Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

May be complete clean, but?


  • This topic is locked This topic is locked
9 replies to this topic

#1 RangerRick

RangerRick

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:45 PM

Posted 12 February 2012 - 10:32 AM

I just got a hand me down computer last week and after much needed scanning and cleaning with various programs I think it is okay. But there are still some weird entries I see with Hijack that have me a little uneasy. So when someone has "free" time please take a look and let me know what you think. I have tried to fix a couple of entries that I know are not needed, nick toolbar crap and smart shopper but they keep coming back. Thanks for the help.


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:23:15 AM, on 2/12/2012
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Rick\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-9EB4-FE6FA694B13E} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - (no file)
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: SmartShopper - Compare product prices - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} - (no file)
O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file)
O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - AppInit_DLLs: AVGRSSTX.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlcx_device - - C:\Windows\system32\dlcxcoms.exe
O23 - Service: Google Update Service (gupdate1c966201eadff60) (gupdate1c966201eadff60) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: UMVPFSrv - Logitech Inc. - C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
O23 - Service: Wyyo Service - Unknown owner - C:\ProgramData\Wyyo\wyyo125.exe (file missing)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 4792 bytes
There are no stupid questions, only stupid results from unasked questions.

BC AdBot (Login to Remove)

 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,969 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:45 PM

Posted 17 February 2012 - 11:41 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

R3 - URLSearchHook: (no name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-9EB4-FE6FA694B13E} - (no file)
O2 - BHO: (no name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - (no file)
O9 - Extra button: SmartShopper - Compare product prices - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} - (no file)
O23 - Service: Wyyo Service - Unknown owner - C:\ProgramData\Wyyo\wyyo125.exe (file missing)


Click on Fix Checked when finished and exit HijackThis.

===

Please run Notepad and copy the following text into a new file:

sc config Wyyo Service start= disabled
sc stop Wyyo Service
sc delete Wyyo Service


Save the file to the desktop as remove.bat and make sure the "Save as type" field says "All files". Locate remove.bat on the Desktop and double-click on it to run it. A DOS box will open and close, that is normal.
If any errors errors encountered please post.
When done you can delete the remove.bat file.

p.s. On a Vista/Windows7 Operating System run the remove.bat file as Administrator.
===

Restart the computer normally.

===

Please download and run this DDS Scanning Tool. Nothing will be deleted. It will just give me some additional information about your system.

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
Please note: You may have to disable any script protection running if the scan fails to run.

Please just paste the contents of the DDS.txt log in your next post. DO NOT attach the log.

If needed.
The scan will also create this Attach.txt log I would also like to see the content.
Please post it in a other post for my review, do not attach the file.

Posted Image

===

Third party programs if not up to date can be the cause infiltration of an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please post the logs and let me know if you have any problems with this computer.

#3 RangerRick

RangerRick
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:45 PM

Posted 17 February 2012 - 07:48 PM

Thanks for helping nasdaq. Still run fairly slow and as you can see the smartshopper add-on will not go away. I thought it was fixed when I ran HJT in safemode, but I guess not. Here are the docs you requested. I seen the major issues using Event Viewer after I posted my request for help and knew I this computer is not healthy.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.6002.18005
Run by Rick at 19:18:02 on 2012-02-17
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.958.246 [GMT -5:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
AV: AVG Anti-Virus Free *Disabled/Updated* {0C939084-9E57-CBDB-EA61-0B0C7F62AF82}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: AVG Anti-Virus Free *Disabled/Updated* {B7F27160-B86D-C455-D0D1-307E04E5E53F}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Windows\system32\dlcxcoms.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\TeamViewer\Version7\TeamViewer.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\TeamViewer\Version7\tv_w32.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\taskeng.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mDefault_Page_URL = hxxp://www.google.com
mSearchAssistant =
mURLSearchHooks: H - No File
BHO: AutorunsDisabled - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
mRun: [<NO NAME>]
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {53F6FCCD-9E22-4d71-86EA-6E43136192AB}
IE: {925DAB62-F9AC-4221-806A-057BFB1014AA}
IE: {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} - {2260D608-C844-435d-90FD-DC16CFA577F2}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{CCE59B87-17A2-4A57-A437-D298CF3EB1A0} : DhcpNameServer = 192.168.0.1
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\rick\appdata\roaming\mozilla\firefox\profiles\sfbp2hre.default\
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-2-12 435032]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2012-2-12 314456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2012-2-12 20568]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-2-12 55128]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2012-2-12 44768]
R2 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service --> c:\windows\system32\dlcxcoms.exe -service [?]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-17 21504]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2012-2-10 1153368]
R2 TeamViewer7;TeamViewer 7;c:\program files\teamviewer\version7\TeamViewer_Service.exe [2012-2-16 3027840]
R2 UMVPFSrv;UMVPFSrv;c:\program files\common files\logishrd\lvmvfm\UMVPFSrv.exe [2011-4-1 428640]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2008-9-17 16896]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate1c966201eadff60;Google Update Service (gupdate1c966201eadff60);c:\program files\google\update\GoogleUpdate.exe [2008-12-24 133104]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2008-12-24 133104]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-5-27 908056]
S4 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-5-27 297752]
S4 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-27 335240]
S4 AvgMfx86;AVG Minifilter x86 Resident Driver;c:\windows\system32\drivers\avgmfx86.sys [2007-3-27 27784]
S4 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-2-4 108552]
S4 Wyyo Service;Wyyo Service;"c:\programdata\wyyo\wyyo125.exe" "c:\program files\wyyo\wyyo.dll" service --> c:\programdata\wyyo\wyyo125.exe [?]
.
=============== Created Last 30 ================
.
2012-02-18 00:15:07 6557240 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{343f4818-6ece-4802-afcd-1a91670aefbe}\mpengine.dll
2012-02-17 13:56:46 -------- d-----w- c:\users\rick\appdata\local\Mozilla
2012-02-17 03:19:25 -------- d-----w- c:\program files\TeamViewer
2012-02-14 02:03:34 -------- d-----w- c:\users\rick\appdata\roaming\OpenOffice.org
2012-02-14 01:36:36 -------- d-----w- c:\program files\OpenOffice.org 3
2012-02-14 01:33:19 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-12 16:31:03 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-02-12 16:31:01 55128 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-02-12 16:30:05 41184 ----a-w- c:\windows\avastSS.scr
2012-02-12 16:29:16 -------- d-----w- c:\programdata\AVAST Software
2012-02-12 16:29:15 -------- d-----w- c:\program files\AVAST Software
2012-02-12 01:36:35 -------- d-----w- c:\users\rick\appdata\local\Apple
2012-02-12 00:41:06 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-02-12 00:41:05 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-02-12 00:41:04 293376 ----a-w- c:\windows\system32\psisdecd.dll
2012-02-12 00:41:03 69632 ----a-w- c:\windows\system32\Mpeg2Data.ax
2012-02-12 00:41:03 57856 ----a-w- c:\windows\system32\MSDvbNP.ax
2012-02-12 00:41:03 217088 ----a-w- c:\windows\system32\psisrndr.ax
2012-02-12 00:41:02 23552 ----a-w- c:\windows\system32\mciseq.dll
2012-02-12 00:41:02 189952 ----a-w- c:\windows\system32\winmm.dll
2012-02-12 00:41:00 1205064 ----a-w- c:\windows\system32\ntdll.dll
2012-02-12 00:40:58 429056 ----a-w- c:\windows\system32\EncDec.dll
2012-02-12 00:40:57 66560 ----a-w- c:\windows\system32\packager.dll
2012-02-12 00:40:22 376320 ----a-w- c:\windows\system32\winsrv.dll
2012-02-12 00:40:11 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-02-12 00:39:21 49152 ----a-w- c:\windows\system32\csrsrv.dll
2012-02-12 00:39:12 1314816 ----a-w- c:\windows\system32\quartz.dll
2012-02-12 00:39:11 497152 ----a-w- c:\windows\system32\qdvd.dll
2012-02-12 00:39:05 440192 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-02-12 00:39:05 278528 ----a-w- c:\windows\system32\schannel.dll
2012-02-12 00:39:03 377344 ----a-w- c:\windows\system32\winhttp.dll
2012-02-12 00:39:03 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2012-02-12 00:39:02 9728 ----a-w- c:\windows\system32\lsass.exe
2012-02-12 00:39:02 72704 ----a-w- c:\windows\system32\secur32.dll
2012-02-12 00:38:49 2048 ----a-w- c:\windows\system32\tzres.dll
2012-02-12 00:37:59 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2012-02-12 00:37:59 238080 ----a-w- c:\windows\system32\oleacc.dll
2012-02-12 00:37:58 563712 ----a-w- c:\windows\system32\oleaut32.dll
2012-02-12 00:37:57 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2012-02-12 00:36:28 707584 ----a-w- c:\program files\common files\system\wab32.dll
2012-02-10 20:23:13 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-02-10 20:23:13 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-02-07 21:06:46 -------- d-----w- c:\programdata\AVG Security Toolbar
2012-02-07 21:00:14 -------- d-----w- c:\users\rick\appdata\local\VirtualStore
2012-02-07 20:51:27 336 ----a-w- c:\program files\temp995.bat
2012-02-07 18:06:09 -------- d-----w- c:\windows\pss
.
==================== Find3M ====================
.
2012-01-29 10:10:42 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-12 19:52:56 2044416 ----a-w- c:\windows\system32\win32k.sys
2011-12-16 15:59:20 834048 ----a-w- c:\windows\system32\wininet.dll
2011-12-16 14:11:42 389632 ----a-w- c:\windows\system32\html.iec
2011-12-16 13:46:35 1383424 ----a-w- c:\windows\system32\mshtml.tlb
2011-12-14 16:17:47 680448 ----a-w- c:\windows\system32\msvcrt.dll
.
============= FINISH: 19:19:32.99 ===============



attached.txt

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume3
Install Date: 3/19/2007 6:26:55 AM
System Uptime: 2/17/2012 6:59:22 PM (1 hours ago)
.
Motherboard: Dell Inc | | 0CT103
Processor: AMD Athlon™ 64 Processor 3200+ | Socket M2 | 2000/1000mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 139 GiB total, 94.894 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 5.99 GiB free.
F: is Removable
G: is Removable
H: is Removable
I: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft 6to4 Adapter
Device ID: ROOT\*6TO4MP\0001
Manufacturer: Microsoft
Name: Microsoft 6to4 Adapter #2
PNP Device ID: ROOT\*6TO4MP\0001
Service: tunnel
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft 6to4 Adapter
Device ID: ROOT\*6TO4MP\0003
Manufacturer: Microsoft
Name: Microsoft 6to4 Adapter #3
PNP Device ID: ROOT\*6TO4MP\0003
Service: tunnel
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft 6to4 Adapter
Device ID: ROOT\*6TO4MP\0005
Manufacturer: Microsoft
Name: Microsoft 6to4 Adapter #5
PNP Device ID: ROOT\*6TO4MP\0005
Service: tunnel
.
Class GUID: {4d36e96d-e325-11ce-bfc1-08002be10318}
Description: Conexant D850 PCI V.92 Modem
Device ID: PCI\VEN_14F1&DEV_2F20&SUBSYS_200F14F1&REV_00\4&DC268A3&0&4880
Manufacturer: Conexant
Name: Conexant D850 PCI V.92 Modem
PNP Device ID: PCI\VEN_14F1&DEV_2F20&SUBSYS_200F14F1&REV_00\4&DC268A3&0&4880
Service: Modem
.
==== System Restore Points ===================
.
RP2033: 2/8/2012 12:07:09 PM - Removed EarthLink Setup Files
RP2034: 2/11/2012 7:35:04 PM - Windows Update
RP2035: 2/11/2012 7:53:21 PM - Windows Update
RP2036: 2/12/2012 11:28:41 AM - avast! Free Antivirus Setup
RP2037: 2/13/2012 8:29:38 PM - Installed Java™ 6 Update 22
RP2038: 2/13/2012 8:35:03 PM - Installed OpenOffice.org 3.3
RP2039: 2/14/2012 7:36:50 AM - Windows Update
RP2040: 2/14/2012 8:04:41 AM - Installed Java™ 6 Update 30
RP2041: 2/14/2012 9:21:35 PM - Scheduled Checkpoint
RP2042: 2/15/2012 7:41:17 AM - Windows Update
RP2043: 2/15/2012 11:33:14 PM - Scheduled Checkpoint
RP2044: 2/17/2012 7:31:26 AM - Removed AOL Install
RP2045: 2/17/2012 7:06:04 PM - Windows Update
.
==== Installed Programs ======================
.
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9.4.5
Adobe Shockwave Player
Apple Application Support
Apple Mobile Device Support
Apple Software Update
avast! Free Antivirus
Bonjour
CCleaner
Conexant D850 PCI V.92 Modem
Corel Paint Shop Pro Photo XI
Dell System Customization Wizard
Digital Line Detect
Documentation & Support Launcher
Games, Music, & Photos Launcher
Google Chrome
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Internet Service Offers Launcher
Java Auto Updater
Java™ 6 Update 30
Java™ SE Runtime Environment 6
Logitech Vid HD
LWS Twitter
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Office Word Viewer 2003
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works
Modem Diagnostic Tool
Mozilla Firefox 10.0.2 (x86 en-US)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NetWaiting
NVIDIA Drivers
OpenOffice.org 3.3
QuickTime
Roxio Central
Roxio Creator Audio
Roxio Creator BDAV Plugin
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Drag-to-Disc
Roxio Express Labeler
Roxio MyDVD DE
Roxio Update Manager
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
SigmaTel Audio
Sonic Activation Module
Spybot - Search & Destroy
TeamViewer 7
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
.
==== Event Viewer Messages From Past Week ========
.
2/17/2012 7:26:03 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the IPBusEnum service.
2/17/2012 7:00:36 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: cdrom
2/15/2012 7:38:36 AM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {C97FCC79-E628-407D-AE68-A06AD6D8B4D1} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
2/14/2012 11:24:00 PM, Error: Service Control Manager [7001] - The PnP-X IP Bus Enumerator service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
2/14/2012 11:23:10 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
2/14/2012 11:23:05 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
2/14/2012 11:23:04 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD aswRdr aswSnx aswSP aswTdi AvgLdx86 AvgMfx86 AvgTdiX cdrom DfsC NetBIOS netbt nsiproxy PSched RasAcd rdbss Smb spldr tdx Wanarpv6
2/14/2012 11:23:04 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
2/14/2012 11:23:04 PM, Error: Service Control Manager [7001] - The WebDav Client Redirector Driver service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
2/14/2012 11:23:04 PM, Error: Service Control Manager [7001] - The WebClient service depends on the WebDav Client Redirector Driver service which failed to start because of the following error: The dependency service or group failed to start.
2/14/2012 11:23:04 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
2/14/2012 11:23:04 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
2/14/2012 11:23:04 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
2/14/2012 11:23:04 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
2/14/2012 11:23:04 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service service which failed to start because of the following error: A device attached to the system is not functioning.
2/14/2012 11:23:04 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
2/14/2012 11:23:04 PM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
2/14/2012 11:23:04 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
2/14/2012 11:23:04 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
2/14/2012 11:23:04 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
2/14/2012 11:23:04 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
2/14/2012 11:23:03 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
2/14/2012 11:22:26 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
2/14/2012 11:22:26 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
2/14/2012 11:22:26 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
2/14/2012 11:22:25 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
2/14/2012 11:22:19 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
2/13/2012 8:19:36 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service.
2/13/2012 11:05:50 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.
2/12/2012 5:06:06 PM, Error: Service Control Manager [7024] - The AVG8 WatchDog service terminated with service-specific error 3758161981 (0xE001003D).
2/12/2012 5:06:06 PM, Error: Service Control Manager [7001] - The AVG8 E-mail Scanner service depends on the AVG8 WatchDog service which failed to start because of the following error: The service has returned a service-specific error code.
2/11/2012 8:46:11 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 AvgTdiX DfsC NetBIOS netbt nsiproxy PSched RasAcd rdbss Smb spldr tdx Wanarpv6
2/11/2012 11:40:57 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
2/10/2012 9:12:39 AM, Error: Microsoft-Windows-Kernel-General [5] - {Registry Hive Recovered} Registry hive (file): '\??\C:\Users\Rick\AppData\Local\Microsoft\Windows\UsrClass.dat' was corrupted and it has been recovered. Some data might have been lost.
2/10/2012 3:28:55 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 172.22.12.64 for the Network Card with network address 00188B86FE67 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
2/10/2012 3:22:43 PM, Error: EventLog [6008] - The previous system shutdown at 11:13:42 AM on 2/10/2012 was unexpected.
.
==== End Of File ===========================



Results of screen317's Security Check version 0.99.31
Windows Vista Service Pack 2 x86 (UAC is enabled)
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
avast! Free Antivirus
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

MVPS Hosts File
Spybot - Search & Destroy
CCleaner
Java™ 6 Update 30
Java™ SE Runtime Environment 6
Adobe Reader 9 Adobe Reader out of date!
Mozilla Firefox (10.0.2)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Spybot Teatimer.exe is disabled!
AVAST Software Avast AvastSvc.exe
AVAST Software Avast AvastUI.exe
``````````End of Log````````````




Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:40:52 PM, on 2/17/2012
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\TeamViewer\Version7\TeamViewer.exe
C:\Users\Rick\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: (no name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O9 - Extra button: SmartShopper - Compare product prices - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} - (no file)
O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file)
O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlcx_device - - C:\Windows\system32\dlcxcoms.exe
O23 - Service: Google Update Service (gupdate1c966201eadff60) (gupdate1c966201eadff60) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: TeamViewer 7 (TeamViewer7) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe
O23 - Service: UMVPFSrv - Logitech Inc. - C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe

--
End of file - 4052 bytes

RangerRick
There are no stupid questions, only stupid results from unasked questions.

#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,969 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:45 PM

Posted 18 February 2012 - 09:52 AM

Open Notepad copy and paste the below, "Save As" remove.reg
In the "Save as type" select: All files

REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{53F6FCCD-9E22-4d71-86EA-6E43136192AB}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{925DAB62-F9AC-4221-806A-057BFB1014AA}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]


Locate remove.reg right-click and select: Merge (ok the prompt)
On a Vista computer Right click and run as an Administrator.
===

Restart the computer normally.
===

Remove this old version of Java™ SE Runtime Environment 6 using the Add/Remove Programs list.
===

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before your download I suggest you unckeck the box on the top right "Include in your download" this is not required. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed remove your old version of the Reader using the Add/Remove Programs applet if present.
===

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this if fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse click ComboFix's window while it's running. That may cause it to stall


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

#5 RangerRick

RangerRick
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:45 PM

Posted 18 February 2012 - 08:08 PM

It took a long time as you can see by the log file. Reminds me of my old Win 3.1 computers in speed and movement of the hard drive. Thanks again for the help which if I read the log file correctly is not over.

ComboFix 12-02-17.02 - Rick 02/18/2012 19:35:26.1.1 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.958.335 [GMT -5:00]
Running from: c:\users\Rick\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
AV: AVG Anti-Virus Free *Disabled/Updated* {0C939084-9E57-CBDB-EA61-0B0C7F62AF82}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: AVG Anti-Virus Free *Disabled/Updated* {B7F27160-B86D-C455-D0D1-307E04E5E53F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\SPL1035.tmp
c:\programdata\SPL14B.tmp
c:\programdata\SPL15E2.tmp
c:\programdata\SPL1837.tmp
c:\programdata\SPL1913.tmp
c:\programdata\SPL1C64.tmp
c:\programdata\SPL1F56.tmp
c:\programdata\SPL25A7.tmp
c:\programdata\SPL2897.tmp
c:\programdata\SPL2C77.tmp
c:\programdata\SPL2F0D.tmp
c:\programdata\SPL305F.tmp
c:\programdata\SPL313C.tmp
c:\programdata\SPL3909.tmp
c:\programdata\SPL3C1E.tmp
c:\programdata\SPL419D.tmp
c:\programdata\SPL47C4.tmp
c:\programdata\SPL4819.tmp
c:\programdata\SPL485B.tmp
c:\programdata\SPL4970.tmp
c:\programdata\SPL4BC0.tmp
c:\programdata\SPL4CF0.tmp
c:\programdata\SPL5186.tmp
c:\programdata\SPL545.tmp
c:\programdata\SPL6002.tmp
c:\programdata\SPL6037.tmp
c:\programdata\SPL6456.tmp
c:\programdata\SPL6E0F.tmp
c:\programdata\SPL758F.tmp
c:\programdata\SPL7A65.tmp
c:\programdata\SPL7C7D.tmp
c:\programdata\SPL7D11.tmp
c:\programdata\SPL8048.tmp
c:\programdata\SPL82.tmp
c:\programdata\SPL89A5.tmp
c:\programdata\SPL89D5.tmp
c:\programdata\SPL8A1B.tmp
c:\programdata\SPL8F7.tmp
c:\programdata\SPL901F.tmp
c:\programdata\SPL9B79.tmp
c:\programdata\SPL9F23.tmp
c:\programdata\SPL9FFF.tmp
c:\programdata\SPLA48C.tmp
c:\programdata\SPLBB63.tmp
c:\programdata\SPLC40A.tmp
c:\programdata\SPLD045.tmp
c:\programdata\SPLD210.tmp
c:\programdata\SPLDA9B.tmp
c:\programdata\SPLDDD2.tmp
c:\programdata\SPLDF04.tmp
c:\programdata\SPLE2D1.tmp
c:\programdata\SPLE4BD.tmp
c:\programdata\SPLEA21.tmp
c:\programdata\SPLEFD2.tmp
c:\programdata\SPLF9AF.tmp
c:\programdata\SPLFBD.tmp
c:\programdata\SPLFD0E.tmp
c:\programdata\SPLFE7C.tmp
.
Infected copy of c:\windows\system32\user32.dll was found and disinfected
Restored copy from - c:\combofix\HarddiskVolumeShadowCopy9_!Windows!System32!user32.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_Wyyo_Service
-------\Service_Wyyo Service
.
.
((((((((((((((((((((((((( Files Created from 2012-01-19 to 2012-02-19 )))))))))))))))))))))))))))))))
.
.
2012-02-19 00:45 . 2012-02-19 00:45 -------- d-----w- c:\users\Guest\AppData\Local\temp
2012-02-19 00:45 . 2012-02-19 00:45 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-19 00:15 . 2012-02-19 00:15 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-19 00:06 . 2012-02-19 00:07 -------- d-----w- c:\program files\Common Files\Adobe
2012-02-18 00:15 . 2012-01-17 09:39 6557240 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{343F4818-6ECE-4802-AFCD-1A91670AEFBE}\mpengine.dll
2012-02-17 03:19 . 2012-02-17 03:19 -------- d-----w- c:\program files\TeamViewer
2012-02-14 01:36 . 2012-02-14 01:37 -------- d-----w- c:\program files\OpenOffice.org 3
2012-02-14 01:33 . 2011-11-10 10:54 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-12 16:31 . 2011-11-28 17:53 314456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-02-12 16:31 . 2011-11-28 17:51 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-02-12 16:31 . 2011-11-28 17:53 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-02-12 16:31 . 2011-11-28 17:52 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-02-12 16:31 . 2011-11-28 17:52 52952 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-02-12 16:31 . 2011-11-28 17:52 55128 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-02-12 16:30 . 2011-11-28 18:01 41184 ----a-w- c:\windows\avastSS.scr
2012-02-12 16:30 . 2011-11-28 18:01 199816 ----a-w- c:\windows\system32\aswBoot.exe
2012-02-12 16:29 . 2012-02-12 16:29 -------- d-----w- c:\programdata\AVAST Software
2012-02-12 16:29 . 2012-02-12 16:29 -------- d-----w- c:\program files\AVAST Software
2012-02-12 00:41 . 2011-10-27 08:01 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-02-12 00:41 . 2011-10-27 08:01 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-02-12 00:41 . 2011-07-29 16:01 293376 ----a-w- c:\windows\system32\psisdecd.dll
2012-02-12 00:41 . 2011-07-29 16:01 217088 ----a-w- c:\windows\system32\psisrndr.ax
2012-02-12 00:41 . 2011-07-29 16:00 57856 ----a-w- c:\windows\system32\MSDvbNP.ax
2012-02-12 00:41 . 2011-07-29 16:00 69632 ----a-w- c:\windows\system32\Mpeg2Data.ax
2012-02-12 00:41 . 2011-10-14 16:03 189952 ----a-w- c:\windows\system32\winmm.dll
2012-02-12 00:41 . 2011-10-14 16:00 23552 ----a-w- c:\windows\system32\mciseq.dll
2012-02-12 00:41 . 2011-11-18 20:23 1205064 ----a-w- c:\windows\system32\ntdll.dll
2012-02-12 00:40 . 2011-10-14 16:02 429056 ----a-w- c:\windows\system32\EncDec.dll
2012-02-12 00:40 . 2011-11-18 17:47 66560 ----a-w- c:\windows\system32\packager.dll
2012-02-12 00:40 . 2011-11-25 15:59 376320 ----a-w- c:\windows\system32\winsrv.dll
2012-02-12 00:40 . 2011-09-20 21:02 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-02-12 00:39 . 2011-10-25 15:56 49152 ----a-w- c:\windows\system32\csrsrv.dll
2012-02-12 00:39 . 2011-10-25 15:58 1314816 ----a-w- c:\windows\system32\quartz.dll
2012-02-12 00:39 . 2011-10-25 15:58 497152 ----a-w- c:\windows\system32\qdvd.dll
2012-02-12 00:39 . 2011-11-17 06:48 440192 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-02-12 00:39 . 2011-11-16 16:23 278528 ----a-w- c:\windows\system32\schannel.dll
2012-02-12 00:39 . 2011-11-16 16:23 377344 ----a-w- c:\windows\system32\winhttp.dll
2012-02-12 00:39 . 2011-11-16 16:21 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2012-02-12 00:39 . 2011-11-16 16:23 72704 ----a-w- c:\windows\system32\secur32.dll
2012-02-12 00:39 . 2011-11-16 14:12 9728 ----a-w- c:\windows\system32\lsass.exe
2012-02-12 00:38 . 2011-11-08 14:42 2048 ----a-w- c:\windows\system32\tzres.dll
2012-02-12 00:37 . 2011-08-25 16:15 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2012-02-12 00:37 . 2011-08-25 16:14 238080 ----a-w- c:\windows\system32\oleacc.dll
2012-02-12 00:37 . 2011-08-25 16:14 563712 ----a-w- c:\windows\system32\oleaut32.dll
2012-02-12 00:37 . 2011-08-25 13:31 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2012-02-12 00:36 . 2011-09-30 15:57 707584 ----a-w- c:\program files\Common Files\System\wab32.dll
2012-02-10 20:23 . 2012-02-15 12:32 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-02-10 20:23 . 2012-02-14 13:14 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-02-07 21:06 . 2012-02-07 21:06 -------- d-----w- c:\programdata\AVG Security Toolbar
2012-02-07 20:59 . 2012-02-07 21:00 -------- d-----w- c:\users\Rick
2012-02-07 20:51 . 2012-02-07 20:51 336 ----a-w- c:\program files\temp995.bat
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-29 10:10 . 2009-10-03 03:57 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-02-16 14:40 . 2012-02-17 12:36 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-11-28 18:01 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-11-28 3744552]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 13:10 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLCXCATS]
2006-10-16 05:31 106496 ----a-w- c:\windows\System32\spool\drivers\w32x86\3\dlcxtime.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
2006-11-17 21:19 17920 ----a-w- c:\dell\E-Center\EULALauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2006-10-03 16:37 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Vid]
2010-10-29 20:06 5915480 ----a-w- c:\program files\Logitech\Vid HD\Vid.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-12-08 04:25 7766016 ----a-w- c:\windows\System32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2006-12-08 04:25 81920 ----a-w- c:\windows\System32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvSvc]
2006-12-08 04:25 90191 ----a-w- c:\windows\System32\nvsvc.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 21:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-11 06:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2007-02-08 05:16 303104 ----a-w- c:\windows\sttray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile-based device management]
2006-11-02 09:45 215552 ----a-w- c:\windows\WindowsMobile\wmdSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-24 07:04]
.
2012-02-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-24 07:04]
.
2011-01-05 c:\windows\Tasks\User_Feed_Synchronization-{1E45C606-1332-4C40-ACF6-62AAC9D70E87}.job
- c:\windows\system32\msfeedssync.exe [2008-09-18 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\Rick\AppData\Roaming\Mozilla\Firefox\Profiles\sfbp2hre.default\
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
MSConfigStartUp-AppleSyncNotifier - c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
MSConfigStartUp-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
MSConfigStartUp-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
MSConfigStartUp-Google Desktop Search - c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
MSConfigStartUp-LWS - c:\program files\Logitech\LWS\Webcam Software\LWS.exe
MSConfigStartUp-My Web Search Bar Search Scope Monitor - c:\progra~1\MYWEBS~1\bar\2.bin\m3SrchMn.exe
MSConfigStartUp-MyWebSearch Email Plugin - c:\progra~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
MSConfigStartUp-SAClient - e:\bbclient\programs\QICSetup.exe
MSConfigStartUp-Skype - c:\program files\Skype\Phone\Skype.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
AddRemove-{3F92ABBB-6BBF-11D5-B229-002078017FBF} - c:\program files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe
AddRemove-{E646DCF0-5A68-11D5-B229-002078017FBF} - c:\program files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\Setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-18 19:49
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\dlcxcoms.exe
c:\program files\TeamViewer\Version7\TeamViewer_Service.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Spybot - Search & Destroy\SDWinSec.exe
c:\program files\TeamViewer\Version7\TeamViewer.exe
c:\program files\TeamViewer\Version7\tv_w32.exe
.
**************************************************************************
.
Completion time: 2012-02-18 19:56:17 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-19 00:55
.
Pre-Run: 99,521,642,496 bytes free
Post-Run: 99,295,682,560 bytes free
.
- - End Of File - - 6D1242B84AAF87DA6FA94FB0332468ED
There are no stupid questions, only stupid results from unasked questions.

#6 nasdaq

nasdaq

  • Malware Response Team
  • 38,969 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:45 PM

Posted 19 February 2012 - 09:43 AM

It's looking good.

What issues remains?

#7 RangerRick

RangerRick
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:45 PM

Posted 19 February 2012 - 11:56 AM

I misread the registry details from ComboFix and somehow thought that I still had some issues. Still somewhat slow, but is likely due to lack of memory, vista and settings which I will have to tweak with. Thanks again for all your help. Still the only site that I fully trust to help with my computer issues.
There are no stupid questions, only stupid results from unasked questions.

#8 nasdaq

nasdaq

  • Malware Response Team
  • 38,969 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:45 PM

Posted 19 February 2012 - 02:23 PM

Have a look at these articles from Microsoft.

How to troubleshoot a problem by performing a clean boot in Windows Vista
http://support.microsoft.com/?kbid=929135&SD=tech
*/*

Optimize Windows Vista for better performance
http://windowshelp.microsoft.com/Windows/en-US/help/83EC0FFE-EE04-4D53-8B87-25D1F05C954E1033.mspx
*/*

Get maximum performance from Windows Vista
http://windowshelp.microsoft.com/windows/en-us/Help/596FB57F-CC9D-4AC5-A813-5C0830E9156A1033.mspx
*/*

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall
===

Delete the other tools we used.

#9 RangerRick

RangerRick
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:45 PM

Posted 20 February 2012 - 10:37 AM

I had most of those tips in play, but did see many more than I did not know about. Thanks again nasdaq.
There are no stupid questions, only stupid results from unasked questions.

#10 nasdaq

nasdaq

  • Malware Response Team
  • 38,969 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:45 PM

Posted 26 February 2012 - 09:42 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users