dag_182

Slow Computer with pop-ups, automatic shutdowns


Here again with another problem...

Sometimes I get pop-ups when I have Firefox open, and there's a bunch of processes that don't seem very familiar in Task Manager.

When I run an Ad-Aware scan, I get an automatic shutdown message that says:

 

"This system is shutting down. Please save all

work in progress and log off. Any unsaved

changes will be lost. This shutdown was

initiated by NT AUTHORITY\SYSTEM

 

Time before shutdown: 00:00:00

 

Message

Windows must now restart because the

DCOM Server Process Launcher service

terminated unexpectedly"

 

And I stop it from shutting down with the "shutdown -a" command, but at the end of the Ad-Aware scan only cookies come up, and on the next scan the same thing happens! And Avira antivirus doesn't seem to pick up anything either. Please help!

 

Here's the HijackThis log:

 

 

Logfile of HijackThis v1.99.1

Scan saved at 3:22:17 PM, on 2/14/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\WINDOWS\system32\DVDRAMSV.exe

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

c:\program files\mcafee.com\agent\mcdetect.exe

c:\PROGRA~1\mcafee.com\agent\mctskshd.exe

C:\Program Files\Microsoft LifeCam\MSCamS32.exe

C:\WINDOWS\system32\PSIService.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe

c:\TOSHIBA\IVP\swupdate\swupdtmr.exe

C:\WINDOWS\system32\Tablet.exe

C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

C:\WINDOWS\system32\Tablet.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe

C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe

C:\Program Files\Toshiba\Tvs\TvsTray.exe

C:\Program Files\ltmoh\Ltmoh.exe

C:\WINDOWS\AGRSMMSG.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe

C:\WINDOWS\system32\TPSMain.exe

C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\McAfee.com\VSO\mcvsshld.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe

C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

c:\program files\mcafee.com\agent\mcagent.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe

C:\Program Files\Synaptics\SynTP\Toshiba.exe

C:\WINDOWS\system32\TPSBattM.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

C:\Program Files\CursorXP\CursorXP.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Metamail Inc\Metamail Tray\Metamail Trust Manager.exe

C:\PROGRA~1\METAMA~1\METAMA~1\METAMA~2.EXE

C:\WINDOWS\system32\RAMASST.exe

C:\Program Files\OpenOffice.org 3\program\soffice.exe

C:\Program Files\OpenOffice.org 3\program\soffice.bin

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\Program Files\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7070

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: (no name) - {3C5D284B-AA33-4A65-9DBE-03BA2DB972F7} - (no file)

O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {6EC17EDB-400A-42BB-A634-901E3D05D8FD} - (no file)

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: (no name) - {80A1D712-350F-40D1-8A75-301189E271BA} - C:\WINDOWS\system32\iifcDTnK.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: (no name) - {D53E9B4D-0319-404C-8393-B6347A0D6186} - (no file)

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe

O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe

O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe

O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [TFncKy] TFncKy.exe

O4 - HKLM\..\Run: [TPSMain] TPSMain.exe

O4 - HKLM\..\Run: [smoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [intelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

O4 - HKLM\..\Run: [intelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe

O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe

O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient

O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe

O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

O4 - HKLM\..\Run: [TalkAndWrite] C:\Documents and Settings\All Users\Application Data\Skype\Plugins\Plugins\1163D2B46CC742E5A3CC9E4157887751\TalkAndWrite.exe /run

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart

O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [cogad] "C:\Documents and Settings\Owner\Application Data\cogad\cogad.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139

O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Metamail Trust Manager.lnk = C:\Program Files\Metamail Inc\Metamail Tray\Metamail Trust Manager.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office XP\Office10\OSA.EXE

O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI01DA~1\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll

O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab

O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab

O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://messenger.zone.msn.com/EN-US/a-LUXR/mjolauncher.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab

O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: omolnp.dll nitebz.dll

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

O20 - Winlogon Notify: mlJBQJdc - mlJBQJdc.dll (file missing)

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe

O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe

O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe

O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe

O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe

O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

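The checks below are an added example for readers of this thread, not code from the original post and not a feature of HijackThis, Ad-Aware or Avira. It parses HijackThis-style lines and flags the patterns the fix in this thread turns on: an unnamed O2 BHO that still points at an existing DLL, an HKCU Run entry launched from Application Data, a non-empty AppInit_DLLs value, a Winlogon Notify package whose DLL is missing, and an R1 ProxyServer pointing at localhost. The Finding type, the rule names and the regular expressions are this example's own; the sample log is a constructed excerpt of the log above with three benign lines (the Java BHO, the Avira Run entry and the igfxcui Notify package) mixed in as controls.

```python
"""Rule-based triage of HijackThis log lines (added example, see lead-in)."""
import re
from dataclasses import dataclass

# Constructed sample: an excerpt of the log posted above, plus the Java BHO,
# the Avira Run entry and the igfxcui Winlogon Notify line as benign controls.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7070
O2 - BHO: (no name) - {3C5D284B-AA33-4A65-9DBE-03BA2DB972F7} - (no file)
O2 - BHO: (no name) - {80A1D712-350F-40D1-8A75-301189E271BA} - C:\WINDOWS\system32\iifcDTnK.dll
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [cogad] "C:\Documents and Settings\Owner\Application Data\cogad\cogad.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O20 - AppInit_DLLs: omolnp.dll nitebz.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: mlJBQJdc - mlJBQJdc.dll (file missing)
"""


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code (R1, O2, O4, O20, ...)
    reason: str   # which rule fired, in words
    line: str     # the offending log line, verbatim


LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
LOCAL_PROXY_RE = re.compile(r"=\s*(?:http=)?(?:localhost|127\.0\.0\.1):\d+")
HKCU_RUN_RE = re.compile(r'^HKCU\\\.\.\\Run: \[[^\]]+\] "?(?P<path>[^"]+?\.exe)"?')


def rule_local_proxy(sec, body):
    # R1 ProxyServer pointing at a local port: something on the box is
    # sitting between the browser and the network.
    if sec == "R1" and "ProxyServer" in body and LOCAL_PROXY_RE.search(body):
        return "browser proxy forced through a local port"


def rule_unnamed_bho(sec, body):
    # An O2 BHO with no name is only a leftover when its DLL is gone; one
    # that still points at a real DLL is live code loaded into every IE window.
    if sec == "O2" and body.startswith("BHO: (no name)") and not body.endswith("(no file)"):
        return "unnamed BHO backed by an existing DLL"


def rule_appdata_run(sec, body):
    # O4 per-user Run entry whose executable lives under Application Data,
    # a location an unprivileged user (or malware running as one) can write.
    m = HKCU_RUN_RE.match(body) if sec == "O4" else None
    if m and "\\Application Data\\" in m["path"]:
        return "HKCU Run entry launching from Application Data"


def rule_appinit(sec, body):
    # O20 AppInit_DLLs: every process that loads user32.dll loads these too.
    if sec == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
        return "AppInit_DLLs is non-empty"


def rule_missing_notify(sec, body):
    # O20 Winlogon Notify package whose DLL cannot be found: a registration
    # with no file behind it, which gets removed rather than trusted.
    if sec == "O20" and body.startswith("Winlogon Notify:") and body.endswith("(file missing)"):
        return "Winlogon Notify package with missing DLL"


RULES = (rule_local_proxy, rule_unnamed_bho, rule_appdata_run, rule_appinit, rule_missing_notify)


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per (line, rule) pair that fires, in log order."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # headers, the process list, blank lines
        sec, body = m["sec"], m["body"]
        for rule in RULES:
            reason = rule(sec, body)
            if reason:
                findings.append(Finding(sec, reason, raw.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}: {f.line[:80]}")
```

Run it as a script to print the findings for the sample, or call triage() on a saved log. The rules are deliberately narrow, and a hit is a reason to look an entry up, not a verdict: the proxy rule, for instance, fires on any local port, and some web-filtering software legitimately installs one.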

Hi,

 

I notice from your log that there's more than one antivirus installed: McAfee, Avira and Avast.

Never install more than one antivirus or firewall! Rather than giving you extra protection, it will seriously decrease their reliability!

The reason for this is that if both products have their automatic (real-time) protection switched on, your system may lock up due to both software products attempting to access the same file at the same time.

Also, because more than one antivirus or firewall installed are not compatible with each other, it can cause system performance problems and a serious system slowdown.

 

So you have to make a decision here: keep the antivirus you prefer and uninstall the others. If I were you, I would certainly uninstall McAfee. Then you'll have to choose whether you want to keep Avast or Avira, so uninstall one of them as well.

Then reboot after uninstalling.

 

Then, I see you are running Teatimer.

I suggest you disable it, because it can interfere with the changes you'll make on your system.

When everything is done and your log is clean again, you can enable it again.

If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

How to disable TeaTimer <== click me for instructions.

After you have disabled TeaTimer, download ResetTeaTimer.bat to your desktop. (In case you use Firefox, right-click the link and choose "Save as".)

Double-click ResetTeaTimer.bat and let it run.

This will only take a few seconds.

 

The same applies for Adaware Adwatch.

 

Then, please visit this webpage for instructions for downloading and running ComboFix:

 

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

 

Post the log from ComboFix in your next reply.

 

Please make sure you disable ALL of your antivirus/antispyware/firewall software before running ComboFix. This is because security software may see some components ComboFix uses (prep.com, for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.


Alright, I uninstalled Avast and McAfee and kept Avira.

 

I disabled TeaTimer, but when I click on ResetTeaTimer.bat it says 404 Not Found... and when I right-click it and click on "Save Link As..." nothing happens. It doesn't work in Internet Explorer either.


Hi,

 

Just proceed with the steps and make sure TeaTimer is disabled.


"Owner" - 2009-02-15 23:51:29 Service Pack 2

ComboFix 07-05.25.3V - Running from: "C:\Documents and Settings\Owner\Desktop\some ######\"

 

 

((((((((((((((((((((((((((((((( Files Created from 2009-01-02 to 2009-02-16 ))))))))))))))))))))))))))))))))))

 

 

2009-02-13 14:13 24,576 --a------ C:\WINDOWS\system32\userinit.exe

2009-02-12 21:34 <DIR> d-------- C:\Program Files\Avira

2009-02-12 21:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Avira

2009-02-12 20:28 9,600 --a------ C:\WINDOWS\system32\drivers\nfr.sys

2009-02-12 00:25 15,688 --a------ C:\WINDOWS\system32\lsdelete.exe

2009-02-11 23:46 64,160 --a------ C:\WINDOWS\system32\drivers\Lbd.sys

2009-02-11 23:34 <DIR> d--h-c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\{83C91755-2546-441D-AC40-9A6B4B860800}

2009-02-11 23:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft

2009-02-11 20:44 24,576 --a------ C:\WINDOWS\system32\stu2.exe

2009-02-11 20:05 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\VirusRemover2008

2009-02-11 20:00 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\cogad

2009-02-11 19:50 39,289 --ahs---- C:\WINDOWS\system32\KnTDcfii.ini2

2009-01-25 22:51 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MumboJumbo

2009-01-20 19:19 <DIR> d-------- C:\Program Files\Microsoft Silverlight

 

 

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2009-02-16 08:01:35 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\WTablet

2009-02-15 21:35:00 -------- d-----w C:\Program Files\McAfee

2009-02-12 07:33:50 -------- d-----w C:\Program Files\Lavasoft

2009-02-12 00:18:00 -------- d-----w C:\Program Files\Messenger Plus! Live

2009-01-07 08:30:04 328 -c--a-w C:\DOCUME~1\Owner\APPLIC~1\wklnhst.dat

2009-01-07 07:54:36 -------- d-----w C:\Program Files\QuickTime

2009-01-07 07:53:10 -------- d-----w C:\Program Files\Common Files\Apple

2009-01-07 07:47:42 -------- d-----w C:\Program Files\Apple Software Update

2009-01-01 07:55:18 -------- d-----w C:\Program Files\NOS

2009-01-01 03:26:44 -------- d-----w C:\Program Files\Common Files\Adobe AIR

2008-12-19 03:54:10 410,976 ----a-w C:\WINDOWS\system32\deploytk.dll

2008-12-11 11:57:21 333,184 ----a-w C:\WINDOWS\system32\drivers\srv.sys

 

 

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{3049C3E9-B461-4BC5-8870-4C09146192CA}=C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll [2008-06-15 09:42]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre6\bin\ssv.dll [2008-12-18 19:54]

{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2007-09-20 00:30]

{DBC80044-A445-435b-BC74-9C25C1C588A9}=C:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-12-18 19:54]

{E7E6F031-17CE-4C07-BC86-EABFE594F69C}=C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2008-12-18 19:54]

{F8EB1DA5-7A4A-4275-A8D2-94EE674F3B10}=C:\WINDOWS\system32\iifcDTnK.dll [2009-02-11 19:50]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" []

"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2005-11-23 16:32]

"NDSTray.exe"="NDSTray.exe" []

"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2005-11-10 10:24]

"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2005-05-19 07:57]

"AGRSMMSG"="AGRSMMSG.exe" []

"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-08 10:02]

"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-08 09:59]

"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-06-08 10:03]

"TFncKy"="TFncKy.exe" []

"TPSMain"="TPSMain.exe" [2005-05-31 21:00 C:\WINDOWS\system32\TPSMain.exe]

"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 16:13]

"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-17 17:37]

"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-15 15:54]

"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-07-22 22:46]

"@"="" []

"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-07-22 22:47]

"CFSServ.exe"="CFSServ.exe" []

"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-18 16:41]

"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-12-21 22:29]

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-06-15 09:41]

"TalkAndWrite"="C:\Documents and Settings\All Users\Application Data\Skype\Plugins\Plugins\1163D2B46CC742E5A3CC9E4157887751\TalkAndWrite.exe" []

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-07 06:55]

"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2008-08-04 15:22]

"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2008-12-18 19:54]

"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-09-06 15:09]

"Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-02-11 23:45]

"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 13:28]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 00:32]

"MessengerPlus3"="C:\Program Files\MessengerPlus! 3\MsgPlus.exe" [2006-11-04 05:29]

"CursorXP"="C:\Program Files\CursorXP\CursorXP.exe" [2005-01-19 07:34]

"cogad"="C:\Documents and Settings\Owner\Application Data\cogad\cogad.exe" []

 

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]

C:\Program Files\Synaptics\rtene.html

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]

C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlJBQJdc]

mlJBQJdc.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"appinit_dlls"=omolnp.dll nitebz.dll

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\Lavasoft Ad-Aware Service]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

nfrsvc NFRAgent

 

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ea30d386-8548-11dd-a4c4-0013cee54459}]

AutoRun\command- explorer.exe "http://www.mystearnsandfoster.com"

 

 

Contents of the 'Scheduled Tasks' folder

2009-02-12 07:44:57 C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job

2009-01-07 07:47:48 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

2009-02-16 07:59:00 C:\WINDOWS\tasks\aszpbquq.job

 

********************************************************************

 

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-16 00:01:39

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

disk error: C:\WINDOWS\

 

please note that you need administrator rights to perform deep scan

 

********************************************************************

 

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\JavaQuickStarterService]

"ImagePath"="\"C:\Program Files\Java\jre6\bin\jqs.exe\" -service -config \"C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf\""

 

Completion time: 2009-02-16 0:05:00 - machine was rebooted

C:\ComboFix-quarantined-files.txt ... 2009-02-16 00:04

C:\ComboFix2.txt ... 2007-05-26 01:28

 

--- E O F ---


Hi,

 

Please disable your Ad-Watch as well, because it may interfere...

 

Then,

 

* Go to start > control panel > Display properties > Desktop > Customize Desktop... > Web tab

Select everything you find in there (except for "My current home page") and press the delete button on the right.

Hit ok below > apply in previous window.

 

Also, your version of ComboFix is way outdated!! Please redownload it!

Then, with the latest version (do not do this with the older version; or you'll have a lot of problems...)

 

* Open Notepad - don't use any other text editor than Notepad or the script will fail.

Copy/paste the text in the quotebox below into notepad:

 

File::

C:\WINDOWS\tasks\aszpbquq.job

C:\WINDOWS\system32\iifcDTnK.dll

C:\WINDOWS\system32\KnTDcfii.ini2

C:\WINDOWS\system32\stu2.exe

Folder::

C:\DOCUME~1\Owner\APPLIC~1\VirusRemover2008

C:\DOCUME~1\Owner\APPLIC~1\cogad

Filelook::

C:\WINDOWS\system32\userinit.exe

Registry::

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F8EB1DA5-7A4A-4275-A8D2-94EE674F3B10}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"=-

"NDSTray.exe"=-

"AGRSMMSG"=-

"TFncKy"=-

"CFSServ.exe"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"cogad"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlJBQJdc]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"appinit_dlls"=""

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ea30d386-8548-11dd-a4c4-0013cee54459}]

 

Save this as a text file named CFScript.

 

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

 

[Screenshot: CFScript.gif]

 

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

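Two moves from the exchange above, as an added example that is not part of the thread and not a ComboFix feature: the CFScript removes files and folders that all carry timestamps within an hour of 2009-02-11 19:50, the stamp the ComboFix log's 'Reg Loading Points' section shows for the BHO DLL iifcDTnK.dll, and it expresses them in ComboFix's File::/Folder:: script syntax. The code parses the 'Files Created' block of the first ComboFix log (a constructed excerpt, copied from the log above), pivots on that known-bad timestamp with a window of the caller's choosing, and renders the hits as File:: and Folder:: sections. The Entry type, the one-hour default window, the KNOWN_BAD constant and the pivot_sample() helper are assumptions of this example.

```python
"""Timestamp pivot over a ComboFix 'Files Created' listing (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: lines copied from the first ComboFix log in the thread.
SAMPLE_CREATED = r"""2009-02-13 14:13 24,576 --a------ C:\WINDOWS\system32\userinit.exe
2009-02-12 21:34 <DIR> d-------- C:\Program Files\Avira
2009-02-12 20:28 9,600 --a------ C:\WINDOWS\system32\drivers\nfr.sys
2009-02-12 00:25 15,688 --a------ C:\WINDOWS\system32\lsdelete.exe
2009-02-11 23:46 64,160 --a------ C:\WINDOWS\system32\drivers\Lbd.sys
2009-02-11 23:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2009-02-11 20:44 24,576 --a------ C:\WINDOWS\system32\stu2.exe
2009-02-11 20:05 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\VirusRemover2008
2009-02-11 20:00 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\cogad
2009-02-11 19:50 39,289 --ahs---- C:\WINDOWS\system32\KnTDcfii.ini2
"""

# Assumption of this example: the stamp shown for iifcDTnK.dll under
# 'Reg Loading Points' in the log above is the pivot point.
KNOWN_BAD = datetime(2009, 2, 11, 19, 50)

# One 'Files Created' line: date time, size or <DIR>, 9-char attributes, path.
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+"
    r"(?P<attrs>[-a-z]{9})\s+"
    r"(?P<path>.+)$"
)


@dataclass(frozen=True)
class Entry:
    created: datetime
    is_dir: bool
    hidden: bool   # 'h' in the attribute column
    system: bool   # 's' in the attribute column
    path: str


def parse_created(text: str) -> list[Entry]:
    """Parse the 'Files Created' block; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        attrs = m["attrs"]
        entries.append(Entry(
            created=datetime.strptime(m["ts"], "%Y-%m-%d %H:%M"),
            is_dir=m["size"] == "<DIR>",
            hidden="h" in attrs,
            system="s" in attrs,
            path=m["path"],
        ))
    return entries


def pivot(entries, anchor: datetime, window=timedelta(hours=1)) -> list[Entry]:
    """Everything created within `window` of a timestamp already known to be bad."""
    hits = [e for e in entries if abs(e.created - anchor) <= window]
    return sorted(hits, key=lambda e: e.created)


def pivot_sample(window_minutes: int = 60) -> list[Entry]:
    """Convenience wrapper: pivot the constructed sample on KNOWN_BAD."""
    return pivot(parse_created(SAMPLE_CREATED), KNOWN_BAD, timedelta(minutes=window_minutes))


def render_cfscript(entries) -> str:
    """Emit the hits in the File::/Folder:: section syntax ComboFix scripts use."""
    files = [e.path for e in entries if not e.is_dir]
    folders = [e.path for e in entries if e.is_dir]
    lines = []
    if files:
        lines += ["File::", *files]
    if folders:
        lines += ["Folder::", *folders]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = pivot_sample()
    for e in hits:
        flag = "hidden+system" if e.hidden and e.system else ""
        print(f"{e.created:%Y-%m-%d %H:%M}  {e.path}  {flag}")
    print(render_cfscript(hits))
```

With the default one-hour window the pivot returns exactly the two files and two folders the CFScript above lists (KnTDcfii.ini2, stu2.exe, cogad, VirusRemover2008); the Avira and Lavasoft installs a few hours later fall outside it. iifcDTnK.dll and aszpbquq.job are not returned because they never appear in the 'Files Created' block, only under 'Reg Loading Points' and 'Scheduled Tasks', so the Registry:: section of a CFScript still has to be written by reading those sections by hand.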

ComboFix 09-02-15.01 - Owner 2009-02-16 16:48:06.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1015.654 [GMT -8:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Outdated)

 

FILE ::

c:\windows\system32\iifcDTnK.dll

c:\windows\system32\KnTDcfii.ini2

c:\windows\system32\stu2.exe

c:\windows\tasks\aszpbquq.job

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\docume~1\Owner\APPLIC~1\cogad

c:\docume~1\Owner\APPLIC~1\VirusRemover2008

c:\docume~1\Owner\APPLIC~1\VirusRemover2008\Logs\scns.log

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\windows\system32\dllcache\http.sys

c:\windows\system32\dobe~1

c:\windows\system32\drivers\nfr.sys

c:\windows\system32\drivers\seneka.sys

c:\windows\system32\drivers\senekakmswvvsj.sys

c:\windows\system32\jsrtdvcp.ini

c:\windows\system32\KnTDcfii.ini

c:\windows\system32\KnTDcfii.ini2

c:\windows\system32\micro1

c:\windows\system32\senekabcvcvdan.dll

c:\windows\system32\senekagigalgnd.dll

c:\windows\system32\senekajnusiqlv.dll

c:\windows\system32\senekalxgcdwds.dat

c:\windows\system32\senekaxxjqlpiu.dat

c:\windows\system32\stu2.exe

c:\windows\system32\wfvlxjmw.ini

c:\windows\tasks\aszpbquq.job

 

----- BITS: Possible infected sites -----

 

hxxp://hqextra.com

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Service_SENEKA

-------\Legacy_NFR.SYS

-------\Service_nfr.sys

 

 

((((((((((((((((((((((((( Files Created from 2009-01-17 to 2009-02-17 )))))))))))))))))))))))))))))))

.

 

2009-02-14 19:42 . 2009-02-14 19:42 268 --ah----- C:\sqmdata13.sqm

2009-02-14 19:42 . 2009-02-14 19:42 244 --ah----- C:\sqmnoopt13.sqm

2009-02-13 14:13 . 2004-08-04 04:00 24,576 --a------ c:\windows\system32\userinit.exe

2009-02-13 14:13 . 2004-08-04 04:00 24,576 --a--c--- c:\windows\system32\dllcache\userinit.exe

2009-02-12 23:44 . 2009-02-12 23:44 0 --a------ c:\windows\system32\drivers\nfr.dll.gpref

2009-02-12 21:34 . 2009-02-12 21:34 <DIR> d-------- c:\program files\Avira

2009-02-12 21:34 . 2009-02-12 21:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira

2009-02-12 19:28 . 2009-02-12 19:28 0 --a------ c:\windows\system32\drivers\nfr.dll.assembly

2009-02-12 00:25 . 2009-02-11 23:46 15,688 --a------ c:\windows\system32\lsdelete.exe

2009-02-11 23:46 . 2009-02-11 23:45 64,160 --a------ c:\windows\system32\drivers\Lbd.sys

2009-02-11 23:34 . 2009-02-11 23:34 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}

2009-02-11 23:33 . 2009-02-11 23:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft

2009-02-11 19:50 . 2009-02-16 16:53 1,104 --a------ c:\windows\efoguxwe

2009-01-31 20:58 . 2009-01-31 20:58 6,144 --ahs---- C:\Thumbs.db

2009-01-25 22:51 . 2009-01-25 22:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\MumboJumbo

2009-01-25 22:51 . 2009-01-25 22:51 22 --a------ c:\windows\msnmsgr.exe.ini

2009-01-20 21:16 . 2009-01-20 21:24 <DIR> d-------- c:\windows\system32\Adobe

2009-01-20 19:19 . 2009-01-20 19:19 <DIR> d-------- c:\program files\Microsoft Silverlight

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-17 00:55 --------- d-----w c:\documents and settings\Owner\Application Data\WTablet

2009-02-16 07:50 7,168 -csha-w c:\program files\Thumbs.db

2009-02-15 21:39 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee.com

2009-02-15 21:35 --------- d-----w c:\program files\McAfee

2009-02-15 11:13 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater

2009-02-12 07:51 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-02-12 07:49 --------- d-----w c:\program files\Spybot - Search & Destroy

2009-02-12 07:33 --------- d-----w c:\program files\Lavasoft

2009-02-12 00:18 --------- d-----w c:\program files\Messenger Plus! Live

2009-01-07 08:30 328 -c--a-w c:\documents and settings\Owner\Application Data\wklnhst.dat

2009-01-07 07:54 --------- d-----w c:\program files\QuickTime

2009-01-07 07:53 --------- d-----w c:\program files\Common Files\Apple

2009-01-07 07:47 --------- d-----w c:\program files\Apple Software Update

2009-01-01 07:55 --------- d-----w c:\program files\NOS

2009-01-01 07:55 --------- d-----w c:\documents and settings\All Users\Application Data\NOS

2009-01-01 03:26 --------- d-----w c:\program files\Common Files\Adobe AIR

2008-12-19 03:54 --------- d-----w c:\program files\Java

2007-05-26 10:54 25,214 -c--a-w c:\program files\B.ico

2007-05-26 10:54 25,214 -c--a-w c:\program files\A.ico

2007-04-14 14:25 207 -c--a-w c:\documents and settings\Owner\9559.bat

2007-03-28 08:43 167 -c--a-w c:\documents and settings\Owner\7821.bat

2007-02-26 01:17 34,736 -c--a-w c:\documents and settings\Owner\Application Data\GDIPFONTCACHEV1.DAT

2007-01-18 20:57 2,855 ----a-w c:\documents and settings\Owner\setup.PIF

2008-12-19 04:36 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll

2008-12-19 04:36 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll

2008-12-19 04:36 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll

2008-12-19 04:36 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll

2008-12-19 04:36 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll

.

 

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

 

---- c:\windows\system32\userinit.exe ----

Company: Microsoft Corporation

File Description: Userinit Logon Application

File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

Product Name: Microsoft® Windows® Operating System

Copyright: © Microsoft Corporation. All rights reserved.

Original file name: USERINIT.EXE

MD5: 39b1ffb03c2296323832acbae50d2aff

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]

"MessengerPlus3"="c:\program files\MessengerPlus! 3\MsgPlus.exe" [2006-11-04 190024]

"CursorXP"="c:\program files\CursorXP\CursorXP.exe" [2005-01-19 128000]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2005-11-23 352256]

"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-10 73728]

"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2005-05-19 188416]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-08 94208]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-08 77824]

"Persistence"="c:\windows\system32\igfxpers.exe" [2005-06-08 114688]

"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 122880]

"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-17 151552]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-15 761947]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-07-22 401408]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-07-22 385024]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-18 49152]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-12-21 67752]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-15 185896]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-09-07 267064]

"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2008-08-04 160800]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-18 136600]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]

"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-02-11 509784]

"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

"TPSMain"="TPSMain.exe" [2005-05-31 c:\windows\system32\TPSMain.exe]

 

c:\documents and settings\Owner\Start Menu\Programs\Startup\

OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-09-12 384000]

 

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-18 288472]

Metamail Trust Manager.lnk - c:\program files\Metamail Inc\Metamail Tray\Metamail Trust Manager.exe [2005-11-29 329472]

Microsoft Office.lnk - c:\program files\Microsoft Office XP\Office10\OSA.EXE [2001-02-13 83360]

RAMASST.lnk - c:\windows\system32\RAMASST.exe [2005-11-04 155648]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]

2005-07-22 22:46 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

 

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-02-11 64160]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 950096]

S0 efoguxwe;efoguxwe;c:\windows\system32\drivers\ruowxunp.sys []

S2 NFRAgent;NFRAgent;c:\windows\system32\svchost.exe -k nfrsvc [2005-11-04 14336]

S3 bd3b6b7d-f87c-4e5a-9b88-ca31bec32a2d;bd3b6b7d-f87c-4e5a-9b88-ca31bec32a2d;\??\d:\player\cds300.dll --> d:\player\cds300.dll [?]

S3 MSHUSBVideo;NX6000/NX3000/VX5000/VX5500/VX7000 Filter Driver;c:\windows\system32\drivers\nx6000.sys [2008-10-10 33808]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

nfrsvc REG_MULTI_SZ NFRAgent

.

Contents of the 'Scheduled Tasks' folder

 

2009-02-12 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-02-11 23:45]

 

2009-01-07 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

.

- - - - ORPHANS REMOVED - - - -

 

BHO-{3C5D284B-AA33-4A65-9DBE-03BA2DB972F7} - (no file)

BHO-{508F5ED7-4814-4029-A2BF-E2F3ECB2642B} - (no file)

BHO-{6EC17EDB-400A-42BB-A634-901E3D05D8FD} - (no file)

BHO-{831D6AB5-2634-46D5-877D-09F60465777F} - c:\windows\system32\iifcDTnK.dll

BHO-{D53E9B4D-0319-404C-8393-B6347A0D6186} - (no file)

HKLM-Run-TalkAndWrite - c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\1163D2B46CC742E5A3CC9E4157887751\TalkAndWrite.exe

SharedTaskScheduler-{64ba30a2-811a-4597-b0af-d551128be340} - (no file)

Notify-WgaLogon - (no file)

 

 

.

------- Supplementary Scan -------

.

uStart Page = hxxp://google.com/

mStart Page = about:blank

uInternet Settings,ProxyServer = http=localhost:7070

IE: E&xport to Microsoft Excel - c:\progra~1\MI01DA~1\Office10\EXCEL.EXE/3000

IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk

DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\j5ipsef1.default\

FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\j5ipsef1.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll

FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-16 16:57:22

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

 

c:\windows\system32\drivers\ruowxunp.sys 25088 bytes executable

 

scan completed successfully

hidden files: 1

 

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

 

[HKEY_USERS\S-1-5-21-1501211371-2371496142-710079751-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]

@Denied: (Full) (LocalSystem)

@SACL=

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(1060)

c:\program files\Intel\Wireless\Bin\LgNotify.dll

 

- - - - - - - > 'lsass.exe'(1116)

c:\windows\system32\iifcDTnK.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe

c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe

c:\progra~1\Intel\Wireless\Bin\1XConfig.exe

c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe

c:\windows\system32\DVDRAMSV.exe

c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Microsoft LifeCam\MSCamS32.exe

c:\windows\system32\PSIService.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\toshiba\IVP\swupdate\swupdtmr.exe

c:\windows\system32\Tablet.exe

c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

c:\windows\system32\WTablet\TabUserW.exe

c:\windows\system32\Tablet.exe

c:\windows\system32\wbem\unsecapp.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\TPSBattM.exe

c:\program files\Synaptics\SynTP\Toshiba.exe

c:\program files\OpenOffice.org 3\program\soffice.exe

c:\progra~1\METAMA~1\METAMA~1\METAMA~2.EXE

c:\program files\OpenOffice.org 3\program\soffice.bin

c:\program files\HP\Digital Imaging\bin\hpqste08.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\system32\HPZipm12.exe

.

**************************************************************************

.

Completion time: 2009-02-16 17:02:03 - machine was rebooted

ComboFix-quarantined-files.txt 2009-02-17 01:01:48

ComboFix2.txt 2009-02-16 08:05:00

 

Pre-Run: 89,549,107,200 bytes free

Post-Run: 89,465,577,472 bytes free

 

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

 

259 --- E O F --- 2009-01-17 00:06:35


Hi,

 

We'll have to give this another run for the other malware.

Your userinit.exe appears to have the correct MD5; however, I'm sure it was infected before and a scanner already disinfected it here, or... something is really wrong here. I am saying this because I've seen the malware you are dealing with in a lot of cases with the file infector Virut present as well. I really hope this is not the case here...

Anyway, we'll find out afterwards. Also, once we are done here, you'll have to update your Windows to SP3 anyway.

 

* Open Notepad - don't use any other text editor than Notepad or the script will fail.

Copy/paste the text in the quote box below into Notepad:

 

File::

c:\windows\system32\iifcDTnK.dll

c:\windows\efoguxwe

c:\program files\B.ico

c:\program files\A.ico

c:\documents and settings\Owner\9559.bat

c:\documents and settings\Owner\7821.bat

c:\documents and settings\Owner\setup.PIF

Suspect::[8]

c:\windows\msnmsgr.exe.ini

Dirlook::

c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}

Driver::

efoguxwe

DDS::

uInternet Settings,ProxyServer = http=localhost:7070

Rootkit::

c:\windows\system32\drivers\ruowxunp.sys

Reglock::

[HKEY_USERS\S-1-5-21-1501211371-2371496142-710079751-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]

 

Save this as a text file named CFScript.

 

Then drag the CFScript onto ComboFix.exe as you see in the screenshot below.

 

CFScript.gif

 

This will start ComboFix again.

Then, please visit this site:

http://www.bleepingcomputer.com/submit-malware.php?channel=8

Where it says "Browse to the file you want to submit", use the Browse button to navigate to the following file: C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created).

Then click the "Send File" button below it in order to upload the file.

 

After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.


ComboFix 09-02-17.02 - Owner 2009-02-18 12:56:58.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1015.595 [GMT -8:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Outdated)

* Created a new restore point

 

FILE ::

c:\documents and settings\Owner\7821.bat

c:\documents and settings\Owner\9559.bat

c:\documents and settings\Owner\setup.PIF

c:\program files\A.ico

c:\program files\B.ico

c:\windows\efoguxwe

c:\windows\system32\iifcDTnK.dll

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\documents and settings\Owner\7821.bat

c:\documents and settings\Owner\9559.bat

c:\documents and settings\Owner\setup.PIF

c:\program files\A.ico

c:\program files\B.ico

c:\windows\efoguxwe

c:\windows\system32\drivers\ruowxunp.sys

c:\windows\system32\KnTDcfii.ini

c:\windows\system32\KnTDcfii.ini2

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_EFOGUXWE

-------\Service_efoguxwe

 

 

((((((((((((((((((((((((( Files Created from 2009-01-18 to 2009-02-18 )))))))))))))))))))))))))))))))

.

 

2009-02-14 19:42 . 2009-02-14 19:42 268 --ah----- C:\sqmdata13.sqm

2009-02-14 19:42 . 2009-02-14 19:42 244 --ah----- C:\sqmnoopt13.sqm

2009-02-13 14:13 . 2004-08-04 04:00 24,576 --a------ c:\windows\system32\userinit.exe

2009-02-13 14:13 . 2004-08-04 04:00 24,576 --a--c--- c:\windows\system32\dllcache\userinit.exe

2009-02-12 23:44 . 2009-02-12 23:44 0 --a------ c:\windows\system32\drivers\nfr.dll.gpref

2009-02-12 21:34 . 2009-02-12 21:34 <DIR> d-------- c:\program files\Avira

2009-02-12 21:34 . 2009-02-12 21:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira

2009-02-12 19:28 . 2009-02-12 19:28 0 --a------ c:\windows\system32\drivers\nfr.dll.assembly

2009-02-12 00:25 . 2009-02-11 23:46 15,688 --a------ c:\windows\system32\lsdelete.exe

2009-02-11 23:46 . 2009-02-11 23:45 64,160 --a------ c:\windows\system32\drivers\Lbd.sys

2009-02-11 23:34 . 2009-02-11 23:34 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}

2009-02-11 23:33 . 2009-02-11 23:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft

2009-02-11 19:49 . 2009-02-11 19:50 304,128 --a------ c:\windows\system32\iifcDTnK.dll

2009-01-31 20:58 . 2009-01-31 20:58 6,144 --ahs---- C:\Thumbs.db

2009-01-25 22:51 . 2009-01-25 22:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\MumboJumbo

2009-01-25 22:51 . 2009-01-25 22:51 22 --a------ c:\windows\msnmsgr.exe.ini

2009-01-20 21:16 . 2009-01-20 21:24 <DIR> d-------- c:\windows\system32\Adobe

2009-01-20 19:19 . 2009-01-20 19:19 <DIR> d-------- c:\program files\Microsoft Silverlight

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-18 21:03 --------- d-----w c:\documents and settings\Owner\Application Data\WTablet

2009-02-16 07:50 7,168 -csha-w c:\program files\Thumbs.db

2009-02-15 21:39 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee.com

2009-02-15 21:35 --------- d-----w c:\program files\McAfee

2009-02-15 11:13 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater

2009-02-12 07:51 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-02-12 07:49 --------- d-----w c:\program files\Spybot - Search & Destroy

2009-02-12 07:33 --------- d-----w c:\program files\Lavasoft

2009-02-12 00:18 --------- d-----w c:\program files\Messenger Plus! Live

2009-01-07 08:30 328 -c--a-w c:\documents and settings\Owner\Application Data\wklnhst.dat

2009-01-07 07:54 --------- d-----w c:\program files\QuickTime

2009-01-07 07:53 --------- d-----w c:\program files\Common Files\Apple

2009-01-07 07:47 --------- d-----w c:\program files\Apple Software Update

2009-01-01 07:55 --------- d-----w c:\program files\NOS

2009-01-01 07:55 --------- d-----w c:\documents and settings\All Users\Application Data\NOS

2009-01-01 03:26 --------- d-----w c:\program files\Common Files\Adobe AIR

2008-12-19 03:54 --------- d-----w c:\program files\Java

2007-02-26 01:17 34,736 -c--a-w c:\documents and settings\Owner\Application Data\GDIPFONTCACHEV1.DAT

2008-12-19 04:36 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll

2008-12-19 04:36 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll

2008-12-19 04:36 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll

2008-12-19 04:36 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll

2008-12-19 04:36 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll

.

 

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

---- Directory of c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800} ----

 

2009-02-11 23:43 496 --a--c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}\Ad-AwareAE.dat

2009-02-11 23:34 9020 --a--c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}\Ad-AwareAE.par

2009-02-11 23:34 90 --a--c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}\instance.dat

2009-02-11 23:34 9 --a--c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}\Ad-AwareAE.lan

2009-01-18 13:43 578782 --a--c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}\mia.lib

2009-01-18 13:43 569856 --a--c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}\Ad-AwareAE.msi

2009-01-18 13:43 5113482 --a--c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}\Ad-AwareAE.res

2009-01-18 13:43 2892112 --a--c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}\Ad-AwareAE.exe

 

 

((((((((((((((((((((((((((((( [email protected]_16.59.58.98 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-02-18 21:03:18 16,384 ----atw c:\windows\TEMP\Perflib_Perfdata_3c8.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{40559A5B-A87C-4F2E-93AC-D1B9E7846C9F}]

2009-02-11 19:50 304128 --a------ c:\windows\system32\iifcDTnK.dll

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]

"MessengerPlus3"="c:\program files\MessengerPlus! 3\MsgPlus.exe" [2006-11-04 190024]

"CursorXP"="c:\program files\CursorXP\CursorXP.exe" [2005-01-19 128000]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2005-11-23 352256]

"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-10 73728]

"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2005-05-19 188416]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-08 94208]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-08 77824]

"Persistence"="c:\windows\system32\igfxpers.exe" [2005-06-08 114688]

"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 122880]

"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-17 151552]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-15 761947]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-07-22 401408]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-07-22 385024]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-18 49152]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-12-21 67752]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-15 185896]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-09-07 267064]

"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2008-08-04 160800]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-18 136600]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]

"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-02-11 509784]

"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

"TPSMain"="TPSMain.exe" [2005-05-31 c:\windows\system32\TPSMain.exe]

 

c:\documents and settings\Owner\Start Menu\Programs\Startup\

OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-09-12 384000]

 

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-18 288472]

Metamail Trust Manager.lnk - c:\program files\Metamail Inc\Metamail Tray\Metamail Trust Manager.exe [2005-11-29 329472]

Microsoft Office.lnk - c:\program files\Microsoft Office XP\Office10\OSA.EXE [2001-02-13 83360]

RAMASST.lnk - c:\windows\system32\RAMASST.exe [2005-11-04 155648]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]

2005-07-22 22:46 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

 

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-02-11 64160]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 950096]

S2 NFRAgent;NFRAgent;c:\windows\system32\svchost.exe -k nfrsvc [2005-11-04 14336]

S3 bd3b6b7d-f87c-4e5a-9b88-ca31bec32a2d;bd3b6b7d-f87c-4e5a-9b88-ca31bec32a2d;\??\d:\player\cds300.dll --> d:\player\cds300.dll [?]

S3 MSHUSBVideo;NX6000/NX3000/VX5000/VX5500/VX7000 Filter Driver;c:\windows\system32\drivers\nx6000.sys [2008-10-10 33808]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

nfrsvc REG_MULTI_SZ NFRAgent

.

Contents of the 'Scheduled Tasks' folder

 

2009-02-17 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-02-11 23:45]

 

2009-01-07 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://google.com/

mStart Page = about:blank

IE: E&xport to Microsoft Excel - c:\progra~1\MI01DA~1\Office10\EXCEL.EXE/3000

IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk

DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\j5ipsef1.default\

FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\j5ipsef1.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll

FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-18 13:04:55

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(1008)

c:\program files\Intel\Wireless\Bin\LgNotify.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe

c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe

c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe

c:\windows\system32\DVDRAMSV.exe

c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Microsoft LifeCam\MSCamS32.exe

c:\windows\system32\PSIService.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\toshiba\IVP\swupdate\swupdtmr.exe

c:\windows\system32\Tablet.exe

c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

c:\progra~1\Intel\Wireless\Bin\1XConfig.exe

c:\windows\system32\WTablet\TabUserW.exe

c:\windows\system32\Tablet.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\TPSBattM.exe

c:\program files\Synaptics\SynTP\Toshiba.exe

c:\progra~1\METAMA~1\METAMA~1\METAMA~2.EXE

c:\program files\OpenOffice.org 3\program\soffice.exe

c:\program files\OpenOffice.org 3\program\soffice.bin

c:\program files\HP\Digital Imaging\bin\hpqste08.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\system32\msiexec.exe

c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

.

**************************************************************************

.

Completion time: 2009-02-18 13:11:12 - machine was rebooted

ComboFix-quarantined-files.txt 2009-02-18 21:10:10

ComboFix2.txt 2009-02-17 01:02:07

ComboFix3.txt 2009-02-16 08:05:00

 

Pre-Run: 89,413,390,336 bytes free

Post-Run: 89,346,408,448 bytes free

 

224 --- E O F --- 2009-02-18 21:10:46

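A ComboFix run echoes the CFScript's File:: targets under "FILE ::" and lists what it actually removed under "Other Deletions"; comparing the two in the log above shows that c:\windows\system32\iifcDTnK.dll survived this pass and is still registered as a Browser Helper Object, which is why a further script follows. The Python below is an added example, not code from the thread or from ComboFix; it parses a constructed excerpt written in the same layout (names and paths taken from the log, parenthesis runs shortened).

```python
import re
from typing import Dict, List, Set

# Constructed excerpt in the ComboFix log layout seen in this thread (the
# parenthesis runs are shortened): the "FILE ::" echo of the CFScript targets,
# "Other Deletions", two sections that can still reference a surviving file,
# and catchme's summary line. Assumed data, not a real log.
SAMPLE_LOG = r"""
FILE ::
c:\documents and settings\Owner\7821.bat
c:\program files\A.ico
c:\windows\system32\iifcDTnK.dll
.
(((((((((( Other Deletions ))))))))))
.
c:\documents and settings\Owner\7821.bat
c:\program files\A.ico
c:\windows\system32\drivers\ruowxunp.sys
.
(((((((((( Files Created from 2009-01-18 to 2009-02-18 ))))))))))
.
2009-02-11 19:49 . 2009-02-11 19:50 304,128 --a------ c:\windows\system32\iifcDTnK.dll
(((((((((( Reg Loading Points ))))))))))
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{40559A5B-A87C-4F2E-93AC-D1B9E7846C9F}]
2009-02-11 19:50 304128 --a------ c:\windows\system32\iifcDTnK.dll
scan completed successfully
hidden files: 0
"""

# A section header is the literal "FILE ::" or a name wrapped in parenthesis
# runs; a path is a drive letter plus backslash running up to a quote or an
# opening bracket (ComboFix appends "[date size]" after many paths).
SECTION_RE = re.compile(r"^\({3,}\s*(.*?)\s*\){3,}$")
PATH_RE = re.compile(r'([a-z]:\\[^"\[\r\n]*)', re.IGNORECASE)


def split_sections(log: str) -> Dict[str, List[str]]:
    """Group the log's lines under their section names; '.' and blank separators are dropped."""
    sections: Dict[str, List[str]] = {}
    current = "preamble"
    for raw in log.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if line == "FILE ::":
            current = "FILE"
            sections.setdefault(current, [])
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        sections.setdefault(current, []).append(line)
    return sections


def paths_in(lines: List[str]) -> Set[str]:
    """Windows paths in the lines, lower-cased because the file system compares names case-insensitively."""
    found: Set[str] = set()
    for line in lines:
        match = PATH_RE.search(line)
        if match:
            found.add(match.group(1).rstrip().lower())
    return found


def surviving_targets(log: str) -> List[str]:
    """File:: targets that never appear under 'Other Deletions': this run did not remove them."""
    sections = split_sections(log)
    return sorted(paths_in(sections.get("FILE", [])) - paths_in(sections.get("Other Deletions", [])))


def extra_deletions(log: str) -> List[str]:
    """Removals not requested via File:: (driven by Rootkit::, Driver:: or ComboFix's own detections)."""
    sections = split_sections(log)
    return sorted(paths_in(sections.get("Other Deletions", [])) - paths_in(sections.get("FILE", [])))


def still_referenced(log: str, path: str) -> List[str]:
    """Other sections that still mention the path, e.g. a BHO entry pointing at a surviving DLL."""
    wanted = path.lower()
    return [name for name, lines in split_sections(log).items()
            if name not in ("FILE", "Other Deletions") and wanted in paths_in(lines)]


def hidden_file_count(log: str) -> int:
    """catchme's 'hidden files: N' summary, or -1 when the rootkit scan did not run."""
    match = re.search(r"^hidden files:\s*(\d+)$", log, re.MULTILINE)
    return int(match.group(1)) if match else -1


if __name__ == "__main__":
    for path in surviving_targets(SAMPLE_LOG):
        print("NOT removed:", path, "- still referenced in", still_referenced(SAMPLE_LOG, path))
    print("removed beyond the File:: list:", extra_deletions(SAMPLE_LOG))
    print("hidden files reported by catchme:", hidden_file_count(SAMPLE_LOG))
```

On the excerpt this reports iifcDTnK.dll as not removed and still listed under both Files Created and Reg Loading Points, while ruowxunp.sys was removed without being a File:: target (the Rootkit:: directive handled it).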

Hi,

 

Let's give this one more try....

 

* Open Notepad - don't use any other text editor than Notepad or the script will fail.

Copy/paste the text in the quote box below into Notepad:

 

File::

c:\windows\system32\iifcDTnK.dll

c:\windows\system32\drivers\nfr.dll.gpref

c:\windows\system32\drivers\nfr.dll.assembly

Driver::

NFRAgent

Registry::

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

"nfrsvc"=-

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{40559A5B-A87C-4F2E-93AC-D1B9E7846C9F}]

 

Save this as a text file named CFScript.

 

Then drag the CFScript onto ComboFix.exe as you see in the screenshot below.

 

CFScript.gif

 

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.


Is it really bad...?

------------

 

 

ComboFix 09-02-17.02 - Owner 2009-02-18 17:19:17.3 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1015.505 [GMT -8:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)

* Created a new restore point

 

FILE ::

c:\windows\system32\drivers\nfr.dll.assembly

c:\windows\system32\drivers\nfr.dll.gpref

c:\windows\system32\iifcDTnK.dll

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\windows\system32\drivers\nfr.dll.assembly

c:\windows\system32\drivers\nfr.dll.gpref

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_NFRAGENT

-------\Service_NFRAgent

 

 

((((((((((((((((((((((((( Files Created from 2009-01-19 to 2009-02-19 )))))))))))))))))))))))))))))))

.

 

2009-02-14 19:42 . 2009-02-14 19:42 268 --ah----- C:\sqmdata13.sqm

2009-02-14 19:42 . 2009-02-14 19:42 244 --ah----- C:\sqmnoopt13.sqm

2009-02-13 14:13 . 2004-08-04 04:00 24,576 --a------ c:\windows\system32\userinit.exe

2009-02-13 14:13 . 2004-08-04 04:00 24,576 --a--c--- c:\windows\system32\dllcache\userinit.exe

2009-02-12 21:34 . 2009-02-12 21:34 <DIR> d-------- c:\program files\Avira

2009-02-12 21:34 . 2009-02-12 21:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira

2009-02-12 00:25 . 2009-02-11 23:46 15,688 --a------ c:\windows\system32\lsdelete.exe

2009-02-11 23:46 . 2009-02-11 23:45 64,160 --a------ c:\windows\system32\drivers\Lbd.sys

2009-02-11 23:34 . 2009-02-11 23:34 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}

2009-02-11 23:33 . 2009-02-11 23:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft

2009-01-31 20:58 . 2009-01-31 20:58 6,144 --ahs---- C:\Thumbs.db

2009-01-25 22:51 . 2009-01-25 22:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\MumboJumbo

2009-01-25 22:51 . 2009-01-25 22:51 22 --a------ c:\windows\msnmsgr.exe.ini

2009-01-20 21:16 . 2009-01-20 21:24 <DIR> d-------- c:\windows\system32\Adobe

2009-01-20 19:19 . 2009-01-20 19:19 <DIR> d-------- c:\program files\Microsoft Silverlight

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-19 01:23 --------- d-----w c:\documents and settings\Owner\Application Data\WTablet

2009-02-16 07:50 7,168 -csha-w c:\program files\Thumbs.db

2009-02-15 21:39 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee.com

2009-02-15 21:35 --------- d-----w c:\program files\McAfee

2009-02-15 11:13 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater

2009-02-12 07:51 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-02-12 07:49 --------- d-----w c:\program files\Spybot - Search & Destroy

2009-02-12 07:33 --------- d-----w c:\program files\Lavasoft

2009-02-12 00:18 --------- d-----w c:\program files\Messenger Plus! Live

2009-01-07 08:30 328 -c--a-w c:\documents and settings\Owner\Application Data\wklnhst.dat

2009-01-07 07:54 --------- d-----w c:\program files\QuickTime

2009-01-07 07:53 --------- d-----w c:\program files\Common Files\Apple

2009-01-07 07:47 --------- d-----w c:\program files\Apple Software Update

2009-01-01 07:55 --------- d-----w c:\program files\NOS

2009-01-01 07:55 --------- d-----w c:\documents and settings\All Users\Application Data\NOS

2009-01-01 03:26 --------- d-----w c:\program files\Common Files\Adobe AIR

2008-12-19 03:54 --------- d-----w c:\program files\Java

2007-02-26 01:17 34,736 -c--a-w c:\documents and settings\Owner\Application Data\GDIPFONTCACHEV1.DAT

2008-12-19 04:36 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll

2008-12-19 04:36 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll

2008-12-19 04:36 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll

2008-12-19 04:36 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll

2008-12-19 04:36 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll

.

 

((((((((((((((((((((((((((((( [email protected]_16.59.58.98 )))))))))))))))))))))))))))))))))))))))))

.

- 2009-01-17 00:06:20 12,288 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe

+ 2009-02-18 21:10:42 12,288 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe

- 2009-01-17 00:06:19 135,168 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe

+ 2009-02-18 21:10:41 135,168 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe

- 2009-01-17 00:06:20 11,264 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe

+ 2009-02-18 21:10:42 11,264 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe

- 2009-01-17 00:06:20 27,136 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe

+ 2009-02-18 21:10:42 27,136 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe

- 2009-01-17 00:06:20 4,096 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe

+ 2009-02-18 21:10:42 4,096 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe

- 2009-01-17 00:06:21 794,624 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe

+ 2009-02-18 21:10:42 794,624 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe

- 2009-01-17 00:06:19 249,856 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe

+ 2009-02-18 21:10:41 249,856 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe

- 2009-01-17 00:06:21 23,040 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe

+ 2009-02-18 21:10:42 23,040 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe

- 2009-01-17 00:06:19 286,720 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe

+ 2009-02-18 21:10:41 286,720 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe

- 2009-01-17 00:06:19 409,600 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe

+ 2009-02-18 21:10:41 409,600 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe

- 2007-11-30 12:39:22 17,272 ----a-w c:\windows\system32\spmsg.dll

+ 2008-07-09 07:38:24 17,272 ------w c:\windows\system32\spmsg.dll

+ 2009-02-19 01:23:38 16,384 ----atw c:\windows\TEMP\Perflib_Perfdata_4e4.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]

"MessengerPlus3"="c:\program files\MessengerPlus! 3\MsgPlus.exe" [2006-11-04 190024]

"CursorXP"="c:\program files\CursorXP\CursorXP.exe" [2005-01-19 128000]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2005-11-23 352256]

"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-10 73728]

"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2005-05-19 188416]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-08 94208]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-08 77824]

"Persistence"="c:\windows\system32\igfxpers.exe" [2005-06-08 114688]

"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 122880]

"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-17 151552]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-15 761947]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-07-22 401408]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-07-22 385024]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-18 49152]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-12-21 67752]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-15 185896]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-09-07 267064]

"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2008-08-04 160800]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-18 136600]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]

"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-02-11 509784]

"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

"TalkAndWrite"="c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\1163D2B46CC742E5A3CC9E4157887751\TalkAndWrite.exe" [bU]

"TPSMain"="TPSMain.exe" [2005-05-31 c:\windows\system32\TPSMain.exe]

 

c:\documents and settings\Owner\Start Menu\Programs\Startup\

OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-09-12 384000]

 

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-18 288472]

Metamail Trust Manager.lnk - c:\program files\Metamail Inc\Metamail Tray\Metamail Trust Manager.exe [2005-11-29 329472]

Microsoft Office.lnk - c:\program files\Microsoft Office XP\Office10\OSA.EXE [2001-02-13 83360]

RAMASST.lnk - c:\windows\system32\RAMASST.exe [2005-11-04 155648]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]

2005-07-22 22:46 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon]

[bU]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

 

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-02-11 64160]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 950096]

S3 bd3b6b7d-f87c-4e5a-9b88-ca31bec32a2d;bd3b6b7d-f87c-4e5a-9b88-ca31bec32a2d;\??\d:\player\cds300.dll --> d:\player\cds300.dll [?]

S3 MSHUSBVideo;NX6000/NX3000/VX5000/VX5500/VX7000 Filter Driver;c:\windows\system32\drivers\nx6000.sys [2008-10-10 33808]

.

Contents of the 'Scheduled Tasks' folder

 

2009-02-17 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-02-11 23:45]

 

2009-01-07 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

.

- - - - ORPHANS REMOVED - - - -

 

BHO-{3C5D284B-AA33-4A65-9DBE-03BA2DB972F7} - (no file)

BHO-{508F5ED7-4814-4029-A2BF-E2F3ECB2642B} - (no file)

BHO-{6EBED6C9-9B4D-4792-9D22-F00E847C7467} - (no file)

BHO-{6EC17EDB-400A-42BB-A634-901E3D05D8FD} - (no file)

BHO-{D53E9B4D-0319-404C-8393-B6347A0D6186} - (no file)

HKCU-Run-cogad - c:\documents and settings\Owner\Application Data\cogad\cogad.exe

Notify-mlJBQJdc - (no file)

 

 

.

------- Supplementary Scan -------

.

uStart Page = hxxp://google.com/

mStart Page = about:blank

IE: E&xport to Microsoft Excel - c:\progra~1\MI01DA~1\Office10\EXCEL.EXE/3000

IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk

DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\j5ipsef1.default\

FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\j5ipsef1.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll

FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-18 17:23:53

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(1008)

c:\program files\Intel\Wireless\Bin\LgNotify.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe

c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe

c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe

c:\windows\system32\DVDRAMSV.exe

c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Microsoft LifeCam\MSCamS32.exe

c:\windows\system32\PSIService.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\toshiba\IVP\swupdate\swupdtmr.exe

c:\windows\system32\Tablet.exe

c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

c:\windows\system32\WTablet\TabUserW.exe

c:\progra~1\Intel\Wireless\Bin\1XConfig.exe

c:\windows\system32\Tablet.exe

c:\windows\system32\TPSBattM.exe

c:\program files\Synaptics\SynTP\Toshiba.exe

c:\progra~1\METAMA~1\METAMA~1\METAMA~2.EXE

c:\program files\OpenOffice.org 3\program\soffice.exe

c:\program files\OpenOffice.org 3\program\soffice.bin

c:\windows\system32\wscntfy.exe

c:\program files\HP\Digital Imaging\bin\hpqste08.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2009-02-18 17:28:28 - machine was rebooted

ComboFix-quarantined-files.txt 2009-02-19 01:28:17

ComboFix2.txt 2009-02-18 21:11:15

ComboFix3.txt 2009-02-17 01:02:07

ComboFix4.txt 2009-02-16 08:05:00

 

Pre-Run: 89,311,272,960 bytes free

Post-Run: 89,295,372,288 bytes free

 

227 --- E O F --- 2009-02-18 21:10:46

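As an added example, not part of the original thread and not ComboFix code: a Python script that reads the "Reg Loading Points" Run entries and the ORPHANS REMOVED lines in the format of the log above and scores each autostart for manual review. The line format ("Name"="path" [date size], or [bU] where ComboFix printed no date and size, or [date resolved-path] for a bare file name) and the sample lines are copied from the log; the scoring rules are this example's own assumptions about what deserves a second look, not anything ComboFix does. Two rules are worth spelling out: an executable launched from a user-writable profile directory is the pattern of the cogad.exe orphan above, and a bare file name in a Run value (TPSMain.exe) is found by the loader's path search, so a same-named file earlier in that search order would run instead. A "high" score is a cue to check, not a verdict: TalkAndWrite.exe scores high here because it sits under Application Data with no date or size, yet it lives in Skype's plug-in folder and the helper left it in place.

```python
"""Triage autostart entries from a ComboFix 'Reg Loading Points' section.

Added example for this thread; not ComboFix code and not posted by the
helper. The line format and the sample lines are taken from the log above;
the scoring rules are this example's own assumptions.
"""
import re

# Constructed sample: Run entries and one ORPHANS REMOVED line copied from the log above.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"TalkAndWrite"="c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\1163D2B46CC742E5A3CC9E4157887751\TalkAndWrite.exe" [bU]
"TPSMain"="TPSMain.exe" [2005-05-31 c:\windows\system32\TPSMain.exe]

- - - - ORPHANS REMOVED - - - -
HKCU-Run-cogad - c:\documents and settings\Owner\Application Data\cogad\cogad.exe
'''

ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"(?:\s+\[(?P<meta>[^\]]*)\])?\s*$')
ORPHAN_RE = re.compile(r'^(?P<hive>HKCU|HKLM)-Run-(?P<name>\S+) - (?P<path>.+?)\s*$')
META_RE = re.compile(r'^(?P<date>\d{4}-\d{2}-\d{2}) (?P<rest>.+)$')

# Directories an unprivileged XP user can write to. Malware launched from here is a
# common pattern (cogad.exe above), but legitimate plug-ins live there too.
USER_WRITABLE = ("\\documents and settings\\", "\\application data\\",
                 "\\local settings\\", "\\temp\\")


def parse_entries(text):
    """Extract Run values and ORPHANS REMOVED Run entries; other lines are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"name": m.group("name"), "path": m.group("path"),
                            "meta": m.group("meta"), "orphan": False})
            continue
        m = ORPHAN_RE.match(line)
        if m:
            entries.append({"name": m.group("name"), "path": m.group("path"),
                            "meta": None, "orphan": True})
    return entries


def assess(entry):
    """Attach a severity ('ok', 'review', 'high') and the reasons behind it."""
    path, meta = entry["path"], entry["meta"]
    resolved, size, reasons = path, None, []
    m = META_RE.match(meta or "")
    if m:
        if m.group("rest").isdigit():
            size = int(m.group("rest"))
        else:
            resolved = m.group("rest")   # ComboFix printed the path it resolved a bare name to
    if "\\" not in path:
        reasons.append("bare file name in the Run value, located by path search (resolved to %s)" % resolved)
    in_profile = any(marker in resolved.lower() for marker in USER_WRITABLE)
    if in_profile:
        reasons.append("executes from a user-writable profile directory")
    if entry["orphan"]:
        reasons.append("listed by ComboFix under ORPHANS REMOVED")
    elif m is None:
        reasons.append("no file date/size reported for this entry ([%s])" % (meta or ""))
    if in_profile and (entry["orphan"] or m is None):
        severity = "high"
    elif reasons:
        severity = "review"
    else:
        severity = "ok"
    return {"name": entry["name"], "path": path, "resolved": resolved, "size": size,
            "severity": severity, "reasons": reasons}


def triage(text):
    return [assess(e) for e in parse_entries(text)]


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print("%-7s %-20s %s" % (row["severity"], row["name"], "; ".join(row["reasons"]) or "-"))
```

On the sample, the two antivirus and antispyware entries under Program Files come out "ok", TPSMain comes out "review" for the bare file name only, and TalkAndWrite and cogad both come out "high". The helper's reading of the full log ("This looks OK again", below) is the verdict that counts; the script only orders the list so the entries worth a human look come first.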

Hi,

 

This looks OK again.

 

* Go to Start > Run and copy and paste the next command into the field:

 

ComboFix /u

 

Make sure there's a space between Combofix and /

Then hit enter.

 

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

 

Let me know in your next reply how things are now.


Everything seems to be good now, thanks!

 

Although Firefox has been freezing a lot since the last scan, though I don't know if it has to do with this or not.


If it's only Firefox, just uninstall and reinstall it. If it's still the same, then do a "clean" install of Firefox.

Read here how to do this: http://kb.mozillazine.org/Uninstalling_Firefox

 

* Go to Start > Run and copy and paste the next command into the field:

 

ComboFix /u

 

Make sure there's a space between Combofix and /

Then hit enter.

 

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

 

Also,

 

Please read my Prevention page, with lots of info and tips on how to prevent this in the future. Make sure you update your Windows!

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out which programs need to be updated, please run the Secunia Software Inspector scan.

 

Happy Surfing again!


Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

 

If you're the topic starter, and need this topic reopened, please contact the staff member who was helping you with your issue.

 

Everyone else please begin a New Topic.

 

Thank you !
