Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Help with log file, please.


  • This topic is locked This topic is locked
34 replies to this topic

#1 Jrox

Jrox

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:07:07 AM

Posted 15 January 2010 - 09:20 AM

My browser is constantly freezing and painfully slow when running. A copy of my log is attached below. Thank you.
=========================================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:17:08 AM, on 1/15/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Data\Downloads\Hijackthis\HijackThis.exe

O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [AsusStartupHelp] C:\Program Files\ASUS\AASP\1.00.15\AsRunHelp.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ContentTransferWMDetector.exe] C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testAc...OnlineGames.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} - http://www.yougamers.com/systeminfo/FMSI.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15031/CTPID.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize3/pcpitstop2.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: indows\system32\tajavota.dll zeyoheko.dll c:\windows\system32\ c:\windows\system32\bevozeti.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: wohurizey - {d115c563-1b52-4293-9b24-ed940016aee7} - c:\windows\system32\bevozeti.dll (file missing)
O22 - SharedTaskScheduler: jugezatag - {d115c563-1b52-4293-9b24-ed940016aee7} - c:\windows\system32\bevozeti.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 8346 bytes


BC AdBot (Login to Remove)

 


#2 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:God's Country
  • Local time:07:07 AM

Posted 21 January 2010 - 10:01 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.


If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
PW

#3 Jrox

Jrox
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:07:07 AM

Posted 22 January 2010 - 06:39 PM

Thank you for getting back to me. My DDS log follows. I have not run any diagnostics or scans since my original post.
===================================

DDS (Ver_09-12-01.01) - NTFSx86
Run by Randy at 18:33:11.31 on Fri 01/22/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3070.2510 [GMT -5:00]

AV: avast! antivirus 4.8.1368 [VPS 100122-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Documents and Settings\Randy\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [AsusStartupHelp] c:\program files\asus\aasp\1.00.15\AsRunHelp.exe
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [ContentTransferWMDetector.exe] c:\program files\sony\content transfer\ContentTransferWMDetector.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} - hxxp://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} - hxxp://www.yougamers.com/systeminfo/FMSI.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/su2/CTL_V02002/ocx/15031/CTPID.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/Optimize3/pcpitstop2.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~3\office12\GR99D3~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
AppInit_DLLs: indows\system32\tajavota.dll zeyoheko.dll c:\windows\system32\ c:\windows\system32\bevozeti.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: wohurizey - {d115c563-1b52-4293-9b24-ed940016aee7} - c:\windows\system32\bevozeti.dll
STS: jugezatag: {d115c563-1b52-4293-9b24-ed940016aee7} - c:\windows\system32\bevozeti.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = ll hubajobu.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-4-4 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-9-15 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-9-15 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-4 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2007-10-14 138680]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2007-10-14 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2007-10-14 352920]
S3 cpuz130;cpuz130;\??\c:\docume~1\randy\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\randy\locals~1\temp\cpuz130\cpuz_x32.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-9-15 7408]

=============== Created Last 30 ================

2009-12-30 16:11:39 0 d-----w- c:\program files\VideoLAN
2009-12-30 00:16:02 0 d-----w- c:\docume~1\randy\applic~1\DriverCure
2009-12-30 00:15:56 0 d-----w- c:\docume~1\alluse~1\applic~1\ParetoLogic
2009-12-30 00:15:56 0 d-----w- c:\docume~1\alluse~1\applic~1\DriverCure

==================== Find3M ====================

2009-12-30 19:55:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-30 19:54:58 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-22 05:42:49 662016 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:42:45 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-12-13 13:09:27 161708 ----a-w- c:\windows\hpoins36.dat
2009-11-21 08:46:32 86016 ----a-w- c:\windows\system32\frapsvid.dll
2009-10-28 21:49:40 215104 ----a-w- c:\windows\system32\PnkBstrB.exe

============= FINISH: 18:33:36.81 ===============

Attached Files



#4 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:07 AM

Posted 23 January 2010 - 06:04 PM

Hi and welcome to the HijackThis Logs and Virus/Trojan/Spyware/Malware Removal forum,

I am thcbytes and I am here to help you!

I ask that you refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Please perform all steps in the order received and do not proceed if you need clarification.

Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems please stop and tell me about it. When your computer is clean I will alert you of such. I will also provide you with detailed suggestions for prevention.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if your topic is not replied I we assume it has been abandoned and I will close it.

I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for the assistance provided!

Again I would like to remind you to make no further changes to your computer unless I direct you to do so. Your computer fix will be based on the current condition of your computer! Any changes might delay my ability to help you.

==========

RKill by Grinler
Link #1
Link #2
Link #3
Link #4
  • Before we begin, you should disable your anti-malware softwares you have installed so they do not interfere RKill running as some anti-malware softwares detect RKill as malicious. Please refer to this page if you are not sure how.
  • Download Link #1.
  • Save it to your Desktop.
  • Double click the RKill desktop icon.
    If you are using Vista please right click and run as Admin!
  • A black screen will briefly flash indicating a successful run.
  • If this does not occur please delete that application and download Link #2.
  • Continue process until the tool runs.
  • If the tool does not run from any of the links tell me about it.

==========

Download and Run ComboFix (by sUBs)

You must rename it before saving it.





Please download ComboFix from one of these locations:

Link 1
Link 2

Save thcbytes.exe to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click on thcbytes.exe & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


==========

With your next post please provide:

* Combofix.txt

Kind regards,
~t

Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#5 Jrox

Jrox
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:07:07 AM

Posted 24 January 2010 - 09:38 AM

thcbytes...Thank you. I have followed all of your instructions and my combofix log follows, as requested.
===================================================

ComboFix 10-01-23.06 - Randy 01/24/2010 9:28.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3070.2585 [GMT -5:00]
Running from: c:\documents and settings\Randy\Desktop\thcbytes.exe
AV: avast! antivirus 4.8.1368 [VPS 100124-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Police Pro
c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Police Pro\Windows Police Pro.lnk
c:\windows\system32\Data
c:\windows\system32\Data\CT0060W.DAT
c:\windows\system32\Data\ctd20x.dat
c:\windows\system32\Data\CTEAPSW.DAT
c:\windows\system32\Data\CTEDSP2W.DAT
c:\windows\system32\Data\CTEDSPHW.DAT
c:\windows\system32\Data\CTEDSPKW.DAT
c:\windows\system32\Data\CTEDSPLW.DAT
c:\windows\system32\Data\CTEDSPPW.DAT
c:\windows\system32\Data\CTEDSPTW.DAT
c:\windows\system32\Data\CTEDSPUW.DAT
c:\windows\system32\Data\CTEDSPW.DAT
c:\windows\system32\Data\CTP0060W.DAT
c:\windows\system32\Data\CTP0061W.DAT
c:\windows\system32\Data\CTP0070W.DAT
c:\windows\system32\Data\CTP0073W.DAT
c:\windows\system32\Data\CTP0090W.DAT
c:\windows\system32\Data\CTP0091W.DAT
c:\windows\system32\Data\CTP0092W.DAT
c:\windows\system32\Data\CTP0095W.DAT
c:\windows\system32\Data\CTP0100W.DAT
c:\windows\system32\Data\CTP0101W.DAT
c:\windows\system32\Data\CTP0102W.DAT
c:\windows\system32\Data\CTP0103W.DAT
c:\windows\system32\Data\CTP0105W.DAT
c:\windows\system32\Data\CTP0150W.DAT
c:\windows\system32\Data\CTP0161W.DAT
c:\windows\system32\Data\CTP0162W.DAT
c:\windows\system32\Data\CTP0170W.DAT
c:\windows\system32\Data\CTP017AW.DAT
c:\windows\system32\Data\CTP017BW.DAT
c:\windows\system32\Data\CTP017CW.DAT
c:\windows\system32\Data\CTP017DW.DAT
c:\windows\system32\Data\CTP017EW.DAT
c:\windows\system32\Data\CTP017FW.DAT
c:\windows\system32\Data\CTP017GW.DAT
c:\windows\system32\Data\CTP017HW.DAT
c:\windows\system32\Data\CTP0191W.DAT
c:\windows\system32\Data\CTP0192W.DAT
c:\windows\system32\Data\CTP0221W.DAT
c:\windows\system32\Data\CTP0222W.DAT
c:\windows\system32\Data\CTP0230W.DAT
c:\windows\system32\Data\CTP0231W.DAT
c:\windows\system32\Data\CTP0232W.DAT
c:\windows\system32\Data\CTP0238W.DAT
c:\windows\system32\Data\CTP0240W.DAT
c:\windows\system32\Data\CTP0242W.DAT
c:\windows\system32\Data\CTP0243W.DAT
c:\windows\system32\Data\CTP0244W.DAT
c:\windows\system32\Data\CTP0245W.DAT
c:\windows\system32\Data\CTP0246W.DAT
c:\windows\system32\Data\CTP0249W.DAT
c:\windows\system32\Data\CTP0280W.DAT
c:\windows\system32\Data\CTP0320W.DAT
c:\windows\system32\Data\CTP0350W.DAT
c:\windows\system32\Data\CTP0352W.DAT
c:\windows\system32\Data\CTP0355W.DAT
c:\windows\system32\Data\CTP0358W.DAT
c:\windows\system32\Data\CTP0359W.DAT
c:\windows\system32\Data\CTP0360W.DAT
c:\windows\system32\Data\CTP0380W.DAT
c:\windows\system32\Data\CTP0400W.DAT
c:\windows\system32\Data\CTP0460W.DAT
c:\windows\system32\Data\CTP0462W.DAT
c:\windows\system32\Data\CTP0463W.DAT
c:\windows\system32\Data\CTP0464W.DAT
c:\windows\system32\Data\CTP0465W.DAT
c:\windows\system32\Data\CTP0466W.DAT
c:\windows\system32\Data\CTP0468W.DAT
c:\windows\system32\Data\CTP0469W.DAT
c:\windows\system32\Data\CTP046AW.DAT
c:\windows\system32\Data\CTP046BW.DAT
c:\windows\system32\Data\CTP046CW.DAT
c:\windows\system32\Data\CTP0530L.DAT
c:\windows\system32\Data\CTP0530W.DAT
c:\windows\system32\Data\CTP0531L.DAT
c:\windows\system32\Data\CTP0531W.DAT
c:\windows\system32\Data\CTP0550W.DAT
c:\windows\system32\Data\CTP055AW.DAT
c:\windows\system32\Data\CTP0600W.DAT
c:\windows\system32\Data\CTP0610W.DAT
c:\windows\system32\Data\CTP0669W.DAT
c:\windows\system32\Data\CTP0679W.DAT
c:\windows\system32\Data\CTP0730W.DAT
c:\windows\system32\Data\CTP073AW.DAT
c:\windows\system32\Data\CTP1140W.DAT
c:\windows\system32\Data\CTP4620W.DAT
c:\windows\system32\Data\CTP4670W.DAT
c:\windows\system32\Data\CTP4760W.DAT
c:\windows\system32\Data\CTP4780W.DAT
c:\windows\system32\Data\CTP4790W.DAT
c:\windows\system32\Data\CTP4820W.DAT
c:\windows\system32\Data\CTP4830W.DAT
c:\windows\system32\Data\CTP4831W.DAT
c:\windows\system32\Data\CTP4832W.DAT
c:\windows\system32\Data\CTP4840W.DAT
c:\windows\system32\Data\CTP4850W.DAT
c:\windows\system32\Data\CTP4870W.DAT
c:\windows\system32\Data\CTP4871W.DAT
c:\windows\system32\Data\CTP4872W.DAT
c:\windows\system32\Data\CTP4875W.DAT
c:\windows\system32\Data\CTP4890W.DAT
c:\windows\system32\Data\CTP4891W.DAT
c:\windows\system32\Data\CTP4893W.DAT
c:\windows\system32\Data\CTPDXW.DAT
c:\windows\system32\Data\CTPM002W.DAT
c:\windows\system32\Data\cts20x.dat
c:\windows\system32\Data\CTXFICBM.RFX
c:\windows\system32\Data\CTXFICM.RFX
c:\windows\system32\Data\CTXFIEM.RFX
c:\windows\system32\Data\CTXFIGM.RFX
c:\windows\system32\Thumbs.db

.
((((((((((((((((((((((((( Files Created from 2009-12-24 to 2010-01-24 )))))))))))))))))))))))))))))))
.

2009-12-30 16:13 . 2009-12-30 18:18 -------- d-----w- c:\documents and settings\Randy\Application Data\dvdcss
2009-12-30 16:12 . 2010-01-08 03:28 -------- d-----w- c:\documents and settings\Randy\Application Data\vlc
2009-12-30 16:11 . 2009-12-30 16:11 -------- d-----w- c:\program files\VideoLAN
2009-12-30 00:22 . 2009-12-30 00:22 -------- d-----w- c:\documents and settings\Randy\Local Settings\Application Data\Help
2009-12-30 00:16 . 2009-12-30 00:16 -------- d-----w- c:\documents and settings\Randy\Application Data\DriverCure
2009-12-30 00:15 . 2009-12-30 00:16 -------- d-----w- c:\documents and settings\All Users\Application Data\DriverCure
2009-12-30 00:15 . 2009-12-30 00:15 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-24 14:22 . 2009-11-21 22:44 -------- d-----w- c:\documents and settings\Randy\Application Data\HPAppData
2010-01-14 00:43 . 2009-11-22 19:18 -------- d-----w- c:\program files\Steam
2010-01-09 14:10 . 2009-12-19 13:16 52224 ----a-w- c:\documents and settings\Randy\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-09 14:10 . 2009-10-11 16:19 117760 ----a-w- c:\documents and settings\Randy\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-02 17:54 . 2009-10-10 16:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-02 17:54 . 2009-12-06 17:39 5061520 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-30 19:55 . 2009-10-10 16:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-30 19:54 . 2009-10-10 16:12 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-22 05:42 . 2006-02-28 12:00 662016 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:42 . 2009-08-28 16:40 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-12-21 02:15 . 2009-12-21 02:15 62464 ----a-w- c:\documents and settings\Randy\Application Data\Sun\Java\Deployment\cache\6.0\39\1af9ba7-7ac77040-n\avutil-49.dll
2009-12-21 02:15 . 2009-12-21 02:15 516096 ----a-w- c:\documents and settings\Randy\Application Data\Sun\Java\Deployment\cache\6.0\39\1af9ba7-7ac77040-n\ivjni.dll
2009-12-21 02:15 . 2009-12-21 02:15 288361 ----a-w- c:\documents and settings\Randy\Application Data\Sun\Java\Deployment\cache\6.0\39\1af9ba7-7ac77040-n\libmp3lame-0.dll
2009-12-21 02:15 . 2009-12-21 02:15 1941504 ----a-w- c:\documents and settings\Randy\Application Data\Sun\Java\Deployment\cache\6.0\39\1af9ba7-7ac77040-n\avcodec-51.dll
2009-12-21 02:15 . 2009-12-21 02:15 107520 ----a-w- c:\documents and settings\Randy\Application Data\Sun\Java\Deployment\cache\6.0\39\1af9ba7-7ac77040-n\avformat-52.dll
2009-12-19 15:23 . 2009-12-19 14:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-19 15:01 . 2009-12-19 14:58 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-18 00:12 . 2007-10-14 21:46 -------- d-----w- c:\documents and settings\Randy\Application Data\LimeWire
2009-12-13 13:10 . 2007-10-14 21:07 99952 ----a-w- c:\documents and settings\Randy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-13 13:10 . 2009-11-21 21:53 -------- d-----w- c:\documents and settings\Randy\Application Data\HP
2009-12-13 13:09 . 2009-11-21 21:41 161708 ----a-w- c:\windows\hpoins36.dat
2009-12-13 13:07 . 2009-11-21 21:47 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2009-12-13 13:05 . 2007-10-14 18:28 -------- d-----w- c:\program files\HP
2009-12-13 13:04 . 2009-12-13 13:04 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-12-04 01:40 . 2009-09-19 15:05 -------- d-----w- c:\program files\LimeWire
2009-11-24 23:54 . 2007-10-14 21:01 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-24 23:51 . 2007-10-14 21:01 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-24 23:50 . 2007-10-14 21:01 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-11-24 23:50 . 2008-04-04 12:30 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-24 23:50 . 2008-04-04 12:30 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-24 23:49 . 2007-10-14 21:01 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-24 23:48 . 2007-10-14 21:01 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-24 23:47 . 2007-10-14 21:01 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-24 23:47 . 2007-10-14 21:01 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-23 18:11 . 2009-11-23 18:11 152576 ----a-w- c:\documents and settings\Randy\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-23 18:11 . 2009-11-23 18:11 79488 ----a-w- c:\documents and settings\Randy\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-21 08:46 . 2009-11-21 08:46 86016 ----a-w- c:\windows\system32\frapsvid.dll
2009-10-30 16:19 . 2009-10-30 16:19 203608 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-10-28 21:49 . 2007-10-15 01:37 215104 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-10-28 21:30 . 2007-10-15 01:37 138576 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 600896]
"AsusStartupHelp"="c:\program files\ASUS\AASP\1.00.15\AsRunHelp.exe" [2006-11-14 363008]
"CTHelper"="CTHELPER.EXE" [2006-08-17 17920]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-17 18944]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-19 7700480]
"nwiz"="nwiz.exe" [2007-04-19 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-19 86016]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"ContentTransferWMDetector.exe"="c:\program files\Sony\Content Transfer\ContentTransferWMDetector.exe" [2008-07-11 423200]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-10-25 805392]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 06:42 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Alwil Software\\Avast4\\ashServ.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Turbine\\DDO Unlimited\\dndclient.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\call of duty modern warfare 2\\iw4sp.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\call of duty modern warfare 2\\iw4mp.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/4/2008 7:30 AM 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/15/2009 10:42 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/15/2009 10:42 AM 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/4/2008 7:30 AM 20560]
S3 cpuz130;cpuz130;\??\c:\docume~1\Randy\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\Randy\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/15/2009 10:42 AM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
.
- - - - ORPHANS REMOVED - - - -

SharedTaskScheduler-{d115c563-1b52-4293-9b24-ed940016aee7} - c:\windows\system32\bevozeti.dll
SSODL-wohurizey-{d115c563-1b52-4293-9b24-ed940016aee7} - c:\windows\system32\bevozeti.dll



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(724)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'lsass.exe'(780)
c:\windows\system32\nvappfilter.dll

- - - - - - - > 'explorer.exe'(4040)
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\windows\system32\PnkBstrB.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2010-01-24 09:35:06 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-24 14:35
ComboFix2.txt 2007-12-22 20:54

Pre-Run: 71,286,722,560 bytes free
Post-Run: 71,225,376,768 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

- - End Of File - - 0F38E2FBEAD5F5942A1A4151C6FEF0FC

#6 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:07 AM

Posted 24 January 2010 - 03:53 PM

Well done. thumbup2.gif
Let's continue...

We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
  1. Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  2. If prompted with a legal dialog, accept the warning.
  3. Click and then on "Advanced Mode"
  4. You may be presented with a warning dialog. If so, press
  5. Click on
  6. Click on
  7. Uncheck this checkbox:
  8. Close/Exit Spybot Search and Destroy

After you disabled Teatimer, download ResetTeaTimer.exe to your desktop.
Then run ResetTeaTimer.exe.
This will only take a few seconds.

===========

excl.gif P2P Warning excl.gif

Your log indicates that you have LimeWire installed.

Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.

- They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.

- Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.

- The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Note: It is pretty much certain that if you continue to use P2P programs, then you will get infected again.
I would recommend that you uninstall LimeWire, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel>> Add / Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.

==========

excl.gif Warning: This script was specifically written and designed for this user only. Unsupervised use of this tool could render your computer unbootable permanently!! excl.gif

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
Folder::
c:\documents and settings\Randy\Application Data\DriverCure
c:\documents and settings\All Users\Application Data\DriverCure
c:\documents and settings\All Users\Application Data\ParetoLogic


Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

==========

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.

==========

Please rerun MBAM.

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
    • Update Malwarebytes' Anti-Malware <--- Important!!
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

==========

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

==========

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

==========

With your next post please provide:

* Combofix.txt
* MBAM log
* ESET log
* Gmer log
* How is your computer running now?

Kind regards,
~t


Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#7 Jrox

Jrox
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:07:07 AM

Posted 24 January 2010 - 05:56 PM

I was only able to perform the teatimer, combofix, and cleanup tasks requested above. After running the combofix, Itried to post the log, but the forum indicates that the file is too long. It is also too large to attach. Additionally, all of my programs now appear to be gone, all of my e-mails appear to be gone, and all of my internet shortcuts also appear to be gone.

How do we proceed?

#8 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:07 AM

Posted 24 January 2010 - 06:13 PM

Serious problems with Combofix right now!!! wacko.gif We should be able to recover though.

Do this 1st......

Please go to Start > Run and copy/paste the following, then press Enter:

C:\QooBox\ComboFix-quarantined-files.txt


Post the contents of the logfile which will open.

Thanks,
~ t


Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#9 Jrox

Jrox
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:07:07 AM

Posted 24 January 2010 - 06:30 PM

Quarantine log is too large too post. A zip file of the log is attached.

Attached Files



#10 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:07 AM

Posted 24 January 2010 - 07:44 PM

Well done thumbup2.gif

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

==========


We need to copy ComboFix from quarantine back to desktop

To open notepad...

Press the Windows key + R, type notepad in the run box and press Enter.

Then....

Press the Windows key + R, copy and paste the following contained in the code box excluding the word "code" and press Enter:

CODE
cmd /c Copy /y "C:\Qoobox\Quarantine\C\Documents and Settings\Randy\Desktop\thcbytes.exe.vir" "C:\Documents and Settings\Randy\Desktop\thcbytes.exe"


You should now have ComboFix back on your desktop. If not, stop and let me know.

==========

Next.......
  1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  2. Open notepad and copy/paste the text in the quotebox below into it excluding the word "quote":

    QUOTE
    Dequarantine::
    C:\Qoobox\Quarantine\C\WINDOWS\system32\config\systemprofile
    C:\Qoobox\Quarantine\C\Documents and Settings
    Quit::


    Save this as CFScript.txt




    Referring to the picture above, drag CFScript.txt into ComboFix.exe
  3. ComboFix may request an update; please allow it.
  4. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

    As it restores your computer please be patient...this is going to take some time
  5. When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

==========

With your next post please provide:

* Combofix.txt
* Does everything look to be back up and working as expected?
* Please be absolutely certain to log on to all accounts!

Kind regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#11 Jrox

Jrox
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:07:07 AM

Posted 24 January 2010 - 08:41 PM

I had no sound, no e-mail folders, could not access internet, and did not have e-mail access, could not access Steam account. Also, I did not get a log after running combofix. In a panic, I performed a system restore...and this helped only some of the issues. So, I undid the restore and things seem to beck where they were and most ODD...my IE explorer is running seemingly fine.

I'm clueless at this point. How would you like to proceed? Thank you, in advance.

#12 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:07 AM

Posted 24 January 2010 - 08:59 PM

Hello,

This is a very serious situation. I just simply can not believe you did other than what I had recommended. Your last post is confusing. If you want to restore your computer to its previous state prior to the crash then you must do only as I suggest. I hope I can undo whatever else you have done. This should have been a very straightforward process. No promises now. sad.gif

Now I need precise clarification as to what you have done and the order you did it. Please start at the point that I asked you to provide me with the Combofix quarantine files.

The exact order and list of everything you did. Also a detailed description of what is happening now please!

Thanks,
~ t


Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#13 Jrox

Jrox
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:07:07 AM

Posted 24 January 2010 - 09:29 PM

To clarify...I had seemingly lost almost my entire system including e-mail and internet access. I had NO way of responding to you after following the directions for recovering. So, my apologies for the inconvenience, but with no access to any help, I did what I had to do in order to regain my connectivity. Moving forward...Here is what I did, in order.

1.) I followed your instructions for restoring combofix to the letter. Once combofix finished running, and rebooting, it did not leave me with a log file to attach or read. While most of my desktop icons returned, including combofix, at this point, I had lost audio, internet access, e-mail, and every other online account requiring a login.

2. Consequently, I initiated a restore to Friday, 1/22/10.

3. After the restore, it appeared that some program links and critical e-mail folders did not restore. So, using Windows' utility, I undid the prior restore. When the system rebooted, following the undo, all of my programs, links, e-mail access and folders, internet access, etc. was restored. I then reinstalled my audio drivers. At this point, my system is running quickly. Far better than when we started. The only lingering effect that my untrained eye can see is that notepad launches at startup with a message (I'll have to copy and post it for you.)

#14 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:07 AM

Posted 24 January 2010 - 09:36 PM

Hello,

I see.

Thanks for the clarification! thumbup2.gif

I did not mean to come off crass but frankly I was afraid that I might not be able to get you up and running again so it was based primarily out concern for you.

Please post the exact message that pops up with notepad. I suspect it is related to desktop.ini That should be easy to restore.

Please go to c:\combofix.txt and post the most recent log for my review. We still need to finish cleanup. I will carefully guide you.

I am very sorry for your troubles!!!!!!!!

Thanks,
~ t
Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#15 Jrox

Jrox
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:07:07 AM

Posted 24 January 2010 - 09:49 PM

No apology necessary. I greatly appreciate your assistance and expertise. The requested info follows.

1.) Message on desktop at bootup = [.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787

2.) Most recent Combofix log: Please note that all I see is a file called "ComboFix2". This log carries a date/time stamp of 12/22/07 @ 3:10 PM. Conteents follow.
=====================

ComboFix 07-12-21.4 - Randy 2007-12-22 15:06:12.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2516 [GMT -5:00]
Running from: C:\Documents and Settings\Randy\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\~.exe
C:\WINDOWS\system32\d3drmi.dll
C:\WINDOWS\system32\dbnmpntwv.dll
C:\WINDOWS\system32\drivers\yvifromz.dat
C:\WINDOWS\Tasks.\At1.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NXOEUAEC
-------\LEGACY_ZTAAMAZI
-------\nxoeuaec
-------\ztaamazi


((((((((((((((((((((((((( Files Created from 2007-11-22 to 2007-12-22 )))))))))))))))))))))))))))))))
.

2007-12-22 12:41 . 2007-12-22 12:41 1,188,375 --a------ C:\WINDOWS\system32\libeay32.dll
2007-12-22 12:41 . 2007-12-22 12:41 741,632 --a------ C:\WINDOWS\system32\jvhubasb.dat
2007-12-22 12:41 . 2007-12-22 12:41 246,545 --a------ C:\WINDOWS\system32\libssl32.dll
2007-12-22 12:41 . 2007-12-22 12:41 42,240 --a------ C:\WINDOWS\system32\aigtzujn.dat
2007-12-22 12:41 . 2007-12-22 12:41 36,096 --a------ C:\WINDOWS\system32\nfufacsx.dat
2007-12-22 12:41 . 2007-12-22 12:41 35,072 --a------ C:\WINDOWS\system32\cervvadj.dat
2007-12-21 12:36 . 2007-12-21 12:36 120,576 --a------ C:\WINDOWS\system32\aidkombh.dat
2007-12-19 21:04 . 2007-12-19 21:04 7,168 --a------ C:\WINDOWS\Randy.pcb
2007-11-27 15:31 . 2007-11-27 15:31 22,328 --a------ C:\Documents and Settings\Randy\Application Data\PnkBstrK.sys
2007-11-27 15:18 . 2007-11-27 15:18 <DIR> d-------- C:\Program Files\Activision
2007-11-27 15:15 . 2007-11-27 15:15 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-11-25 10:46 . 2007-11-25 10:46 <DIR> d-------- C:\Program Files\Ventrilo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-22 18:44 --------- d-----w C:\Program Files\SUPERAntiSpyware
2007-12-21 17:54 --------- d-----w C:\Documents and Settings\Randy\Application Data\LimeWire
2007-12-17 01:06 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-12-16 00:54 --------- d-----w C:\Documents and Settings\Randy\Application Data\Ventrilo
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-02 18:18 --------- d-----w C:\Program Files\DivX
2007-11-29 18:19 --------- d-----w C:\Documents and Settings\Randy\Application Data\Apple Computer
2007-11-27 20:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-25 15:46 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-18 22:43 --------- d-----w C:\Documents and Settings\Randy\Application Data\SUPERAntiSpyware.com
2007-11-18 22:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-08 22:20 --------- d-----w C:\Program Files\iTunes
2007-11-08 22:20 --------- d-----w C:\Program Files\iPod
2007-11-08 22:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-11-08 22:19 --------- d-----w C:\Program Files\QuickTime
2007-11-08 22:18 --------- d-----w C:\Program Files\Common Files\Apple
2007-11-08 22:18 --------- d-----w C:\Program Files\Apple Software Update
2007-10-29 16:01 --------- d-----w C:\Program Files\MSXML 4.0
2007-10-29 00:34 --------- d-----w C:\Documents and Settings\Randy\Application Data\Jasc
2007-10-28 17:24 --------- d-----w C:\Documents and Settings\Randy\Application Data\Ideazon
2007-10-27 23:31 --------- d-----w C:\Program Files\Common Files\HP
2007-10-27 23:30 --------- d-----w C:\Program Files\HP
2007-10-27 23:30 --------- d-----w C:\Program Files\Hewlett-Packard
2007-10-23 22:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 18:15]
"AsusStartupHelp"="C:\Program Files\ASUS\AASP\1.00.15\AsRunHelp.exe" [2006-11-14 01:25]
"CTHelper"="CTHELPER.EXE" [2006-08-17 10:32 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-17 10:32 C:\WINDOWS\system32\CTXFIHLP.EXE]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 00:00]
"NvCplDaemon"="RUNDLL32.exe" [2006-02-28 07:00 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2007-04-19 11:26 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2006-02-28 07:00 C:\WINDOWS\system32\rundll32.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 14:49]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 20:16]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 18:28:24]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 18:50:52]
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1997-07-10 23:00:00]
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1997-07-10 23:00:00]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2006-08-17 10:16]
S3 Alpham1;Ideazon Merc USB Human Interface Device;C:\WINDOWS\system32\DRIVERS\Alpham1.sys [2007-07-23 09:56]
S3 Alpham2;Ideazon Merc MM USB Human Interface Device;C:\WINDOWS\system32\DRIVERS\Alpham2.sys [2007-03-20 11:49]

.
Contents of the 'Scheduled Tasks' folder
"2007-11-08 22:18:40 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-22 15:09:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-22 15:10:03 - machine was rebooted
.
2007-12-21 17:48:19 --- E O F ---







0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users