
Google Links not working (re-directing) and random pop-ups/crashes


This topic is locked
35 replies to this topic

#1 steveh8204

steveh8204

  • Members
  • 68 posts
  • OFFLINE
  • Location:Wrexham
  • Local time:08:53 AM

Posted 08 June 2009 - 05:23 AM

About a week ago my computer started freezing on startup. It was roughly the same time I updated Zonealarm. After receiving the blue screen every time I started up with DRIVER_NOT_LESS_THAN_OR_EQUAL message I had to startup in Safe Mode.

After turning off Zonealarm it would startup normally. So with just keeping my Windows Firewall and the one installed into my router I tried to download various programs to try and clean my computer.

Several simply didn't work; the only ones that did were CCleaner and ATF Cleaner. Nothing worked.

After running a couple of Virus Scanners from my U3 Memory Stick I did manage to get rid of some junk. Trustport Antivirus and 1-2-3 Spyware Free.

These seem to have cleaned up a lot but I still have random pop-ups popping up and Google links always divert to various other sites (windowsclick.com always comes up before diverting).

There was also an executable file 6.tmp.exe in my startup which I have now disabled.

My DDS log is as follows:


DDS (Ver_09-05-14.01) - NTFSx86
Run by LAPTOPALL at 23:06:50.50 on 07/06/2009
Internet Explorer: 8.0.6001.18372
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.446.80 [GMT 1:00]

AV: COMODO Antivirus *On-access scanning enabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\ACS.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
svchost.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\LAPTOPALL\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page =
uSearch Bar =
uStart Page = hxxp://www.google.co.uk/ig?hl=en&source=iglk
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearchAssistant =
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uURLSearchHooks: H - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Idea2 SidebarBrowserMonitor Class: {45ad732c-2ce2-4666-b366-b2214ad57a49} - c:\program files\desktop sidebar\sbhelp.dll
BHO: XML Class: {500bca15-57a7-4eaf-8143-8c619470b13d} - c:\windows\system32\msxml71.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: MSN Search Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn toolbar suite\tb\02.05.0000.1082\en-gb\msntb.dll
BHO: FlashFXP Helper for Internet Explorer: {e5a1691b-d188-4419-ad02-90002030b8ee} - c:\progra~1\flashfxp\IEFlash.dll
BHO: ZoneAlarm Spy Blocker BHO: {f0d4b231-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
TB: MSN Search Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn toolbar suite\tb\02.05.0000.1082\en-gb\msntb.dll
TB: ZoneAlarm Spy Blocker: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Sony Ericsson PC Suite] "c:\program files\sony ericsson\sony ericsson pc suite\SEPCSuite.exe" /systray /nologon
uRun: [kdx] c:\windows\kdx\KHost.exe -all
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [THotkey] c:\program files\toshiba\toshiba applet\thotkey.exe
mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe
mRun: [TPSMain] TPSMain.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [PadTouch] c:\program files\toshiba\touch and launch\PadExe.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [EPSON Stylus Photo R300 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O5 "LPT1:" /M "Stylus Photo R300"
mRun: [Auto EPSON Stylus Photo R300 Series on MAIN] c:\windows\system32\spool\drivers\w32x86\3\e_s4i0f2.exe /p43 "auto epson stylus photo r300 series on main" /o14 "\\main\Printer" /M "Stylus Photo R300"
mRun: [\\HOME\EPSON Stylus Photo R300 Series] c:\windows\system32\spool\drivers\w32x86\3\e_s4i0f2.exe /p37 "\\home\EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [CFSServ.exe] CFSServ.exe -NoClient
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [DAEMON Tools-1033] "c:\program files\d-tools\daemon.exe" -lang 1033
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 4.0\apdproxy.exe"
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\laptop~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\laptop~1\startm~1\programs\startup\wkcalrem.lnk - c:\program files\common files\microsoft shared\works shared\WkCalRem.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
IE: &MSN Search - c:\program files\msn toolbar suite\tb\02.05.0000.1082\en-gb\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Open in new background tab - c:\program files\msn toolbar suite\tab\02.05.0001.1119\en-gb\msntabres.dll/229?f1bd46cfb7074b788c6380eeae16ba7e
IE: Open in new foreground tab - c:\program files\msn toolbar suite\tab\02.05.0001.1119\en-gb\msntabres.dll/230?f1bd46cfb7074b788c6380eeae16ba7e
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {40B2063F-DB01-4962-BE63-59435C01283C} - c:\progra~1\dailys~1\client.exe
IE: {49783ED4-258D-4f9f-BE11-137C18D3E543} - c:\program files\titan poker\casino.exe
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_02\bin\npjpi150_02.dll
IE: {09FE188B-6E85-479e-9411-51FB2220DF80} - {45AD732C-2CE2-4666-B366-B2214AD57A49} - c:\program files\desktop sidebar\sbhelp.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper200711281.dll
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.truprint.co.uk/TruprintActivia.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://express.foto.com/ImageUploader5.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} - hxxp://utilities.pcpitstop.com/Exterminate2/pcpitstopAntiVirus.dll
DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37500.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://www.wrexham.gov.uk/webcam/AxisCamControl.bin
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-6-7 132640]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-6-7 24096]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2009-6-7 692496]
S2 gupdate1c9b922bbc26278;Google Update Service (gupdate1c9b922bbc26278);c:\program files\google\update\GoogleUpdate.exe [2009-4-9 133104]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys --> c:\windows\system32\drivers\ggflt.sys [?]
S3 Navcar;Navman In-car Navigator USB Driver Service;c:\windows\system32\drivers\Navcar.sys [2008-10-23 30329]
S3 pmxscan;Memorex USB Kernel;c:\windows\system32\drivers\usbscan.sys [2006-7-7 15104]
S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\drivers\s0016bus.sys [2008-10-23 89256]
S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\drivers\s0016mdfl.sys [2008-10-23 15016]
S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\drivers\s0016mdm.sys [2008-10-23 120744]
S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0016mgmt.sys [2008-10-23 114216]
S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\drivers\s0016nd5.sys [2008-10-23 25512]
S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\drivers\s0016obex.sys [2008-10-23 110632]
S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\drivers\s0016unic.sys [2008-10-23 115752]

=============== Created Last 30 ================

2009-06-07 21:38 1,232 a------- c:\windows\system32\drivers\sfi.dat
2009-06-07 20:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Comodo
2009-06-07 20:47 168,208 a------- c:\windows\system32\guard32.dll
2009-06-07 20:47 132,640 a------- c:\windows\system32\drivers\cmdguard.sys
2009-06-07 20:47 24,096 a------- c:\windows\system32\drivers\cmdhlp.sys
2009-06-07 15:13 517,766 a------- C:\HaxFix.0xe
2009-06-05 20:30 224,016 -------- c:\windows\system32\tabctl32.ocx
2009-06-05 20:30 <DIR> --d----- c:\program files\Malware Immunizer
2009-06-05 16:27 115,716 a------- c:\windows\msb.exe
2009-06-03 16:57 117,252 a------- c:\windows\msa.exe
2009-06-03 16:57 207,364 a------- c:\windows\system32\msxml71.dll
2009-05-29 09:21 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-05-29 08:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PCPitstop
2009-05-29 08:30 <DIR> --d----- c:\program files\PCPitstop
2009-05-28 13:24 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-05-28 13:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-05-28 12:04 <DIR> --d----- c:\program files\Innovative Solutions
2009-05-27 16:17 <DIR> --d----- c:\documents and settings\laptopall\.housecall6.6
2009-05-27 09:57 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-05-26 18:47 <DIR> --d----- c:\program files\COMODO
2009-05-26 18:42 <DIR> --d----- c:\program files\SpywareBlaster
2009-05-12 21:42 <DIR> --d----- c:\program files\AskBarDis
2009-05-12 17:34 <DIR> --d----- C:\8ebed62a43e2bae323ab4dad49e95a

==================== Find3M ====================

2009-06-05 15:34 94,208 a------- c:\windows\DUMP47d6.tmp
2009-06-05 15:33 94,208 a------- c:\windows\DUMP47f5.tmp
2009-06-05 15:32 94,208 a------- c:\windows\DUMP48ef.tmp
2009-06-05 15:31 94,208 a------- c:\windows\DUMP495e.tmp
2009-06-02 08:25 94,208 a------- c:\windows\DUMP48e0.tmp
2009-06-02 08:24 94,208 a------- c:\windows\DUMP491e.tmp
2009-06-02 08:24 94,208 a------- c:\windows\DUMP495d.tmp
2009-06-02 08:23 94,208 a------- c:\windows\DUMP4c0c.tmp
2009-05-29 10:14 94,208 a------- c:\windows\DUMP46ec.tmp
2009-05-29 10:13 94,208 a------- c:\windows\DUMP47c8.tmp
2009-05-29 10:13 94,208 a------- c:\windows\DUMP4759.tmp
2009-05-29 10:12 94,208 a------- c:\windows\DUMP47c7.tmp
2009-05-29 10:11 94,208 a------- c:\windows\DUMP47a8.tmp
2009-05-29 10:10 94,208 a------- c:\windows\DUMP476b.tmp
2009-05-29 10:09 94,208 a------- c:\windows\DUMP4798.tmp
2009-05-29 10:09 94,208 a------- c:\windows\DUMP476a.tmp
2009-05-29 10:08 94,208 a------- c:\windows\DUMP473a.tmp
2009-05-29 10:07 94,208 a------- c:\windows\DUMP474a.tmp
2009-05-29 10:06 94,208 a------- c:\windows\DUMP47a7.tmp
2009-05-29 10:05 94,208 a------- c:\windows\DUMP4853.tmp
2009-05-29 10:05 94,208 a------- c:\windows\DUMP4a09.tmp
2009-05-29 10:04 94,208 a------- c:\windows\DUMP47b7.tmp
2009-05-29 10:03 94,208 a------- c:\windows\DUMP4769.tmp
2009-05-29 10:02 94,208 a------- c:\windows\DUMP468e.tmp
2009-05-27 13:35 94,208 a------- c:\windows\DUMP7b4a.tmp
2009-05-27 09:28 94,208 a------- c:\windows\DUMP82bc.tmp
2009-05-27 09:27 94,208 a------- c:\windows\DUMP8136.tmp
2009-05-27 09:26 94,208 a------- c:\windows\DUMP8a9c.tmp
2009-05-26 22:07 94,208 a------- c:\windows\DUMP7a6f.tmp
2009-05-26 22:00 94,208 a------- c:\windows\DUMP7fee.tmp
2009-05-26 21:31 94,208 a------- c:\windows\DUMP75eb.tmp
2009-05-26 21:29 94,208 a------- c:\windows\DUMP787b.tmp
2009-05-26 21:29 94,208 a------- c:\windows\DUMP87ec.tmp
2009-05-26 20:26 94,208 a------- c:\windows\DUMP823f.tmp
2009-05-26 20:25 94,208 a------- c:\windows\DUMP7ce0.tmp
2009-05-26 15:31 94,208 a------- c:\windows\DUMP690a.tmp
2009-05-19 15:08 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-04-29 08:01 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_ggsemc_01007.Wdf
2009-04-29 08:01 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2008-11-02 18:44 22,328 a------- c:\docume~1\laptop~1\applic~1\PnkBstrK.sys
2008-10-18 20:07 1,720 a------- c:\docume~1\laptop~1\applic~1\wklnhst.dat
2006-04-20 20:47 68,984 a------- c:\docume~1\laptop~1\applic~1\GDIPFONTCACHEV1.DAT
1999-07-18 20:05 15,716 a------- c:\windows\inf\i386\Pmxscan.sys

============= FINISH: 23:09:18.46 ===============

Sorry, forgot to add: I installed Comodo Internet Security Firewall and Antivirus yesterday, which ran a scan on install which seemed to get rid of a few.

I've been blocking svchost through the firewall, which doesn't seem to be affecting my system/internet, so I'm not sure if this is malicious or not.

And my pop-ups/redirected links go straight to the 'Internet Explorer cannot display the webpage' so I think something must have worked and be blocking some Malware.

(I would have edited original post but for some reason the Edit button wasn't working).

And also thanks in advance for any help with this!

Sorry once again I've got to reply as the edit buttons are still not working.

I also keep getting a dialogue box popping up saying Google Installer has encountered a problem even though I uninstalled this some time ago.

And another one saying msb.exe has encountered a problem and needs to close. I don't know if this is because I keep denying svchost access through my firewall or not. They both occur at different random times.

Don't know if this is helpful, just thought it might be worth mentioning.

Merged posts. ~ OB

Edited by Orange Blossom, 08 June 2009 - 11:54 AM.



#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,656 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:53 AM

Posted 08 June 2009 - 11:57 AM

Hi steveh8204,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.
  • I see on the log Ask Toolbar is installed on your computer:

    This program is known to be bundled with adware/spyware. You may read more about Ask Toolbars here:
    http://www.benedelman.org/spyware/ask-toolbars/

    To uninstall Ask Toolbar:

    Click "start" on the taskbar and then click on the "Control Panel" icon.
    Please doubleclick the "Add or Remove Programs" icon.
    A list of programs installed will be "populated"; this may take a bit of time.
    If they exist, uninstall the following by clicking on the following entries and selecting "remove":

    Ask Toolbar

    Also remove the folder in bold:
    C:\Program Files\AskBar
    c:\program files\askbardis

  • Go to start > Run, copy/paste the following lines one by one in the run box and click OK after each run.

    sc stop gupdate1c9b922bbc26278
    sc delete gupdate1c9b922bbc26278


    A window flashes; it is normal.

  • Please download Malwarebytes' Anti-Malware from one of these locations:
    malwarebytes.org
    majorgeeks.com
    • Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


  • Click here to download HijackThis Installer.
    • Save HJTInstall.exe to your Desktop.
    • Double click on the HJTInstall.exe icon to start the installation.
    • When a window pops up asking you the directory to install the program please accept the proposed default directory.
    • The program will automatically place a shortcut on your desktop and if further use of the program is required, you can click on the shortcut to run the program.
    • Please run Hijackthis. Click Do a system scan and save a logfile then copy and paste the content of the log to your reply.
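The triage Farbar does by eye on the DDS log above (spotting the Ask Toolbar folder, the orphaned toolbar entries, the extra service) can be scripted. The Python below is an added example, not code from this thread, from DDS or from HijackThis: it parses DDS-style `uRun`/`mRun`, `BHO`, `TB` and service lines and flags entries worth a second look: registry entries whose file is gone ("No File"), services DDS could not find on disk (`[?]`), autoruns given as a bare file name, and autoruns running from outside the usual install directories. `SAMPLE_LOG` is a constructed subset of lines from the first post; the heuristics and the helper names (`parse_line`, `triage_log`, `flagged`, `in_expected_location`) are this example's own. A flag means "check this file", not "this is malware": the bare `AGRSMMSG.exe` it flags is a modem driver that is also visible in the running-processes list.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a subset of lines from the DDS log in the first post
# (with the path separators the forum software dropped put back).
SAMPLE_LOG = r"""
uRun: [kdx] c:\windows\kdx\KHost.exe -all
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
BHO: XML Class: {500bca15-57a7-4eaf-8143-8c619470b13d} - c:\windows\system32\msxml71.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-6-7 132640]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys --> c:\windows\system32\drivers\ggflt.sys [?]
"""

# Line shapes used by DDS: [umd]Run autoruns, BHO/TB COM objects, R/S services.
RUN_RE = re.compile(r"^[umd]Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
COM_RE = re.compile(r"^(?P<kind>BHO|TB): (?:(?P<name>.*?): )?\{(?P<clsid>[0-9A-Fa-f-]+)\} -\s*(?P<path>.*)$")
SVC_RE = re.compile(r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);"
                    r"(?P<path>.*?)(?: --> (?P<resolved>.*?))? \[(?P<meta>[^\]]*)\]$")
# First image name in an autorun command line, quoted or not.
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.(?:exe|dll|sys|scr|cpl))"?', re.IGNORECASE)


@dataclass
class Entry:
    kind: str                      # "Run", "BHO", "TB" or "Service"
    name: str
    path: str                      # image path as logged; "" when the log shows none
    flags: List[str] = field(default_factory=list)


def in_expected_location(exe: str) -> bool:
    """Heuristic: autoruns normally live under Program Files, system32 or the Windows root."""
    directory = exe.lower().rsplit("\\", 1)[0] + "\\"
    if directory.endswith(":\\windows\\"):
        return True
    return any(m in directory for m in ("\\program files\\", "\\progra~1\\", "\\windows\\system32\\"))


def parse_line(line: str) -> Optional[Entry]:
    """Turn one DDS log line into an Entry, or None for lines from other sections."""
    line = line.strip()
    if m := RUN_RE.match(line):
        exe = EXE_RE.match(m["cmd"])
        return Entry("Run", m["name"], exe["exe"] if exe else m["cmd"])
    if m := COM_RE.match(line):
        return Entry(m["kind"], m["name"] or m["clsid"], m["path"].strip())
    if m := SVC_RE.match(line):
        entry = Entry("Service", m["name"], m["path"])
        if m["meta"].strip() == "?":            # DDS prints [?] when it cannot stat the file
            entry.flags.append("service image not found on disk ([?])")
        return entry
    return None


def triage(entry: Entry) -> Entry:
    """Attach review flags; a flag means 'look at this', not 'this is malicious'."""
    p = entry.path.lower()
    if p in ("", "no file", "(no file)"):
        entry.flags.append("orphaned entry: points at a file that no longer exists")
    elif entry.kind == "Run":
        if not re.match(r"^[a-z]:\\", p):
            entry.flags.append("bare image name: resolved through the PATH search order")
        elif not in_expected_location(entry.path):
            entry.flags.append("image outside the usual install directories: verify the file")
    return entry


def triage_log(text: str) -> List[Entry]:
    return [triage(e) for e in map(parse_line, text.splitlines()) if e]


def flagged(text: str) -> List[Entry]:
    return [e for e in triage_log(text) if e.flags]


if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(f"{e.kind:8} {e.name:40} {e.path or '-'}")
        for f in e.flags:
            print(f"{'':8} -> {f}")
```

Run against the sample it reports five entries: the `kdx` autorun in `c:\windows\kdx\`, the bare `AGRSMMSG.exe`, the two orphaned BHO/toolbar registrations, and the `ggflt` driver whose file DDS could not find. The real DDS `Created Last 30` and `Find3M` sections are not parsed here; they would need their own pattern.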


#3 steveh8204

steveh8204
  • Topic Starter

  • Members
  • 68 posts
  • OFFLINE
  •  
  • Location:Wrexham
  • Local time:08:53 AM

Posted 08 June 2009 - 12:55 PM

Hi Farbar, first of all thanks for assisting me with this matter.

I have unfortunately run 3 Anti-Spyware programs since my original post (Spyware Terminator, Malware Sweeper and Advanced Spyware Remover) which may affect my log. Sorry about this again; I will only change things as per your instruction from now on.

I was unable to uninstall Askbar as it didn't show up on the list but I did remove the askbardis folder as instructed. I ran the 2 commands also and this went through even though I had to allow the second one through my firewall twice (something to do with 'services') I hope this is ok.

I downloaded mbam-setup but when I double clicked it nothing happened. I have had this several times in the last week as someone else suggested running this program.

I then ran Hijackthis and the log is as follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:47:43, on 6/8/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\PROGRA~1\Crawler\Toolbar\CToolbar.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\LAPTOPALL\Desktop\mbam-setup.exe
C:\Downloads\Programs\Security\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en&source=iglk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O5 "LPT1:" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R300 Series on MAIN] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P43 "Auto EPSON Stylus Photo R300 Series on MAIN" /O14 "\\MAIN\Printer" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [\\HOME\EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P37 "\\HOME\EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - HKCU\..\Run: [Malware Sweeper] C:\Program Files\MalwareSweeper.com\MalwareSweeper\MalSwep.exe
O4 - HKCU\..\Run: [SpywareTerminatorUpdate] "C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: WKCALREM.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll/search.htm
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-gb\msntabres.dll/229?f1bd46cfb7074b788c6380eeae16ba7e
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-gb\msntabres.dll/230?f1bd46cfb7074b788c6380eeae16ba7e
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Daily Star Poker - {40B2063F-DB01-4962-BE63-59435C01283C} - C:\PROGRA~1\DAILYS~1\client.exe
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\lspsju.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.truprint.co.uk/TruprintActivia.cab
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://express.foto.com/ImageUploader5.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/...can8/oscan8.cab
O16 - DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} (PCPitstop AntiVirus) - http://utilities.pcpitstop.com/Exterminate...opAntiVirus.dll
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37500.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.wrexham.gov.uk/webcam/AxisCamControl.bin
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

--
End of file - 14192 bytes

Like I said before, I will now leave it be until instructed, and thanks again for your help.

#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,656 posts
  • Gender:Male
  • Location:The Netherlands

Posted 08 June 2009 - 01:42 PM

Thanks for the feedback.
  • Please open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below (if present):

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    R3 - URLSearchHook: (no name) - - (no file)
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe


    Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

  • Please rename the mbam-setup to steve.exe, then double-click steve.exe to install it and proceed with the rest of the instructions on running MBAM.

  • Please make a program list with HijackThis:
    ◦ Open HijackThis and click Open the Misc Tools section.
    ◦ Click "Open Uninstall Manager".
    ◦ Click "Save List" (generates uninstall_list.txt).
    ◦ Click Save, then copy and paste the results in your next post.

Edited by farbar, 08 June 2009 - 01:43 PM.
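As an added example (not code from this thread, from HijackThis or from Malwarebytes), a small Python triage of HijackThis-style entries over constructed sample lines modelled on the log posted above: it picks out the same kinds of entries the helper asked to have fixed, registry entries whose target is "(no file)", plus the broken O10 LSP entry and O23 services with an unknown owner, and lists the O4 Run keys so they can be reviewed one by one.

```python
"""Triage helper for HijackThis-style log entries.

Added example: the sample lines below are constructed from the entry formats
seen in this thread's log; this is not code from the thread or from HijackThis.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample entries (formats copied from the log posted above).
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Malware Sweeper] C:\Program Files\MalwareSweeper.com\MalwareSweeper\MalSwep.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\lspsju.dll' missing
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
""".strip()

# Every entry is "<section> - <body>", e.g. "O4 - HKCU\..\Run: [name] command".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# O4 bodies: "<hive>\..\Run: [<value name>] <command>", optionally followed by
# a "(User '...')" suffix for per-user hives.
RUN_RE = re.compile(r"^(?P<hive>HK\S*?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
USER_SUFFIX_RE = re.compile(r"\s+\(User '[^']*'\)$")


@dataclass
class Entry:
    section: str
    body: str
    flags: list = field(default_factory=list)


def parse_entry(line):
    """Parse one log line; returns None for headers, blank lines and prose."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    e = Entry(m["section"], m["body"])
    if e.body.endswith("(no file)"):
        # The registry still references a file that is gone: these orphaned
        # entries are exactly what the helper asked to have fixed.
        e.flags.append("orphan")
    if e.section == "O10" and e.body.endswith("missing"):
        e.flags.append("broken-lsp")  # a missing Winsock LSP DLL breaks networking
    if e.section == "O23" and " - Unknown owner - " in e.body:
        e.flags.append("unknown-owner")  # service with no vendor name to verify
    return e


def triage(log_text):
    """Return (all entries, entries carrying at least one flag), in log order."""
    entries = [e for e in map(parse_entry, log_text.splitlines()) if e]
    return entries, [e for e in entries if e.flags]


def run_entries(entries):
    """(hive, value name, command) for each O4 Run entry, user suffix removed."""
    out = []
    for e in entries:
        m = RUN_RE.match(e.body) if e.section == "O4" else None
        if m:
            out.append((m["hive"], m["name"], USER_SUFFIX_RE.sub("", m["cmd"])))
    return out


def section_counts(entries):
    """How many entries each HijackThis section (R3, O4, O23, ...) contributed."""
    return Counter(e.section for e in entries)


if __name__ == "__main__":
    entries, flagged = triage(SAMPLE_LOG)
    print(dict(section_counts(entries)))
    for e in flagged:
        print(f"{','.join(e.flags):>14}  {e.section} - {e.body}")
    for hive, name, cmd in run_entries(entries):
        print(f"Run  {hive}  [{name}] -> {cmd}")
```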


#5 steveh8204

steveh8204
  • Topic Starter

  • Members
  • 68 posts
  • Location:Wrexham

Posted 08 June 2009 - 04:18 PM

Right, I've got rid of the 4 entries in HijackThis and renamed MBsetup.exe, and it seems to have installed (it took ages at one point and looked like it had crashed), but after completing the 'Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.' stage the box disappeared and nothing happened. I've waited ten minutes and nothing.

This was after uninstalling the first failed install, then running CCleaner to clean the registry, then restarting the computer, then re-installing.

Here however is the log from the last step:

Ad-Aware
Adobe Common File Installer
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Help Center 2.0
Adobe Photoshop CS2
Adobe Photoshop Elements 4.0
Adobe Reader 7.0.5
Adobe Stock Photos 1.0
Advanced Spyware Remover Free Edition
Alt-Tab Task Switcher Powertoy for Windows XP
Atheros Client Utility
Atheros Wireless LAN MiniPCI card Driver
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Audacity 1.2.6
Betfair Poker
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window DSLR 5 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
CANON iMAGE GATEWAY Task for ZoomBrowser EX
Canon Internet Library for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities PhotoStitch 3.1
Canon ZoomBrowser EX (E)
CCleaner (remove only)
CD/DVD Drive Acoustic Silencer
coverXP (remove only)
Crawler Toolbar with Web Security Guard
Critical Update for Windows Media Player 11 (KB959772)
DAEMON Tools
DECAdry Free Grids for Word XP
Desktop Sidebar
DivX Converter
DivX Player
DivX Web Player
DVD Shrink 3.2
DVD-RAM Driver
Easy Media Cover (Standard Edition) : v1.5.0
EPSON CardMonitor
EPSON PhotoQuicker3.5
EPSON PhotoStarter3.1
EPSON Print CD
EPSON PRINT Image Framer Tool2.1
EPSON Printer Software
ESPR300 Software Guide
FlashFXP v3
Google Earth
Google Update Helper
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB895200)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
InterVideo WinDVD for TOSHIBA
J2SE Runtime Environment 5.0 Update 2
Macromedia Flash Player
Malware Sweeper 2.3.0.1
Malwarebytes' Anti-Malware
Memorex 6136 U Scanner Driver
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Windows Media Video 9 VCM
Microsoft Works
MSN
MSN Search Toolbar
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
Nero 7 Ultra Edition
PKR
PokerStars
PowerDVD
QuickTime
RealPlayer
Realtek AC'97 Audio
REALTEK Gigabit and Fast Ethernet NIC Driver
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
ScanToWeb
SCRABBLE Blast Deluxe
Scrabble Deluxe
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
SmartCamera Ver 2.1
SmartSound Quicktracks Plugin
Sony Ericsson Bluetooth Remote Control 2.30
Sony Ericsson PC Suite 4.010.00
Sony Ericsson Themes Creator 3.29
Spyware Terminator
SpywareBlaster 4.2
SVCD2DVD 2.0
Synaptics Pointing Device Driver
Titan Poker
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Hotkey Utility
TOSHIBA Manuals
TOSHIBA PC Diagnostic Tool
TOSHIBA Power Saver
TOSHIBA Software Modem
TOSHIBA TouchPad ON/Off Utility
TOSHIBA Utilities
TOSHIBA Virtual Sound
TOSHIBA Zooming Utility
Touch and Launch
Update for Windows Internet Explorer 8 (KB961813)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB900930)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update Service
USB PC Camera (SN9C102)
VC 9.0 Runtime
VC 9.0 Runtime
Windows Genuine Advantage v1.3.0254.0
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 8 Release Candidate 1
Windows Live Messenger
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885855
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB889673
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
ZoneAlarm Spy Blocker

#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,656 posts
  • Gender:Male
  • Location:The Netherlands

Posted 08 June 2009 - 05:08 PM

Thanks for the feedback. You have done a good job. :thumbup2:

"then running CCleaner to clean the registry"

Please avoid using registry cleaners or any other program unless requested. It might prolong handling the log or even leave us with an unbootable computer. If a system file is removed but the registry entry is still there, we can fix it easily even if the computer doesn't boot. But removing that particular empty entry makes our work much more difficult, as we have to both restore the file and repair the registry.

The malware is blocking MBAM from running. When you face any problem, there is no need to spend much time on it. Just post back, as you don't need to reinvent the wheel. :)
  • I see the ZoneAlarm Spyblocker toolbar, and this is not highly recommended. See here to find out why.

    I recommend you uninstall the ZoneAlarm Spyblocker toolbar.

  • Using Windows Explorer (right-click start > Explorer) navigate to the following folder: C:\Program Files\Malwarebytes' Anti-Malware
  • Locate the file mbam.exe and rename it to clear.exe, then double-click it to run it.
  • Wait until it opens up.
  • Update it. When you get the message that it has updated successfully, check under the Update tab that the Database version reads 2249 or above.
  • Run a quick scan. Let it remove what it finds by checking all the found items, let it reboot if needed, and copy/paste the log into your reply.
  • In case it does not run after completing the update, go to the same folder again. There is mbam.exe; rename it to clear2.exe, open it and run a quick scan.
Note: The logs are saved by default under the Logs tab. If the log did not automatically open after the reboot, you can obtain the latest log from there.

#7 steveh8204

steveh8204
  • Topic Starter

  • Members
  • 68 posts
  • Location:Wrexham

Posted 09 June 2009 - 04:48 PM

Right, I've followed the advice and managed to get mbam-setup to run, update and scan.

After asking me to boot, I noticed the following.

My firewall (Comodo) asked me if I wanted to allow the following:
SpywareTerminatorUpdate.exe (should I uninstall this?)
Explorer.exe

As I wasn't sure, I blocked both. I also still get a box popping up saying 'Google Installer encountered a problem and needs to close', even though I uninstalled it ages ago.

Also, when I open Internet Explorer a box pops up saying the program closed unexpectedly last time (even though it didn't) and asking whether I want to go to the homepage or re-open the last web pages (or words to that effect); if I choose the latter, loads of pop-up windows fill up the screen with all different (junk) websites.

That's all I have done (no tampering with the registry this time :thumbup2: ) and below is the log from Malwarebytes.

On a plus note my google links seem to be working fine again. So we've had some success!!

Once again thanks for your continuing help.

Malwarebytes' Anti-Malware 1.37
Database version: 2255
Windows 5.1.2600 Service Pack 2

6/9/2009 22:09:19
mbam-log-2009-06-09 (22-09-19).txt

Scan type: Quick Scan
Objects scanned: 100498
Time elapsed: 10 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 47
Registry Values Infected: 3
Registry Data Items Infected: 3
Folders Infected: 8
Files Infected: 45

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{343ce214-9998-4b21-a151-ffe970167297} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{1dec989a-8b5a-4032-903a-50b1e071b77b} (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{01b3b657-e7bf-4936-bf6e-c1cff3aaf0dd} (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{34196f64-c524-4ae3-8572-0ae00843ef54} (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{376193bc-493c-4b19-ac30-32ff54225ee7} (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{453c3579-3a18-4b7e-8e11-abf856dfa67e} (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b3f969a7-6c91-4594-a418-a042cce8be07} (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{bc3ce04b-b40b-481d-855f-f1165d4554d0} (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{be641acd-9500-4ea8-b7cc-2534c95eb5d3} (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{c08cd4e6-ed0c-499b-a86a-23addf8f41be} (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d994b6d8-32bf-4b39-afa6-a5701087dca4} (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e6395f5e-8e54-4392-8bce-d433fb0b695e} (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{6b10aa55-a6c1-4dc1-a3a2-bf29b8609575} (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{545ff516-2988-4011-b624-d15cdfbed726} (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{649a8636-c032-43a7-900a-e5a10ccece0e} (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8e8c12ea-f69f-41b5-95f4-98fb0423a05a} (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{baa595e3-f6a6-492a-bc15-9a0f88dce8b9} (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{c16cb848-655a-4695-be7a-af50b9fa4f13} (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{de07e8e2-ba1b-42c2-8bc0-5ac730e0d624} (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{dee3cc26-fadc-4875-b9b1-8eb1a71f5449} (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e9f71018-d1f1-45f3-8872-c9eaa2d52214} (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f58fd645-2555-46c2-9842-b826f1a39838} (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f5be064c-7d8a-4253-940d-3de6a538fdbf} (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{03cc8261-49cc-4a09-bdc8-a1d81f88a6f5} (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{060f103a-fa2d-45d0-8b1c-4e71d111aed6} (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0879b92f-d3dc-4835-a134-83969a12af73} (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3064afbf-23b5-4794-a1d7-3c0d5188bead} (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{653d3ff4-3c82-4248-be3f-24dbd8f48142} (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7be57914-454f-4149-bb0e-054194e64693} (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8a0be755-6bc0-4298-b51d-5f94b93357b7} (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{914a80e6-94b7-4b42-a31b-2fde6abd0411} (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a0df63d4-3c61-4fa8-ae92-aa4b3f794024} (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{acb2da47-50b3-4d4b-ae48-703531a91f94} (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{bb044f38-e542-423b-9701-8d31957bd0ac} (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d593aff0-9f4f-4e7d-886b-11e1bc63b98c} (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{eec98240-0748-44fc-89f4-cb9216459e1f} (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{fb03e1ad-6946-4cf9-a2cb-d5c53dcf9583} (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\WinPC Antivirus (Rogue.WinPCAntivirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Cognac (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\engine.backupengine (Rogue.AntiSpyKit) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Malware Sweeper_is1 (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Malware Sweeper (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ColdWare (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\malware sweeper (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\don't load\scui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\don't load\wscui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
c:\documents and settings\All Users\Start Menu\Programs\MalwareSweeper.com (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\malwaresweeper.com\Malware Sweeper (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
C:\Program Files\MalwareSweeper.com\MalwareSweeper (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
c:\program files\malwaresweeper.com\malwaresweeper\Patches (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
c:\documents and settings\Administrator\Application Data\PCenter (Rogue.PCenter) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\application data\PCenter\dbases (Rogue.PCenter) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\application data\PCenter\keys (Rogue.PCenter) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\application data\PCenter\temp (Rogue.PCenter) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\msb.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\md5.dll (Rogue.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\malwaresweeper.com\Malware Sweeper.lnk (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\malwaresweeper.com\malware sweeper\Help.lnk (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\malwaresweeper.com\malware sweeper\Uninstall.lnk (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
c:\program files\malwaresweeper.com\malwaresweeper\agent.exe (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
c:\program files\malwaresweeper.com\malwaresweeper\Alert.swf (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
c:\program files\malwaresweeper.com\malwaresweeper\browse.swf (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
c:\program files\malwaresweeper.com\malwaresweeper\db.ini (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
c:\program files\malwaresweeper.com\malwaresweeper\DB1.ms1 (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
c:\program files\malwaresweeper.com\malwaresweeper\DB2.MS1 (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
c:\program files\malwaresweeper.com\malwaresweeper\Def1.ms1 (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
c:\program files\malwaresweeper.com\malwaresweeper\Def2.ms1 (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
c:\program files\malwaresweeper.com\malwaresweeper\Engine.dll (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
c:\program files\malwaresweeper.com\malwaresweeper\English.inf (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
c:\program files\malwaresweeper.com\malwaresweeper\English.jpg (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
c:\program files\malwaresweeper.com\malwaresweeper\Errors.txt (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
c:\program files\malwaresweeper.com\malwaresweeper\Help.chm (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
c:\program files\malwaresweeper.com\malwaresweeper\Main.skn (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
c:\program files\malwaresweeper.com\malwaresweeper\Main.swf (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
c:\program files\malwaresweeper.com\malwaresweeper\MalSwep.exe (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
c:\program files\malwaresweeper.com\malwaresweeper\Message.swf (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
c:\program files\malwaresweeper.com\malwaresweeper\Scan Session.txt (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
c:\program files\malwaresweeper.com\malwaresweeper\scan.swf (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
c:\program files\malwaresweeper.com\malwaresweeper\Splash.spl (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
c:\program files\malwaresweeper.com\malwaresweeper\Trial.swf (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
c:\program files\malwaresweeper.com\malwaresweeper\unins000.dat (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
c:\program files\malwaresweeper.com\malwaresweeper\unins000.exe (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
c:\program files\malwaresweeper.com\malwaresweeper\update.cli (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
c:\program files\malwaresweeper.com\malwaresweeper\update.exe (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
c:\program files\malwaresweeper.com\malwaresweeper\Patches\mwswfr.exe (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\application data\PCenter\dbases\mw.dat (Rogue.PCenter) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\application data\PCenter\dbases\rd.dat (Rogue.PCenter) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\application data\PCenter\dbases\sc.dat (Rogue.PCenter) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\application data\PCenter\dbases\sm.dat (Rogue.PCenter) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\application data\PCenter\keys\cg.key (Rogue.PCenter) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\application data\PCenter\keys\rd.key (Rogue.PCenter) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\application data\PCenter\keys\sc.key (Rogue.PCenter) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\application data\PCenter\keys\sp.key (Rogue.PCenter) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\application data\PCenter\temp\settings.ini (Rogue.PCenter) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\application data\PCenter\temp\spfilter (Rogue.PCenter) -> Quarantined and deleted successfully.
C:\WINDOWS\msa.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
c:\WINDOWS\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

#8 steveh8204

steveh8204
  • Topic Starter

  • Members
  • 68 posts
  • Location:Wrexham
  • Local time:08:53 AM

Posted 09 June 2009 - 04:51 PM

Oh also some of my icons in the task bar seem to disappear and reappear on different restarts. My firewall (Comodo) is an example, I know it's running because the box comes up now and again and also the running processes in the task manager that should be running are. It just seems weird how they come and go. Could this be related to the problem?

#9 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,656 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:53 AM

Posted 09 June 2009 - 05:25 PM

SpywareTerminatorUpdate.exe (should I uninstall this?)


You either uninstall it.


We will take care of the Google updater/installer; I removed the service, and it phoned home and installed a new service.
All the appearing and disappearing icons are related to the malware and the process of removing them.

Note: Run Combofix without renaming. If it didn't run change the name to steve.exe and run it.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

#10 steveh8204

steveh8204
  • Topic Starter

  • Members
  • 68 posts
  • Location:Wrexham
  • Local time:08:53 AM

Posted 10 June 2009 - 03:59 PM

Right, I've had a bit of a mare trying to turn off Comodo Internet Security while Combofix runs. Even when the taskbar icon did show up and I right-clicked to close, Combofix would tell me it was still running. The only way I could ensure it wasn't running was to uninstall it.

I was a bit worried about running without a firewall but I had to so Combofix could download the recovery console. I re-installed it afterwards to get back on the web and post this. I hope this is ok, I know you recommended against install/uninstalling during the process.

Anyway a screen popped up midway through Combofix mentioning several items it had removed and to note them down before the reset. To save writing them all I took a quick pic with my phone. If these weren't included in the log and you need them you'll have to let me know.

Also I've noticed the Google links have gone again. I've noticed I can tell just by looking as the text in Google (for the search results) is bigger than it should be. When it went back to normal it was the correct, smaller size. Also after I reset after re-installing the firewall I've blocked svchost again a couple of times.

I'm not sure if this is too much information but wasn't sure what was relevant and what wasn't.

Anyway below is the log and thanks once again for all your invaluable help which I am very grateful for:

ComboFix 09-06-09.06 - LAPTOPALL 06/10/2009 21:18.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.446.153 [GMT 1:00]
Running from: c:\documents and settings\LAPTOPALL\Desktop\Steve.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\UACppekdjttmllapjc.sys
c:\windows\system32\UACbsrjymftakkcfkk.log
c:\windows\system32\UAChibpntjkpqvywxj.dat
c:\windows\system32\uacinit.dll
c:\windows\system32\UAClqgwylippwvhwys.dll
c:\windows\system32\UACopookxlqbsprfil.log
c:\windows\system32\UACtbjixejjlgunsxp.dll
c:\windows\system32\UACtpedodhidumsuvj.dll
c:\windows\system32\UACusdwyacbpvpksus.dll
c:\windows\system32\UACwbwqqowuynmspkr.log
c:\windows\system32\UACwxemdoelkglojxs.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-05-10 to 2009-06-10 )))))))))))))))))))))))))))))))
.

2009-06-10 19:11 . 2009-06-10 19:14 -------- d-----w- C:\32788R22FWJFW.0.tmp
2009-06-09 20:32 . 2009-06-09 20:32 -------- d-----w- c:\docume~1\LAPTOP~1\APPLIC~1\Malwarebytes
2009-06-09 19:53 . 2009-05-26 12:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-09 19:53 . 2009-06-09 20:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-09 19:53 . 2009-06-09 19:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-09 19:53 . 2009-05-26 12:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-08 16:21 . 2009-06-08 16:21 -------- d-----w- c:\program files\Advanced Spyware Remover
2009-06-08 16:17 . 2009-06-09 21:09 -------- d-----w- c:\program files\MalwareSweeper.com
2009-06-08 16:12 . 2004-05-11 09:56 423784 ----a-w- c:\windows\system32\XceedBkp.dll
2009-06-08 16:12 . 2003-11-19 13:59 512688 ----a-w- c:\windows\system32\XceedCry.dll
2009-06-08 16:12 . 2000-07-15 05:00 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
2009-06-07 21:06 . 2009-06-07 21:06 -------- d-----w- c:\documents and settings\LAPTOPALL\Local Settings\Application Data\COMODO
2009-06-07 20:38 . 2009-06-10 20:02 1664 ----a-w- c:\windows\system32\drivers\sfi.dat
2009-06-05 19:30 . 2009-06-07 21:12 -------- d-----w- c:\program files\Malware Immunizer
2009-06-05 15:40 . 2009-06-05 18:58 -------- d-----w- c:\windows\BDOSCAN8
2009-05-29 08:21 . 2009-05-29 08:21 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-05-29 07:31 . 2009-06-06 16:46 -------- d-----w- c:\documents and settings\All Users\Application Data\PCPitstop
2009-05-29 07:30 . 2009-06-07 21:11 -------- d-----w- c:\program files\PCPitstop
2009-05-28 12:24 . 2009-06-08 15:14 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-05-28 12:24 . 2009-06-08 15:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-28 12:23 . 2007-10-23 08:27 110592 ----a-w- c:\documents and settings\Administrator\Application Data\U3\temp\cleanup.exe
2009-05-28 12:18 . 2009-05-28 12:18 108544 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-28 11:07 . 2008-05-02 09:41 3493888 ---ha-w- c:\documents and settings\Administrator\Application Data\U3\temp\Launchpad Removal.exe
2009-05-28 11:07 . 2009-05-29 19:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2009-05-28 11:04 . 2009-05-28 11:04 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Innovative Solutions
2009-05-28 11:04 . 2009-05-28 11:04 -------- d-----w- c:\program files\Innovative Solutions
2009-05-28 10:48 . 2009-05-28 10:48 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-05-28 10:48 . 2009-05-28 10:48 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-05-27 15:17 . 2009-05-27 15:26 -------- d-----w- c:\documents and settings\LAPTOPALL\.housecall6.6
2009-05-27 08:57 . 2009-05-27 15:17 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-05-26 17:47 . 2009-06-10 20:03 -------- d-----w- c:\program files\COMODO
2009-05-26 17:42 . 2009-05-26 17:42 -------- d-----w- c:\program files\SpywareBlaster
2009-05-12 16:34 . 2009-05-12 16:34 -------- d-----w- C:\8ebed62a43e2bae323ab4dad49e95a

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-10 20:28 . 2007-04-25 14:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki
2009-06-08 16:43 . 2008-02-18 22:02 -------- d-----w- c:\program files\www.freewordexcelpassword.com
2009-06-08 10:31 . 2008-11-21 19:33 -------- d-----w- c:\docume~1\LAPTOP~1\APPLIC~1\U3
2009-06-07 21:09 . 2006-04-07 20:15 -------- d-----w- c:\program files\Google
2009-06-07 21:08 . 2005-09-02 15:10 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-07 21:07 . 2006-03-05 21:26 -------- d-----w- c:\program files\Absolute MP3 Splitter
2009-06-07 19:26 . 2006-01-28 18:30 -------- d-----w- c:\program files\WinAVI VideoConverter
2009-06-05 15:09 . 2009-03-20 10:16 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-05 14:34 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP47d6.tmp
2009-06-05 14:33 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP47f5.tmp
2009-06-05 14:32 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP48ef.tmp
2009-06-05 14:31 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP495e.tmp
2009-06-02 07:25 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP48e0.tmp
2009-06-02 07:24 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP491e.tmp
2009-06-02 07:24 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP495d.tmp
2009-06-02 07:23 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP4c0c.tmp
2009-05-29 09:14 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP46ec.tmp
2009-05-29 09:13 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP47c8.tmp
2009-05-29 09:13 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP4759.tmp
2009-05-29 09:12 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP47c7.tmp
2009-05-29 09:11 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP47a8.tmp
2009-05-29 09:10 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP476b.tmp
2009-05-29 09:09 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP4798.tmp
2009-05-29 09:09 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP476a.tmp
2009-05-29 09:08 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP473a.tmp
2009-05-29 09:07 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP474a.tmp
2009-05-29 09:06 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP47a7.tmp
2009-05-29 09:05 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP4853.tmp
2009-05-29 09:05 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP4a09.tmp
2009-05-29 09:04 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP47b7.tmp
2009-05-29 09:03 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP4769.tmp
2009-05-29 09:02 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP468e.tmp
2009-05-27 12:35 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP7b4a.tmp
2009-05-27 12:19 . 2007-04-09 17:26 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-27 08:28 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP82bc.tmp
2009-05-27 08:27 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP8136.tmp
2009-05-27 08:26 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP8a9c.tmp
2009-05-26 21:07 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP7a6f.tmp
2009-05-26 21:00 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP7fee.tmp
2009-05-26 20:31 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP75eb.tmp
2009-05-26 20:29 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP787b.tmp
2009-05-26 20:29 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP87ec.tmp
2009-05-26 19:26 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP823f.tmp
2009-05-26 19:25 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP7ce0.tmp
2009-05-26 14:31 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP690a.tmp
2009-05-19 14:08 . 2006-01-05 16:05 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-04-29 11:13 . 2009-03-06 21:02 -------- d-----w- c:\program files\PokerStars
2009-04-29 07:01 . 2009-04-29 07:01 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ggsemc_01007.Wdf
2009-04-29 07:01 . 2009-04-29 07:01 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-04-29 06:57 . 2006-09-08 21:04 -------- d-----w- c:\program files\Sony Ericsson
2009-04-28 18:38 . 2009-04-28 18:38 -------- d-----w- c:\docume~1\LAPTOP~1\APPLIC~1\uniblue
2009-04-28 18:34 . 2009-04-28 18:34 -------- d-----w- c:\program files\Uniblue
2009-04-28 18:32 . 2005-12-16 19:12 108544 ----a-w- c:\documents and settings\LAPTOPALL\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-28 18:20 . 2007-04-25 14:59 -------- d-----w- c:\program files\Kontiki
2009-04-28 18:06 . 2009-04-28 18:06 -------- d-----w- c:\program files\MSBuild
2009-04-28 18:06 . 2009-04-28 18:06 -------- d-----w- c:\program files\Reference Assemblies
2009-04-28 17:38 . 2009-04-28 17:38 -------- d-----w- c:\program files\MSXML 6.0
2009-04-20 18:54 . 2006-01-15 12:59 -------- d-----w- c:\program files\FlashFXP
2009-04-05 17:37 . 2009-04-05 17:37 40 ----a-w- c:\windows\ujf635.bin
2009-03-20 10:32 . 2008-10-17 11:59 4175441 ----a-w- c:\windows\Internet Logs\tvDebug.zip
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2008-07-02 393216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-11 339968]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-14 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-14 688218]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2005-04-25 339968]
"Tvs"="c:\program files\TOSHIBA\Tvs\TvsTray.exe" [2005-04-05 73728]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-11 118784]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-11-17 1077327]
"EPSON Stylus Photo R300 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE" [2003-09-11 99840]
"Auto EPSON Stylus Photo R300 Series on MAIN"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE" [2003-09-11 99840]
"\\HOME\EPSON Stylus Photo R300 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE" [2003-09-11 99840]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-01-28 155648]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 57344]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-22 81920]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2005-04-12 88358]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2005-01-21 266240]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2004-08-04 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\LAPTOPALL\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
WKCALREM.LNK - c:\program files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2004-6-24 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2007-1-14 155648]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"TOSCDSPD"=c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe"
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"CFSServ.exe"=CFSServ.exe -NoClient
"NDSTray.exe"=NDSTray.exe
"Ulead Quick-Drop"="c:\program files\Ulead Systems\Ulead DVD MovieFactory 5 Plus\Ulead DVD MovieFactory 5\Quick-Drop.exe" WINDOWCALL
"snpstd"=c:\windows\vsnpstd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0"
"UpdatesDisableNotify"="0"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\FlashFXP\\flashfxp.exe"= c:\\Program Files\\FlashFXP\\FlashFXP.exe
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\DRIVERS\ggflt.sys --> c:\windows\system32\DRIVERS\ggflt.sys [?]
S3 Navcar;Navman In-car Navigator USB Driver Service;c:\windows\system32\drivers\Navcar.sys [10/23/2008 22:13 30329]
S3 pmxscan;Memorex USB Kernel;c:\windows\system32\drivers\usbscan.sys [7/7/2006 12:33 15104]
S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\drivers\s0016bus.sys [10/23/2008 22:31 89256]
S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\drivers\s0016mdfl.sys [10/23/2008 22:31 15016]
S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\drivers\s0016mdm.sys [10/23/2008 22:31 120744]
S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0016mgmt.sys [10/23/2008 22:31 114216]
S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\drivers\s0016nd5.sys [10/23/2008 22:31 25512]
S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\drivers\s0016obex.sys [10/23/2008 22:31 110632]
S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\drivers\s0016unic.sys [10/23/2008 22:31 115752]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-10 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-04-09 14:48]

2009-06-10 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-09 14:50]

2009-06-10 c:\windows\Tasks\User_Feed_Synchronization-{B1AA1081-2C11-4DDD-AECC-3B6C97BEBFFE}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 02:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/ig?hl=en&source=iglk
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE: &MSN Search - c:\program files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Open in new background tab - c:\program files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-gb\msntabres.dll/229?f1bd46cfb7074b788c6380eeae16ba7e
IE: Open in new foreground tab - c:\program files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-gb\msntabres.dll/230?f1bd46cfb7074b788c6380eeae16ba7e
IE: {{40B2063F-DB01-4962-BE63-59435C01283C} - c:\progra~1\DAILYS~1\client.exe
DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} - hxxp://utilities.pcpitstop.com/Exterminate2/pcpitstopAntiVirus.dll
DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37500.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-10 21:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3837644272-3011574939-2102597243-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B18D88A0-832A-6AF1-4FDE-BA7E61D88448}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"jaejmlniphghhkdmffef"=hex:6b,61,63,69,6b,6e,62,63,66,69,67,6a,6e,61,6d,67,6b,
64,6f,63,67,69,00,00
"iaoikhcdfjachlpeho"=hex:6b,61,63,69,6b,6e,62,63,66,69,67,6a,6e,61,6d,67,6b,64,
6f,63,67,69,00,7c
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(640)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-06-10 21:32
ComboFix-quarantined-files.txt 2009-06-10 20:32

Pre-Run: 14,520,242,176 bytes free
Post-Run: 14,679,015,424 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /TUTag=T3BEV8 /Kernel=TUKernel.exe
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional (TuneUp Backup)" /noexecute=optin /fastdetect /TUTag=T3BEV8-BAK

257 --- E O F --- 2009-05-12 19:01
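
A defender reading a ComboFix log like the one above usually wants two things pulled out automatically: the randomly named UAC* files removed from system32 (the naming pattern visible in the "Other Deletions" section) and the locked registry values decoded from their wrapped REGEDIT4 hex. The Python below is an added example, not code from this thread, from ComboFix or from BleepingComputer; it runs over an excerpt of the log posted above, and the UAC* name heuristic is an assumption of mine rather than a rule ComboFix applies.

```python
import json
import re

# Excerpt of the ComboFix log posted in this thread, trimmed to the three
# sections the parser cares about; banners and wrapped hex values keep
# ComboFix's own layout.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\UACppekdjttmllapjc.sys
c:\windows\system32\UACbsrjymftakkcfkk.log
c:\windows\system32\uacinit.dll
c:\windows\system32\UAClqgwylippwvhwys.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3837644272-3011574939-2102597243-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B18D88A0-832A-6AF1-4FDE-BA7E61D88448}*]
@Allowed: (Read) (RestrictedCode)
"jaejmlniphghhkdmffef"=hex:6b,61,63,69,6b,6e,62,63,66,69,67,6a,6e,61,6d,67,6b,
64,6f,63,67,69,00,00
"iaoikhcdfjachlpeho"=hex:6b,61,63,69,6b,6e,62,63,66,69,67,6a,6e,61,6d,67,6b,64,
6f,63,67,69,00,7c
.
"""

# Section banners look like "(((( Title ))))" or "----- Title -----".
BANNER = re.compile(r"^(?:\({3,}\s*(?P<a>.+?)\s*\){3,}|-{5,}\s*(?P<b>.+?)\s*-{5,})$")
# Heuristic (my assumption, not a ComboFix rule): "UAC" followed by a long run
# of random letters is the naming pattern of the files deleted in this log.
RANDOM_UAC = re.compile(r"[\\/]uac[a-z]{12,}\.(?:sys|dll|dat|log)$", re.I)
# A REGEDIT4 hex value and the continuation lines ComboFix wraps it onto.
HEX_VALUE = re.compile(r'^"(?P<name>[^"]+)"=hex:(?P<bytes>.*)$')
HEX_CONT = re.compile(r"^\s*(?:[0-9a-fA-F]{2},?)+\\?\s*$")


def section(log, title):
    """Lines of the named section, with banners, '.' markers and blanks dropped."""
    out, inside = [], False
    for line in log.splitlines():
        m = BANNER.match(line)
        if m:
            inside = (m.group("a") or m.group("b")).strip().lower() == title.lower()
            continue
        if inside and line.strip() not in ("", "."):
            out.append(line.rstrip())
    return out


def flag_uac_files(paths):
    """Paths whose file name matches the random UAC* pattern."""
    return [p for p in paths if RANDOM_UAC.search(p)]


def parse_hex_values(lines):
    """Decode REGEDIT4 'hex:' values, joining wrapped continuation lines."""
    values, i = {}, 0
    while i < len(lines):
        m = HEX_VALUE.match(lines[i])
        i += 1
        if not m:
            continue
        raw = m.group("bytes")
        while i < len(lines) and HEX_CONT.match(lines[i]):
            raw += lines[i]
            i += 1
        tokens = [t for t in raw.replace("\\", "").split(",") if t.strip()]
        values[m.group("name")] = bytes(int(t, 16) for t in tokens)
    return values


def printable_prefix(data):
    """ASCII text up to the first NUL, the part an analyst looks at first."""
    return data.split(b"\x00", 1)[0].decode("ascii", "replace")


def analyse(log):
    """Summarise the indicators a responder wants from this kind of log."""
    deletions = section(log, "Other Deletions")
    locked = section(log, "LOCKED REGISTRY KEYS")
    return {
        "uac_files": flag_uac_files(deletions),
        "locked_keys": [l for l in locked if l.startswith("[")],
        "locked_values": {n: printable_prefix(b) for n, b in parse_hex_values(locked).items()},
    }


if __name__ == "__main__":
    print(json.dumps(analyse(SAMPLE_LOG), indent=2))
```

Both locked values decode to the same 22-letter random string followed by NUL bytes, which is not what a legitimate Shell Extensions\Approved entry carries; the wrapped-hex decoder is the part worth keeping, since the pattern is easy to miss when the bytes are split across two log lines.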

#11 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,656 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:53 AM

Posted 10 June 2009 - 04:36 PM

  • Please go to Add/Remove programs and uninstall: Google Update Helper
    This should take care of the notification at startup.

  • Close any open browsers.

    Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

    File::
    c:\windows\Tasks\Google Software Updater.job
    Folder::
    c:\program files\Google\Common\Google Updater
    REGNULL::
    [HKEY_USERS\S-1-5-21-3837644272-3011574939-2102597243-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B18D88A0-832A-6AF1-4FDE-BA7E61D88448}*]
    RegLockDel::
    [HKEY_USERS\S-1-5-21-3837644272-3011574939-2102597243-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B18D88A0-832A-6AF1-4FDE-BA7E61D88448}]
    Driver::
    gusvc

    Save this as CFScript.txt, in the same location as ComboFix.exe


    Posted Image

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you ( "C:\ComboFix.txt"). Please copy and paste the log to your reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


  • Please copy and paste a fresh Hijackthis log to your reply. Tell me also how your computer is running.


#12 steveh8204

steveh8204
  • Topic Starter

  • Members
  • 68 posts
  • Location:Wrexham
  • Local time:08:53 AM

Posted 10 June 2009 - 05:56 PM

Google Update Helper wasn't on my Add/Remove programs list but I followed the rest of the instructions regarding Combofix.

Before I did this the computer was running slow and I had the Google problem, but since it has run it's a lot quicker, perfect even, and the Google problem is sorted again. My Comodo taskbar icon is however still missing even though I believe it is still running. I'm also not getting the Internet Explorer box popping up when I open IE, which is also good.

I have been messing about with this for about 4 hours now so I'm going to go to bed, but in the morning I will get up and see if everything is back to normal.

Here is a copy of the Hijack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:53:33, on 6/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Downloads\Programs\Security\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en&source=iglk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O5 "LPT1:" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R300 Series on MAIN] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P43 "Auto EPSON Stylus Photo R300 Series on MAIN" /O14 "\\MAIN\Printer" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [\\HOME\EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P37 "\\HOME\EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: WKCALREM.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-gb\msntabres.dll/229?f1bd46cfb7074b788c6380eeae16ba7e
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-gb\msntabres.dll/230?f1bd46cfb7074b788c6380eeae16ba7e
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Daily Star Poker - {40B2063F-DB01-4962-BE63-59435C01283C} - C:\PROGRA~1\DAILYS~1\client.exe
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.truprint.co.uk/TruprintActivia.cab
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://express.foto.com/ImageUploader5.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/...can8/oscan8.cab
O16 - DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} (PCPitstop AntiVirus) - http://utilities.pcpitstop.com/Exterminate...opAntiVirus.dll
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37500.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.wrexham.gov.uk/webcam/AxisCamControl.bin
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

--
End of file - 12167 bytes

#13 Farbar (Security Developer, 21,656 posts, The Netherlands)

Posted 11 June 2009 - 03:01 AM

You must have been very tired, as you forgot to post the ComboFix log. I hope you slept well.
FYI, svchost.exe is a legitimate and vital Windows process that initiates many services on the computer. You should not block it from accessing the internet.
  • Please open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below (if present):

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

  • Please go to start => Run => Copy and paste the following text in the run box and click OK:

    c:\combofix.txt

    A log file will open. Copy and paste the content to your reply.
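
The fix requested above targets the one orphaned BHO entry in the HijackThis log. As an added example (not part of this thread, and not HijackThis or ComboFix code), here is a small Python triage script for HijackThis-style log lines that flags the entry classes a log reader looks at first: O2/O3 entries whose DLL is "(no file)", O4 autostart entries running from a temp folder or under a *.tmp.exe name, and O23 services with "Unknown owner". The sample log embedded in it is constructed from lines of the shape seen in the log above; the temp-folder O4 line is invented to exercise that rule. Flagged entries are leads to check, not verdicts: an "Unknown owner" service may simply be an unsigned OEM binary, such as the Atheros configuration service listed above.

```python
"""Triage of HijackThis-style log lines.

Added example, not code from HijackThis, ComboFix or anyone in this thread.
It parses the "Oxx - ..." entry lines and returns the ones a log reader
typically checks first.  Everything flagged is a lead, not a verdict.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Every entry line is "<section> - <body>", e.g. "O2 - BHO: name - {CLSID} - path".
_ENTRY = re.compile(r"^(?P<kind>[RO]\d{1,2}) - (?P<body>.+)$")

# Registry-backed O4 bodies: 'HKLM\..\Run: [Name] "C:\path\prog.exe" -args'.
# Startup-folder O4 lines ("Startup: x.lnk = ...") have no [Name] and are skipped.
_O4 = re.compile(
    r'^(?P<hive>.+?): \[(?P<name>[^\]]*)\]\s*"?(?P<image>.+?\.exe)"?(?:\s.*)?$',
    re.IGNORECASE,
)

# Path fragments that mean "runs out of a temp folder" (8.3 short names included).
TEMP_HINTS = ("\\temp\\", "\\tmp\\", "%temp%", "\\locals~1\\temp")


@dataclass(frozen=True)
class Entry:
    kind: str   # section, e.g. "O2", "O4", "O23"
    body: str   # rest of the line after "Oxx - "


@dataclass(frozen=True)
class Finding:
    kind: str
    reason: str
    entry: str


def parse_hjt(text: str) -> List[Entry]:
    """Return the R*/O* entry lines; header and process-list lines are ignored."""
    entries = []
    for raw in text.splitlines():
        m = _ENTRY.match(raw.strip())
        if m:
            entries.append(Entry(m["kind"], m["body"]))
    return entries


def o4_image_path(body: str) -> Optional[str]:
    """Pull the executable path out of a registry-backed O4 body, or None."""
    m = _O4.match(body)
    return m["image"] if m else None


def triage(text: str) -> List[Finding]:
    """Apply the three rules described in the lead-in, in log order."""
    findings = []
    for e in parse_hjt(text):
        if e.kind in ("O2", "O3") and e.body.endswith("(no file)"):
            findings.append(Finding(e.kind, "orphaned BHO/toolbar: registered DLL is not on disk", e.body))
        elif e.kind == "O4":
            image = o4_image_path(e.body)
            if image is not None:
                low = image.lower()
                if low.endswith(".tmp.exe") or any(h in low for h in TEMP_HINTS):
                    findings.append(Finding(e.kind, "autostart runs from a temp location", e.body))
        elif e.kind == "O23" and "Unknown owner" in e.body:
            findings.append(Finding(e.kind, "service binary carries no company/owner string", e.body))
    return findings


# Constructed sample: lines of the shape seen in the log above.  The
# "a1b2.tmp.exe" autostart line is invented to exercise the temp-folder rule.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en&source=iglk
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [a1b2] C:\DOCUME~1\user\LOCALS~1\Temp\a1b2.tmp.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:<4} {f.reason}\n     {f.entry}")
```

Run it against a saved HijackThis log by reading the file into `triage()`; the three rules are deliberately narrow so that the output stays short enough to read against the full log rather than replacing that reading.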


#14 steveh8204 (Topic Starter, Members, 68 posts, Wrexham)

Posted 11 June 2009 - 04:22 AM

Right, I've run HijackThis and got rid of that one item, and the log from ComboFix is below.

My laptop is running a lot slower again this morning since startup. I allowed explorer.exe through my firewall, which made its request at about the same time as I started IE, but I blocked KService as my firewall advised it.

My computer has automatically downloaded a Windows update, but I haven't double-clicked to install it yet.

Also, when I open my email client (Outlook Express 6) the Send/Receive button is ghosted; this has not occurred before.

Combofix Log:

ComboFix 09-06-09.06 - LAPTOPALL 06/10/2009 23:11.2 - NTFSx86
Running from: c:\downloads\Programs\Security\ComboFix.exe
Command switches used :: c:\downloads\Programs\Security\CFScript.txt
AV: COMODO Antivirus *On-access scanning disabled* (Outdated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

FILE ::
"c:\windows\Tasks\Google Software Updater.job"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Google\Common\Google Updater
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\windows\Tasks\Google Software Updater.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GUSVC
-------\Service_gusvc


((((((((((((((((((((((((( Files Created from 2009-05-10 to 2009-06-10 )))))))))))))))))))))))))))))))
.

2009-06-10 20:35 . 2009-06-10 20:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo
2009-06-10 20:35 . 2009-06-10 20:35 82080 ----a-w- c:\windows\system32\drivers\inspect.sys
2009-06-10 20:35 . 2009-06-10 20:35 24096 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-06-10 20:35 . 2009-06-10 20:35 168208 ----a-w- c:\windows\system32\guard32.dll
2009-06-10 20:35 . 2009-06-10 20:35 132640 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-06-10 19:11 . 2009-06-10 19:14 -------- d-----w- C:\32788R22FWJFW.0.tmp
2009-06-09 20:32 . 2009-06-09 20:32 -------- d-----w- c:\docume~1\LAPTOP~1\APPLIC~1\Malwarebytes
2009-06-09 19:53 . 2009-05-26 12:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-09 19:53 . 2009-06-09 20:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-09 19:53 . 2009-06-09 19:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-09 19:53 . 2009-05-26 12:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-08 16:21 . 2009-06-08 16:21 -------- d-----w- c:\program files\Advanced Spyware Remover
2009-06-08 16:17 . 2009-06-09 21:09 -------- d-----w- c:\program files\MalwareSweeper.com
2009-06-08 16:12 . 2004-05-11 09:56 423784 ----a-w- c:\windows\system32\XceedBkp.dll
2009-06-08 16:12 . 2003-11-19 13:59 512688 ----a-w- c:\windows\system32\XceedCry.dll
2009-06-08 16:12 . 2000-07-15 05:00 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
2009-06-07 21:06 . 2009-06-07 21:06 -------- d-----w- c:\documents and settings\LAPTOPALL\Local Settings\Application Data\COMODO
2009-06-07 20:38 . 2009-06-10 22:30 42128 ----a-w- c:\windows\system32\drivers\sfi.dat
2009-06-05 19:30 . 2009-06-07 21:12 -------- d-----w- c:\program files\Malware Immunizer
2009-06-05 15:40 . 2009-06-05 18:58 -------- d-----w- c:\windows\BDOSCAN8
2009-05-29 08:21 . 2009-05-29 08:21 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-05-29 07:31 . 2009-06-06 16:46 -------- d-----w- c:\documents and settings\All Users\Application Data\PCPitstop
2009-05-29 07:30 . 2009-06-07 21:11 -------- d-----w- c:\program files\PCPitstop
2009-05-28 12:24 . 2009-06-08 15:14 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-05-28 12:24 . 2009-06-08 15:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-28 12:23 . 2007-10-23 08:27 110592 ----a-w- c:\documents and settings\Administrator\Application Data\U3\temp\cleanup.exe
2009-05-28 12:18 . 2009-05-28 12:18 108544 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-28 11:07 . 2008-05-02 09:41 3493888 ---ha-w- c:\documents and settings\Administrator\Application Data\U3\temp\Launchpad Removal.exe
2009-05-28 11:07 . 2009-05-29 19:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2009-05-28 11:04 . 2009-05-28 11:04 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Innovative Solutions
2009-05-28 11:04 . 2009-05-28 11:04 -------- d-----w- c:\program files\Innovative Solutions
2009-05-28 10:48 . 2009-05-28 10:48 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-05-28 10:48 . 2009-05-28 10:48 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-05-27 15:17 . 2009-05-27 15:26 -------- d-----w- c:\documents and settings\LAPTOPALL\.housecall6.6
2009-05-27 08:57 . 2009-05-27 15:17 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-05-26 17:47 . 2009-06-10 20:35 -------- d-----w- c:\program files\COMODO
2009-05-26 17:42 . 2009-05-26 17:42 -------- d-----w- c:\program files\SpywareBlaster
2009-05-12 16:34 . 2009-05-12 16:34 -------- d-----w- C:\8ebed62a43e2bae323ab4dad49e95a

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-10 22:37 . 2007-04-25 14:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki
2009-06-08 16:43 . 2008-02-18 22:02 -------- d-----w- c:\program files\www.freewordexcelpassword.com
2009-06-08 10:31 . 2008-11-21 19:33 -------- d-----w- c:\docume~1\LAPTOP~1\APPLIC~1\U3
2009-06-07 21:09 . 2006-04-07 20:15 -------- d-----w- c:\program files\Google
2009-06-07 21:08 . 2005-09-02 15:10 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-07 21:07 . 2006-03-05 21:26 -------- d-----w- c:\program files\Absolute MP3 Splitter
2009-06-07 19:26 . 2006-01-28 18:30 -------- d-----w- c:\program files\WinAVI VideoConverter
2009-06-05 15:09 . 2009-03-20 10:16 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-05 14:34 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP47d6.tmp
2009-06-05 14:33 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP47f5.tmp
2009-06-05 14:32 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP48ef.tmp
2009-06-05 14:31 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP495e.tmp
2009-06-02 07:25 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP48e0.tmp
2009-06-02 07:24 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP491e.tmp
2009-06-02 07:24 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP495d.tmp
2009-06-02 07:23 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP4c0c.tmp
2009-05-29 09:14 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP46ec.tmp
2009-05-29 09:13 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP47c8.tmp
2009-05-29 09:13 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP4759.tmp
2009-05-29 09:12 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP47c7.tmp
2009-05-29 09:11 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP47a8.tmp
2009-05-29 09:10 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP476b.tmp
2009-05-29 09:09 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP4798.tmp
2009-05-29 09:09 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP476a.tmp
2009-05-29 09:08 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP473a.tmp
2009-05-29 09:07 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP474a.tmp
2009-05-29 09:06 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP47a7.tmp
2009-05-29 09:05 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP4853.tmp
2009-05-29 09:05 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP4a09.tmp
2009-05-29 09:04 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP47b7.tmp
2009-05-29 09:03 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP4769.tmp
2009-05-29 09:02 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP468e.tmp
2009-05-27 12:35 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP7b4a.tmp
2009-05-27 12:19 . 2007-04-09 17:26 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-27 08:28 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP82bc.tmp
2009-05-27 08:27 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP8136.tmp
2009-05-27 08:26 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP8a9c.tmp
2009-05-26 21:07 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP7a6f.tmp
2009-05-26 21:00 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP7fee.tmp
2009-05-26 20:31 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP75eb.tmp
2009-05-26 20:29 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP787b.tmp
2009-05-26 20:29 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP87ec.tmp
2009-05-26 19:26 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP823f.tmp
2009-05-26 19:25 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP7ce0.tmp
2009-05-26 14:31 . 2005-12-16 13:11 94208 ----a-w- c:\windows\DUMP690a.tmp
2009-05-19 14:08 . 2006-01-05 16:05 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-04-29 11:13 . 2009-03-06 21:02 -------- d-----w- c:\program files\PokerStars
2009-04-29 07:01 . 2009-04-29 07:01 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ggsemc_01007.Wdf
2009-04-29 07:01 . 2009-04-29 07:01 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-04-29 06:57 . 2006-09-08 21:04 -------- d-----w- c:\program files\Sony Ericsson
2009-04-28 18:38 . 2009-04-28 18:38 -------- d-----w- c:\docume~1\LAPTOP~1\APPLIC~1\uniblue
2009-04-28 18:34 . 2009-04-28 18:34 -------- d-----w- c:\program files\Uniblue
2009-04-28 18:32 . 2005-12-16 19:12 108544 ----a-w- c:\documents and settings\LAPTOPALL\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-28 18:20 . 2007-04-25 14:59 -------- d-----w- c:\program files\Kontiki
2009-04-28 18:06 . 2009-04-28 18:06 -------- d-----w- c:\program files\MSBuild
2009-04-28 18:06 . 2009-04-28 18:06 -------- d-----w- c:\program files\Reference Assemblies
2009-04-28 17:38 . 2009-04-28 17:38 -------- d-----w- c:\program files\MSXML 6.0
2009-04-20 18:54 . 2006-01-15 12:59 -------- d-----w- c:\program files\FlashFXP
2009-04-05 17:37 . 2009-04-05 17:37 40 ----a-w- c:\windows\ujf635.bin
2009-03-20 10:32 . 2008-10-17 11:59 4175441 ----a-w- c:\windows\Internet Logs\tvDebug.zip
.

((((((((((((((((((((((((((((( SnapShot@2009-06-10_20.28.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-10 22:32 . 2009-06-10 22:32 16384 c:\windows\temp\Perflib_Perfdata_85c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2008-07-02 393216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-11 339968]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-14 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-14 688218]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2005-04-25 339968]
"Tvs"="c:\program files\TOSHIBA\Tvs\TvsTray.exe" [2005-04-05 73728]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-11 118784]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-11-17 1077327]
"EPSON Stylus Photo R300 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE" [2003-09-11 99840]
"Auto EPSON Stylus Photo R300 Series on MAIN"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE" [2003-09-11 99840]
"\\HOME\EPSON Stylus Photo R300 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE" [2003-09-11 99840]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-01-28 155648]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 57344]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-22 81920]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-06-10 1794320]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2005-04-12 88358]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2005-01-21 266240]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2004-08-04 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\LAPTOPALL\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
WKCALREM.LNK - c:\program files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2004-6-24 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2007-1-14 155648]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"TOSCDSPD"=c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe"
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"CFSServ.exe"=CFSServ.exe -NoClient
"NDSTray.exe"=NDSTray.exe
"Ulead Quick-Drop"="c:\program files\Ulead Systems\Ulead DVD MovieFactory 5 Plus\Ulead DVD MovieFactory 5\Quick-Drop.exe" WINDOWCALL
"snpstd"=c:\windows\vsnpstd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\FlashFXP\\flashfxp.exe"= c:\\Program Files\\FlashFXP\\FlashFXP.exe
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [6/10/2009 21:35 132640]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [6/10/2009 21:35 24096]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\DRIVERS\ggflt.sys --> c:\windows\system32\DRIVERS\ggflt.sys [?]
S3 Navcar;Navman In-car Navigator USB Driver Service;c:\windows\system32\drivers\Navcar.sys [10/23/2008 22:13 30329]
S3 pmxscan;Memorex USB Kernel;c:\windows\system32\drivers\usbscan.sys [7/7/2006 12:33 15104]
S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\drivers\s0016bus.sys [10/23/2008 22:31 89256]
S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\drivers\s0016mdfl.sys [10/23/2008 22:31 15016]
S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\drivers\s0016mdm.sys [10/23/2008 22:31 120744]
S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0016mgmt.sys [10/23/2008 22:31 114216]
S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\drivers\s0016nd5.sys [10/23/2008 22:31 25512]
S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\drivers\s0016obex.sys [10/23/2008 22:31 110632]
S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\drivers\s0016unic.sys [10/23/2008 22:31 115752]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-10 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-09 14:50]

2009-06-10 c:\windows\Tasks\User_Feed_Synchronization-{B1AA1081-2C11-4DDD-AECC-3B6C97BEBFFE}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 02:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/ig?hl=en&source=iglk
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE: &MSN Search - c:\program files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Open in new background tab - c:\program files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-gb\msntabres.dll/229?f1bd46cfb7074b788c6380eeae16ba7e
IE: Open in new foreground tab - c:\program files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-gb\msntabres.dll/230?f1bd46cfb7074b788c6380eeae16ba7e
IE: {{40B2063F-DB01-4962-BE63-59435C01283C} - c:\progra~1\DAILYS~1\client.exe
DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} - hxxp://utilities.pcpitstop.com/Exterminate2/pcpitstopAntiVirus.dll
DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37500.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-10 23:33
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(696)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(756)
c:\windows\system32\guard32.dll

- - - - - - - > 'explorer.exe'(3496)
c:\windows\system32\guard32.dll
c:\windows\system32\SynTPFcs.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\COMODO\COMODO Internet Security\cmdagent.exe
c:\windows\system32\acs.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
c:\windows\system32\rundll32.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\TPSBattM.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\Kontiki\KService.exe
c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Canon\CAL\CALMAIN.exe
.
**************************************************************************
.
Completion time: 2009-06-10 23:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-10 22:43
ComboFix2.txt 2009-06-10 20:32

Pre-Run: 14,396,710,912 bytes free
Post-Run: 14,336,045,056 bytes free

282 --- E O F --- 2009-05-12 19:01

#15 steveh8204 (Topic Starter, Members, 68 posts, Wrexham)

Posted 11 June 2009 - 05:47 AM

My computer is running a lot better now. Still got the OE problem though.



