06:32 d:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe

----a-w 127,022 2002-12-10 22:54:04 d:\program files\Common Files\Logitech\QCDriver3\bak\LVCOMS.EXE
----a-w 127,022 2002-12-10 22:54:04 d:\program files\Common Files\Logitech\QCDriver3\LVCOMS.EXE

----a-w 416,256 2007-08-16 17:10:20 d:\program files\Grisoft\AVG7\bak\avgcc.exe
----a-w 416,256 2007-08-16 17:10:20 d:\program files\Grisoft\AVG7\avgcc.exe

----a-w 36,864 2005-11-08 14:35:36 d:\program files\Logitech\Desktop Messenger\8876480\Program\bak\LogitechDesktopMessenger.exe
----a-w 36,864 2005-11-08 14:35:36 d:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

----a-w 155,648 2002-12-10 23:32:12 d:\program files\Logitech\ImageStudio\bak\ISStart.exe
----a-w 155,648 2002-12-10 23:32:12 d:\program files\Logitech\ImageStudio\ISStart.exe

----a-w 61,440 2002-12-10 23:31:34 d:\program files\Logitech\ImageStudio\bak\LogiTray.exe
----a-w 61,440 2002-12-10 23:31:34 d:\program files\Logitech\ImageStudio\LogiTray.exe

----a-w 473,928 2005-11-15 17:12:14 d:\program files\Microsoft AntiSpyware\bak\gcasServ.exe
----a-w 473,928 2005-11-15 17:12:14 d:\program files\Microsoft AntiSpyware\gcasServ.exe

----a-w 77,824 2003-05-15 01:16:10 d:\program files\QuickTime\bak\qttask.exe
----a-w 77,824 2003-05-15 01:16:10 d:\program files\QuickTime\qttask.exe

----a-w 4,662,776 2006-12-01 02:49:04 d:\program files\Yahoo!\Messenger\bak\YahooMessenger.exe
----a-w 4,662,776 2006-12-01 02:49:04 d:\program files\Yahoo!\Messenger\YahooMessenger.exe

----a-r 290,816 2002-01-25 07:30:48 d:\windows\system32\bak\khooker.exe
----a-w 290,816 2002-01-25 07:30:48 d:\windows\system32\khooker.exe

----a-w 155,648 2001-07-09 09:50:42 d:\windows\system32\bak\NeroCheck.exe
----a-w 155,648 2001-07-09 09:50:42 d:\windows\system32\NeroCheck.exe

----a-w 45,632 2002-03-19 21:30:00 d:\windows\system32\bak\taskswitch.exe
----a-w 45,632 2002-03-19 21:30:00 d:\windows\system32\taskswitch.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 4662776]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2005-11-08 36864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UPS-Status"="c:\program files\Belkin Bulldog Plus\UPS-Status.exe" [2006-11-15 69632]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-08-13 2532576]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2003-05-14 77824]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-10-17 590848]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-02-14 1838592]
"WD Button Manager"="WDBtnMgr.exe" [2006-04-21 c:\windows\system32\WDBtnMgr.exe]
"SoundMan"="SOUNDMAN.EXE" [2002-08-02 c:\windows\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2007-10-24 219136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Colorific.lnk - c:\program files\E-Color\Colorific\hgcctl95.exe [2003-01-27 65536]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2005-11-08 196608]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2006-01-29 118784]
SonnReg.lnk - c:\program files\E-Color\Registration\SonnReg.exe [2003-01-27 118784]
True Internet Color Icon.lnk - c:\program files\E-Color\True Internet Color\TICIcon.exe [2003-01-27 221184]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.mxmc"= MimicICM.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
Chkdsk BootExecute REG_MULTI_SZ autocheck autochk * /r\DosDevice\C:

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-10 24652]
S3 IUTRVU;IUTRVU;c:\docume~1\James\LOCALS~1\Temp\IUTRVU.exe --> c:\docume~1\James\LOCALS~1\Temp\IUTRVU.exe [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-01-25 42000]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
S3 TDVMYSAJY;TDVMYSAJY;c:\docume~1\James\LOCALS~1\Temp\TDVMYSAJY.exe --> c:\docume~1\James\LOCALS~1\Temp\TDVMYSAJY.exe [?]
S3 TPNY;TPNY;c:\docume~1\James\LOCALS~1\Temp\TPNY.exe --> c:\docume~1\James\LOCALS~1\Temp\TPNY.exe [?]
S3 UQXRTPBMEI;UQXRTPBMEI;c:\docume~1\James\LOCALS~1\Temp\UQXRTPBMEI.exe --> c:\docume~1\James\LOCALS~1\Temp\UQXRTPBMEI.exe [?]
S3 YMIFDK;YMIFDK;c:\docume~1\James\LOCALS~1\Temp\YMIFDK.exe --> c:\docume~1\James\LOCALS~1\Temp\YMIFDK.exe [?]
.
- - - - ORPHANS REMOVED - - - -

BHO-{3919d72d-202d-4a06-965a-ea16b915531e} - (no file)
WebBrowser-{A72202FA-5BFC-4774-BB56-17BA7859FF96} - (no file)
WebBrowser-{75E006AB-7C6A-47B5-A2E4-7ABBB96FDC39} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyServer = sas.ne2.attbb.net:8000
uInternet Settings,ProxyOverride = *.ne2.attbb.net;localhost
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
Trusted Zone: doginhispen.com
Trusted Zone: live.com\safety
Trusted Zone: whataboutadog.com
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} - hxxp://downloads.taxslayer.com/olf2003/netinstall001/disk1/setup.exe
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-22 14:47:12
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(584)
c:\windows\System32\ODBC32.dll
c:\windows\System32\msctfime.ime
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\System32\SSSensor.dll

- - - - - - - > 'lsass.exe'(640)
c:\windows\system32\MSVCRT40.dll
c:\windows\system32\MSVCIRT.dll
c:\windows\System32\dssenh.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Sygate\SPF\Smc.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\progra~1\Grisoft\AVG7\avgamsvr.exe
c:\progra~1\Grisoft\AVG7\avgupsvc.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\pctspk.exe
c:\program files\Dantz\Retrospect\retrorun.exe
c:\progra~1\Dantz\RETROS~1\wdsvc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Belkin Bulldog Plus\UPS-Service.exe
.
**************************************************************************
.
Completion time: 2009-02-22 14:57:32 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-22 19:57:27

Pre-Run: 21,218,820,096 bytes free
Post-Run: 21,220,261,888 bytes free

winxpsp1_en_hom_bf.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect

276

#6 miekiemoes (Malware Response Team)

Posted 22 February 2009 - 04:10 PM

Hi,

Having SP2 or SP3 will help prevent infections etc. My concern is that I develop software and some of my programs may have issues as might older programs I have.

These are only service packs. It won't change anything about older programs. It still stays XP.

I see you have Viewpoint installed...
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
Then,

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
c:\program files\xSpywareBeGone.exe
c:\program files\free-spywarebegone.html
AWF::
c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak\apdproxy.exe
c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
c:\program files\Common Files\Logitech\QCDriver3\bak\LVCOMS.EXE
c:\program files\Grisoft\AVG7\bak\avgcc.exe
c:\program files\Logitech\Desktop Messenger\8876480\Program\bak\LogitechDesktopMessenger.exe
c:\program files\Logitech\ImageStudio\bak\ISStart.exe
c:\program files\Logitech\ImageStudio\bak\LogiTray.exe
c:\program files\Microsoft AntiSpyware\bak\gcasServ.exe
c:\program files\QuickTime\bak\qttask.exe
c:\program files\Yahoo!\Messenger\bak\YahooMessenger.exe
c:\windows\system32\bak\khooker.exe
c:\windows\system32\bak\NeroCheck.exe
c:\windows\system32\bak\taskswitch.exe
d:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak\apdproxy.exe
d:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
d:\program files\Common Files\Logitech\QCDriver3\bak\LVCOMS.EXE
d:\program files\Grisoft\AVG7\bak\avgcc.exe
d:\program files\Logitech\Desktop Messenger\8876480\Program\bak\LogitechDesktopMessenger.exe
d:\program files\Logitech\ImageStudio\bak\ISStart.exe
d:\program files\Logitech\ImageStudio\bak\LogiTray.exe
d:\program files\Microsoft AntiSpyware\bak\gcasServ.exe
d:\program files\QuickTime\bak\qttask.exe
d:\program files\Yahoo!\Messenger\bak\YahooMessenger.exe
d:\windows\system32\bak\khooker.exe
d:\windows\system32\bak\NeroCheck.exe
d:\windows\system32\bak\taskswitch.exe
Driver::
IUTRVU
TDVMYSAJY
TPNY
UQXRTPBMEI
YMIFDK
Domains::


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: the CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
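The AWF:: and Driver:: sections of that script are the two things a helper has to pick out of the log by hand: the bak copies left behind when the infection moved each legitimate executable into a bak subfolder and put its own file under the original name, and the random-named services DDS listed with a binary in the user's Temp folder and [?] in place of date and size (DDS prints that when it cannot read the file). The Python below is an added example, not code from this thread, from ComboFix or from DDS; it runs the same triage over sample lines constructed from the log above. The path heuristics, the all-caps-name rule and the WALKED_PATHS list are this example's own assumptions.

```python
from __future__ import annotations

import re
from pathlib import PureWindowsPath

# Constructed sample input: service lines copied from the DDS log earlier in this thread.
SERVICE_LINES = r"""
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-10 24652]
S3 IUTRVU;IUTRVU;c:\docume~1\James\LOCALS~1\Temp\IUTRVU.exe --> c:\docume~1\James\LOCALS~1\Temp\IUTRVU.exe [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-01-25 42000]
S3 TPNY;TPNY;c:\docume~1\James\LOCALS~1\Temp\TPNY.exe --> c:\docume~1\James\LOCALS~1\Temp\TPNY.exe [?]
"""

# Constructed sample input: paths as a directory walk would return them, mixing bak
# copies from the CFScript's AWF:: section with the in-place files beside them.
WALKED_PATHS = [
    r"c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe",
    r"c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe",
    r"c:\program files\Grisoft\AVG7\avgcc.exe",
    r"c:\program files\Grisoft\AVG7\bak\avgcc.exe",
    r"c:\program files\QuickTime\bak\qttask.exe",            # bak copy, sibling absent
    r"c:\windows\system32\bak\NeroCheck.exe",
    r"c:\windows\system32\NeroCheck.exe",
    r"c:\program files\Nikon\PictureProject\NkbMonitor.exe",  # no bak folder at all
]

# One DDS service line: "<start> <name>;<display>;<path>[ --> <resolved>] [<date size>|?]"
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]+);"
    r"(?P<path>.+?)(?:\s+-->\s+(?P<resolved>.+?))?\s+\[(?P<info>[^\]]*)\]$"
)
# Heuristic (this example's assumption): four or more capital letters and nothing else.
RANDOM_NAME_RE = re.compile(r"^[A-Z]{4,}$")
USER_WRITABLE = {"temp", "docume~1", "documents and settings"}


def _in_user_writable_dir(path: str) -> bool:
    """True when any directory component of the path is a profile or Temp folder."""
    return any(part.lower() in USER_WRITABLE for part in PureWindowsPath(path).parts)


def suspicious_services(log_text: str) -> list[dict]:
    """Flag service entries whose binary is in a user-writable place or could not be read."""
    findings = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        reasons = []
        if _in_user_writable_dir(m["path"]):
            reasons.append("binary lives under a user profile or Temp directory")
        if m["info"] == "?":
            reasons.append("DDS could not read the file ([?]): binary missing or unreadable")
        if reasons and RANDOM_NAME_RE.match(m["name"]) and m["name"] == m["display"]:
            # Weak signal on its own (SASDIFSV would match too), so it is only reported
            # alongside one of the strong indicators above.
            reasons.append("random-looking all-caps name reused as the display name")
        if reasons:
            findings.append({"name": m["name"], "path": m["path"], "reasons": reasons})
    return findings


def awf_pairs(paths: list[str]) -> list[tuple[str, str]]:
    """Return (in_place, backup) pairs where <dir>\\bak\\X.exe sits beside <dir>\\X.exe.

    That layout is the footprint of the AWF swap: the original executable is moved into
    a bak subfolder and a copy of the downloader takes its name, so every autostart entry
    keeps pointing at a valid path while launching the wrong file.
    """
    present = {p.lower(): p for p in paths}
    pairs = []
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.parent.name.lower() != "bak" or wp.suffix.lower() != ".exe":
            continue
        sibling = str(wp.parent.parent / wp.name)
        if sibling.lower() in present:
            pairs.append((present[sibling.lower()], p))
    return sorted(pairs)


if __name__ == "__main__":
    for f in suspicious_services(SERVICE_LINES):
        print(f"{f['name']}: {f['path']}")
        for r in f["reasons"]:
            print("   -", r)
    for live, backup in awf_pairs(WALKED_PATHS):
        print("AWF-style pair:", live, "<-", backup)
```

On the sample lines this flags exactly IUTRVU and TPNY and leaves SASDIFSV, NPF and the Viewpoint service alone, which is the point of keeping the name rule a weak signal: Viewpoint is foistware rather than malware, as the helper says, and nothing in its service line looks wrong, so a human still has to read the log. On a live system the next step for each returned pair is to hash both files and check the in-place one's signature before deciding which copy is the original.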

#7 NotACylon (Topic Starter)

Posted 22 February 2009 - 06:30 PM

ComboFix rebooted automatically when I first ran it. Then I rebooted, but had a few issues. My login came up with Windows Explorer hung. I opened up another Windows Explorer window and killed the hung one and it works, but leaves explorer still running as a process. A Windows icon appears and when I open it, it says it found 2 updates and wants to install them, but doesn't say what they are. It only offers the option of Express Install vs Custom Install. Should I wait or choose Custom Install to find out what they are?

#8 miekiemoes (Malware Response Team)

Posted 22 February 2009 - 06:39 PM

Don't install any updates yet - post the log from Combofix first. It's located on your C:\ with the name Combofix.txt

The updates should be installed anyway... express install or custom.

#9 NotACylon (Topic Starter)

Posted 23 February 2009 - 01:33 AM

The concern I have with service packs and software that I wrote or custom software is that in the past (with NT) a new SP can cause programs not to work due to changes Microsoft makes that cause subtle timing changes or interface changes. They're better than they used to be in allowing software to be truly backwards compatible.
I got rid of Viewpoint foistware - found a good Yahoo! Answer - http://answers.yahoo.com/question/index?qi...30064657AAT8PH2
Combofix log using CFScript:
ComboFix 09-02-21.01 - James 2009-02-23 1:10:05.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.447.144 [GMT -5:00]
Running from: c:\program files\ComboFix\ComboFix.exe
Command switches used :: c:\documents and settings\James\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\program files\free-spywarebegone.html
c:\program files\xSpywareBeGone.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\free-spywarebegone.html
c:\program files\xSpywareBeGone.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IUTRVU
-------\Legacy_TDVMYSAJY
-------\Legacy_TPNY
-------\Legacy_UQXRTPBMEI
-------\Legacy_YMIFDK
-------\Service_IUTRVU
-------\Service_TDVMYSAJY
-------\Service_TPNY
-------\Service_UQXRTPBMEI
-------\Service_YMIFDK


((((((((((((((((((((((((( Files Created from 2009-01-23 to 2009-02-23 )))))))))))))))))))))))))))))))
.

2009-02-22 16:25 . 2009-02-23 00:37 <DIR> d-------- c:\program files\ComboFix
2009-02-22 14:50 . 2008-10-16 14:09 31,768 --a------ c:\windows\system32\wucltui.dll.mui
2009-02-22 14:50 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuaucpl.cpl.mui
2009-02-22 14:50 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2009-02-22 14:50 . 2008-10-16 14:07 18,456 --a------ c:\windows\system32\wuaueng.dll.mui
2009-02-20 23:43 . 2009-02-20 23:43 18,065,713 --a------ c:\windows\sis_vga_xp_mb.zip
2009-02-19 12:13 . 2009-02-23 01:17 54,156 --ah----- c:\windows\QTFont.qfn
2009-02-19 12:13 . 2009-02-23 01:13 1,409 --a------ c:\windows\QTFont.for
2009-02-18 20:35 . 2002-01-25 02:30 290,816 --a------ c:\windows\system32\khooker.exe
2009-02-18 20:35 . 2001-07-09 04:50 155,648 --a------ c:\windows\system32\NeroCheck.exe
2009-02-18 20:35 . 2002-03-19 16:30 45,632 --a------ c:\windows\system32\taskswitch.exe
2009-02-18 20:31 . 2009-02-19 01:08 <DIR> d-------- c:\program files\FindAWF
2009-02-16 17:53 . 2009-02-16 17:53 552 --a------ c:\windows\system32\d3d8caps.dat
2009-02-16 14:33 . 2009-02-16 14:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-16 14:32 . 2009-02-16 14:45 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-02-16 14:32 . 2009-02-16 14:32 <DIR> d-------- c:\documents and settings\James\Application Data\SUPERAntiSpyware.com
2009-02-16 14:16 . 2009-02-16 14:16 50,688 --a------ c:\program files\ATF-Cleaner.exe
2009-02-14 19:24 . 2009-02-14 19:25 <DIR> d-------- c:\program files\Picasa2
2009-02-11 00:53 . 2009-02-18 16:23 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-11 00:53 . 2009-02-11 00:53 <DIR> d-------- c:\documents and settings\James\Application Data\Malwarebytes
2009-02-11 00:53 . 2009-02-11 00:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-11 00:53 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 00:53 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-09 22:26 . 2009-02-09 22:27 <DIR> d-------- c:\program files\PageDefrag
2009-02-02 13:40 . 2009-02-02 13:40 <DIR> d-------- c:\program files\Windows Installer Clean Up
2009-02-02 13:39 . 2009-02-02 13:39 <DIR> d-------- c:\program files\MSECACHE
2009-01-25 00:37 . 2009-01-25 00:37 <DIR> d-------- c:\program files\Coupons

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-23 06:17 --------- d-----w c:\program files\QuickTime
2009-02-23 06:17 --------- d-----w c:\program files\Microsoft AntiSpyware
2009-02-23 05:43 --------- d-----w c:\program files\DELETE Viewpoint
2009-02-23 05:43 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-02-22 17:36 --------- d-----w c:\program files\Trend Micro
2009-02-22 17:25 --------- d-----w c:\documents and settings\All Users\Application Data\AVG7
2009-02-21 09:00 --------- d-----w c:\documents and settings\All Users\Application Data\Retrospect
2009-02-20 19:49 --------- d-----w c:\program files\Yahoo!
2009-02-20 19:41 --------- d-----w c:\program files\Google
2009-02-20 16:10 --------- d-----w c:\documents and settings\James\Application Data\AVG7
2009-02-19 22:18 --------- d-----w c:\program files\BackwardsBush
2009-02-19 06:01 --------- d-----w c:\program files\CCleaner
2009-02-18 06:13 --------- d-----w c:\documents and settings\James\Application Data\Yahoo!
2009-02-17 02:44 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
2009-02-17 02:44 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLds.DAT
2009-02-16 19:31 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-15 00:57 --------- d-----w c:\program files\del.icio.us
2009-02-15 00:18 --------- d-----w c:\program files\Western Digital
2009-02-13 17:51 --------- d-----w c:\documents and settings\James\Application Data\Skype
2009-02-11 20:41 0 ----a-w c:\program files\SpiesHistory.dat
2009-02-11 20:41 0 ----a-w c:\program files\IgnoreList.dat
2009-02-11 20:41 0 ----a-w c:\program files\Data2.dat
2009-02-11 20:41 0 ----a-w c:\program files\Data1.dat
2009-02-11 20:36 --------- d-----w c:\program files\Database
2009-02-11 18:56 --------- d-----w c:\program files\MediaMonkey
2009-02-11 06:09 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-11 06:09 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-10 02:38 --------- d-----w c:\program files\SpeedFan
2009-01-18 21:24 --------- d-----w c:\program files\Windows Live Safety Center
2009-01-15 05:47 --------- d-----w c:\program files\IrfanView
2009-01-15 03:12 --------- d-----w c:\program files\Common Files\DELETE ME GMT
2009-01-14 18:14 --------- d-----w c:\program files\Speech Timer
2009-01-12 06:07 --------- d-----w c:\program files\FLV Player
2009-01-10 22:57 --------- d-----w c:\documents and settings\James\Application Data\U3
2009-01-08 03:13 4,998,707 ----a-w c:\program files\flvplayer_setup.exe
2009-01-01 05:00 --------- d-----w c:\program files\Belkin Bulldog Plus
2008-12-31 06:40 448,704 ----a-w c:\program files\biosagentplus_617.exe
2008-12-31 06:33 23,600 ----a-w c:\windows\system32\drivers\TVICHW32.SYS
2008-12-31 06:32 448,704 ----a-w c:\program files\driveragent_616.exe
2008-12-29 19:23 --------- d-----w c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-12-29 19:23 --------- d-----w c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-12-24 22:10 --------- d-----w c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-12-24 22:10 --------- d-----w c:\program files\SDHelper (Spybot - Search & Destroy)
2008-12-05 07:42 1,763 ----a-w c:\program files\ReadMe.txt
2008-12-05 07:41 7,173 ----a-w c:\program files\note.html
2008-10-19 22:24 1,654 ----a-w c:\program files\RSVP.ics
2008-02-13 18:15 1,769,648 ----a-w c:\program files\sasetup.exe
2007-11-08 22:57 620,127 ----a-w c:\program files\framxpro.zip
2007-11-08 22:51 4,726,096 ----a-w c:\program files\AWCSetup.exe
2007-10-25 05:22 456 ----a-w c:\program files\note-sb.html
2007-01-24 19:52 5,186,048 ----a-w c:\program files\WindowsDefender.msi
2003-11-11 21:34 29 ----a-w c:\program files\VS 2003 Key.txt
.

((((((((((((((((((((((((((((( SnapShot@2009-02-22_14.51.54.93 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-05-26 08:16:24 75,544 ----a-w c:\windows\system32\cdm.dll
+ 2008-10-16 19:09:44 92,696 ----a-w c:\windows\system32\cdm.dll
- 2009-02-22 19:46:35 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-02-23 06:15:53 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-02-22 19:46:35 131,072 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-23 06:15:53 131,072 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-02-22 19:46:35 573,440 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-23 06:15:53 573,440 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-05-26 08:16:24 75,544 -c--a-w c:\windows\system32\dllcache\cdm.dll
+ 2008-10-16 19:09:44 92,696 -c--a-w c:\windows\system32\dllcache\cdm.dll
- 2005-05-26 08:16:30 124,184 -c--a-w c:\windows\system32\dllcache\wuauclt.exe
+ 2008-10-16 19:09:44 51,224 -c--a-w c:\windows\system32\dllcache\wuauclt.exe
- 2005-05-26 08:16:30 1,343,768 -c--a-w c:\windows\system32\dllcache\wuaueng.dll
+ 2008-10-16 19:13:40 1,809,944 -c--a-w c:\windows\system32\dllcache\wuaueng.dll
+ 2008-10-16 19:08:58 34,328 ----a-w c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.2.6001.788\wups.dll
+ 2008-10-16 19:09:44 43,544 ----a-w c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.2.6001.788\wups2.dll
- 2005-05-26 08:16:30 465,176 ----a-w c:\windows\system32\wuapi.dll
+ 2008-10-16 19:12:20 561,688 ----a-w c:\windows\system32\wuapi.dll
- 2005-05-26 08:16:30 124,184 ----a-w c:\windows\system32\wuauclt.exe
+ 2008-10-16 19:09:44 51,224 ----a-w c:\windows\system32\wuauclt.exe
- 2005-05-26 08:16:30 1,343,768 ----a-w c:\windows\system32\wuaueng.dll
+ 2008-10-16 19:13:40 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
- 2005-05-26 08:16:30 127,256 ----a-w c:\windows\system32\wucltui.dll
+ 2008-10-16 19:12:22 323,608 ----a-w c:\windows\system32\wucltui.dll
- 2005-05-26 08:16:30 41,240 ----a-w c:\windows\system32\wups.dll
+ 2008-10-16 19:08:58 34,328 ----a-w c:\windows\system32\wups.dll
- 2005-05-26 08:16:30 18,200 ----a-w c:\windows\system32\wups2.dll
+ 2008-10-16 19:09:44 43,544 ----a-w c:\windows\system32\wups2.dll
- 2005-05-26 08:16:30 173,536 ----a-w c:\windows\system32\wuweb.dll
+ 2008-10-16 19:13:40 202,776 ----a-w c:\windows\system32\wuweb.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 4662776]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2005-11-08 36864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UPS-Status"="c:\program files\Belkin Bulldog Plus\UPS-Status.exe" [2006-11-15 69632]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-08-13 2532576]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2003-05-14 77824]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2007-08-16 416256]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-02-14 1838592]
"WD Button Manager"="WDBtnMgr.exe" [2006-04-21 c:\windows\system32\WDBtnMgr.exe]
"SoundMan"="SOUNDMAN.EXE" [2002-08-02 c:\windows\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2007-10-24 219136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Colorific.lnk - c:\program files\E-Color\Colorific\hgcctl95.exe [2003-01-27 65536]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2005-11-08 196608]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2006-01-29 118784]
SonnReg.lnk - c:\program files\E-Color\Registration\SonnReg.exe [2003-01-27 118784]
True Internet Color Icon.lnk - c:\program files\E-Color\True Internet Color\TICIcon.exe [2003-01-27 221184]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.mxmc"= MimicICM.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
Chkdsk BootExecute REG_MULTI_SZ autocheck autochk * /r\DosDevice\C:

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-01-25 42000]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyServer = sas.ne2.attbb.net:8000
uInternet Settings,ProxyOverride = *.ne2.attbb.net;localhost
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} - hxxp://downloads.taxslayer.com/olf2003/netinstall001/disk1/setup.exe
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-23 01:17:12
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(584)
c:\windows\System32\ODBC32.dll
c:\windows\System32\msctfime.ime
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\System32\SSSensor.dll

- - - - - - - > 'lsass.exe'(640)
c:\windows\System32\dssenh.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Sygate\SPF\Smc.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\progra~1\Grisoft\AVG7\avgamsvr.exe
c:\progra~1\Grisoft\AVG7\avgupsvc.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\pctspk.exe
c:\program files\Dantz\Retrospect\retrorun.exe
c:\progra~1\Dantz\RETROS~1\wdsvc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Belkin Bulldog Plus\UPS-Service.exe
.
**************************************************************************
.
Completion time: 2009-02-23 1:22:07 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-23 06:22:02
ComboFix2.txt 2009-02-22 19:57:35

Pre-Run: 21,185,368,064 bytes free
Post-Run: 21,181,325,312 bytes free

249

#10 miekiemoes (Malware Response Team)

Posted 23 February 2009 - 05:03 AM

Hi,

The concern I have with service packs and software that I wrote or custom software is that in the past (with NT) a new SP can cause programs not to work due to changes Microsoft makes that cause subtle timing changes or interface changes.

No, SPs won't change anything about that. An SP contains mainly security fixes. You can't compare it with a new OS, for example Vista, because that could indeed interfere with older software.

Your log looks OK again.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.

#11 NotACylon (Topic Starter)

Posted 23 February 2009 - 10:20 PM

Thanks for the help. Looks like Combofix got rid of some malware etc. Looks like it accidentally changed the AVG Control Center (avgcc.exe) to an older version. I put back the newer version and now AVG is happy. I ran into this problem when I was advised to run FindAWF Option 2 before I started this post, so I knew how to handle it.
My system is still running slow, but is a little better. What's next?
My comment about a service pack changing custom software, some of which I developed, so that it may not run is because back in the days of Windows NT, when our project went to a new SP, I ran into this problem. You're right that an SP shouldn't affect this the way a new OS, like Vista, would.
Should I try to upgrade the video drivers I got from motherboard manufacturer MSI? The chipset is SiS 650. AVG said one of the files has the Pakes.BRS trojan horse and I can't find out anything about it. Looking at the list "It's not always malware: How to fix the top 10 Internet Explorer issues", under #7, it mentions checking for outdated video drivers.
The 2 updates Microsoft wants to install are: updating the Background Intelligent Transfer Service (BITS) to v2.0, updates to WinHTTP, and a permanent copy of Package Installer for Windows. BITS is a new COM interface.
My system has 512MB and the motherboard can support up to 1GB. It used to run faster and I want to solve any slowness caused by software before considering upgrades.

#12 miekiemoes (Malware Response Team)

Posted 24 February 2009 - 04:57 AM

Hi,

If you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Then you can do the updates.

By the way, 512MB is not much nowadays. Also, the fact that it has only 512MB makes me think that this computer is already more than 3 years old. Keep in mind that older computers are slower after a period of time and there's nothing you can do about it.

For the drivers, if they are from the manufacturers website and AVG detects one of them as malicious, then it's most probably a false positive. In that case, send the file to AVG first so they can check it and fix the false positive.

Happy Surfing again!

#13 NotACylon (Topic Starter)

Posted 25 February 2009 - 06:04 PM

Those are good ideas for looking for things slowing down a PC. I ran PCPitstop and it had a few things to do. The one I was puzzled by is that it claimed my C: drive was fragmented. I did an analysis while in Safe Mode using the XP Defragmentation tool and it was okay, so I'm not sure.
I'm stuck with the problem of my browser, IE 6, running slower; it consumes memory much faster than it used to, holds on to it, and runs out in a day's use. I've increased my Virtual Memory to 1GB, but that only postpones the problem, as expected. I'm considering updating the outdated video drivers, as AVG 7.5 now no longer reports them as having any trojan horse. AVG has been behaving strangely in that it has asked to reboot after making automatic updates almost every day the past 2 weeks.
I tried to run the Secunia Software Inspector and it won't run for some reason. Under Status it just says "Loading Java Applet..." and the browser window won't close. At the bottom right of the window is an "exception: java.lang.NullPointerException" message.
After updating the drivers, I'm thinking I should reinstall IE 6 next?

#14 miekiemoes (Malware Response Team)

Posted 25 February 2009 - 06:21 PM

I suggest you start first with updating Windows, including IE to IE7.

Then, if your browser is still slow, check the add-ons you have installed. Open Internet Explorer, click the Tools button in the menu > Manage Add-ons > Enable or Disable Add-ons.
This will open a new window with the Add-ons currently loaded into Internet Explorer (that option should be selected by default under "Show").
Now it's a matter of trial and error to find which exact Add-on is causing this, so select the first Add-on there and, under Settings below, select the "Disable" radio button. Click OK below and close Internet Explorer in order to accept the changes.
Then open Internet Explorer again and see if you're still having the same problem; if so, disable the next Add-on there... and so on, until you've figured out exactly which Add-on is causing your problem.

Anyway, you may go anywhere and ask for help; the first thing they will tell you is to update.
After all, I don't see the point in speeding up old software if you can get a free update that should improve things anyway.

Also, your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 12.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 12".
  • Click the "Download" button to the right.
  • For Platform, select "Windows"
  • For language, select your language
  • Read the License agreement and then Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement".
  • Click Continue
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • Java™ 6 Update 5
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u12-windows-i586-p.exe to install the newest version.

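As an added check that is not part of the thread or of any tool it mentions: the Java clean-up above ends with removing every older JRE entry from Add/Remove Programs and then installing JRE 6 Update 12. The PowerShell script below reads the same registry Uninstall keys that Add/Remove Programs lists, picks out the Java Runtime entries, and flags any whose version is below the target. The target version string 1.6.0.120 and the DisplayName patterns are assumptions about how the Sun installers register themselves, and PowerShell 1.0 or later is assumed to be present on the machine; the script only reports and never uninstalls anything.

```powershell
# Added example (not from the thread). Lists Java Runtime entries that
# Add/Remove Programs would show and flags the ones older than the version
# the post tells the user to install, so leftovers are easy to spot.

# Assumption: Sun's JRE 6 Update 12 registers DisplayVersion 1.6.0.120.
$TargetVersion = [version]'1.6.0.120'

# These are the keys Add/Remove Programs reads; the Wow6432Node path only
# exists on 64-bit Windows and is silently skipped elsewhere.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-JavaRuntimeEntries {
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        # Assumption: runtime entries start with "Java" or "J2SE"; JDKs are excluded.
        Where-Object {
            $_.DisplayName -match '^(Java|J2SE)' -and
            $_.DisplayName -notmatch 'Development Kit|JDK'
        } |
        Select-Object DisplayName, DisplayVersion, UninstallString,
            @{ Name = 'Outdated'; Expression = {
                # Keep only the leading dotted-number part so [version] can parse it;
                # anything unparseable is treated as outdated rather than trusted.
                if ("$($_.DisplayVersion)" -match '^\d+(\.\d+){1,3}') {
                    [version]$matches[0] -lt $TargetVersion
                } else {
                    $true
                }
            } }
}

$entries = @(Get-JavaRuntimeEntries)

if ($entries.Count -eq 0) {
    'No Java Runtime Environment entries found in Add/Remove Programs.'
} else {
    $entries | Format-Table DisplayName, DisplayVersion, Outdated -AutoSize

    $old = @($entries | Where-Object { $_.Outdated })
    "Entries older than $TargetVersion : $($old.Count)"
    foreach ($e in $old) {
        # Report only; removal is done through Add/Remove Programs as the post describes.
        "  still installed, remove via Add/Remove Programs: $($e.DisplayName)"
    }
}
```

Run it once before the clean-up to see what is installed, and again after the reboot: an empty list of outdated entries plus one entry at or above 1.6.0.120 means the procedure in the post was completed.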

#15 NotACylon

NotACylon
  • Topic Starter

  • Members
  • 16 posts
  • Local time:06:47 AM

Posted 26 February 2009 - 01:32 AM

I assume I can install the Java Runtime Environment and the 2 updates Microsoft wants to install now? Should I upgrade the video drivers first to see if this helps IE 6, then install IE 7 if not? Does IE 7 want XP SP 2, so would I want to do XP SP 2 first? Wondering if I should reinstall XP SP 1 first.
Want to get system as fast as it can before memory upgrades, so I know if I can just increase to motherboards max of 1 GB SDRAM or have to get a new motherboard.



