Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Unknown Malware causing restart issues and other problems


  • Please log in to reply
11 replies to this topic

#1 seplo

seplo

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:03:15 AM

Posted 25 October 2012 - 06:25 PM

A problem is occurring with my notebook computer. Every restart now has the screen resolution starting by spanning outside the screen. The screen scrolls to get from 1 side to another. Altering the resolution no longer stays at the setting entered. Also, something is triggering an SVCHOST process that runs at very high cpu without starting anything.

Below are the logs listed in the prep document

Thanks in advance for any help you can provide

DDS (Ver_2012-10-19.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.7.2
Run by Becky at 16:43:46 on 2012-10-25
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.338 [GMT -4:00]
.
AV: Total Defense Anti-Virus Plus *Enabled/Updated* {6B98D35F-BB76-41C0-876B-A50645ED099A}
FW: Total Defense Personal Firewall *Enabled*
.
============== Running Processes ================
.
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus Plus\caamsvc.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus Plus\isafe.exe
C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\CA\SharedComponents\TMEngine\UmxEngine.exe
C:\WINDOWS\system32\mdmcls32.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\ccEvtMgr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\WSED\WSED.exe
C:\Program Files\Battery Meter\BTMeter.exe
C:\Program Files\CapsLKNotify\CapsLKNotify.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\CA\CA Internet Security Suite\casc.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uSearch Page = hxxp://www.live.com
uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Total Defense Anti-Phishing Toolbar Helper: {45011CF5-E4A9-4F13-9093-F30A784EB9B2} - c:\program files\ca\ca internet security suite\ca anti-phishing\toolbar\caIEToolbar.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - <orphaned>
TB: &Windows Live Toolbar: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Total Defense Anti-Phishing Toolbar: {0123B506-0AD9-43AA-B0CF-916C122AD4C5} - c:\program files\ca\ca internet security suite\ca anti-phishing\toolbar\caIEToolbar.dll
TB: &Windows Live Toolbar: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Total Defense Anti-Phishing Toolbar: {0123B506-0AD9-43AA-B0CF-916C122AD4C5} - c:\program files\ca\ca internet security suite\ca anti-phishing\toolbar\caIEToolbar.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [WSED] c:\program files\wsed\WSED.exe
mRun: [BTMeter] c:\program files\battery meter\BTMeter.exe
mRun: [CapsLKNotify] c:\program files\capslknotify\CapsLKNotify.exe
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [cctray] "c:\program files\ca\ca internet security suite\casc.exe"
mRun: [AVGIDS] "c:\program files\avg\avg8\identityprotection\agent\bin\AVGIDSUI.exe"
mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\displa~1.lnk - c:\program files\12noon display changer\dc.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Windows Search.lnk.disabled
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: c:\windows\system32\VetRedir.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1346367522937
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} - hxxp://zone.msn.com/bingame/zpagames/zpa_hrtz.cab99160.cab
DPF: {A4110378-789B-455F-AE86-3A1BFC402853} - hxxp://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
DPF: {B1647320-9EC8-4B0F-BF53-93D4A43FA614} - hxxps://mydesk-hq01.morganstanley.com/prx/000/http/rc.ms.com:8180/md/1.2/common/htdocs/SPX/2.3.0.10/TerminalSvcsTCS.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com//activex/ractrl.cab?lmi=928
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{91FB19ED-B3C0-4C90-85EB-BC86A4F35020} : DHCPNameServer = 192.168.1.1
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
Notify: LMIinit - LMIinit.dll
Notify: PFW - <no file>
SEH: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\becky\application data\mozilla\firefox\profiles\bfdluqbw.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
FF - plugin: c:\documents and settings\becky\local settings\application data\google\update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_4_402_287.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - ExtSQL: !HIDDEN! 2009-09-02 21:25; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.BabylonToolbar.autoRvrt - false
FF - user.js: extensions.BabylonToolbar_i.newTab - false
FF - user.js: extensions.BabylonToolbar.tlbrSrchUrl - hxxp://www.google.com/search?babsrc=TB_ggl&q=
FF - user.js: extensions.BabylonToolbar.id - b85c11ec00000000000000265e1b216f
FF - user.js: extensions.BabylonToolbar.instlDay - 15548
FF - user.js: extensions.BabylonToolbar.vrsn - 1.5.29.1
FF - user.js: extensions.BabylonToolbar.vrsni - 1.5.29.1
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.29.118:08:14
FF - user.js: extensions.BabylonToolbar.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar.tlbrId - tb9
FF - user.js: extensions.BabylonToolbar.instlRef - sst
FF - user.js: extensions.BabylonToolbar.dfltLng - en
FF - user.js: extensions.BabylonToolbar.excTlbr - false
FF - user.js: extensions.BabylonToolbar.admin - false
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=109935&tt=3012_7
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
.
============= SERVICES / DRIVERS ===============
.
R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [2009-8-19 14248]
R0 KmxAMRT;KmxAMRT;c:\windows\system32\drivers\KmxAMRT.sys [2011-10-27 170064]
R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [2011-9-6 123984]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [2011-10-26 83536]
R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [2011-9-6 63056]
R1 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [2011-4-24 116304]
R2 CAAMSvc;CAAMSvc;c:\program files\ca\ca internet security suite\ca anti-virus plus\CAAMSvc.exe [2010-11-28 210248]
R2 CAISafe;CAISafe;c:\program files\ca\ca internet security suite\ca anti-virus plus\isafe.exe [2010-11-28 224304]
R2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\ca\ca internet security suite\ccschedulersvc.exe [2010-11-28 207952]
R2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [2011-9-6 150608]
R2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [2011-9-6 81488]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [2011-3-8 12184]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2011-8-11 374184]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-7-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-8-28 47640]
R2 UmxEngine;TM Engine;c:\program files\ca\sharedcomponents\tmengine\UmxEngine.exe [2011-4-4 662096]
R2 WinExtManager;WinSock Extention Manager;c:\windows\system32\mdmcls32.exe [2010-11-28 3207184]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [2011-9-6 331344]
R3 OA012Afx;Provides a software interface to control audio effects of OA012 camera.;c:\windows\system32\drivers\OA012Afx.sys [2009-8-19 135168]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2009-8-19 162816]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-6-10 250808]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-8-19 1684736]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [2009-8-19 143840]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-10-4 115168]
S3 OA012Ufd;Creative Camera OA012 Upper Filter Driver;c:\windows\system32\drivers\OA012Ufd.sys [2009-8-19 133632]
S3 OA012Vid;Creative Camera OA012 Function Driver;c:\windows\system32\drivers\OA012Vid.sys [2009-8-19 272032]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
=============== Created Last 30 ================
.
2012-10-12 15:59:40 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-10-12 15:59:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-10-06 17:53:49 -------- d-----w- c:\documents and settings\becky\local settings\application data\Sun
2012-10-05 00:36:14 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-10-05 00:36:14 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-10-05 00:35:34 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-10-05 00:19:47 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-10-02 18:09:56 -------- d-----w- c:\program files\12noon Display Changer
.
==================== Find3M ====================
.
2012-10-12 20:16:58 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-12 20:16:58 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-05 00:35:01 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-08-28 15:14:53 916992 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:14:53 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-08-28 15:14:52 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07:15 385024 ----a-w- c:\windows\system32\html.iec
2012-08-24 18:42:25 1744912 ----a-w- c:\windows\system32\winsflt.dll
2012-08-24 13:53:22 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-08-21 13:52:42 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-08-21 13:05:53 2027520 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
============= FINISH: 16:46:22.78 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,191 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:15 AM

Posted 26 October 2012 - 09:07 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

The following resolusion changer starts every time you start you computer.
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\displa~1.lnk - c:\program files\12noon display changer\dc.exe
Did you installed this program recently?
It is the cause of you current problem?
Source: http://12noon.com/?page_id=80
===

The Hosts file was altered, so please for your added security install this one.

Download HostsXpert

Tutorial, go here:
http://i28.photobucket.com/albums/c227/tetonbob/emoticons/HostsXpert4.jpg
  • Unzip HostsXpert to it's own folder.
  • Run HostsXpert.exe
  • Click: Make Writable? in the upper left corner.
  • Click: Download
  • Click: MVPs Hosts
  • Click: Replace
  • Click: OK
  • Click: Make ReadOnly
  • Close HostsXpert.
*/*
I suggest that you update the new version of the Hosts file, every 6 weeks. I Do.

All you need to know about the hosts file.
http://www.mvps.org/winhelp2002/hosts.htm
===

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Close any open browsers, and all other programs working. Make sure you save your file if working on a document.
  • Do not install any other programs until this if fixed.[/b]
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some Rookit infection may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Third party programs if not up to date can be the cause of infiltration an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).

Please post the logs and let me know if the problem persists.

#3 seplo

seplo
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:03:15 AM

Posted 26 October 2012 - 02:37 PM

Hi Nasdaq,

I installed the resolution changer to deal with the problem at start up. Kind of a patch.

I executed all of the suggested steps and the logs are below.

As to the problem, there is no change that I can see

Combofix made me uninstall my anti-virus program (CA) so I am currently without one

Seplo


Combofix

ComboFix 12-10-26.05 - Becky 10/26/2012 14:51:31.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.591 [GMT -4:00]
Running from: c:\documents and settings\Becky\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\PCDr\6032\AddOnDownloaded\06004c97-c212-44da-81de-706b46554efe.dll
c:\documents and settings\All Users\Application Data\PCDr\6032\AddOnDownloaded\0d03215e-4c16-4ea7-b7d7-805a2556effc.dll
c:\documents and settings\All Users\Application Data\PCDr\6032\AddOnDownloaded\44ddba62-3b58-480f-a775-ae7e9dd9d5df.dll
c:\documents and settings\All Users\Application Data\PCDr\6032\AddOnDownloaded\684a43a7-04d5-4797-bc20-4db8a316286c.dll
c:\documents and settings\All Users\Application Data\PCDr\6032\AddOnDownloaded\c882e61c-ecc2-4db0-9a28-7cbe8bd4876b.dll
c:\documents and settings\All Users\Application Data\TEMP
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-09-26 to 2012-10-26 )))))))))))))))))))))))))))))))
.
.
2012-10-12 15:59 . 2012-09-07 21:04 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-10-12 15:59 . 2012-10-12 15:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-10-06 17:53 . 2012-10-06 17:53 -------- d-----w- c:\documents and settings\Becky\Local Settings\Application Data\Sun
2012-10-05 00:42 . 2012-10-05 00:42 -------- d-----w- c:\program files\Common Files\Adobe
2012-10-05 00:36 . 2012-10-05 00:36 -------- d-----w- c:\program files\Common Files\Java
2012-10-05 00:36 . 2012-10-05 00:35 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-10-05 00:36 . 2012-10-05 00:35 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-10-05 00:35 . 2012-10-05 00:35 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-10-05 00:19 . 2012-10-25 20:30 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-10-02 18:09 . 2012-10-02 18:09 -------- d-----w- c:\program files\12noon Display Changer
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-12 20:16 . 2012-06-10 15:09 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-12 20:16 . 2011-06-19 16:43 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-05 00:35 . 2009-08-19 23:16 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-08-28 15:14 . 2008-04-25 20:33 916992 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:14 . 2008-04-25 20:33 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-08-28 15:14 . 2008-04-25 20:33 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07 . 2008-04-25 20:33 385024 ----a-w- c:\windows\system32\html.iec
2012-08-24 13:53 . 2008-04-25 20:33 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-08-21 13:52 . 2008-04-25 20:33 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-08-21 13:05 . 2008-04-14 00:01 2027520 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-10-21 15:36 . 2012-10-21 15:36 261600 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-15 1434920]
"RTHDCPL"="RTHDCPL.EXE" [2009-03-15 17529856]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-15 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-15 166424]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-01-06 2289664]
"WSED"="c:\program files\WSED\WSED.exe" [2009-03-31 251176]
"BTMeter"="c:\program files\Battery Meter\BTMeter.exe" [2008-11-05 623912]
"CapsLKNotify"="c:\program files\CapsLKNotify\CapsLKNotify.exe" [2009-02-23 320808]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2011-10-07 1387288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
.
c:\documents and settings\Seplo\Start Menu\Programs\Startup\
Logitech . Product Registration.lnk - c:\program files\Common Files\LogiShrd\eReg\SetPoint\eReg.exe [2009-11-16 517384]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Display Changer 1024x600.lnk - c:\program files\12noon Display Changer\dc.exe [2011-12-27 146432]
Windows Search.lnk.disabled [2009-8-19 1789]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2011-09-27 19:03 66328 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2012-07-13 00:49 87456 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Google Update"="c:\documents and settings\Becky\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" -autorun
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"OA012Mon"=c:\windows\OA012Mon.exe
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"<NO NAME>"=
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
"Persistence"=c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiMalware]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell Video Chat\\DellVideoChat.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
.
R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [8/19/2009 7:18 PM 14248]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [3/8/2011 9:48 PM 12184]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [8/11/2011 8:19 PM 374184]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [7/24/2008 6:46 PM 12856]
R3 OA012Afx;Provides a software interface to control audio effects of OA012 camera.;c:\windows\system32\drivers\OA012Afx.sys [8/19/2009 9:57 PM 135168]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [8/19/2009 9:56 PM 162816]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [6/10/2012 11:09 AM 250808]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [8/19/2009 9:56 PM 1684736]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [8/19/2009 7:26 PM 143840]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [10/4/2012 8:19 PM 115168]
S3 OA012Ufd;Creative Camera OA012 Upper Filter Driver;c:\windows\system32\drivers\OA012Ufd.sys [8/19/2009 9:57 PM 133632]
S3 OA012Vid;Creative Camera OA012 Function Driver;c:\windows\system32\drivers\OA012Vid.sys [8/19/2009 9:57 PM 272032]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [8/28/2009 7:11 PM 721904]
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-26 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-10 20:17]
.
2012-10-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4104728692-2287296862-442821908-1006Core.job
- c:\documents and settings\Becky\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-16 00:43]
.
2012-10-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4104728692-2287296862-442821908-1006UA.job
- c:\documents and settings\Becky\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-16 00:43]
.
2012-10-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4104728692-2287296862-442821908-1007Core.job
- c:\documents and settings\Seplo\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-20 02:03]
.
2012-10-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4104728692-2287296862-442821908-1007UA.job
- c:\documents and settings\Seplo\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-20 02:03]
.
2012-08-23 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2012-08-23 05:33]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
TCP: DhcpNameServer = 192.168.1.1
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
FF - ProfilePath - c:\documents and settings\Becky\Application Data\Mozilla\Firefox\Profiles\bfdluqbw.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
FF - ExtSQL: !HIDDEN! 2009-09-02 21:25; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - user.js: extensions.BabylonToolbar.autoRvrt - false
FF - user.js: extensions.BabylonToolbar_i.newTab - false
FF - user.js: extensions.BabylonToolbar.tlbrSrchUrl - hxxp://www.google.com/search?babsrc=TB_ggl&q=
FF - user.js: extensions.BabylonToolbar.id - b85c11ec00000000000000265e1b216f
FF - user.js: extensions.BabylonToolbar.instlDay - 15548
FF - user.js: extensions.BabylonToolbar.vrsn - 1.5.29.1
FF - user.js: extensions.BabylonToolbar.vrsni - 1.5.29.1
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.29.118:08
FF - user.js: extensions.BabylonToolbar.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar.tlbrId - tb9
FF - user.js: extensions.BabylonToolbar.instlRef - sst
FF - user.js: extensions.BabylonToolbar.dfltLng - en
FF - user.js: extensions.BabylonToolbar.excTlbr - false
FF - user.js: extensions.BabylonToolbar.admin - false
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=109935&tt=3012_7
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-AVGIDS - c:\program files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe
Notify-PFW - (no file)
SafeBoot-mcmscsvc
SafeBoot-MCODS
AddRemove-DAEMON Tools Toolbar - c:\program files\DAEMON Tools Toolbar\uninst.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-10-26 15:01
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(844)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2012-10-26 15:03:48
ComboFix-quarantined-files.txt 2012-10-26 19:03
.
Pre-Run: 88,855,736,320 bytes free
Post-Run: 90,724,384,768 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - A8D104689B864D5925435787A4438B21



Security Check

Results of screen317's Security Check version 0.99.53
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
AVG Identity Protection
`````````Anti-malware/Other Utilities Check:`````````
Spybot - Search & Destroy
Malwarebytes Anti-Malware version 1.65.0.1400
Java™ 6 Update 17
Java 7 Update 7
Java version out of Date!
Adobe Flash Player 11.4.402.287
Adobe Reader X (10.1.4)
Mozilla Firefox (16.0.1)
````````Process Check: objlist.exe by Laurent````````
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 14% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````



AdwCleaner

# AdwCleaner v2.005 - Logfile created 10/26/2012 at 15:16:18
# Updated 14/10/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Becky - BECKYS_PC
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Becky\Desktop\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

Folder Found : C:\Documents and Settings\All Users\Application Data\InstallMate
Folder Found : C:\Documents and Settings\Becky\Local Settings\Application Data\Wajam
Folder Found : C:\Program Files\DAEMON Tools Toolbar

***** [Registry] *****

Key Found : HKCU\Software\Headlight
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\incredibar.com
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\incredibar.com
Key Found : HKCU\Software\Wajam
Key Found : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
Key Found : HKLM\SOFTWARE\Classes\AppID\{35C1605E-438B-4D64-AAB1-8885F097A9B1}
Key Found : HKLM\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
Key Found : HKLM\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}
Key Found : HKLM\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}
Key Found : HKLM\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
Key Found : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\escortApp.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\escortEng.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\esrv.EXE
Key Found : HKLM\SOFTWARE\Classes\b
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Wajam
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\3192AA38321C641458DBDAF83979D193
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\incredibar.com
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\incredibar.com
Key Found : HKU\S-1-5-21-4104728692-2287296862-442821908-1006\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls - Tabs] = hxxp://search.babylon.com/?affID=109935&tt=3012_7&babsrc=NT_ss&mntrId=b85c11ec00000000000000265e1b216f

-\\ Mozilla Firefox v16.0.1 (en-US)

Profile name : default
File : C:\Documents and Settings\Becky\Application Data\Mozilla\Firefox\Profiles\bfdluqbw.default\prefs.js

Found : user_pref("extensions.BabylonToolbar.admin", false);
Found : user_pref("extensions.BabylonToolbar.aflt", "babsst");
Found : user_pref("extensions.BabylonToolbar.autoRvrt", "false");
Found : user_pref("extensions.BabylonToolbar.dfltLng", "en");
Found : user_pref("extensions.BabylonToolbar.excTlbr", false);
Found : user_pref("extensions.BabylonToolbar.id", "b85c11ec00000000000000265e1b216f");
Found : user_pref("extensions.BabylonToolbar.instlDay", "15548");
Found : user_pref("extensions.BabylonToolbar.instlRef", "sst");
Found : user_pref("extensions.BabylonToolbar.prdct", "BabylonToolbar");
Found : user_pref("extensions.BabylonToolbar.prtnrId", "babylon");
Found : user_pref("extensions.BabylonToolbar.tlbrId", "tb9");
Found : user_pref("extensions.BabylonToolbar.tlbrSrchUrl", "hxxp://www.google.com/search?babsrc=TB_ggl&q=");
Found : user_pref("extensions.BabylonToolbar.vrsn", "1.5.29.1");
Found : user_pref("extensions.BabylonToolbar.vrsni", "1.5.29.1");
Found : user_pref("extensions.BabylonToolbar_i.babExt", "");
Found : user_pref("extensions.BabylonToolbar_i.babTrack", "affID=109935&tt=3012_7");
Found : user_pref("extensions.BabylonToolbar_i.newTab", false);
Found : user_pref("extensions.BabylonToolbar_i.smplGrp", "none");
Found : user_pref("extensions.BabylonToolbar_i.srcExt", "ss");
Found : user_pref("extensions.BabylonToolbar_i.vrsnTs", "1.5.29.118:08:14");

Profile name : default
File : C:\Documents and Settings\Seplo\Application Data\Mozilla\Firefox\Profiles\hvkglhaf.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v22.0.1229.94

File : C:\Documents and Settings\Becky\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

Found [l.12] : homepage = "hxxp://search.babylon.com/?affID=109935&tt=3012_7&babsrc=HP_ss&mntrId=b85c11ec00000000000000265e1b216f",
Found [l.1430] : homepage = "hxxp://search.babylon.com/?affID=109935&tt=3012_7&babsrc=HP_ss&mntrId=b85c11ec00000000000000265e1b216f",

File : C:\Documents and Settings\Seplo\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [5304 octets] - [26/10/2012 15:16:18]

########## EOF - C:\AdwCleaner[R1].txt - [5364 octets] ##########

#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,191 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:15 AM

Posted 27 October 2012 - 08:59 AM

Secure your system by updating 3rd party programs.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

Check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

If present remove the old version(s) of Java using the Add/Remove Programs applet.


Java™ 6 Update 17
Java 7 Update 7


===

Defrag you hard disk when you have some free time, it may take awhile.

===

Re install your security software.

====

On your screen resolution.
You may have seen these fixes i'm submitting them just in case it can help.

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/display_change_screen_resolution.mspx?mfr=true
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/display_multi_monitors_screen_resolution.mspx?mfr=true

Try the suggested fix.

Keep me posted.

#5 seplo

seplo
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:03:15 AM

Posted 27 October 2012 - 12:52 PM

Hi Nasdaq,

I followed the suggested steps including defrag and there is no appreciable improvement in performance. As to the resolution issue, the steps suggested have no affect on retaining settings on restart.

#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,191 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:15 AM

Posted 27 October 2012 - 01:34 PM

Presently I'm using Windows 7 but I still have an XP box that I can refer to.

What action do you take to reset your graphic resolution.
Do you make sure that you hit the apply button when you change it?

#7 seplo

seplo
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:03:15 AM

Posted 27 October 2012 - 03:17 PM

Is insulting me the best you can do?

#8 nasdaq

nasdaq

  • Malware Response Team
  • 39,191 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:15 AM

Posted 28 October 2012 - 07:06 AM

I'm asking a question, period.

#9 seplo

seplo
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:03:15 AM

Posted 28 October 2012 - 09:42 AM

The resolution is changed by right clicking the desktop to show the display menu... then sliding the setting the correct resolution and clicking apply.

12noon was installed to automate the process as the resolution always returns to spanning outside the screen on restart.

#10 nasdaq

nasdaq

  • Malware Response Team
  • 39,191 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:15 AM

Posted 28 October 2012 - 01:05 PM

If I right click on my control panel I also have 2 other options.

1 - Graphic Option > Graphic properties
Do you have that option and did you try to change the screen area?

The other is for Colors so may not be relevant.

===
Quoted from your fist post.
Also, something is triggering an SVCHOST process that runs at very high cpu without starting anything.

Download this Process Explorer tool.
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
RUN IT AND TRY to find the Process / file that is draining your CPU.
Instructions on the help file.
Process Explorer works on Windows 9x/Me, Windows NT 4.0, Windows 2000, Windows XP, Server 2003, and 64-bit versions of Windows for x64 processors, and Windows Vista.

Try to find out what process is taking that much CPU.

#11 seplo

seplo
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:03:15 AM

Posted 31 October 2012 - 06:31 PM

We're dealing with the aftermath of hurricane sandy ... I will get back to this as soon as I can.

TY

#12 nasdaq

nasdaq

  • Malware Response Team
  • 39,191 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:15 AM

Posted 06 November 2012 - 09:01 AM

I'm still around.

When ready please lets continue.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users