Computer with 3 users slow to bootup & slower to shutdown


  • This topic is locked
28 replies to this topic

#1 David S

David S

  • Members
  • 43 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:57 AM

Posted 31 May 2009 - 09:38 PM

Hi,
Computer flashes from normal, to safe mode & then back to normal while booting up.
Some improvement after ccleaner, spybot S&D, & Malwarebytes.
Ccleaner registry function found a bunch of stuff. After reading up on registry stuff, I left it alone.
Computer has 3 users: one admin & 2 limited. One of the limited locks up the machine for a few minutes.
Cannot back up computer. XP backup does not see the external hard drive, explorer does.
There are other issues, these seem to be more pressing.
Please help. Below is the dds.txt and attached is the attach.txt file.
Thank you,
David


DDS (Ver_09-05-14.01) - NTFSx86
Run by Dave Stark at 20:10:20.84 on Sun 05/31/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.196 [GMT -4:00]

AV: avast! antivirus 4.8.1335 [VPS 090531-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\CRW\shwicon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\IPFax\FaxMonitor.exe
C:\WINDOWS\vVX3000.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\AOL\1147485870\ee\AOLSoftware.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dave Stark\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.wwdb.com/login.aspx?ReturnUrl=%2fHome.aspx
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: CommuniKate Toolbar: {2ad46959-7ee4-47c3-b976-c0912755de1f} - c:\program files\ucietb\ucietb.dll
TB: ZoneAlarm Spy Blocker Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: {40D41A8B-D79B-43D7-99A7-9EE0F344C385} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [ShowIcon_The Company_CRW Series Driver v1.16e058] "c:\program files\crw\shwicon.exe" -t"the company\CRW Series Driver v1.16e058"
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [InCD] c:\program files\ahead\incd\InCD.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [FaxMonitor] c:\program files\ipfax\FaxMonitor.exe
mRun: [CloneCDElbyCDFL] "c:\program files\elaborate bytes\clonecd\ElbyCheck.exe" /L ElbyCDFL
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SMSTray] c:\program files\samsung\samsung media studio 5\SMSTray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [zBrowser Launcher] c:\program files\logitech\itouch\iTouch.exe
mRun: [HostManager] c:\program files\common files\aol\1147485870\ee\AOLSoftware.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRunServices: [strtas] lockx.exe
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nkbmon~1.lnk - c:\program files\nikon\pictureproject\NkbMonitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nkvmon~1.lnk - c:\program files\nikon\nkview6\NkvMon.exe
IE: &AIM Search - c:\program files\aim toolbar\AIMBar.dll/aimsearch.htm
IE: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZCxdm231
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Open Picture in &Microsoft PhotoDraw - c:\progra~1\micros~2\office\1033\phdintl.dll/phdContext.htm
IE: Spell Check Options... - c:\program files\ucietb\Speller.dll/RUNOPTIONS.HTM
IE: Spell Check this page... - c:\program files\ucietb\Speller.dll/RUNSPELLER.HTM
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - {2AD46959-7EE4-47C3-B976-C0912755DE1F} - c:\program files\ucietb\ucietb.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: daddario.com
Trusted Zone: microsoft.com\*.update
Trusted Zone: nvidia.com\www
Trusted Zone: windowsupdate.com\download
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01111F00-3E00-11D2-8470-0060089874ED} - hxxp://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/d/c/8/dc8362b3-f410-4e7d-b672-209d6bd8fcea/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
DPF: {6697AFA6-1CD3-462E-AC0A-363EF8BCD102} - hxxp://www.evga.com/Support/SyScan/SyScan.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1167063204312
DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - hxxp://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
DPF: {88D969C0-F192-11D4-A65F-0040963251E5} - file://c:\tempei4\ei40_\msxml4.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38181.6376041667
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 BsStor;InCD Storage Helper Driver;c:\windows\system32\drivers\bsstor.sys [2004-2-13 9344]
R0 ElbyVCD;ElbyVCD;c:\windows\system32\drivers\ElbyVCD.sys [2002-11-28 22016]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-8-23 114768]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-5-19 353672]
R2 ASKService;ASKService;c:\program files\askbardis\bar\bin\AskService.exe [2009-5-19 464264]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-8-23 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-8-23 138680]
R2 BsUDF;InCD UDF Driver;c:\windows\system32\drivers\bsudf.sys [2004-2-13 448640]
R2 IOPort;IOPort;c:\windows\system32\drivers\IOPORT.SYS [1998-11-27 6144]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-10 24652]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-8-23 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-8-23 352920]
R3 LCcfltr;Logitech USB Filter Driver;c:\windows\system32\drivers\LCcfltr.sys [2004-7-11 14095]
S3 JL2005C;Dual Mode Camera;c:\windows\system32\drivers\jl2005c.sys [2007-1-26 68954]

=============== Created Last 30 ================

2009-05-23 07:05 <DIR> --d----- c:\docume~1\davest~1\applic~1\Malwarebytes
2009-05-23 07:05 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-23 07:05 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-23 07:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-23 07:05 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-22 19:50 7,120 a------- c:\windows\wininit.ini
2009-05-22 18:17 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-05-22 18:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-05-19 06:26 <DIR> --d----- c:\program files\AskBarDis
2009-05-19 06:26 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-05-19 06:25 1,221,512 a------- c:\windows\system32\zpeng25.dll
2009-05-19 06:25 <DIR> --d----- c:\windows\system32\ZoneLabs
2009-05-19 06:25 350,192 a------- c:\windows\system32\vsconfig.xml
2009-05-18 21:51 <DIR> --d----- c:\program files\Zone Labs
2009-05-18 21:51 <DIR> --d----- c:\windows\Internet Logs
2009-05-11 21:39 <DIR> --dsh--- C:\found.000

==================== Find3M ====================

2009-05-30 17:31 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLec.DAT
2009-05-30 17:31 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLds.DAT
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll
2008-06-18 21:26 581,632 a------- c:\program files\convert.exe
2008-04-13 08:02 88,896 a------- c:\docume~1\davest~1\applic~1\GDIPFONTCACHEV1.DAT
2006-10-31 12:07 31,223 a------- c:\program files\nv4_disp.cat
2004-09-25 20:45 3,485,854 a------- c:\program files\InstantConverter.zip
2004-08-28 11:20 8,670 a------- c:\program files\INSTALL.LOG
2004-04-27 18:03 51,535 a------- c:\program files\licens32.txt
2003-10-15 10:30 1,747 a------- c:\program files\icbmftvc.lst
2003-08-15 13:39 527 a------- c:\program files\BL_Games.htm
2003-08-15 13:34 1,810 a------- c:\program files\testgame.htm
2003-01-06 15:41 1,457 a------- c:\program files\rvappstm.lst
2001-01-30 17:04 1,375 a------- c:\program files\aimalert.gif
2001-01-30 17:03 1,370 a------- c:\program files\stockalert.gif
2008-10-01 21:26 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100120081002\index.dat

============= FINISH: 20:11:35.25 ===============

Attached Files




#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • ONLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:04:57 PM

Posted 01 June 2009 - 10:03 AM

Hi David,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.


One or more of the identified infections is a backdoor trojan.

A backdoor Trojan can allow an attacker to gain control of the system, log keystrokes, steal passwords, access personal data, send malevolent outgoing traffic, and close the security warning messages displayed by some anti-virus and security programs.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the Operating System. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still try to clean this machine but I can't guarantee that it will be 100% secure afterwards. If you decide to remove the infection please go on with the following steps.


Removal Instructions


Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#3 David S

David S
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:57 AM

Posted 02 June 2009 - 10:24 PM

Hi Farbar,

Thanks for your help.
Please see the attached combofix file.
Hope it makes sense to you!

Best Regards,
David

Attached Files

  • Attached File  log1.txt   14.06KB   7 downloads


#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • ONLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:04:57 PM

Posted 03 June 2009 - 01:16 AM

Well done :thumbup2:

Before looking it over: it seems ComboFix was run twice, and I need to see the log of the first run. Please copy and paste the log instead of attaching it. Thank you:

Please go to start -> Run.
  • Copy and paste the bold line in the run-box and click OK: C:\Qoobox\ComboFix2.txt
  • A text file opens up, copy and paste the content to your reply.


#5 David S

David S
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:57 AM

Posted 03 June 2009 - 05:30 AM

Yes, I messed up the first time.
BTW, what line(s) in the DDS info sent up the red flag?
Thanks,
David


ComboFix 09-06-01.03 - Dave Stark 06/02/2009 22:19.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.292 [GMT -4:00]
Running from: c:\documents and settings\Dave Stark\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090602-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\INSTALL.LOG
c:\windows\system32\muzapp.exe

.
((((((((((((((((((((((((( Files Created from 2009-05-03 to 2009-06-03 )))))))))))))))))))))))))))))))
.

2009-05-31 22:25 . 2009-05-31 22:25 8854 ----a-r- c:\documents and settings\Dave Stark\Application Data\Microsoft\Installer\{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}\Uninstall_WD_Diagnos_0AB76F69E7614CFAB9B0A1906B4E9E4B.exe
2009-05-31 22:25 . 2009-05-31 22:25 40960 ----a-r- c:\documents and settings\Dave Stark\Application Data\Microsoft\Installer\{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}\WinDlg.exe_0AB76F69E7614CFAB9B0A1906B4E9E4B_3.exe
2009-05-31 22:25 . 2009-05-31 22:25 10134 ----a-r- c:\documents and settings\Dave Stark\Application Data\Microsoft\Installer\{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}\ARPPRODUCTICON.exe
2009-05-23 11:05 . 2009-05-23 11:05 -------- d-----w- c:\documents and settings\Dave Stark\Application Data\Malwarebytes
2009-05-23 11:05 . 2009-04-06 19:32 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-23 11:05 . 2009-04-06 19:32 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-23 11:05 . 2009-05-23 11:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-23 11:05 . 2009-05-23 11:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-22 22:17 . 2009-05-28 00:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-22 22:17 . 2009-05-22 22:26 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-05-19 10:26 . 2009-05-19 10:26 -------- d-----w- c:\program files\AskBarDis
2009-05-19 10:26 . 2009-05-19 10:26 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-05-19 10:25 . 2009-02-16 04:10 69000 ----a-w- c:\windows\system32\zlcomm.dll
2009-05-19 10:25 . 2009-02-16 04:10 103816 ----a-w- c:\windows\system32\zlcommdb.dll
2009-05-19 10:25 . 2009-05-19 10:26 -------- d-----w- c:\windows\system32\ZoneLabs
2009-05-19 10:25 . 2009-02-16 04:10 1221512 ----a-w- c:\windows\system32\zpeng25.dll
2009-05-19 01:51 . 2009-05-19 01:51 -------- d-----w- c:\program files\Zone Labs
2009-05-19 01:51 . 2009-06-03 02:19 -------- d-----w- c:\windows\Internet Logs
2009-05-16 16:15 . 2009-05-16 16:15 -------- d-----w- c:\documents and settings\Dave Stark\Application Data\Yahoo!
2009-05-12 01:39 . 2009-05-12 01:39 -------- d-sh--w- C:\found.000

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-02 01:45 . 2007-06-08 21:42 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-05-30 21:31 . 2008-01-15 19:51 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
2009-05-30 21:31 . 2008-01-15 04:00 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLds.DAT
2009-05-28 21:12 . 2007-12-13 22:00 664 ----a-w- c:\documents and settings\Rebecca\Local Settings\Application Data\d3d9caps.tmp
2009-05-28 10:05 . 2009-05-21 10:10 1459871 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2009-05-21 22:17 . 2009-05-21 22:18 1398784 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2009-05-18 23:14 . 2004-11-06 02:44 -------- d-----w- c:\program files\Yahoo!
2009-05-18 23:12 . 2004-09-14 19:02 -------- d-----w- c:\documents and settings\Dave Stark\Application Data\Aim
2009-05-16 16:15 . 2007-04-07 14:19 -------- d-----w- c:\program files\Ccleaner
2009-05-15 02:18 . 2008-02-16 21:06 -------- d-----w- c:\documents and settings\Rebecca\Application Data\Nikon
2009-05-06 02:57 . 2008-07-13 23:21 -------- d-----w- c:\documents and settings\Dave Stark\Application Data\Skype
2009-05-06 01:57 . 2008-07-13 23:25 -------- d-----w- c:\documents and settings\Dave Stark\Application Data\skypePM
2009-04-26 12:59 . 2009-04-26 12:59 -------- d-----w- c:\program files\Common Files\Logitech
2009-04-26 12:59 . 2004-02-13 20:45 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-04-20 21:44 . 2008-12-25 18:36 -------- d-----w- c:\documents and settings\Dave Stark\Application Data\CameraWindowDC
2009-04-20 21:43 . 2008-12-25 18:23 -------- d-----w- c:\documents and settings\Dave Stark\Application Data\ZoomBrowser EX
2009-04-02 23:27 . 2009-04-02 23:27 152576 ----a-w- c:\documents and settings\Dave Stark\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-03-09 09:19 . 2008-12-16 11:17 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2004-07-13 22:23 284160 ----a-w- c:\windows\system32\pdh.dll
2008-06-19 01:26 . 2008-06-19 01:26 581632 ----a-w- c:\program files\convert.exe
2006-10-31 16:07 . 2006-10-31 16:07 31223 ----a-w- c:\program files\nv4_disp.cat
2004-09-26 00:45 . 2004-09-26 00:45 3485854 ----a-w- c:\program files\InstantConverter.zip
2004-04-27 22:03 . 2004-08-28 15:20 51535 ----a-w- c:\program files\licens32.txt
2003-10-15 14:30 . 2004-08-28 15:20 1747 ----a-w- c:\program files\icbmftvc.lst
2003-08-15 17:39 . 2004-08-28 15:20 527 ----a-w- c:\program files\BL_Games.htm
2003-08-15 17:34 . 2004-08-28 15:20 1810 ----a-w- c:\program files\testgame.htm
2003-01-06 19:41 . 2004-08-28 15:20 1457 ----a-w- c:\program files\rvappstm.lst
2001-01-30 21:04 . 2004-08-28 15:20 1375 ----a-w- c:\program files\aimalert.gif
2001-01-30 21:03 . 2004-08-28 15:20 1370 ----a-w- c:\program files\stockalert.gif
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-10-16 22:22 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"NvMediaCenter"="c:\windows\system32\NVMCTRAY.DLL" [2003-10-06 49152]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 790528]
"ShowIcon_The Company_CRW Series Driver v1.16e058"="c:\program files\CRW\shwicon.exe" [2002-11-06 69632]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2002-09-12 1101824]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"FaxMonitor"="c:\program files\IPFax\FaxMonitor.exe" [2002-01-21 61440]
"CloneCDElbyCDFL"="c:\program files\Elaborate Bytes\CloneCD\ElbyCheck.exe" [2002-11-02 45056]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
"VX3000"="c:\windows\vVX3000.exe" [2006-10-13 707376]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2006-10-13 277296]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SMSTray"="c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-12-14 132624]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]
"HostManager"="c:\program files\Common Files\AOL\1147485870\ee\AOLSoftware.exe" [2006-05-10 50760]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2003-10-06 741376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

c:\documents and settings\Rebecca\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2007-9-17 147456]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-9-16 237568]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2008-1-15 118784]
NkvMon.exe.lnk - c:\program files\Nikon\NkView6\NkvMon.exe [2004-7-18 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1147485870\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1147485870\\ee\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\msncall.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 BsStor;InCD Storage Helper Driver;c:\windows\system32\drivers\bsstor.sys [2/13/2004 7:12 PM 9344]
R0 ElbyVCD;ElbyVCD;c:\windows\system32\drivers\ElbyVCD.sys [11/28/2002 6:43 AM 22016]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [8/23/2008 7:31 AM 114768]
R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [5/19/2009 6:26 AM 464264]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/23/2008 7:31 AM 20560]
R2 BsUDF;InCD UDF Driver;c:\windows\system32\drivers\bsudf.sys [2/13/2004 7:12 PM 448640]
R2 IOPort;IOPort;c:\windows\system32\drivers\IOPORT.SYS [11/27/1998 4:57 PM 6144]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/10/2007 1:55 PM 24652]
R3 LCcfltr;Logitech USB Filter Driver;c:\windows\system32\drivers\LCcfltr.sys [7/11/2004 8:49 PM 14095]
.
Contents of the 'Scheduled Tasks' folder

2009-05-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-05-15 c:\windows\Tasks\HP DArC Task 2003-12-22 03:05ewlett-Packard2003-12-22 03:05p psc 1300 series9A58A86F12EB0B2AE9BFB4180B4FD9D5B2D22980076875768.job
- c:\program files\HP\hpcoretech\comp\hpdarc.exe [2003-12-22 12:38]

2009-06-03 c:\windows\Tasks\User_Feed_Synchronization-{E82C6E2F-CF91-4FB2-A539-E25936FB53A4}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 17:58]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.wwdb.com/login.aspx?ReturnUrl=%2fHome.aspx
uInternet Settings,ProxyOverride = *.local
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZCxdm231
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Open Picture in &Microsoft PhotoDraw - c:\progra~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
IE: Spell Check Options... - c:\program files\ucietb\Speller.dll/RUNOPTIONS.HTM
IE: Spell Check this page... - c:\program files\ucietb\Speller.dll/RUNSPELLER.HTM
Trusted Zone: daddario.com
Trusted Zone: microsoft.com\*.update
Trusted Zone: nvidia.com\www
Trusted Zone: windowsupdate.com\download
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {6697AFA6-1CD3-462E-AC0A-363EF8BCD102} - hxxp://www.evga.com/Support/SyScan/SyScan.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-02 22:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-329068152-436374069-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2009-06-03 22:27
ComboFix-quarantined-files.txt 2009-06-03 02:27

Pre-Run: 48,274,968,576 bytes free
Post-Run: 49,102,913,536 bytes free

192 --- E O F --- 2009-05-14 02:29

#6 Farbar
Security Developer

Posted 03 June 2009 - 06:48 AM

Hi David,

Your log(s) show that you are using so-called peer-to-peer or file-sharing programs. These programs allow users to share files with each other, as the name suggests. In today's world cyber crime has reached an enormous dimension, and any means is used to infect personal computers in order to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."


Removal Instructions
  • You have the program Spybot S&D (TeaTimer option) running on your machine. We need to disable TeaTimer so it does not interfere with the fixes we are about to do. This will only take a few seconds.
    • First disable TeaTimer:
      • Run Spybot-S&D
      • Go to the Mode menu, and make sure Advanced Mode is selected
      • On the left hand side, choose Tools -> Resident
      • Uncheck Resident TeaTimer and OK any prompts
      • Restart your computer.
      Instructions are also here: How to disable TeaTimer during HijackThis Cleanup

      Note: If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

    • Then download ResetTeaTimer.exe to your desktop. (In case you use Firefox, right-click the link and choose "Save Link As").
      • Double-click ResetTeaTimer.exe and let it run.
    Note: TeaTimer should be kept disabled until I give you the clean sign.

  • Optional: Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This has changed from what we knew in 2006; read this article:

    http://www.clickz.com/news/article.php/3561546

    I suggest you uninstall the following programs via Add or Remove Programs if you are not using them:

    Viewpoint Manager, Viewpoint Media Player.

    If you uninstalled them, also remove the folder in bold: C:\Program Files\Viewpoint

  • Your version of ZoneAlarm Firewall comes with ZoneAlarm Spyblocker toolbar and this is not highly recommended. See here to find out why.

    I recommend you to uninstall ZoneAlarm Spyblocker toolbar:

    Click "Start" on the taskbar and then click on the "Control Panel" icon.
    Please double-click the "Add or Remove Programs" icon.
    A list of installed programs will be "populated"; this may take a bit of time.
    If it exists, uninstall the following by clicking on the entry and selecting "Remove":

    ZoneAlarm Spyblocker Toolbar

  • Close any open browsers.

    Open notepad (start => run => type Notepad and click OK) and copy/paste the text in the code box below into it:

    Driver::
    ASKService
    Folder::
    c:\program files\AskBarDis
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
    DDS::
    IE: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZCxdm231
    Trusted Zone: daddario.com
    Trusted Zone: nvidia.com\www
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    TB: {40D41A8B-D79B-43D7-99A7-9EE0F344C385} - No File
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
    TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

    Save this as CFScript.txt, in the same location as ComboFix.exe


    Posted Image

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you ("C:\ComboFix.txt"). Please copy and paste the log to your reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


  • Open your Malwarebytes' Anti-Malware, first update it using the Update tab, run a "Quick Scan", let it reboot if needed and copy/paste the log to your reply.

    Note: The logs are saved by default under the Logs tab. If the log did not automatically open you can obtain the latest log from there.

  • Tell me how your computer is running.


#7 David S
Topic Starter

Posted 03 June 2009 - 10:48 PM

Hi Farbar,

Below is the info you asked for:

You also mentioned file sharing programs.
Besides Limewire (I removed it but there are still extra folders and files) is there another on this computer?
Removed the zone alarm tool bar and Viewpoint. The only viewpoint file left is in the prefetch folder.
The internet is definitely faster. I'll let you know about other programs tomorrow night.

Thanks again!
David

ComboFix 09-06-01.03 - Dave Stark 06/03/2009 23:03.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.191 [GMT -4:00]
Running from: c:\documents and settings\Dave Stark\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dave Stark\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090603-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\AskBarDis
c:\program files\AskBarDis\bar\bin\askBar.dll
c:\program files\AskBarDis\bar\bin\askPopStp.dll
c:\program files\AskBarDis\bar\bin\AskService.exe
c:\program files\AskBarDis\bar\bin\psvince.dll
c:\program files\AskBarDis\bar\Cache\00048B54
c:\program files\AskBarDis\bar\Cache\00048D29
c:\program files\AskBarDis\bar\Cache\00048E42.bin
c:\program files\AskBarDis\bar\Cache\00048F2C.bin
c:\program files\AskBarDis\bar\Cache\00048FB9.bin
c:\program files\AskBarDis\bar\Cache\00049075.bin
c:\program files\AskBarDis\bar\Cache\0004914F.bin
c:\program files\AskBarDis\bar\Cache\000491CC.bin
c:\program files\AskBarDis\bar\Cache\0004923A.bin
c:\program files\AskBarDis\bar\Cache\000492B7.bin
c:\program files\AskBarDis\bar\Cache\00049314.bin
c:\program files\AskBarDis\bar\Cache\000493B1.bin
c:\program files\AskBarDis\bar\Cache\files.ini
c:\program files\AskBarDis\bar\History\search
c:\program files\AskBarDis\bar\Settings\config.dat
c:\program files\AskBarDis\bar\Settings\config.dat.bak
c:\program files\AskBarDis\bar\Settings\prevcfg.htm
c:\program files\AskBarDis\unins000.dat
c:\program files\AskBarDis\unins000.exe
c:\program files\AskBarDis\zonealarm.ico

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASKSERVICE
-------\Service_ASKService


((((((((((((((((((((((((( Files Created from 2009-05-04 to 2009-06-04 )))))))))))))))))))))))))))))))
.

2009-05-31 22:25 . 2009-05-31 22:25 8854 ----a-r- c:\documents and settings\Dave Stark\Application Data\Microsoft\Installer\{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}\Uninstall_WD_Diagnos_0AB76F69E7614CFAB9B0A1906B4E9E4B.exe
2009-05-31 22:25 . 2009-05-31 22:25 40960 ----a-r- c:\documents and settings\Dave Stark\Application Data\Microsoft\Installer\{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}\WinDlg.exe_0AB76F69E7614CFAB9B0A1906B4E9E4B_3.exe
2009-05-31 22:25 . 2009-05-31 22:25 10134 ----a-r- c:\documents and settings\Dave Stark\Application Data\Microsoft\Installer\{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}\ARPPRODUCTICON.exe
2009-05-23 11:05 . 2009-05-23 11:05 -------- d-----w- c:\documents and settings\Dave Stark\Application Data\Malwarebytes
2009-05-23 11:05 . 2009-04-06 19:32 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-23 11:05 . 2009-04-06 19:32 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-23 11:05 . 2009-05-23 11:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-23 11:05 . 2009-05-23 11:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-22 22:17 . 2009-05-28 00:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-22 22:17 . 2009-05-22 22:26 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-05-19 10:26 . 2009-05-19 10:26 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-05-19 10:25 . 2009-02-16 04:10 69000 ----a-w- c:\windows\system32\zlcomm.dll
2009-05-19 10:25 . 2009-02-16 04:10 103816 ----a-w- c:\windows\system32\zlcommdb.dll
2009-05-19 10:25 . 2009-05-19 10:26 -------- d-----w- c:\windows\system32\ZoneLabs
2009-05-19 10:25 . 2009-02-16 04:10 1221512 ----a-w- c:\windows\system32\zpeng25.dll
2009-05-19 01:51 . 2009-05-19 01:51 -------- d-----w- c:\program files\Zone Labs
2009-05-19 01:51 . 2009-06-04 03:03 -------- d-----w- c:\windows\Internet Logs
2009-05-16 16:15 . 2009-05-16 16:15 -------- d-----w- c:\documents and settings\Dave Stark\Application Data\Yahoo!
2009-05-12 01:39 . 2009-05-12 01:39 -------- d-sh--w- C:\found.000

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-02 01:45 . 2007-06-08 21:42 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-05-30 21:31 . 2008-01-15 19:51 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
2009-05-30 21:31 . 2008-01-15 04:00 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLds.DAT
2009-05-28 21:12 . 2007-12-13 22:00 664 ----a-w- c:\documents and settings\Rebecca\Local Settings\Application Data\d3d9caps.tmp
2009-05-28 10:05 . 2009-05-21 10:10 1459871 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2009-05-21 22:17 . 2009-05-21 22:18 1398784 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2009-05-18 23:14 . 2004-11-06 02:44 -------- d-----w- c:\program files\Yahoo!
2009-05-18 23:12 . 2004-09-14 19:02 -------- d-----w- c:\documents and settings\Dave Stark\Application Data\Aim
2009-05-16 16:15 . 2007-04-07 14:19 -------- d-----w- c:\program files\Ccleaner
2009-05-15 02:18 . 2008-02-16 21:06 -------- d-----w- c:\documents and settings\Rebecca\Application Data\Nikon
2009-05-06 02:57 . 2008-07-13 23:21 -------- d-----w- c:\documents and settings\Dave Stark\Application Data\Skype
2009-05-06 01:57 . 2008-07-13 23:25 -------- d-----w- c:\documents and settings\Dave Stark\Application Data\skypePM
2009-04-26 12:59 . 2009-04-26 12:59 -------- d-----w- c:\program files\Common Files\Logitech
2009-04-26 12:59 . 2004-02-13 20:45 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-04-20 21:44 . 2008-12-25 18:36 -------- d-----w- c:\documents and settings\Dave Stark\Application Data\CameraWindowDC
2009-04-20 21:43 . 2008-12-25 18:23 -------- d-----w- c:\documents and settings\Dave Stark\Application Data\ZoomBrowser EX
2009-04-02 23:27 . 2009-04-02 23:27 152576 ----a-w- c:\documents and settings\Dave Stark\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-03-09 09:19 . 2008-12-16 11:17 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2004-07-13 22:23 284160 ----a-w- c:\windows\system32\pdh.dll
2008-06-19 01:26 . 2008-06-19 01:26 581632 ----a-w- c:\program files\convert.exe
2006-10-31 16:07 . 2006-10-31 16:07 31223 ----a-w- c:\program files\nv4_disp.cat
2004-09-26 00:45 . 2004-09-26 00:45 3485854 ----a-w- c:\program files\InstantConverter.zip
2004-04-27 22:03 . 2004-08-28 15:20 51535 ----a-w- c:\program files\licens32.txt
2003-10-15 14:30 . 2004-08-28 15:20 1747 ----a-w- c:\program files\icbmftvc.lst
2003-08-15 17:39 . 2004-08-28 15:20 527 ----a-w- c:\program files\BL_Games.htm
2003-08-15 17:34 . 2004-08-28 15:20 1810 ----a-w- c:\program files\testgame.htm
2003-01-06 19:41 . 2004-08-28 15:20 1457 ----a-w- c:\program files\rvappstm.lst
2001-01-30 21:04 . 2004-08-28 15:20 1375 ----a-w- c:\program files\aimalert.gif
2001-01-30 21:03 . 2004-08-28 15:20 1370 ----a-w- c:\program files\stockalert.gif
.

((((((((((((((((((((((((((((( SnapShot@2009-06-03_02.24.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-04 03:08 . 2009-06-04 03:08 16384 c:\windows\Temp\Perflib_Perfdata_77c.dat
+ 2009-06-04 03:08 . 2009-06-04 03:08 16384 c:\windows\Temp\Perflib_Perfdata_4b0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"NvMediaCenter"="c:\windows\system32\NVMCTRAY.DLL" [2003-10-06 49152]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 790528]
"ShowIcon_The Company_CRW Series Driver v1.16e058"="c:\program files\CRW\shwicon.exe" [2002-11-06 69632]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2002-09-12 1101824]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"FaxMonitor"="c:\program files\IPFax\FaxMonitor.exe" [2002-01-21 61440]
"CloneCDElbyCDFL"="c:\program files\Elaborate Bytes\CloneCD\ElbyCheck.exe" [2002-11-02 45056]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
"VX3000"="c:\windows\vVX3000.exe" [2006-10-13 707376]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2006-10-13 277296]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SMSTray"="c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-12-14 132624]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]
"HostManager"="c:\program files\Common Files\AOL\1147485870\ee\AOLSoftware.exe" [2006-05-10 50760]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2003-10-06 741376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-9-16 237568]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2008-1-15 118784]
NkvMon.exe.lnk - c:\program files\Nikon\NkView6\NkvMon.exe [2004-7-18 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1147485870\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1147485870\\ee\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\msncall.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 BsStor;InCD Storage Helper Driver;c:\windows\system32\drivers\bsstor.sys [2/13/2004 7:12 PM 9344]
R0 ElbyVCD;ElbyVCD;c:\windows\system32\drivers\ElbyVCD.sys [11/28/2002 6:43 AM 22016]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [8/23/2008 7:31 AM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/23/2008 7:31 AM 20560]
R2 BsUDF;InCD UDF Driver;c:\windows\system32\drivers\bsudf.sys [2/13/2004 7:12 PM 448640]
R2 IOPort;IOPort;c:\windows\system32\drivers\IOPORT.SYS [11/27/1998 4:57 PM 6144]
R3 LCcfltr;Logitech USB Filter Driver;c:\windows\system32\drivers\LCcfltr.sys [7/11/2004 8:49 PM 14095]
.
Contents of the 'Scheduled Tasks' folder

2009-05-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-05-15 c:\windows\Tasks\HP DArC Task 2003-12-22 03:05ewlett-Packard2003-12-22 03:05p psc 1300 series9A58A86F12EB0B2AE9BFB4180B4FD9D5B2D22980076875768.job
- c:\program files\HP\hpcoretech\comp\hpdarc.exe [2003-12-22 12:38]

2009-06-04 c:\windows\Tasks\User_Feed_Synchronization-{E82C6E2F-CF91-4FB2-A539-E25936FB53A4}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 17:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.wwdb.com/login.aspx?ReturnUrl=%2fHome.aspx
uInternet Settings,ProxyOverride = *.local
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Open Picture in &Microsoft PhotoDraw - c:\progra~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
IE: Spell Check Options... - c:\program files\ucietb\Speller.dll/RUNOPTIONS.HTM
IE: Spell Check this page... - c:\program files\ucietb\Speller.dll/RUNSPELLER.HTM
Trusted Zone: microsoft.com\*.update
Trusted Zone: windowsupdate.com\download
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {6697AFA6-1CD3-462E-AC0A-363EF8BCD102} - hxxp://www.evga.com/Support/SyScan/SyScan.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-03 23:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-329068152-436374069-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(404)
c:\program files\Logitech\iTouch\iTchHk.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\windows\system32\mshtml.dll
c:\program files\Common Files\Microsoft Shared\Ink\SKCHUI.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ZoneLabs\vsmon.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-06-04 23:16 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-04 03:16
ComboFix2.txt 2009-06-03 03:09
ComboFix3.txt 2009-06-03 02:27

Pre-Run: 49,072,930,816 bytes free
Post-Run: 48,950,624,256 bytes free

241 --- E O F --- 2009-05-14 02:29



Below is the MBAM Log:

Malwarebytes' Anti-Malware 1.37
Database version: 2227
Windows 5.1.2600 Service Pack 3

6/3/2009 11:33:52 PM
mbam-log-2009-06-03 (23-33-52).txt

Scan type: Quick Scan
Objects scanned: 103321
Time elapsed: 4 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\bfast.com (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\commission-junction.com (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\fastclick.com (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\fastclick.net (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\kqzyfj.com (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\linksynergy.com (Adware.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

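An added example, not code from ComboFix, BleepingComputer or either poster, that cross-checks the CFScript from post #6 against the ComboFix log posted in reply: it parses the script's Folder::, Driver::, Registry:: and DDS:: sections and the log's banner-delimited sections, then reports whether each target appears under Other Deletions or Drivers/Services and has dropped out of the post-run Supplementary Scan. The script and log text embedded below are abridged, constructed excerpts of the posts above, and the banner-matching rules are an assumption based only on the logs shown in this thread.

```python
import re
from typing import Dict, List

# Constructed sample: abridged from the CFScript Farbar posted above.
CFSCRIPT = r"""
Driver::
ASKService
Folder::
c:\program files\AskBarDis
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
DDS::
IE: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZCxdm231
Trusted Zone: daddario.com
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
"""

# Constructed sample: abridged from the ComboFix log David posted after running the script.
COMBOFIX_LOG = r"""
ComboFix 09-06-01.03 - Dave Stark 06/03/2009 23:03.3 - NTFSx86
Command switches used :: c:\documents and settings\Dave Stark\Desktop\CFScript.txt
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\AskBarDis
c:\program files\AskBarDis\bar\bin\askBar.dll
c:\program files\AskBarDis\bar\bin\AskService.exe
c:\program files\AskBarDis\unins000.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_ASKSERVICE
-------\Service_ASKService
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.wwdb.com/login.aspx?ReturnUrl=%2fHome.aspx
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
Trusted Zone: microsoft.com\*.update
Trusted Zone: windowsupdate.com\download
.
"""

# A CFScript section header is a bare word followed by "::" (e.g. "Folder::").
CFSCRIPT_SECTION_RE = re.compile(r"^([A-Za-z]+)::$")
# Assumed log banner shapes, taken from the logs in this thread:
# "(((( Other Deletions ))))" and "------- Supplementary Scan -------".
LOG_BANNER_RE = re.compile(r"^\(+\s*(.*?)\s*\)+$|^-{2,}\s*(.*?)\s*-{2,}$")


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into {section name: [entries]}."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CFSCRIPT_SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_combofix_log(text: str) -> Dict[str, List[str]]:
    """Group log lines under the lower-cased banner that precedes them."""
    sections: Dict[str, List[str]] = {"preamble": []}
    current = "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # ComboFix pads sections with lone dots
            continue
        m = LOG_BANNER_RE.match(line)
        name = (m.group(1) or m.group(2) or "").lower() if m else ""
        if name:
            current = name
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections


def verify_fix(script_text: str, log_text: str) -> Dict[str, str]:
    """Report, per CFScript entry, whether the log confirms its removal."""
    script = parse_cfscript(script_text)
    log = parse_combofix_log(log_text)
    deleted = [d.lower() for d in log.get("other deletions", [])]
    services = [s.lower() for s in log.get("drivers/services", [])]
    supplementary = {s.lower() for s in log.get("supplementary scan", [])}
    report: Dict[str, str] = {}

    for folder in script.get("Folder", []):
        f = folder.lower()
        n = sum(1 for d in deleted if d == f or d.startswith(f + "\\"))
        report[f"Folder::{folder}"] = f"removed ({n} entries)" if n else "not listed as deleted"

    for drv in script.get("Driver", []):
        # Removed services appear as "-------\Service_<name>" / "-------\Legacy_<name>".
        hit = any(s.startswith("-------\\") and s.split("_", 1)[-1] == drv.lower()
                  for s in services)
        report[f"Driver::{drv}"] = "removed" if hit else "not listed as removed"

    for key in script.get("Registry", []):
        # The log has no registry-deletion section; re-read "Reg Loading Points" by hand.
        report[f"Registry::{key}"] = "unverified by log"

    for dds in script.get("DDS", []):
        # A fixed DDS line should no longer appear in the post-run Supplementary Scan.
        report[f"DDS::{dds}"] = "still listed" if dds.lower() in supplementary else "gone"
    return report


if __name__ == "__main__":
    for entry, status in verify_fix(CFSCRIPT, COMBOFIX_LOG).items():
        print(f"{status:24} {entry}")
```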
#8 Farbar
Security Developer

Posted 04 June 2009 - 03:10 AM

Hi Dave,

Well done and thanks for the feedback. :thumbup2:

I didn't mean there is more than one p2p program on the computer. The text about p2p was meant to give general information about p2p programs.
  • Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "Java SE Runtime Environment (JRE)" JRE 6 Update 14.
    • Click the Download button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.
    -- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
    -- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
    -- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


    Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

  • Tell me if other programs are working fine.


#9 David S
Topic Starter

Posted 04 June 2009 - 08:45 PM

Farbar,

The computer is working better overall.
Is there any malware, etc remaining in the system?
Ccleaner registry function still has a lot of files in it.
Is a page file of 352M too high? Or is that a question for another forum?

Thanks,
David

#10 Farbar
Security Developer

Posted 05 June 2009 - 04:42 AM

Ccleaner registry function still has a lot of files in it.

If you make a backup you may clean those files. But don't use the registry cleaner so often.

Is a page file of 352M too high?


No, it is not too high. Depending on the size of RAM and the kind of programs you are using you might need more or nothing. With today's computers nobody bothers about the size of the page file. If you have enough RAM the system doesn't need to use the page file. But you can increase the size of the page file if you have enough space on your HD and leave it so.

Everything looks good.

Go to start > run and copy and paste or type next command in the field then hit enter:

ComboFix /u

Note: There's a space between Combofix and /

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through system restore.

The first reboot might be a little slow, the next one will be faster.

Optional Recommendations:
  • I recommend using Site Advisor for safe surfing. It is a free extension both for Internet Explorer and Firefox. When you search a site it gives you an indication of how safe a site is.

  • Install Javacools© SpywareBlaster
    SpywareBlaster will add a large list of programs and sites to your Internet Explorer and Firefox settings, and that will protect you from running and downloading known malicious programs. What you need to do is update it once every 2-3 weeks and enable the restriction. You can find more information and a download link.
    After each update click on Protection Status in the left pane. Then click on Enable All Protection (bottom left of the right pane).
  • The rule of thumb: One AntiVirus with real-time protection, one firewall (other than Windows firewall) and one antispyware with real-time protection. Any additional anti-malware shouldn't be running. You might have two or three antispyware but they should not be running at the same time and should be set not to start with Windows.
Happy Surfing!

#11 David S
Topic Starter

Posted 05 June 2009 - 05:36 AM

Should I enable TeaTimer?
Should I replace Spybot S&D with Javacools?
Some of the original issues still exist:

1. Computer flashes from normal, to safe mode & then back to normal while booting up.
2. Computer has 3 users: one admin & 2 limited. One of the limited accounts, locks up the machine for a few minutes.
3. Cannot back up computer. XP backup does not see the external hard drive, explorer does.

Should I research these and possibly post the questions on another forum?

Thank you Farbar for a clean machine!!!!!!!!!!

David

#12 Farbar
Security Developer

Posted 05 June 2009 - 06:58 AM

David,

You are very welcome. Javacools is not an anti-malware tool for detection and removal; it does more of a prevention job. You may turn TeaTimer on if you don't want to pursue the issue here. Otherwise don't add any programs now and leave TeaTimer turned off.

Good that you mention the issue; that is what I wanted to know when I asked you how the programs were running. :thumbup2:

The issue might not be malware related. A corrupted file or registry might cause it. If you want, we can have a shot at it.

#13 David S
Topic Starter

Posted 05 June 2009 - 08:29 PM

If you have the time. I'll follow your lead. But if you want to stick with Malware issues which you are obviously good at, I won't be offended to look at a different forum on BC.

David

#14 Farbar
Security Developer

Posted 05 June 2009 - 08:49 PM

It is late here and I'm going to sleep. I'll see the results tomorrow.

I would like to do two diagnostic tests.
  • Start in Safe Mode Using the F8 key:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
    • Use the arrow keys to select the Safe Mode menu item.
    • Press the Enter key.
    • Log in to your usual account. Tell me how the computer boots in Safe Mode. Does the reboot occur there too?
  • To do a diagnostic test:
    • Please go to Start => Run => type msconfig and click OK.
    • Under General tab select "Diagnostic Startup".
    • Apply and OK then reboot the computer and tell me if the boot problem still remains.


#15 David S
Topic Starter

Posted 06 June 2009 - 03:12 PM

I have to switch keyboards to get into safe mode. It seems that the computer does not see the USB port until after the BIOS loads. I have to use a PS2 keyboard.

Diagnostic test #1: The machine does not really reboot; the background just changes to the Safe Mode light blue color (not the BSOD color). The Safe Mode background color after pressing F8 is black. Internet does not work in Safe Mode. A bunch of stuff comes up on the screen: multi(0)disk(0)rdisk(0)partition(1)...

Diagnostic test #2: did not notice the screen color change.

Sorry it sounds kind of vague.

David
