
Thread: Spyware.Possible_Website_Hijack

    #11 - Member (Join Date: Aug 2008, Posts: 49)

    Hi Dakeyras,

    My computer has slowed down quite a lot over today (Monday) and not just for the first few minutes after bootup - it remains slow all the time. It is taking me a while to type this as in between pressing a key and the character appearing on screen there is a definite lag of maybe half a second.

    I now have 2 Internet Explorer icons on my desktop.

    My Outlook Express e-mail has lost all of the mail accounts I had set up.

    Otherwise things are fine.

    I made sure Spyware Doctor and Comodo were both switched off this time. I successfully installed the Windows Recovery Console and then scanned - logs, as requested, below:

    Combofix log

    ComboFix 09-06-15.01 - J Simpson 15/06/2009 20:27.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1023.717 [GMT 1:00]
    Running from: c:\documents and settings\J Simpson\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\J Simpson\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
    FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
    .

    ((((((((((((((((((((((((( Files Created from 2009-05-15 to 2009-06-15 )))))))))))))))))))))))))))))))
    .

    2009-06-14 08:08 . 2009-04-15 14:51 585216 -c----w- c:\windows\system32\dllcache\rpcrt4.dll
    2009-06-14 08:07 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
    2009-06-14 08:07 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
    2009-06-14 08:07 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
    2009-06-14 08:07 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
    2009-06-14 08:07 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
    2009-06-14 08:07 . 2009-02-09 12:10 729088 -c----w- c:\windows\system32\dllcache\lsasrv.dll
    2009-06-14 08:07 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
    2009-06-14 08:07 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
    2009-06-14 08:07 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
    2009-06-14 05:51 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
    2009-06-14 05:51 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
    2009-06-13 20:26 . 2009-06-13 20:26 -------- d-----w- c:\documents and settings\J Simpson\Application Data\Malwarebytes
    2009-06-13 20:25 . 2009-05-26 12:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-06-13 20:25 . 2009-06-13 20:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-06-13 20:25 . 2009-06-13 20:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-06-13 20:25 . 2009-05-26 12:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-06-13 12:28 . 2009-06-14 05:21 -------- d-----w- C:\rsit
    2009-06-13 12:24 . 2009-06-13 12:27 -------- d-----w- C:\Rooter$
    2009-06-11 07:38 . 2009-06-11 07:38 -------- d-----w- c:\program files\Trend Micro
    2009-06-11 07:32 . 2009-06-11 07:33 -------- d-----w- c:\program files\ERUNT
    2009-06-10 14:29 . 2009-03-31 10:23 39200 ----a-w- c:\windows\system32\drivers\TfSysMon.sys
    2009-06-10 14:29 . 2009-03-31 10:23 33056 ----a-w- c:\windows\system32\drivers\TfNetMon.sys
    2009-06-10 14:29 . 2009-03-31 10:23 12576 ----a-w- c:\windows\system32\drivers\TfKbMon.sys
    2009-06-10 14:29 . 2009-03-31 10:23 51488 ----a-w- c:\windows\system32\drivers\TfFsMon.sys
    2009-06-10 14:24 . 2008-12-11 07:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
    2009-06-10 14:24 . 2009-04-03 10:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
    2009-06-10 14:24 . 2008-12-18 11:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
    2009-06-10 14:23 . 2008-12-10 10:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
    2009-06-09 19:20 . 2009-06-09 19:20 56 ---ha-w- c:\windows\system32\ezsidmv.dat
    2009-06-09 19:20 . 2009-06-11 20:21 -------- d-----w- c:\documents and settings\J Simpson\Application Data\skypePM
    2009-06-09 19:19 . 2009-06-11 20:22 -------- d-----w- c:\documents and settings\J Simpson\Application Data\Skype
    2009-06-09 19:19 . 2009-06-09 19:19 -------- d-----w- c:\program files\Common Files\Skype
    2009-06-09 19:19 . 2009-06-09 19:19 -------- d-----r- c:\program files\Skype
    2009-06-09 19:19 . 2009-06-09 19:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
    2009-05-31 10:17 . 2009-05-31 10:17 -------- d-----w- c:\documents and settings\J Simpson\Local Settings\Application Data\Help
    2009-05-31 09:37 . 2009-05-31 09:37 -------- d-----w- c:\documents and settings\All Users\Application Data\ScanSoft
    2009-05-31 09:37 . 2008-04-13 17:45 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
    2009-05-31 09:37 . 2008-04-13 17:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
    2009-05-31 09:32 . 2009-05-31 09:39 -------- d-----w- c:\program files\Common Files\scansoft shared
    2009-05-31 09:32 . 2009-05-31 09:32 -------- d-----w- c:\program files\Scansoft
    2009-05-31 09:25 . 2009-05-31 09:31 270336 ----a-w- c:\windows\IHelper.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-06-15 19:21 . 2009-02-02 19:15 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2009-06-15 19:21 . 2009-02-02 19:15 -------- d-----w- c:\program files\Spyware Doctor
    2009-06-11 00:25 . 2009-02-02 16:39 110760 ----a-w- c:\documents and settings\J Simpson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-06-10 14:32 . 2009-02-02 19:15 -------- d-----w- c:\program files\Common Files\PC Tools
    2009-06-09 19:45 . 2009-02-03 06:33 -------- d-----w- c:\program files\World of Warcraft
    2009-05-31 10:13 . 2009-02-11 15:05 -------- d-----w- c:\documents and settings\J Simpson\Application Data\Serif
    2009-05-31 10:12 . 2009-02-11 14:40 -------- d-----w- c:\program files\Serif
    2009-05-31 09:39 . 2009-05-31 09:39 -------- d-----w- c:\program files\TextBridge Pro 9.0
    2009-05-31 09:37 . 2009-05-31 09:36 -------- d-----w- c:\program files\Xerox One Touch
    2009-05-31 09:31 . 2009-02-02 11:10 -------- d-----w- c:\program files\Common Files\InstallShield
    2009-05-07 15:32 . 2006-02-28 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
    2009-04-29 04:56 . 2006-02-28 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
    2009-04-29 04:55 . 2006-02-28 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
    2009-04-17 12:26 . 2006-02-28 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
    2009-04-17 05:50 . 2009-02-19 16:09 -------- d-----w- c:\program files\dwyco2
    2009-04-15 14:51 . 2006-02-28 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
    2009-04-01 07:21 . 2009-04-01 07:21 152576 ----a-w- c:\documents and settings\J Simpson\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
    2009-04-01 07:04 . 2009-04-01 07:04 1409 -c--a-w- c:\windows\Fonts\SToccata.fot
    2009-04-01 07:04 . 2009-04-01 07:04 4874056 ----a-w- c:\documents and settings\J Simpson\Application Data\ACAMPREF\Myriad\Updates\Install.exe
    2009-03-19 14:19 . 2009-03-19 14:19 80400 -c--a-w- c:\windows\system32\drivers\inspect.sys
    2009-03-19 14:19 . 2009-03-19 14:19 24336 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
    2009-03-19 14:19 . 2009-03-19 14:19 155384 ----a-w- c:\windows\system32\guard32.dll
    2009-03-19 14:19 . 2009-03-19 14:19 110992 ----a-w- c:\windows\system32\drivers\cmdguard.sys
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-06-15_05.07.15 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-06-15 19:11 . 2009-06-15 19:11 16384 c:\windows\Temp\Perflib_Perfdata_278.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-29 4620288]
    "COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-03-19 1851128]

    c:\documents and settings\J Simpson\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
    @=""

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Microsoft Games\\Links 2003\\LinksMMIII.exe"=
    "c:\\Program Files\\dwyco2\\cdc32.exe"=
    "c:\\Program Files\\World of Warcraft\\Launcher.exe"=
    "c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
    "c:\\Program Files\\Curse\\CurseClient.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "6112:TCP"= 6112:TCP:Blizzard Downloader
    "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

    R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [10/06/2009 15:24 130936]
    R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [10/06/2009 15:29 51488]
    R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [10/06/2009 15:29 39200]
    R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [19/03/2009 15:19 110992]
    R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [19/03/2009 15:19 24336]
    R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [10/06/2009 15:24 159600]
    R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [10/06/2009 15:29 33056]
    S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [11/02/2009 16:19 33752]
    S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [10/06/2009 15:23 64392]
    S3 phil2vid;Philips USB VGA Camera;c:\windows\system32\drivers\philcam2.sys [19/02/2009 16:59 173696]
    S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [02/02/2009 20:15 348752]
    S3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service --> c:\program files\Spyware Doctor\TFEngine\TFService.exe service [?]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    uInternet Settings,ProxyOverride = 127.0.0.1;2
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
    LSP: c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
    DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-06-15 20:30
    Windows 5.1.2600 Service Pack 3 NTFS

    detected NTDLL code modification:
    ZwClose, ZwOpenFile

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(684)
    c:\windows\system32\guard32.dll

    - - - - - - - > 'lsass.exe'(744)
    c:\windows\system32\guard32.dll
    c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll

    - - - - - - - > 'explorer.exe'(3804)
    c:\windows\system32\guard32.dll
    c:\progra~1\WINDOW~2\wmpband.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2009-06-15 20:31
    ComboFix-quarantined-files.txt 2009-06-15 19:31
    ComboFix2.txt 2009-06-15 05:09

    Pre-Run: 117,126,840,320 bytes free
    Post-Run: 117,116,260,352 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    170 --- E O F --- 2009-06-14 20:51


    HiJackThis log;

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 20:34:02, on 15/06/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16850)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;2
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://utilities.pcpitstop.com/da/PCPitStop.CAB
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe...bat/nos/gp.cab
    O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe

    --
    End of file - 4962 bytes

    Hope this is what you need ....

    Jeff

    #12 - Dakeyras, Security Expert-Emeritus (Join Date: Sep 2008, Location: The Tundra, Posts: 1,173)

    Hi

    My computer has slowed down quite a lot over today (Monday) and not just for the first few minutes after bootup - it remains slow all the time. It is taking me a while to type this as inbetween pressing a key and the character appearing onscreen there is a definite lag of maybe half a second.
    No problem, let's see what we can do to address this. It might still be malware related, but having ERUNT set to create a new backup with every system reboot is not necessary. Once per week manually is sufficient; we can address that in due course.

    I now have 2 Internet Explorer icons on my desktop.
    Merely delete one and empty the Recycle Bin.

    My Outlook Express e-mail has lost all of the mail accounts I had set up.
    Strange, not quite sure why this has occurred. Try launching OE again and see if the headers are re-downloaded.

    Upload a Suspicious File:

    There is a file I would like to be checked, please carry out the following:

    Note: Internet Explorer is the browser to use for best results.
    • Please go to VirSCAN.org free on-line scan service.
    • Copy and paste the following file path into the "Suspicious files to scan" box at the top of the page:

      c:\windows\IHelper.exe

    • Click on the Upload button
    • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
    • Paste the contents of the Clipboard in your next reply. (Ctrl & V)

    F-Secure Blacklight:

    Please download Blacklight from here to your desktop.

    or

    Link to it from the ftp site: ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe
    and save it to your desktop from there.

    Go to Start-->Run, copy in the following text, and press Enter:
    "%userprofile%\desktop\fsbl.exe" /expert
    Accept the license agreement.
    Click > scan, wait for it to finish, then click Close

    There will be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).
    Copy and paste the contents of this log into your next reply.

    Check Hard Disk For Errors:

    Press Start->Run, then copy/paste the following command into the box and press OK:
    cmd /c chkdsk c: |find /v "percent" >> "%userprofile%\desktop\checkhd.txt"
    A blank command window will open on your desktop, then close in a few minutes. This is normal.
    A file icon named checkhd.txt should appear on your Desktop. Please post the contents of this file.

    When completed the above, please post back the following:
    • How is your computer performing now? Any problems encountered and/or any further symptoms?
    • Virscan results.
    • Blacklight Log.
    • checkhd.txt.
    • A new HijackThis Log.
    Mammuthus Hibernian Scouserus, member of ASAP and UNITE.

    #13 - Member (Join Date: Aug 2008, Posts: 49)

    Hi

    The problem with losing my mail accounts in OE seems to be linked to using ComboFix. I reset all my accounts and OE was working fine, then I used ComboFix for yesterday's report and the accounts had disappeared again - I have checked periodically today after using different pieces of software (NOT ComboFix) and the accounts are all still intact.

    The computer was running fine - nice and quick and smooth - until I logged in here and started this reply - and then things began to crawl again.

    Anyways - here are the links/logs you needed:

    Virscan:

    VirSCAN.org Scanned Report :
    Scanned time : 2009/06/16 12:38:50 (BST)
    Scanner results: 3% Scanner(1/38) found malware!
    File Name : IHelper.exe
    File Size : 270336 byte
    File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5 : 01d7899bef54c4c6c5b1f83130a45675
    SHA1 : 17dc9c6acd0926c179ae1c1ea4ec6fa61d349349
    Online report : http://virscan.org/report/bacd29e807...1e69db4d8.html

    Scanner Engine Ver Sig Ver Sig Date Time Scan result
    a-squared 4.5.0.1 20090614213204 2009-06-14 2.64 -
    AhnLab V3 2009.06.16.03 2009.06.16 2009-06-16 0.77 -
    AntiVir 8.2.0.187 7.1.4.98 2009-06-16 0.43 -
    Antiy 2.0.18 20090616.2549523 2009-06-16 0.12 -
    Arcavir 2009 200906160932 2009-06-16 0.07 -
    Authentium 5.1.1 200906151603 2009-06-15 1.80 -
    AVAST! 4.7.4 090615-0 2009-06-15 0.02 -
    AVG 8.5.286 270.12.73/2180 2009-06-16 3.36 -
    BitDefender 7.81008.3349029 7.26014 2009-06-16 3.02 -
    CA (VET) 9.0.0.143 31.6.6560 2009-06-16 4.75 -
    ClamAV 0.95.1 9469 2009-06-16 0.06 -
    Comodo 3.9 1341 2009-06-16 0.72 -
    CP Secure 1.1.0.715 2009.06.16 2009-06-16 10.13 -
    Dr.Web 4.44.0.9170 2009.06.16 2009-06-16 4.82 -
    F-Prot 4.4.4.56 20090615 2009-06-15 1.75 -
    F-Secure 5.51.6100 2009.06.16.04 2009-06-16 0.10 -
    Fortinet 2.81-3.117 10.502 2009-06-16 0.26 -
    GData 19.5856/19.365 20090616 2009-06-16 4.98 -
    ViRobot 20090616 2009.06.16 2009-06-16 0.49 -
    Ikarus T3.1.01.59 2009.06.15.72872 2009-06-15 3.38 -
    JiangMin 11.0.706 2009.06.16 2009-06-16 2.00 -
    Kaspersky 5.5.10 2009.06.16 2009-06-16 0.08 -
    KingSoft 2009.2.5.15 2009.6.16.18 2009-06-16 0.50 -
    McAfee 5.3.00 5647 2009-06-15 3.08 -
    Microsoft 1.4701 2009.06.16 2009-06-16 4.35 -
    mks_vir 2.01 2009.06.15 2009-06-15 3.23 -
    Norman 6.01.09 6.01.00 2009-06-16 4.01 -
    Panda 9.05.01 2009.06.15 2009-06-15 1.69 -
    Trend Micro 8.700-1004 6.196.03 2009-06-16 0.04 -
    Quick Heal 10.00 2009.06.16 2009-06-16 1.26 -
    Rising 20.0 21.34.13.00 2009-06-16 0.85 -
    Sophos 2.87.1 4.42 2009-06-16 2.50 -
    Sunbelt 5191 5191 2009-06-15 1.14 -
    Symantec 1.3.0.24 20090615.003 2009-06-15 0.05 -
    nProtect 20090616.03 4261430 2009-06-16 5.51 -
    The Hacker 6.3.4.3 v00345 2009-06-15 0.71 -
    VBA32 3.12.10.7 20090615.1405 2009-06-15 2.08 Win32 Shadow AutoStart Install (suspicious)
    VirusBuster 4.5.11.10 10.107.14/1629766 2009-06-15 2.19 -

    Blacklight Log

    06/16/09 13:26:41 [Info]: BlackLight Engine 2.2.1092 initialized
    06/16/09 13:26:41 [Info]: OS: 5.1 build 2600 (Service Pack 3)
    06/16/09 13:26:41 [Note]: 7019 4
    06/16/09 13:26:41 [Note]: 7005 0
    06/16/09 13:26:44 [Note]: 7006 0
    06/16/09 13:26:44 [Note]: 7022 0
    06/16/09 13:26:44 [Note]: 7011 1756
    06/16/09 13:26:44 [Note]: 7035 0
    06/16/09 13:26:44 [Note]: 7026 0
    06/16/09 13:26:44 [Note]: 7026 0
    06/16/09 13:26:44 [Note]: FSRAW library version 1.7.1024
    06/16/09 13:29:01 [Note]: 7007 0


    Checkhd log

    The type of the file system is NTFS.

    WARNING! F parameter not specified.
    Running CHKDSK in read-only mode.

    CHKDSK is verifying files (stage 1 of 3)...
    CHKDSK is verifying indexes (stage 2 of 3)...
    CHKDSK is recovering lost files.
    CHKDSK is verifying security descriptors (stage 3 of 3)...
    CHKDSK discovered free space marked as allocated in the
    master file table (MFT) bitmap.
    Correcting errors in the Volume Bitmap.
    Windows found problems with the file system.
    Run CHKDSK with the /F (fix) option to correct these.

    160826683 KB total disk space.
    46240744 KB in 78514 files.
    23252 KB in 4781 indexes.
    0 KB in bad sectors.
    171891 KB in use by the system.
    65536 KB occupied by the log file.
    114390796 KB available on disk.

    4096 bytes in each allocation unit.
    40206670 total allocation units on disk.
    28597699 allocation units available on disk.


    HiJackThis log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 13:33:16, on 16/06/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16850)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\WINDOWS\msagent\AgentSvr.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;2
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://utilities.pcpitstop.com/da/PCPitStop.CAB
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe...bat/nos/gp.cab
    O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe

    --
    End of file - 5233 bytes


    Hope this is what you need ...

    Jeff
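    Added example (not part of the thread, and not a HijackThis tool): a small Python parser that pulls the R/F/N/O items and the "Running processes" block out of two HijackThis v2 logs, diffs them, and flags "(no file)" and "Unknown owner" entries of the kind seen in the logs above. The two embedded logs are constructed excerpts: the first is a few lines of the 16/06/2009 log posted above, the second a hypothetical follow-up log after the Yahoo! Toolbar R3 and ERUNT O4 entries were fixed.

```python
"""Parse, diff and triage HijackThis v2 logs (added example, not a HijackThis tool)."""
import re
from dataclasses import dataclass

# A HijackThis item line is "<section code> - <entry>", e.g.
#   R3 - URLSearchHook: Yahoo! Toolbar - {EF99...} - (no file)
# Section codes are R0-R3, F0-F3, N1-N4 and O1-O24.
ITEM_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")

@dataclass(frozen=True)
class HjtItem:
    code: str  # section code such as "O4"
    body: str  # everything after "<code> - "

def parse_items(log: str) -> list[HjtItem]:
    """Return the R/F/N/O items of a log, in file order."""
    items = []
    for raw in log.splitlines():
        m = ITEM_RE.match(raw.strip())
        if m:
            items.append(HjtItem(m["code"], m["body"]))
    return items

def parse_processes(log: str) -> list[str]:
    """Return the 'Running processes:' block (up to the next blank line)."""
    procs, in_block = [], False
    for raw in log.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_block = True
        elif in_block:
            if not line:
                break
            procs.append(line)
    return procs

def diff_items(old: list[HjtItem], new: list[HjtItem]):
    """Return (added, removed): items only in `new`, items only in `old`, in file order."""
    old_set, new_set = set(old), set(new)
    return [i for i in new if i not in old_set], [i for i in old if i not in new_set]

def triage(items: list[HjtItem]) -> list[tuple[HjtItem, str]]:
    """Flag the entries a reviewer reads first, with the reason.

    "(no file)" is how HijackThis marks a registry reference whose target file
    is missing (an orphaned hook); "Unknown owner" is an O23 service whose
    publisher could not be read from the binary, so its path deserves a check.
    """
    flagged = []
    for item in items:
        if item.body.endswith("(no file)"):
            flagged.append((item, "orphaned: target file missing"))
        elif item.code == "O23" and "Unknown owner" in item.body:
            flagged.append((item, "service publisher unknown"))
    return flagged

# Constructed excerpt (a few lines) of the 16/06/2009 log posted above.
LOG_DAY2 = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
"""

# Constructed (hypothetical) follow-up log: the same excerpt after the R3 and
# ERUNT O4 entries were fixed in HijackThis and Word was closed.
LOG_AFTER_FIX = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
"""

if __name__ == "__main__":
    added, removed = diff_items(parse_items(LOG_DAY2), parse_items(LOG_AFTER_FIX))
    for item in removed:
        print("removed:", item.code, "-", item.body)
    for item, why in triage(parse_items(LOG_DAY2)):
        print(f"check ({why}):", item.code, "-", item.body)
    gone = set(parse_processes(LOG_DAY2)) - set(parse_processes(LOG_AFTER_FIX))
    print("no longer running:", *sorted(gone))
```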

    #14 - Dakeyras, Security Expert-Emeritus (Join Date: Sep 2008, Location: The Tundra, Posts: 1,173)

    Hi

    I now think the current problems have arisen because the initial ComboFix run was done without the Comodo Firewall correctly disabled. No irreparable harm done and we should be able to rectify the situation, plus hopefully we will not need to run the aforementioned again. But we will leave it and its backups etc. in place for the time being as a precaution. When I give the all clear there is a specific methodology required to uninstall ComboFix.

    Next:

    Temporarily disable your Comodo Firewall, so that it does not hinder the HijackThis fixes below.

    Next:

    Please re-open HiJackThis and select Scan. Check the boxes next to all the entries listed below (if present):

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE


    Now click on Fix Checked. Close HiJackThis.

    Next:

    Now click Start >> Run and type cleanmgr in the box and press OK.
    • Ensure the boxes for Temporary Files, Temporary Internet Files and Recycle Bin are checked.
    • You can choose to check other boxes if you wish but they are not required.
    • Click on OK then Yes.
    Hard-Drive Maintenance/Repair:

    Note: for the CHKDSK portion you may refer to this tutorial of mine here and follow the instructions for Graphical Mode if you so wish.
    • Click Start >> Run... then type in CMD and click on OK.
    • At the Command Prompt C:\ > type the following:
    • CD C:\ and hit the Enter/Return key.
    • Now type in DEFRAG C: -F
    • An analysis report will be displayed and then Windows will start the defragmentation run automatically.
    • This may take some time; when completed the Command Prompt C:\ > will appear.
    • Now type in CHKDSK C: /R and hit the Enter/Return key.
    • When prompted with:
    CHKDSK cannot run because the volume is in use by another process
    Would you like to schedule this volume to be checked next time the system
    restarts (Y/N)
    • Hit the Y key then at the Command Prompt C:\ >
    • Type in EXIT and hit the Enter/Return key.
    • Now Reboot(Restart) your computer.
    Note: Upon Reboot(Restart) the CHKDSK(check-disk) will start and carry out the repairs required.

    You should see a screen like this just after the POST (power on self test) screen:

    (screenshot not reproduced here)

    Note: Do not touch either the keyboard or mouse, otherwise the Check-Disk will be cancelled and your computer will continue to boot up as normal.

    When completed the above, please post back the following:
    • How is your computer performing now? Any problems encountered and/or any further symptoms?
    • A new HijackThis Log.
    Mammuthus Hibernian Scouserus, member of ASAP and UNITE.
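As an added example (not part of the thread), here is a small Python script that triages a HijackThis v2 log along the lines of the review above: it groups entries by section code and flags the cases a helper looks at first, such as an entry whose file is gone ("(no file)", like the R3 URLSearchHook fixed above), downloaded ActiveX controls (O16 DPF) and services with no recognised publisher (O23). The sample log is constructed from entries visible in the thread; the flag categories are the example author's own choice, not HijackThis output.

```python
"""Triage a HijackThis v2 log: group entries by section and flag the
cases a helper looks at first. Added example, not part of the thread;
SAMPLE_LOG is constructed from entries visible in the thread."""
import re
from collections import defaultdict

# Every HijackThis entry starts with a section code such as R0, R3, O4, O16, O23
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")

SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:06:20, on 17/06/2009

Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;2
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://utilities.pcpitstop.com/da/PCPitStop.CAB
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe

--
End of file - 5307 bytes
"""


def parse_hjt(text):
    """Return [(section, body), ...] for every entry line in the log."""
    entries = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group("section"), match.group("body")))
    return entries


def by_section(entries):
    """Count entries per section code (R0, O2, O23, ...)."""
    counts = defaultdict(int)
    for section, _ in entries:
        counts[section] += 1
    return dict(counts)


def triage(entries):
    """Map a review reason to the entries that trigger it.

    These are the first things a helper checks, not a verdict: the cmdAgent
    service in the sample is COMODO's own, it just carries no publisher."""
    findings = defaultdict(list)
    for section, body in entries:
        if "(no file)" in body:
            # registry still points at a file that no longer exists
            findings["dead reference"].append((section, body))
        if section == "O16":
            # DPF: an ActiveX control downloaded from the URL at the end of the line
            findings["downloaded ActiveX"].append((section, body))
        if section == "O23" and " - Unknown owner - " in body:
            # service binary with no recognised publisher: check its path and signature
            findings["no publisher"].append((section, body))
    return dict(findings)


if __name__ == "__main__":
    found = parse_hjt(SAMPLE_LOG)
    print("entries per section:", by_section(found))
    for reason, items in triage(found).items():
        for section, body in items:
            print(f"[{reason}] {section} - {body}")
```

Run it against a saved log with `triage(parse_hjt(open("hijackthis.log").read()))`. A flagged entry is a candidate for a closer look, not proof of infection; the "Unknown owner" on cmdAgent above is a missing publisher string on a legitimate service.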

  5. #15
    Member
    Join Date
    Aug 2008
    Posts
    49

    Default

    Hi D

    System seems to be working fine;
    Boot up from off took 35 seconds, no major activity and machine seems quick and smooth.

    Apologies for the delay in replying but Defrag and Disc Check took a while!

    Log as requested;

    HiJackThis Log;

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 08:06:20, on 17/06/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16850)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
    C:\Program Files\Spyware Doctor\pctsTray.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Spyware Doctor\pctsAuxs.exe
    C:\Program Files\Spyware Doctor\pctsSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;2
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
    O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://utilities.pcpitstop.com/da/PCPitStop.CAB
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe...bat/nos/gp.cab
    O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe

    --
    End of file - 5307 bytes


    Thanks for all this attention

    Jeff

  6. #16
    Security Expert-Emeritus Dakeyras's Avatar
    Join Date
    Sep 2008
    Location
    The Tundra
    Posts
    1,173

    Default

    Hi

    System seems to be working fine;
    Boot up from off took 35 seconds, no major activity and machine seems quick and smooth.
    Very good.

    Apologies for the delay in replying but Defrag and Disc Check took a while!
    Not a problem and actually no need to apologise, but I do appreciate both the courtesy and manners. I thought the HDD maintenance might take some time, but in the long run it is worth it.

    Thanks for all this attention
    You're welcome!

    OK, as a final check it would be prudent to run an online scan, as this will determine if your machine is indeed malware free and no other nasties are lurking. If anything is found we can then take the appropriate action.

    There may be a chance that the infections removed by ComboFix and currently residing in the quarantine folder will be flagged, as will any lurking in the System Restore points. This is not a cause for concern, I will add, as they will be removed during the ComboFix uninstall procedure.

    Run Kaspersky Online AV Scanner:

    Go to this Kaspersky website and perform an online antivirus scan.

    Note: Use Internet Explorer for this scan.
    • Read through the requirements and privacy statement and click on Accept button.
    • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    • When the downloads have finished, click on Settings.
    • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      • Spyware, Adware, Dialers, and other potentially dangerous programs
        Archives
        Mail databases
    • Click on My Computer under Scan.
    • Once the scan is complete, it will display the results. Click on View Scan Report.
    • You will see a list of infected items there. Click on Save Report As....
    • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
    • Please post this log in your next reply.
    This online tutorial will help explain how to use the aforementioned online scan.

    When completed the above, please post back the following:
    • How is your computer performing now? Any problems encountered and/or any further symptoms?
    • Kaspersky report.
    • A new HijackThis Log.
    Mammuthus Hibernian Scouserus, member of ASAP and UNITE.

  7. #17
    Member
    Join Date
    Aug 2008
    Posts
    49

    Default

    Hi D

    OK - everything is running well, no sluggishness or crashes.

    Outlook Express working fine.

    So here are the logs;

    Kaspersky Scan;

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0 REPORT
    Wednesday, June 17, 2009
    Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Program database last update: Wednesday, June 17, 2009 21:58:23
    Records in database: 2358335
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    A:\
    C:\
    D:\
    E:\
    W:\
    X:\
    Y:\
    Z:\

    Scan statistics:
    Files scanned: 77046
    Threat name: 0
    Infected objects: 0
    Suspicious objects: 0
    Duration of the scan: 01:20:01

    No malware has been detected. The scan area is clean.

    The selected area was scanned.

    HiJackThis Log;

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 22:39:20, on 17/06/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16850)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Spyware Doctor\pctsAuxs.exe
    C:\Program Files\Spyware Doctor\pctsSvc.exe
    C:\Program Files\Spyware Doctor\pctsTray.exe
    C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;2
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
    O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://utilities.pcpitstop.com/da/PCPitStop.CAB
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe...bat/nos/gp.cab
    O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe

    --
    End of file - 5356 bytes

    Jeff

  8. #18
    Security Expert-Emeritus Dakeyras's Avatar
    Join Date
    Sep 2008
    Location
    The Tundra
    Posts
    1,173

    Default

    Hi

    OK - everything is running well, no sluggishness or crashes.

    Outlook Express working fine.


    Next:

    Congratulations your computer now appears to be malware free!

    Now I have some tasks for your good self to carry out as part of a clean up process and some advice about online safety.

    Importance of Regular System Maintenance:

    I advise you to read both of the topics listed below, as this will go a long way to keeping your computer performing well.

    Help! My computer is slow!

    Also this:

    What to do if your Computer is running slowly

    Uninstall ComboFix:

    • Click on Start >> Run...
    • Now type in Combofix /u in the box and click OK.
    • Note the space between the X and the U, it needs to be there.
    Cleanup with OTC:

    Please download OTC and save it to your desktop. This tool will remove all the tools we used to clean your computer.
    • Double-click OTC.exe.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes, if not delete it by yourself.
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

    Now some advice for on-line safety:

    Malwarebyte's Anti-Malware:

    This is an excellent application and I advise you to keep it installed. Check for updates and run a scan once a week.

    Other installed security software:

    Your presently installed application, Spyware Doctor with AntiVirus, automatically checks for updates and downloads/installs them with every system reboot and/or periodically if the machine is left running, providing an internet connection is active.

    I advise you to run a complete scan with this also, once per week.

    Erunt:

    Emergency Recovery Utility NT. I advise you to keep this installed as a means to keep a complete backup of your registry and restore it when needed.

    Myself, I would actually create a new backup once per week, as this along with System Restore may prove to be invaluable if something unforeseen occurs!

    Keep your system updated:

    Microsoft releases patches for Windows and other products regularly:
    Be careful when opening attachments and downloading files:
    • Never open email attachments, not even if they are from someone you know. If you need to open them, scan them with your antivirus program before opening.
    • Never open emails from unknown senders.
    • Beware of emails that warn about viruses that are spreading, especially those from antivirus vendors. These email addresses can be easily spoofed. Check the antivirus vendor websites to be sure.
    • Be careful of what you download. Only download files from known sources. Also, avoid cracked programs. If you need a particular program that costs too much for you, try finding free alternatives on Sourceforge or Pricelessware.
    Stop malicious scripts:

    Windows by default allows scripts (VBScript and JavaScript) to run, and some of these scripts are malicious. Use Noscript by Symantec or Script Defender by AnalogX to handle these scripts.

    Make your Internet Explorer safer:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialise and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
    Avoid Peer to Peer software:

    P2P may be a great way to get lots of seemingly freeware, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well. My advice avoid these types of software applications.

    Hosts File:

    A Hosts file is like a phone book. You look up someone's name in the phone book before calling him/her. Similarly, your computer will look up the website's IP address before you can view the website.

    Hosts file will replace your current Hosts file with another one containing well-known advertisement sites, spyware sites and other bad sites. This new Hosts file will protect you by re-directing these bad sites to 127.0.0.1.

    Here are some Hosts files:
    Only use one of the above.

    Finally, an educational source:

    To learn more about how to protect yourself while on the internet read this article by Tony Klein:

    So how did I get infected in the first place?

    Some consider this article outdated; personally I still think it bears relevance, and the author is well respected in the Anti-Malware community and by myself also!

    Any questions? Feel free to ask. If not, stay safe!
    Mammuthus Hibernian Scouserus, member of ASAP and UNITE.
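As an added example (not part of the thread), the Python below does what the resolver does with a Hosts file: it parses the file, applies first-match lookup with names compared case-insensitively, lists the names the file sinkholes, reports conflicting entries for the same name (what you get when two blocklists are pasted together, hence the advice above to use only one), and checks that a name which must keep working has not been swallowed by the list. The Hosts content and the must-not-block list are constructed for the example.

```python
"""Parse a Windows Hosts file, resolve names as the resolver does
(first match wins, names compared case-insensitively) and report
conflicting entries. Added example, not part of the thread; the file
content and the must-not-block list are constructed."""
import ipaddress

SAMPLE_HOSTS = r"""
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost

# --- constructed blocklist entries ---
127.0.0.1  ads.example.net
127.0.0.1  tracker.example.org  www.tracker.example.org   # several names per line
0.0.0.0    ads.example.net                                # same name, second list
127.0.0.1  DOWNLOAD.WINDOWSUPDATE.COM                     # blocks Windows Update
"""

SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}
# Names that must keep resolving normally; constructed for the example
MUST_NOT_BLOCK = {"download.windowsupdate.com"}


def parse_hosts(text):
    """Yield (ip, name, line_no) for every mapping; '#' starts a comment."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError as exc:
            raise ValueError(f"line {line_no}: {fields[0]!r} is not an address") from exc
        for name in fields[1:]:
            yield str(ip), name.lower(), line_no


def build_table(text):
    """Return ({name: {4|6: (ip, line_no)}}, conflicts).

    The resolver uses the first entry for a name, so later duplicates are
    dropped; a later duplicate with a different address of the same family
    is a conflict worth reporting."""
    table, conflicts = {}, []
    for ip, name, line_no in parse_hosts(text):
        family = ipaddress.ip_address(ip).version
        entries = table.setdefault(name, {})
        if family in entries and entries[family][0] != ip:
            conflicts.append((name, entries[family], (ip, line_no)))
        entries.setdefault(family, (ip, line_no))
    return table, conflicts


def resolve(table, name, family=4):
    """Address the Hosts file gives for name, or None if it is not listed."""
    entry = table.get(name.lower(), {}).get(family)
    return entry[0] if entry else None


def sinkholed(table):
    """Names the file redirects to a local or black-hole address, localhost aside."""
    return sorted(name for name, entries in table.items()
                  if name != "localhost"
                  and any(ip in SINKHOLES for ip, _ in entries.values()))


def wrongly_blocked(table, must_not_block=MUST_NOT_BLOCK):
    """Names from the must-keep list that the file would sinkhole."""
    return sorted(n for n in must_not_block if resolve(table, n) in SINKHOLES)


if __name__ == "__main__":
    table, conflicts = build_table(SAMPLE_HOSTS)
    print("sinkholed:", sinkholed(table))
    for name, first, second in conflicts:
        print(f"conflict: {name} first at line {first[1]} ({first[0]}), again at line {second[1]} ({second[0]})")
    print("wrongly blocked:", wrongly_blocked(table))
```

Point it at a real file with `build_table(open(r"C:\WINDOWS\system32\drivers\etc\hosts").read())`. A non-empty `wrongly_blocked` list is the check to run after installing a new Hosts file, before wondering why updates stopped arriving.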

  9. #19
    Member
    Join Date
    Aug 2008
    Posts
    49

    Default

    Hi D

    Great job - thank you so much for leading me, so brilliantly, through this minefield.

    The PC is running very efficiently, boot up took just 34 seconds from off, and software I used within seconds of full bootup ran very smoothly.

    I have taken all your advice - though all my settings in Internet Explorer were already as you advised them to be set.

    Good luck with all the problems you are about to solve - those troubled users are in good hands

    Jeff
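Since the six Internet Explorer settings were checked by hand in the post above, here is an added Python example (not part of the thread) that audits the same settings from the registry instead. The value names (1001, 1004, 1201, 1800, 1804, 1607) and the levels 0 = Enable, 1 = Prompt, 3 = Disable are taken from Microsoft's KB 182569 description of the security zone registry entries, with Zones\3 being the Internet zone; treat them as an assumption to verify on your own build. The audit logic works on a plain dictionary so it can be tested off the box; the registry read is only attempted on Windows, and the snapshot in SAMPLE_VALUES is constructed.

```python
"""Audit the Internet zone settings named in the thread against the
advised levels. Added example, not part of the thread. Value IDs and
levels are as described in Microsoft KB 182569 (assumed; verify on your
build): Zones\3 is the Internet zone, 0 = Enable, 1 = Prompt, 3 = Disable.
SAMPLE_VALUES is a constructed snapshot."""
import sys

ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
ENABLE, PROMPT, DISABLE = 0, 1, 3
LEVEL_NAME = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}
STRICTNESS = {ENABLE: 0, PROMPT: 1, DISABLE: 2}   # higher is stricter

# registry value name -> (label as shown in the IE dialog, advised level)
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialise and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}


def audit(values):
    """values: {value_name: int} as read from the zone key.

    Returns (value_name, label, current, advised) for each setting that is
    missing or less strict than advised; stricter than advised is fine."""
    findings = []
    for name, (label, advised) in RECOMMENDED.items():
        current = values.get(name)
        if STRICTNESS.get(current, -1) < STRICTNESS[advised]:
            findings.append((name, label, current, advised))
    return findings


def report(findings):
    """One human-readable line per finding."""
    lines = []
    for name, label, current, advised in findings:
        shown = "not set" if current is None else LEVEL_NAME.get(current, str(current))
        lines.append(f"{name} {label}: {shown} -> set to {LEVEL_NAME[advised]}")
    return lines


def read_zone_values():
    """Read the six values for the current user; Windows only."""
    if sys.platform != "win32":
        raise RuntimeError("registry access needs Windows")
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE_KEY) as key:
        for name in RECOMMENDED:
            try:
                values[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass        # value absent: reported as "not set"
    return values


# Constructed snapshot: everything as advised except sub-frame navigation
SAMPLE_VALUES = {"1001": PROMPT, "1004": DISABLE, "1201": DISABLE,
                 "1800": PROMPT, "1804": PROMPT, "1607": ENABLE}

if __name__ == "__main__":
    values = read_zone_values() if sys.platform == "win32" else SAMPLE_VALUES
    for line in report(audit(values)) or ["all six settings are at or above the advised level"]:
        print(line)
```

Run it on the machine as the user whose browser you are checking; every line printed is a setting weaker than advised. One caveat worth knowing: if the Security_HKLM_only policy value is set under Internet Settings (also described in KB 182569), the HKLM copy of the Zones key is the one IE applies, so read that hive instead of HKCU.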

  10. #20
    Security Expert-Emeritus Dakeyras's Avatar
    Join Date
    Sep 2008
    Location
    The Tundra
    Posts
    1,173

    Default

    You are very welcome! And thank you
    Mammuthus Hibernian Scouserus, member of ASAP and UNITE.
