Very slow, tried many things


This topic is locked
11 replies to this topic

#1 Quevvy

Posted 04 June 2009 - 02:26 PM

My computer is all of a sudden slow and I have tried multiple ways of improving it...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:25:06 PM, on 6/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\MotorolaDAP.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\WinMX\WinMX.exe
C:\Documents and Settings\Michael\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Uniblue\LocalCooling\localcooling2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\Documents and Settings\Michael\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Michael\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://facebook.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [WinMX] C:\Program Files\WinMX\WinMX.exe -m
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Michael\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-746137067-1979792683-682003330-1007\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Tommy')
O4 - HKUS\S-1-5-21-746137067-1979792683-682003330-1007\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler (User 'Tommy')
O4 - HKUS\S-1-5-21-746137067-1979792683-682003330-1007\..\Run: [WinMX] C:\Documents and Settings\Tommy\Desktop\WinMX.exe -m (User 'Tommy')
O4 - HKUS\S-1-5-21-746137067-1979792683-682003330-1007\..\Run: [Aim6] (User 'Tommy')
O4 - HKUS\S-1-5-21-746137067-1979792683-682003330-1007\..\Run: [csrss] C:\WINDOWS\csrss.exe (User 'Tommy')
O4 - HKUS\S-1-5-21-746137067-1979792683-682003330-1007\..\Run: [tinyproxy] C:\Program Files\tinyproxy\tinyproxy1.exe (User 'Tommy')
O4 - HKUS\S-1-5-21-746137067-1979792683-682003330-1007\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Tommy')
O4 - HKUS\S-1-5-21-746137067-1979792683-682003330-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Tommy')
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Startup: LocalCooling.lnk = C:\Program Files\Uniblue\LocalCooling\localcooling2.exe
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users.WINDOWS\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Voiceglo directory - {C9B8ABB6-1CC3-4957-9CA3-053036B2EE3A} - C:\Documents and Settings\All Users.WINDOWS\Desktop\Glophone.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/bestfriends/retro64_loader.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/in...l/installer.exe
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Motorola Digital Audio Player Manager (MotorolaDAP) - Motorola Inc. - C:\WINDOWS\System32\MotorolaDAP.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 11088 bytes


#2 Grinler

Lawrence Abrams, Admin

Posted 11 June 2009 - 04:56 PM

Please visit the following link and use the instructions there to post a ComboFix log as a reply to this topic:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

After running ComboFix, please post the ComboFix log as a reply to this

#3 Quevvy

Topic Starter

Posted 12 June 2009 - 01:43 PM

ComboFix 09-06-12.01 - Michael 06/12/2009 13:08.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.223 [GMT -5:00]
Running from: c:\documents and settings\Michael\Desktop\ComboFix.exe
AV: Authentium Antivirus *On-access scanning enabled* (Updated) {A4E803B3-4E6E-4271-B1CD-56FBC0992D36}
FW: Authentium Firewall *disabled* {38254411-9AEC-4967-913E-F892C2A4DF89}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\TinyProxy
c:\windows\f49f4daa.dat
c:\windows\fmark2.dat

.
((((((((((((((((((((((((( Files Created from 2009-05-12 to 2009-06-12 )))))))))))))))))))))))))))))))
.

2009-06-12 07:57 . 2009-06-12 07:57 1886320 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS\Adobe_Downloads\GoogleToolbarInstaller_en_signed.exe
2009-06-12 07:57 . 2009-06-12 07:57 86016 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS\Adobe_Downloads\arh.exe
2009-06-12 07:57 . 2009-06-12 07:57 -------- d-----w- c:\windows\LastGood
2009-06-12 07:57 . 2009-06-12 07:57 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS
2009-06-12 07:57 . 2009-06-12 07:57 -------- d-----w- c:\program files\NOS
2009-06-11 18:57 . 2009-06-11 18:57 -------- d-sh--w- c:\documents and settings\Jacqui\IETldCache
2009-06-11 18:27 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-11 18:27 . 2009-04-30 21:22 1985024 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-06-11 18:27 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-11 18:27 . 2009-04-30 21:22 11064832 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-06-10 20:38 . 2009-06-10 20:38 -------- d-sh--w- c:\documents and settings\Dad.COCOA\IECompatCache
2009-06-10 20:26 . 2009-06-10 20:26 -------- d-----w- c:\documents and settings\Dad.COCOA\Local Settings\Application Data\Apple
2009-06-09 00:23 . 2009-06-09 00:23 -------- d-sh--w- c:\documents and settings\Dad.COCOA\PrivacIE
2009-06-09 00:23 . 2009-06-09 00:23 -------- d-----w- c:\documents and settings\Dad.COCOA\Local Settings\Application Data\AIM Toolbar
2009-06-09 00:22 . 2009-06-09 00:22 -------- d-sh--w- c:\documents and settings\Dad.COCOA\IETldCache
2009-06-08 11:47 . 2009-06-08 11:47 -------- d-----w- c:\documents and settings\Mom\Local Settings\Application Data\AIM Toolbar
2009-06-03 20:37 . 2009-06-03 20:38 -------- d-----w- c:\program files\iTunes
2009-06-03 20:27 . 2009-06-03 20:27 75048 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-02 20:42 . 2009-06-02 20:42 -------- d-sh--w- c:\documents and settings\Guest\IETldCache
2009-05-28 06:55 . 2009-05-28 06:55 -------- d-----w- c:\documents and settings\Tommy\Local Settings\Application Data\AIM Toolbar
2009-05-28 02:48 . 2009-05-28 02:48 -------- d-----w- c:\program files\Common Files\Software Update Utility
2009-05-28 02:47 . 2009-05-28 02:47 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\AIM Toolbar
2009-05-28 02:47 . 2009-05-28 02:47 -------- d-----w- c:\documents and settings\Michael\Local Settings\Application Data\AIM Toolbar
2009-05-25 20:46 . 2009-05-25 20:46 -------- d-sh--w- c:\documents and settings\Mom\PrivacIE
2009-05-25 20:45 . 2009-05-25 20:45 -------- d-sh--w- c:\documents and settings\Mom\IETldCache
2009-05-17 23:31 . 2009-05-17 23:31 -------- d-sh--w- c:\documents and settings\Tommy\PrivacIE
2009-05-17 23:30 . 2009-05-17 23:30 -------- d-sh--w- c:\documents and settings\Tommy\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-12 18:01 . 2004-04-01 04:25 -------- d-----w- c:\program files\PestPatrol
2009-06-12 08:09 . 2007-01-25 23:14 -------- d-----w- c:\program files\AIM6
2009-06-12 08:09 . 2005-08-21 15:31 -------- d-----w- c:\program files\Common Files\AOL
2009-06-12 08:09 . 2004-05-15 04:41 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Viewpoint
2009-06-12 08:09 . 2002-04-21 17:45 -------- d-----w- c:\program files\Viewpoint
2009-06-12 07:58 . 2007-01-25 23:12 164912 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\AOL Downloads\triton_suite_install_6.0.28.3\inst.exe
2009-06-12 07:58 . 2007-01-25 23:12 83504 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\AOL Downloads\triton_suite_install_6.0.28.3\ProgUpd.dll
2009-06-12 07:58 . 2007-01-25 23:12 46640 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\AOL Downloads\triton_suite_install_6.0.28.3\chckampx.dll
2009-06-12 07:58 . 2007-01-25 23:12 1082064 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\AOL Downloads\triton_suite_install_6.0.28.3\toolbar.exe
2009-06-12 07:58 . 2007-01-25 23:12 1178096 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\AOL Downloads\triton_suite_install_6.0.28.3\AIMinst.exe
2009-06-12 07:57 . 2005-10-05 22:07 -------- d-----w- c:\program files\Google
2009-06-11 20:53 . 2008-12-08 02:11 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Google Updater
2009-06-04 19:33 . 2004-05-29 01:27 291 ----a-w- c:\windows\PowerReg.dat
2009-06-04 19:28 . 2008-08-16 16:46 -------- d-----w- c:\program files\Safari
2009-06-04 19:27 . 2008-11-06 04:22 -------- d-----w- c:\program files\Roni Music
2009-06-03 20:37 . 2005-02-22 22:17 -------- d-----w- c:\program files\iPod
2009-06-03 20:37 . 2008-04-06 18:39 -------- d-----w- c:\program files\Common Files\Apple
2009-06-03 20:34 . 2005-09-17 16:14 -------- d-----w- c:\program files\QuickTime
2009-06-02 21:11 . 2005-08-13 01:30 1237 ----a-w- c:\windows\eReg.dat
2009-06-02 20:57 . 2005-08-14 22:45 -------- d-----w- c:\program files\Maxis
2009-05-30 05:19 . 2005-05-22 18:46 107600 ----a-w- c:\documents and settings\Tommy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-28 02:47 . 2004-09-25 09:58 -------- d-----w- c:\program files\AIM Toolbar
2009-05-28 02:45 . 2002-04-21 19:29 -------- d-----w- c:\program files\AIM95
2009-05-13 05:15 . 2005-10-21 18:51 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2001-08-18 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-17 12:26 . 2001-08-18 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-05-02 19:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-03-21 16:14 . 2005-04-17 20:40 107216 ----a-w- c:\documents and settings\Michael\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-19 21:32 . 2009-03-19 21:32 23400 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-19 21:32 . 2008-01-29 17:01 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2007-01-28 01:04 . 2002-04-26 22:54 19968 ----a-w- c:\program files\the alt keys.doc
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"WinMX"="c:\program files\WinMX\WinMX.exe" [2004-12-13 1069056]
"Google Update"="c:\documents and settings\Michael\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-01-15 133104]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PPMemCheck"="c:\progra~1\PESTPA~1\PPMemCheck.exe" [2003-04-19 148480]
"PestPatrol Control Center"="c:\progra~1\PESTPA~1\PPControl.exe" [2004-11-15 98304]
"CookiePatrol"="c:\progra~1\PESTPA~1\CookiePatrol.exe" [2005-01-10 73728]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]

c:\documents and settings\Michael\Start Menu\Programs\Startup\
LocalCooling.lnk - c:\program files\Uniblue\LocalCooling\localcooling2.exe [2008-2-29 5054464]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\WinMX\\WinMX.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Starcraft\\starcraft.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\AIM95\\aim.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"53:TCP"= 53:TCP:TINYPROXY

R2 MotorolaDAP;Motorola Digital Audio Player Manager;c:\windows\system32\MotorolaDAP.exe [8/18/2004 3:02 PM 270336]
R3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [1/30/2003 7:55 PM 18864]
S0 epstwnt;epstwnt;c:\windows\system32\drivers\epstwnt.mpd [5/23/2004 6:56 PM 84480]
S2 SHARSHTL;Shuttle Sharer;c:\windows\system32\drivers\Sharshtl.sys [5/23/2004 6:56 PM 18432]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [6/12/2009 2:57 AM 66048]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GETPLUS®_HELPER

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-06-12 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-08 05:17]

2009-06-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-1979792683-682003330-1008.job
- c:\documents and settings\Michael\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-15 21:07]
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-swg - c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://facebook.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AIM Toolbar Search - c:\documents and settings\All Users.WINDOWS\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-12 13:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\epstwnt]
"ImagePath"="System32\Drivers\epstwnt.mpd"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\PSGuard.com\PSGuard\P.S.Guard\License*]
"Data"="InstallTime=1c601c0:bef120a0\0d\0aLastRunTime=1c601c0:bef120a0\0d\0a"
.
Completion time: 2009-06-12 13:31
ComboFix-quarantined-files.txt 2009-06-12 18:31

Pre-Run: 18,163,392,512 bytes free
Post-Run: 19,580,301,312 bytes free

166 --- E O F --- 2009-06-11 19:09

#4 Grinler

Lawrence Abrams, Admin

Posted 12 June 2009 - 02:14 PM

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\csrss.exe
c:\documents and settings\All Users.WINDOWS\Application Data\NOS\Adobe_Downloads\arh.exe

Dirlook::
c:\documents and settings\All Users.WINDOWS\Application Data\NOS
c:\program files\NOS

Registry::
[HKEY_USERS\S-1-5-21-746137067-1979792683-682003330-1007\Software\Microsoft\Windows\CurrentVersion\Run]
"csrss"=-


Save this as the text file CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
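As an added example (not code from this thread, from HijackThis or from ComboFix), the Python script below parses O4 autostart lines like the ones in the HijackThis log above, flags a core Windows process name running from outside system32 (the C:\WINDOWS\csrss.exe entry that the CFScript above removes), and emits the matching File:: and Registry:: stanzas in the CFScript format shown. The sample lines are constructed from the posted log; the process-name list and the "must live in system32" rule are the script's own assumptions.

```python
"""Flag HijackThis O4 (autostart) entries that borrow a core Windows process
name from outside %SystemRoot%\\system32 and emit a ComboFix CFScript stanza
for them, in the File:: / Registry:: format used in this thread.

Added example, not part of the thread or of HijackThis/ComboFix. The sample
lines are constructed from the posted log; the rule set is this script's own.
"""
import re
from pathlib import PureWindowsPath
from typing import NamedTuple, Optional

# Constructed sample: O4 lines modelled on the posted log (HKUS lines carry
# the trailing "(User 'name')" annotation that HijackThis adds).
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-746137067-1979792683-682003330-1007\..\Run: [csrss] C:\WINDOWS\csrss.exe (User 'Tommy')
O4 - HKUS\S-1-5-21-746137067-1979792683-682003330-1007\..\Run: [tinyproxy] C:\Program Files\tinyproxy\tinyproxy1.exe (User 'Tommy')
O4 - HKUS\S-1-5-21-746137067-1979792683-682003330-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Tommy')
"""

# Assumption: these are started by the OS itself and live only in system32, so a
# Run-key entry using one of these names from another directory is a masquerade.
CORE_SYSTEM_PROCESSES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "spoolsv.exe",
}

HIVE_NAMES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER", "HKUS": "HKEY_USERS"}

O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+(?:\\(?:S-[0-9-]+|\.DEFAULT))?)\\\.\.\\Run: "
    r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*?)\s*(?:\(User '(?P<user>[^']*)'\))?$"
)


class RunEntry(NamedTuple):
    hive: str            # HKLM, HKCU, or HKUS\<SID> as HijackThis prints it
    name: str            # registry value name shown in [brackets]
    path: str            # image path with quotes and arguments stripped
    user: Optional[str]  # user annotation on HKUS lines, else None


def image_path(cmd: str) -> str:
    """Return the executable from a Run value: the quoted path, or text up to .exe."""
    m = re.match(r'"([^"]+)"', cmd)
    if m:
        return m.group(1)
    m = re.match(r"(.*?\.exe)(?=\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def parse_o4(log_text: str) -> list[RunEntry]:
    """Parse every O4 line in a HijackThis log into RunEntry records."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(RunEntry(m["hive"], m["name"], image_path(m["cmd"]), m["user"]))
    return entries


def is_masquerade(entry: RunEntry) -> bool:
    """True when a core system process name runs from outside \\windows\\system32."""
    p = PureWindowsPath(entry.path)
    if p.name.lower() not in CORE_SYSTEM_PROCESSES:
        return False
    return not str(p.parent).lower().endswith("\\windows\\system32")


def find_masquerades(entries: list[RunEntry]) -> list[RunEntry]:
    return [e for e in entries if is_masquerade(e)]


def registry_key(entry: RunEntry) -> str:
    """Expand the short hive (HKUS\\<SID>, HKLM, HKCU) to the full Run key name."""
    short, _, tail = entry.hive.partition("\\")
    root = HIVE_NAMES[short]
    key = f"{root}\\{tail}" if tail else root
    return f"[{key}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]"


def build_cfscript(flagged: list[RunEntry]) -> str:
    """File:: lists images for quarantine; Registry:: uses REGEDIT4 syntax,
    where "name"=- deletes the value (the form used in the script above)."""
    lines = ["File::"] + [e.path for e in flagged] + ["", "Registry::"]
    by_key: dict[str, list[str]] = {}
    for e in flagged:
        by_key.setdefault(registry_key(e), []).append(f'"{e.name}"=-')
    for key, values in by_key.items():
        lines += [key, *values, ""]
    return "\n".join(lines)


if __name__ == "__main__":
    hits = find_masquerades(parse_o4(SAMPLE_O4_LINES))
    for h in hits:
        print(f"{h.hive} [{h.name}] -> {h.path} (user {h.user})")
    print(build_cfscript(hits))
```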

#5 Quevvy

Topic Starter

Posted 12 June 2009 - 04:26 PM

ComboFix 09-06-12.02 - Michael 06/12/2009 15:57.10 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.179 [GMT -5:00]
Running from: c:\documents and settings\Michael\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Michael\Desktop\CFScript.txt
AV: Authentium Antivirus *On-access scanning enabled* (Updated) {A4E803B3-4E6E-4271-B1CD-56FBC0992D36}
FW: Authentium Firewall *disabled* {38254411-9AEC-4967-913E-F892C2A4DF89}

FILE ::
"c:\documents and settings\All Users.WINDOWS\Application Data\NOS\Adobe_Downloads\arh.exe"
"c:\windows\csrss.exe"
.

((((((((((((((((((((((((( Files Created from 2009-05-12 to 2009-06-12 )))))))))))))))))))))))))))))))
.

2009-06-12 07:57 . 2009-06-12 07:57 1886320 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS\Adobe_Downloads\GoogleToolbarInstaller_en_signed.exe
2009-06-12 07:57 . 2009-06-12 07:57 -------- d-----w- c:\windows\LastGood
2009-06-12 07:57 . 2009-06-12 07:57 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS
2009-06-12 07:57 . 2009-06-12 07:57 -------- d-----w- c:\program files\NOS
2009-06-11 18:57 . 2009-06-11 18:57 -------- d-sh--w- c:\documents and settings\Jacqui\IETldCache
2009-06-11 18:27 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-11 18:27 . 2009-04-30 21:22 1985024 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-06-11 18:27 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-11 18:27 . 2009-04-30 21:22 11064832 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-06-10 20:38 . 2009-06-10 20:38 -------- d-sh--w- c:\documents and settings\Dad.COCOA\IECompatCache
2009-06-10 20:26 . 2009-06-10 20:26 -------- d-----w- c:\documents and settings\Dad.COCOA\Local Settings\Application Data\Apple
2009-06-09 00:23 . 2009-06-09 00:23 -------- d-sh--w- c:\documents and settings\Dad.COCOA\PrivacIE
2009-06-09 00:23 . 2009-06-09 00:23 -------- d-----w- c:\documents and settings\Dad.COCOA\Local Settings\Application Data\AIM Toolbar
2009-06-09 00:22 . 2009-06-09 00:22 -------- d-sh--w- c:\documents and settings\Dad.COCOA\IETldCache
2009-06-08 11:47 . 2009-06-08 11:47 -------- d-----w- c:\documents and settings\Mom\Local Settings\Application Data\AIM Toolbar
2009-06-03 20:37 . 2009-06-03 20:38 -------- d-----w- c:\program files\iTunes
2009-06-03 20:27 . 2009-06-03 20:27 75048 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-02 20:42 . 2009-06-02 20:42 -------- d-sh--w- c:\documents and settings\Guest\IETldCache
2009-05-28 06:55 . 2009-05-28 06:55 -------- d-----w- c:\documents and settings\Tommy\Local Settings\Application Data\AIM Toolbar
2009-05-28 02:48 . 2009-05-28 02:48 -------- d-----w- c:\program files\Common Files\Software Update Utility
2009-05-28 02:47 . 2009-05-28 02:47 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\AIM Toolbar
2009-05-28 02:47 . 2009-05-28 02:47 -------- d-----w- c:\documents and settings\Michael\Local Settings\Application Data\AIM Toolbar
2009-05-25 20:46 . 2009-05-25 20:46 -------- d-sh--w- c:\documents and settings\Mom\PrivacIE
2009-05-25 20:45 . 2009-05-25 20:45 -------- d-sh--w- c:\documents and settings\Mom\IETldCache
2009-05-17 23:31 . 2009-05-17 23:31 -------- d-sh--w- c:\documents and settings\Tommy\PrivacIE
2009-05-17 23:30 . 2009-05-17 23:30 -------- d-sh--w- c:\documents and settings\Tommy\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-12 18:01 . 2004-04-01 04:25 -------- d-----w- c:\program files\PestPatrol
2009-06-12 08:09 . 2007-01-25 23:14 -------- d-----w- c:\program files\AIM6
2009-06-12 08:09 . 2005-08-21 15:31 -------- d-----w- c:\program files\Common Files\AOL
2009-06-12 08:09 . 2004-05-15 04:41 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Viewpoint
2009-06-12 08:09 . 2002-04-21 17:45 -------- d-----w- c:\program files\Viewpoint
2009-06-12 07:58 . 2007-01-25 23:12 164912 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\AOL Downloads\triton_suite_install_6.0.28.3\inst.exe
2009-06-12 07:58 . 2007-01-25 23:12 83504 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\AOL Downloads\triton_suite_install_6.0.28.3\ProgUpd.dll
2009-06-12 07:58 . 2007-01-25 23:12 46640 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\AOL Downloads\triton_suite_install_6.0.28.3\chckampx.dll
2009-06-12 07:58 . 2007-01-25 23:12 1082064 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\AOL Downloads\triton_suite_install_6.0.28.3\toolbar.exe
2009-06-12 07:58 . 2007-01-25 23:12 1178096 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\AOL Downloads\triton_suite_install_6.0.28.3\AIMinst.exe
2009-06-12 07:57 . 2005-10-05 22:07 -------- d-----w- c:\program files\Google
2009-06-11 20:53 . 2008-12-08 02:11 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Google Updater
2009-06-04 19:33 . 2004-05-29 01:27 291 ----a-w- c:\windows\PowerReg.dat
2009-06-04 19:28 . 2008-08-16 16:46 -------- d-----w- c:\program files\Safari
2009-06-04 19:27 . 2008-11-06 04:22 -------- d-----w- c:\program files\Roni Music
2009-06-03 20:37 . 2005-02-22 22:17 -------- d-----w- c:\program files\iPod
2009-06-03 20:37 . 2008-04-06 18:39 -------- d-----w- c:\program files\Common Files\Apple
2009-06-03 20:34 . 2005-09-17 16:14 -------- d-----w- c:\program files\QuickTime
2009-06-02 21:11 . 2005-08-13 01:30 1237 ----a-w- c:\windows\eReg.dat
2009-06-02 20:57 . 2005-08-14 22:45 -------- d-----w- c:\program files\Maxis
2009-05-30 05:19 . 2005-05-22 18:46 107600 ----a-w- c:\documents and settings\Tommy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-28 02:47 . 2004-09-25 09:58 -------- d-----w- c:\program files\AIM Toolbar
2009-05-28 02:45 . 2002-04-21 19:29 -------- d-----w- c:\program files\AIM95
2009-05-13 05:15 . 2005-10-21 18:51 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2001-08-18 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-17 12:26 . 2001-08-18 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-05-02 19:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-03-21 16:14 . 2005-04-17 20:40 107216 ----a-w- c:\documents and settings\Michael\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-19 21:32 . 2009-03-19 21:32 23400 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-19 21:32 . 2008-01-29 17:01 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2007-01-28 01:04 . 2002-04-26 22:54 19968 ----a-w- c:\program files\the alt keys.doc
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\All Users.WINDOWS\Application Data\NOS ----

2009-06-12 07:57 . 2009-06-12 07:57 1572226 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS\Adobe_Downloads\acrobat.com.air
2009-06-12 07:57 . 2009-06-12 07:57 1886320 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS\Adobe_Downloads\GoogleToolbarInstaller_en_signed.exe
2009-06-12 07:57 . 2009-06-12 07:57 8303545 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS\Adobe_Downloads\nos8.dat
2009-06-12 07:57 . 2009-06-12 07:59 26207815 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS\Adobe_Downloads\nos_2965.dat
2009-06-12 07:57 . 2009-06-12 07:57 1142 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS\GP_GUI_Adobe\getPlus+.gif
2009-06-12 07:57 . 2009-06-12 07:57 1824 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS\GP_GUI_Adobe\getPlus_NOSSO.gif
2009-06-12 07:57 . 2009-06-12 07:57 15404 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS\GP_GUI_Adobe\marketplace_adobe.htm
2009-06-12 07:57 . 2009-06-12 07:57 7377 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS\GP_GUI_Adobe\images\market_amp.png
2009-06-12 07:57 . 2009-06-12 07:57 48356 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS\GP_GUI_Adobe\images\nyt_banner.jpg
2009-06-12 07:57 . 2009-06-12 07:57 62380 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS\GP_GUI_Adobe\images\redwire_banner.jpg
2009-06-12 07:57 . 2009-06-12 07:57 510 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS\GP_GUI_Adobe\images\right_button_grey.png
2009-06-12 07:57 . 2009-06-12 07:57 931 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS\GP_GUI_Adobe\images\block.gif
2009-06-12 07:57 . 2009-06-12 07:57 916 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS\GP_GUI_Adobe\images\block_a.gif
2009-06-12 07:57 . 2009-06-12 07:57 1158 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS\GP_GUI_Adobe\images\button_bgr.jpg
2009-06-12 07:57 . 2009-06-12 07:57 6986 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS\GP_GUI_Adobe\images\dl_add.jpg
2009-06-12 07:57 . 2009-06-12 07:57 4666 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS\GP_GUI_Adobe\images\dl_queued.jpg
2009-06-12 07:57 . 2009-06-12 07:57 1966 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS\GP_GUI_Adobe\images\download_error.jpg
2009-06-12 07:57 . 2009-06-12 07:57 1868 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS\GP_GUI_Adobe\images\download_ok.jpg
2009-06-12 07:57 . 2009-06-12 07:57 77173 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS\GP_GUI_Adobe\images\facebook_banner.jpg
2009-06-12 07:57 . 2009-06-12 07:57 501 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS\GP_GUI_Adobe\images\left_button_grey.png
2009-06-12 07:57 . 2009-06-12 07:57 17270 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS\GP_GUI_Adobe\gui_ko.htm
2009-06-12 07:57 . 2009-06-12 07:57 20486 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS\GP_GUI_Adobe\gui_nl.htm
2009-06-12 07:57 . 2009-06-12 07:57 20120 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS\GP_GUI_Adobe\gui_no.htm
2009-06-12 07:57 . 2009-06-12 07:57 19900 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS\GP_GUI_Adobe\gui_sv.htm
2009-06-12 07:57 . 2009-06-12 07:57 16010 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS\GP_GUI_Adobe\gui_zh-hans.htm
2009-06-12 07:57 . 2009-06-12 07:57 16034 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS\GP_GUI_Adobe\gui_zh-hant.htm
2009-06-12 07:57 . 2009-06-12 07:57 66410 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS\GP_GUI_Adobe\images\adobeflashplayer_banner.jpg
2009-06-12 07:57 . 2009-06-12 07:57 64352 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS\GP_GUI_Adobe\images\adobereader_banner.jpg
2009-06-12 07:57 . 2009-06-12 07:57 819 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS\GP_GUI_Adobe\images\bar_green.gif
2009-06-12 07:57 . 2009-06-12 07:57 21106 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS\GP_GUI_Adobe\gui_fr.htm
2009-06-12 07:57 . 2009-06-12 07:57 20934 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS\GP_GUI_Adobe\gui_it.htm
2009-06-12 07:57 . 2009-06-12 07:57 17446 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS\GP_GUI_Adobe\gui_ja.htm
2009-06-12 07:57 . 2009-06-12 07:57 19898 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS\GP_GUI_Adobe\gui_en.htm
2009-06-12 07:57 . 2009-06-12 07:57 20754 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS\GP_GUI_Adobe\gui_es.htm
2009-06-12 07:57 . 2009-06-12 07:57 19548 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS\GP_GUI_Adobe\gui_fi.htm
2009-06-12 07:57 . 2009-06-12 07:57 2858 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS\GP_GUI_Adobe\getPlusPlus.css
2009-06-12 07:57 . 2009-06-12 07:57 9368 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS\GP_GUI_Adobe\getPlusPlus.js
2009-06-12 07:57 . 2009-06-12 07:57 20666 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS\GP_GUI_Adobe\gui_br.htm
2009-06-12 07:57 . 2009-06-12 07:57 20034 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS\GP_GUI_Adobe\gui_da.htm
2009-06-12 07:57 . 2009-06-12 07:57 21144 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS\GP_GUI_Adobe\gui_de.htm
2009-06-12 07:57 . 2009-06-12 07:57 1315 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS\getUninst_Adobe.dat

---- Directory of c:\program files\NOS ----

2009-06-12 07:57 . 2009-06-04 15:52 451168 ----a-w- c:\program files\NOS\bin\getPlusPlus_Adobe.exe
2009-06-12 07:57 . 2009-06-04 15:51 66048 ----a-w- c:\program files\NOS\bin\getPlus_HelperSvc.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"WinMX"="c:\program files\WinMX\WinMX.exe" [2004-12-13 1069056]
"Google Update"="c:\documents and settings\Michael\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-01-15 133104]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PPMemCheck"="c:\progra~1\PESTPA~1\PPMemCheck.exe" [2003-04-19 148480]
"PestPatrol Control Center"="c:\progra~1\PESTPA~1\PPControl.exe" [2004-11-15 98304]
"CookiePatrol"="c:\progra~1\PESTPA~1\CookiePatrol.exe" [2005-01-10 73728]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]

c:\documents and settings\Michael\Start Menu\Programs\Startup\
LocalCooling.lnk - c:\program files\Uniblue\LocalCooling\localcooling2.exe [2008-2-29 5054464]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\WinMX\\WinMX.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Starcraft\\starcraft.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\AIM95\\aim.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"53:TCP"= 53:TCP:TINYPROXY

R2 MotorolaDAP;Motorola Digital Audio Player Manager;c:\windows\system32\MotorolaDAP.exe [8/18/2004 3:02 PM 270336]
R3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [1/30/2003 7:55 PM 18864]
S0 epstwnt;epstwnt;c:\windows\system32\drivers\epstwnt.mpd [5/23/2004 6:56 PM 84480]
S2 SHARSHTL;Shuttle Sharer;c:\windows\system32\drivers\Sharshtl.sys [5/23/2004 6:56 PM 18432]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [6/12/2009 2:57 AM 66048]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GETPLUS®_HELPER

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-06-12 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-08 05:17]

2009-06-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-1979792683-682003330-1008.job
- c:\documents and settings\Michael\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-15 21:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://facebook.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AIM Toolbar Search - c:\documents and settings\All Users.WINDOWS\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-12 16:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\epstwnt]
"ImagePath"="System32\Drivers\epstwnt.mpd"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\PSGuard.com\PSGuard\P.S.Guard\License*]
"Data"="InstallTime=1c601c0:bef120a0\0d\0aLastRunTime=1c601c0:bef120a0\0d\0a"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(448)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-06-12 16:13
ComboFix-quarantined-files.txt 2009-06-12 21:12
ComboFix2.txt 2009-06-12 20:53
ComboFix3.txt 2009-06-12 18:31

Pre-Run: 19,634,110,464 bytes free
Post-Run: 19,608,121,344 bytes free

217 --- E O F --- 2009-06-11 19:09
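Triage of a ComboFix log like the one posted above normally starts by pulling the autostart entries, firewall exceptions and globally open ports out of the "Reg Loading Points" section and checking each one by hand. The following parser is an added example written for this page; it is not code from either participant in the thread or from the ComboFix tool. The sample text it parses is constructed from a handful of lines copied in shape from the log above, and the review heuristics at the end (binary runs from a user profile, firewall exception outside Program Files or Windows, any globally open port) are review prompts of my own, not verdicts about this machine.

```python
"""Extract autostart entries, firewall exceptions and globally open ports from a
ComboFix 'Reg Loading Points' section so they can be reviewed one by one.
Added example; the sample text below is constructed from lines in the posted log."""
import re
from dataclasses import dataclass

# Constructed sample in ComboFix's REGEDIT4-style layout (shape copied from the log above).
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Google Update"="c:\documents and settings\Michael\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-01-15 133104]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PPMemCheck"="c:\progra~1\PESTPA~1\PPMemCheck.exe" [2003-04-19 148480]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\WinMX\\WinMX.exe"=
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"53:TCP"= 53:TCP:TINYPROXY
"""


@dataclass
class Autostart:
    hive: str   # registry key (lower-cased) the value lives under
    name: str   # value name
    path: str   # program path exactly as ComboFix printed it
    date: str   # file timestamp ComboFix prints in brackets
    size: int   # file size in bytes


@dataclass
class OpenPort:
    port: int
    proto: str
    label: str  # name the firewall rule was registered under


RUN_RE = re.compile(r'^"([^"]+)"="([^"]+)"\s*\[(\d{4}-\d{2}-\d{2}) (\d+)\]')
APP_RE = re.compile(r'^"([^"]+)"=\s*$')
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(\S*)')


def parse_reg_loading_points(text):
    """Return (autostarts, firewall_apps, open_ports) parsed from the log text."""
    autostarts, firewall_apps, open_ports = [], [], []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()      # new registry key header
            continue
        if section.endswith("\\run"):
            m = RUN_RE.match(line)
            if m:
                autostarts.append(Autostart(section, m.group(1), m.group(2),
                                            m.group(3), int(m.group(4))))
        elif section.endswith("authorizedapplications\\list"):
            m = APP_RE.match(line)
            if m:
                # ComboFix doubles the backslashes in this section; undo that.
                firewall_apps.append(m.group(1).replace("\\\\", "\\"))
        elif section.endswith("globallyopenports\\list"):
            m = PORT_RE.match(line)
            if m:
                open_ports.append(OpenPort(int(m.group(1)), m.group(2), m.group(3)))
    return autostarts, firewall_apps, open_ports


def review(autostarts, firewall_apps, open_ports):
    """Review prompts (my heuristics, not verdicts): items a reader should check by hand."""
    notes = []
    for a in autostarts:
        low = a.path.lower()
        if low.startswith(r"c:\documents and settings") and r"\all users" not in low:
            notes.append(f"autostart '{a.name}' runs from a user profile: {a.path}")
    for p in firewall_apps:
        low = p.lower()
        if not (low.startswith(r"c:\program files") or low.startswith("%windir%")
                or low.startswith(r"c:\windows")):
            notes.append(f"firewall exception for a binary outside Program Files/Windows: {p}")
    for port in open_ports:
        notes.append(f"inbound {port.proto} {port.port} is open to all ({port.label}); "
                     f"confirm what listens there")
    return notes


if __name__ == "__main__":
    found = parse_reg_loading_points(SAMPLE_LOG)
    for note in review(*found):
        print(note)
```

Paste the real "Reg Loading Points" section in place of SAMPLE_LOG to run it over a full log; the parser ignores every line that is not a key header, a Run value, an authorized application or an open-port rule.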

#6 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,389 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:13 PM

Posted 15 June 2009 - 02:33 PM

Sorry for the delay. Log looks clean.

Download GMER Rootkit Scanner from here.
  • Extract the contents of the zipped file to the desktop.
  • Double click GMER.exe and if you are asked if you want to allow gmer.sys driver to load, please allow it to do so.
  • If it gives you a warning about rootkit activity and asks if you want to run scan, please click on NO.
  • In the right panel you will see several boxes that have been checked. Uncheck the following checkboxes:
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Now click on the Scan button and wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in ark.txt and save it to your desktop.
Please post ark.txt as a reply to this topic.

#7 Quevvy (Topic Starter)

Posted 15 June 2009 - 11:00 PM

I ran the scan and I was almost done and then a blue screen popped up (something about an error...) and the computer shut down.

There was a box that popped up once it restarted, and it said something about a Windows error and opened up this page: http://wer.microsoft.com/responses/Respons...26-fdd19743e093

Also, the lower right hand corner of the toolbar (the ...something... tray, I don't know) is not acting like it has before - it's not running as many programs in the background as before.

So, as you can see, I could not complete the scan...

#8 Grinler

Posted 16 June 2009 - 07:41 AM

Try running gmer in safe mode. Then you can save the log and post it as a reply when you reboot back into normal mode. Instructions on how to get into safe mode can be found here:

http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/

#9 Quevvy (Topic Starter)

Posted 16 June 2009 - 09:01 PM

Safe mode worked!!!

However, it said the post was too long, so I'm attaching the ark.txt file

#10 Grinler

Posted 18 June 2009 - 12:35 PM

I do not see anything else here that is cause for concern. Is it still slow after the work we have done?

#11 Quevvy (Topic Starter)

Posted 18 June 2009 - 12:58 PM

Yeah, it seems better

#12 Grinler

Posted 18 June 2009 - 06:10 PM

Then I will pronounce you clean as I do not see anything else in the logs.

Now that you're clean:

Disable and re-enable System Restore. If you are using Windows ME or XP, you should disable and re-enable System Restore to make sure there are no infected files in a restore point.

You can find instructions on how to disable and re-enable System Restore for your particular Windows version in the following tutorial:

Windows XP System Restore Guide


Re-enable System Restore using the instructions in the tutorial above.


Next,

This process will clean out your Temp files and your Temporary Internet Files. Please do both steps:

Step 1:Delete Temp Files
To clean out your temp files, click on Start and then Run, type %temp% and press the OK button.

This should open up the temp directory that your machine uses. Please delete all files that are found there. If you get an error when deleting a file, skip that file and delete all the others. If you had trouble deleting a file, reboot into Safe Mode and follow this step again. You should now be able to delete all the files.

Step 2: Delete Temporary Internet Files
Now I want you to open up Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, so do not be alarmed by how long it takes. When it is done, your Temporary Internet Files will have been deleted.

Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet


I am closing this topic. Please message a moderator if you need it reopened.

Glad I was able to help, and if there are any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BC, we also help people with other computer problems! Do not forget to tell your friends about us!



